Hi,

According to RFC 8624, support for DNSSEC algorithm ED25519 is only RECOMMENDED [0].

This is the current distribution of DNSSEC algorithms across all 224 of RIPE's in-addr.arpa. zones (some of them are counted multiple times because different hashing algorithms might be used per zone):

awk '$2=="DS" && $4=="5" { print $0 }' *.in-addr.arpa-RIP | wc -l
18
awk '$2=="DS" && $4=="7" { print $0 }' *.in-addr.arpa-RIP | wc -l
30
awk '$2=="DS" && $4=="8" { print $0 }' *.in-addr.arpa-RIP | wc -l
114
awk '$2=="DS" && $4=="10" { print $0 }' *.in-addr.arpa-RIP | wc -l
9
awk '$2=="DS" && $4=="13" { print $0 }' *.in-addr.arpa-RIP | wc -l
208
awk '$2=="DS" && $4=="14" { print $0 }' *.in-addr.arpa-RIP | wc -l
20
awk '$2=="DS" && $4=="15" { print $0 }' *.in-addr.arpa-RIP | wc -l
0

DNSSEC algorithm 5 "RSASHA1" is NOT RECOMMENDED [0], but is still used 18 times.

Please add support for DNSSEC algorithm ED25519.

cheers,
-arsen

[0] https://tools.ietf.org/html/rfc8624#section-3.1

* Arsen STASIC <arsen.stasic@univie.ac.at> [2020-12-21 11:31 (+0100)]:
Hi,
RIPE's DNS Zonemaster version might be outdated, because it does not support DNSSEC algorithm ED25519. This is the error message: Signature for DNSKEY with tag 52537 failed to verify with error 'Unknown cryptographic algorithm'. https://dnscheck.ripe.net/test/328db6c75665721b
But the Zonemaster software (Versions: engine 4.0.3, backend 6.0.2, GUI 3.2.1) already has support for DNSSEC algorithm ED25519: https://www.zonemaster.net/result/c1607f01d96a8d60
It would be good if RIPE's Zonemaster could also list its version numbers.
cheers, -Arsen
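
The per-algorithm counts above, as an added example that is not part of the original message: one awk pass that tallies DS records by algorithm, counts each zone once per algorithm regardless of digest type, and labels each algorithm with its DNSSEC signing recommendation from RFC 8624 section 3.1. The function names and sample records are constructed for illustration, and the field layout is assumed to match the one-liners in the message.

```shell
#!/bin/sh
# Added example. Assumed record layout (same as the one-liners in the message):
#   $1 owner name, $2 "DS", $3 key tag, $4 algorithm, $5 digest type, $6 digest

# Constructed sample records, not real RIPE data.
sample_ds() {
  cat <<'EOF'
10.in-addr.arpa. DS 11111 13 2 AAAA
10.in-addr.arpa. DS 11111 13 4 BBBB
20.in-addr.arpa. DS 22222 5 1 CCCC
20.in-addr.arpa. DS 22222 5 2 DDDD
30.in-addr.arpa. DS 33333 8 2 EEEE
30.in-addr.arpa. NS ns.example.
40.in-addr.arpa. DS 44444 15 2 FFFF
EOF
}

# Reads zone data from the named files, or from stdin when none are given.
ds_alg_tally() {
  awk '
    BEGIN {
      # number:mnemonic:signing recommendation (RFC 8624 section 3.1)
      t = "5:RSASHA1:NOT RECOMMENDED|7:RSASHA1-NSEC3-SHA1:NOT RECOMMENDED|"
      t = t "8:RSASHA256:MUST|10:RSASHA512:NOT RECOMMENDED|"
      t = t "13:ECDSAP256SHA256:MUST|14:ECDSAP384SHA384:MAY|15:ED25519:RECOMMENDED"
      n = split(t, rows, "|")
      for (i = 1; i <= n; i++) {
        split(rows[i], f, ":"); name[f[1]] = f[2]; sign[f[1]] = f[3]
      }
    }
    $2 == "DS" {
      records[$4]++                      # every DS record, as wc -l counts them
      key = tolower($1) SUBSEP $4        # one entry per (zone, algorithm)
      if (!(key in seen)) { seen[key] = 1; zones[$4]++ }
    }
    END {
      for (a in records)
        printf("%d %s zones=%d ds_records=%d signing=%s\n", a,
               ((a in name) ? name[a] : "UNLISTED"), zones[a], records[a],
               ((a in sign) ? sign[a] : "not in table"))
    }
  ' "$@" | sort -n
}

sample_ds | ds_alg_tally
```

Called with zone files as arguments, the function reports both the raw DS record count and the de-duplicated zone count, so the double counting caused by multiple digest types is visible per algorithm.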