On 18/02/2022 14:41, Nick Cao via dns-wg wrote:

Hello Nick,

> When doing a DNSSEC algorithm rollover from ecdsap256sha256 to ed25519 today, I got the error 'Unknown cryptographic algorithm' when updating ds-rdata field. A quick google search led me to https://www.ripe.net/ripe/mail/archives/dns-wg/2021-January/003796.html, which dates back to more than a year ago. It seems that the zonemaster deployment has not been updated to date, thus I would like to ask about the current progress.

Your observation is correct. The version of Zonemaster we're running isn't up to date, and can't handle algorithms 15 and 16.

We are working on updating all the things. It is a two-stage process, where we need to update Zonemaster first (running on our current Linux distribution, CentOS 7), and then deploy it on a derivative of RedHat Linux 8, whose openssl understands these newer algorithms. Unfortunately, we cannot yet provide a date by when this will all be done. However, we appreciate your concern, and are putting more priority on getting this work done as soon as possible.

The automatic update of your DS record happened as a result of our daily CDS scans. The code that does the scans and checks does not invoke Zonemaster, because it is only concerned with ensuring that the DNSSEC chain of trust is correct.

Regards,
Anand Buddhdev
RIPE NCC