On 21/12/2020 11:31, Arsen STASIC wrote:

Hi Arsen,
RIPE's DNS Zonemaster version might be outdated, because it does not support DNSSEC algorithm ED25519. This is the error message: Signature for DNSKEY with tag 52537 failed to verify with error 'Unknown cryptographic algorithm'. https://dnscheck.ripe.net/test/328db6c75665721b
You are correct. We are using an older version of Zonemaster, and it does not support ED25519.
But the Zonemaster software (Versions: engine 4.0.3, backend 6.0.2, GUI 3.2.1) already has support for DNSSEC algorithm ED25519: https://www.zonemaster.net/result/c1607f01d96a8d60
It would be good if RIPE's Zonemaster could also list its version numbers.
We are already testing the latest version of Zonemaster, but we also need to update the OS it runs on, since we need newer versions of OpenSSL with support for ED25519. I don't have a date for you, but we hope to update Zonemaster to the latest version very soon.

In the meantime, if you need to add or update a DS record for your zones, please email dns@ripe.net with a complete copy of your domain object, and we will do the updates for you manually.

Regards,
Anand Buddhdev
RIPE NCC