“tempting smell”? I love that expression! :-)

The full report of where these algorithms are supported can be found at https://www.potaroo.net/ispcol/2021-06/eddi.html

Of the major DNSSEC-validating resolver networks we observed:

Google 8.8.8.8 - Yes
Comcast - No
Reliance Jio - No

so it's a mixed package

Geoff
On 21 Feb 2022, at 1:28 pm, Nick Cao via dns-wg <dns-wg@ripe.net> wrote:
Nice catch! But who can resist the tempting smell of a brand new cryptographic building block? Speaking of the level of support, I personally have a low barrier on that: do major public resolvers support it? If that's a yes, we are good to go.
On 2/21/22 09:58, Geoff Huston wrote:
ok - I’ll bite - why do you want to use Ed25519 or Ed448 for DNSSEC?

When I looked at the level of support for Ed25519 last June the measurements showed that "slightly less than one half of all users who use DNS recursive resolvers that perform DNSSEC validation using ECDSA P-256 also treat ED25519 digital signatures as “unknown.”" [1]

That study concluded with the Q&A: "Is Ed25519 ready for use? In my view, this data is telling us “No!” If you want to take advantage of the smaller signature sizes offered by these curve-based crypto algorithms, then ECDSA P-256 appears to offer similar cryptographic strength with the same key sizes as Ed25519, but with a far more widespread support base for validation." [1]

Hence my question - why are you wanting to sign with an algorithm that does not have anywhere near the level of validating resolver support as ECDSA P-256?

thanks,
Geoff

[1] https://www.potaroo.net/ispcol/2021-06/eddi.html
On 19 Feb 2022, at 1:37 am, Tyrasuki via dns-wg <dns-wg@ripe.net> wrote:
Also curious myself,
I was trying to set up DNSSEC for my own and my workplace's network, and ran into the same issue; the same goes for Ed448. The newest that seems to be accepted is protocol 14 (ECDSAP384SHA384), so I've been using this for now.
Would also be interested in the current status of this.
Cheers,
Jori (Tyrasuki)
REDP-RIPE
On 2/18/2022 2:41 PM, Nick Cao via dns-wg wrote:
When doing a DNSSEC algorithm rollover from ecdsap256sha256 to ed25519 today, I got the error 'Unknown cryptographic algorithm' when updating the ds-rdata field. A quick Google search led me to https://www.ripe.net/ripe/mail/archives/dns-wg/2021-January/003796.html, which dates back to more than a year ago. It seems that the zonemaster deployment has not been updated to date, thus I would like to ask about the current progress.
--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/dns-wg
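A pre-submission check for DS rdata in the spirit of this thread, added here as an example and not code from the list, from zonemaster or from any registry tool: it parses a DS record in presentation format, validates the digest length for its digest type, and flags algorithm numbers that a registry checker rejects or that validating resolvers widely treat as unknown. The REGISTRY_ACCEPTED and LIMITED_VALIDATOR_SUPPORT sets are assumptions taken from what the thread reports, not a published policy.

```python
from dataclasses import dataclass
from typing import List

# IANA DNSSEC algorithm numbers (subset), with the mnemonics used in the thread.
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
              15: "ED25519", 16: "ED448"}
# DS digest types and the digest length in bytes each one produces.
DIGEST_TYPES = {1: ("SHA-1", 20), 2: ("SHA-256", 32), 4: ("SHA-384", 48)}
# Assumptions taken from the thread: the registry checker accepted nothing
# newer than 14, and validator support for 15/16 lagged well behind 13.
REGISTRY_ACCEPTED = {8, 13, 14}
LIMITED_VALIDATOR_SUPPORT = {15, 16}


@dataclass
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def parse_ds(rdata: str) -> DS:
    """Parse DS rdata in presentation format: '<keytag> <alg> <dtype> <hex>'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("DS rdata needs key tag, algorithm, digest type and digest")
    key_tag, algorithm, digest_type = (int(f) for f in fields[:3])
    if not 0 <= key_tag <= 0xFFFF:
        raise ValueError(f"key tag {key_tag} out of range")
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unknown digest type {digest_type}")
    # The hex digest may be split across whitespace in zone files; bytes.fromhex
    # raises ValueError on odd length or non-hex characters.
    digest = bytes.fromhex("".join(fields[3:]))
    name, expected_len = DIGEST_TYPES[digest_type]
    if len(digest) != expected_len:
        raise ValueError(f"{name} digest should be {expected_len} bytes, got {len(digest)}")
    return DS(key_tag, algorithm, digest_type, digest)


def check_ds(rdata: str, accepted=REGISTRY_ACCEPTED) -> List[str]:
    """Return problems to resolve before submitting this DS; an empty list means clear."""
    ds = parse_ds(rdata)
    problems = []
    if ds.algorithm not in accepted:
        # Mirrors the 'Unknown cryptographic algorithm' rejection seen in the thread.
        problems.append(f"algorithm {ds.algorithm} ({ALGORITHMS.get(ds.algorithm, '?')}) "
                        "is not accepted by the registry checker")
    if ds.algorithm in LIMITED_VALIDATOR_SUPPORT:
        problems.append(f"{ALGORITHMS[ds.algorithm]} signatures may be treated as unknown "
                        "by a large share of validating resolvers")
    return problems
```

Run `check_ds` over each DS you intend to publish before an algorithm rollover; a non-empty result means the new algorithm will either be rejected at the registry or leave part of the validating population unable to verify the zone.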