This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] Update RIPE's DNS Zonemaster
Arsen STASIC
arsen.stasic at univie.ac.at
Tue Dec 22 15:21:10 CET 2020
Hi,

according to RFC 8624, the support of DNSSEC algorithm ED25519 is only RECOMMENDED [0].

This is the current distribution of DNSSEC algorithms across all 224 of RIPE's in-addr.arpa. zones (some of them are counted multiple times because different hashing algorithms might be used per zone):

awk '$2=="DS" && $4=="5" { print $0 }' *.in-addr.arpa-RIP | wc -l
18
awk '$2=="DS" && $4=="7" { print $0 }' *.in-addr.arpa-RIP | wc -l
30
awk '$2=="DS" && $4=="8" { print $0 }' *.in-addr.arpa-RIP | wc -l
114
awk '$2=="DS" && $4=="10" { print $0 }' *.in-addr.arpa-RIP | wc -l
9
awk '$2=="DS" && $4=="13" { print $0 }' *.in-addr.arpa-RIP | wc -l
208
awk '$2=="DS" && $4=="14" { print $0 }' *.in-addr.arpa-RIP | wc -l
20
awk '$2=="DS" && $4=="15" { print $0 }' *.in-addr.arpa-RIP | wc -l
0

DNSSEC algorithm 5 "RSASHA1" is NOT RECOMMENDED [0], but is still used 18 times.

Please add support for DNSSEC algorithm ED25519.

cheers,
-arsen

[0] https://tools.ietf.org/html/rfc8624#section-3.1

* Arsen STASIC <arsen.stasic at univie.ac.at> [2020-12-21 11:31 (+0100)]:
>Hi,
>
>RIPE's DNS Zonemaster version might be outdated, because it does not support DNSSEC algorithm ED25519. This is the error message:
>Signature for DNSKEY with tag 52537 failed to verify with error 'Unknown cryptographic algorithm'.
>https://dnscheck.ripe.net/test/328db6c75665721b
>
>
>But the Zonemaster software (Versions: engine 4.0.3, backend 6.0.2, GUI 3.2.1) already has support for DNSSEC algorithm ED25519:
>https://www.zonemaster.net/result/c1607f01d96a8d60
>
>
>It would be good if RIPE's Zonemaster could also list its version numbers.
>
>cheers,
>-Arsen
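
The per-algorithm tally from the message above, done in a single pass, as an added example that is not part of the original message. It goes beyond the message by also counting each zone once per algorithm, so several digest types for one zone do not inflate the figure. The function names `sample_ds` and `ds_tally` are hypothetical, the line layout is assumed from the field tests in the message's awk commands, and the sample records are constructed.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumed line layout (from the field tests in the message's awk commands):
#   owner DS keytag algorithm digest-type digest

# Constructed sample data; key tags and digests are dummy values.
sample_ds() {
    cat <<'EOF'
2.0.192.in-addr.arpa. DS 11111 13 2 00AA
2.0.192.in-addr.arpa. DS 11111 13 4 00BB
100.51.198.in-addr.arpa. DS 22222 5 1 00CC
100.51.198.in-addr.arpa. DS 22222 5 2 00DD
113.0.203.in-addr.arpa. DS 33333 15 2 00EE
113.0.203.in-addr.arpa. NS ns.example.net.
EOF
}

# Reads zone data on stdin and prints one line per algorithm:
#   number mnemonic rfc8624-signing-status ds-records distinct-zones
ds_tally() {
    awk '
    BEGIN {
        # number:mnemonic:signing recommendation (RFC 8624, section 3.1)
        t = "5:RSASHA1:NOT_RECOMMENDED 7:RSASHA1-NSEC3-SHA1:NOT_RECOMMENDED"
        t = t " 8:RSASHA256:MUST 10:RSASHA512:NOT_RECOMMENDED"
        t = t " 13:ECDSAP256SHA256:MUST 14:ECDSAP384SHA384:MAY"
        t = t " 15:ED25519:RECOMMENDED 16:ED448:MAY"
        n = split(t, row, " ")
    }
    $2 == "DS" {
        records[$4]++
        # Several digest types for one zone yield several DS lines;
        # count the zone only once per algorithm.
        zone = tolower($1)
        if (!((zone, $4) in seen)) { seen[zone, $4] = 1; zones[$4]++ }
    }
    END {
        for (i = 1; i <= n; i++) {
            split(row[i], f, ":")
            printf "%s %s %s %d %d\n", f[1], f[2], f[3], records[f[1]], zones[f[1]]
        }
    }'
}

sample_ds | ds_tally
```

On real data, feed it the same files the message uses: `cat *.in-addr.arpa-RIP | ds_tally`.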