This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] follow up of "Update RIPE's DNS Zonemaster"
- Previous message (by thread): [dns-wg] follow up of "Update RIPE's DNS Zonemaster"
- Next message (by thread): [dns-wg] follow up of "Update RIPE's DNS Zonemaster"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Geoff Huston
gih at apnic.net
Mon Feb 21 04:57:15 CET 2022
“tempting smell”? I love that expression! :-)

The full report of where these algorithms are supported can be found at https://www.potaroo.net/ispcol/2021-06/eddi.html

Of the major DNSSEC-validating resolver networks we observed:

Google 8.8.8.8 - Yes
Comcast - No
Reliance Jio - No

so it's a mixed package

Geoff

> On 21 Feb 2022, at 1:28 pm, Nick Cao via dns-wg <dns-wg at ripe.net> wrote:
>
> Nice catch! But who can resist the tempting smell of a brand new cryptographic building block? Speaking of the level of support, I personally have a low barrier on that: do major public resolvers support it? If that's a yes, we are good to go.
>
> On 2/21/22 09:58, Geoff Huston wrote:
>> ok - I’ll bite - why do you want to use Ed25519 or Ed448 for DNSSEC?
>>
>> When I looked at the level of support for Ed25519 last June the measurements showed that "slightly less than one half of all users who use DNS recursive resolvers that perform DNSSEC validation using ECDSA P-256 also treat ED25519 digital signatures as “unknown.” [1]
>>
>> That study concluded with the Q&A:
>>
>> "Is Ed25519 ready for use?
>>
>> In my view, this data is telling us “No!” If you want to take advantage of the smaller signature sizes offered by these curve-based crypto algorithms, then ECDSA P-256 appears to offer similar cryptographic strength with the same key sizes as Ed25519, but with a far more widespread support base for validation.” [1]
>>
>> Hence my question - why are you wanting to sign with an algorithm that does not have anywhere near the level of validating resolver support as ECDSA P-256?
>>
>> thanks,
>>
>> Geoff
>>
>> [1] https://www.potaroo.net/ispcol/2021-06/eddi.html
>>
>>> On 19 Feb 2022, at 1:37 am, Tyrasuki via dns-wg <dns-wg at ripe.net> wrote:
>>>
>>> Also curious myself,
>>>
>>> I was trying to set up DNSSEC for my own and my workplace's network, and ran into the same issue; the same goes for Ed448.
>>> The newest that seems to be accepted is protocol 14 (ECDSAP384SHA384), so I've been using this for now.
>>>
>>> Would also be interested in the current status of this.
>>>
>>> Cheers,
>>> Jori (Tyrasuki)
>>> REDP-RIPE
>>>
>>> On 2/18/2022 2:41 PM, Nick Cao via dns-wg wrote:
>>>> When doing a DNSSEC algorithm rollover from ecdsap256sha256 to ed25519 today, I got the error 'Unknown cryptographic algorithm' when updating the ds-rdata field. A quick google search led me to https://www.ripe.net/ripe/mail/archives/dns-wg/2021-January/003796.html, which dates back to more than a year ago. It seems that the zonemaster deployment has not been updated today, thus I would like to ask about the current progress.
>>>>
>>>
>>> --
>>>
>>> To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://mailman.ripe.net/
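The thread turns on two concrete things: the DS rdata that a registry front-end parses (key tag, algorithm number, digest type, digest) and whether a given algorithm number is on the tool's accepted list. The following is an added example, not code from RIPE, Zonemaster or any poster: it builds the DS rdata for a DNSKEY exactly as RFC 4034 defines it (key tag from Appendix B, digest over the canonical owner name plus the DNSKEY RDATA), then runs a hypothetical acceptance check modelled on what Jori reported (algorithms up to 14 accepted, 15/16 rejected with the "Unknown cryptographic algorithm" message Nick saw). The public keys are constructed filler bytes, not real keys, and the `ACCEPTED_BY_TOOL` set is an assumption used to illustrate the failure mode.

```python
"""RFC 4034 key tag + DS digest for a DNSKEY, and an algorithm-acceptance
check that reproduces the 'Unknown cryptographic algorithm' failure.
Added example; the accepted-algorithm set is a hypothetical policy."""
import hashlib

# IANA DNSSEC algorithm numbers referred to in the thread
ECDSAP256SHA256 = 13
ECDSAP384SHA384 = 14
ED25519 = 15
ED448 = 16

# DS digest types: 2 = SHA-256, 4 = SHA-384 (RFC 4509 / RFC 6605)
DS_DIGEST = {2: hashlib.sha256, 4: hashlib.sha384}

# Hypothetical acceptance list mirroring the report that the tool takes
# up to algorithm 14 but rejects 15 (Ed25519) and 16 (Ed448). Assumption.
ACCEPTED_BY_TOOL = {5, 7, 8, 10, 13, 14}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, per RFC 4034 s6.2."""
    trimmed = name.rstrip(".").lower()
    labels = trimmed.split(".") if trimmed else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (big-endian 16-bit word sum with carry)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey: bytes, digest_type: int = 2) -> str:
    """DS rdata text: '<keytag> <algorithm> <digesttype> <hexdigest>'.
    Digest input is owner-name-wire || DNSKEY RDATA (RFC 4034 s5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def check_ds(ds_rdata: str, accepted=ACCEPTED_BY_TOOL):
    """Parse DS rdata text and decide whether the algorithm is on the accepted
    list. Returns (ok, message); the message on rejection mirrors the error
    quoted in the thread."""
    fields = ds_rdata.split()
    if len(fields) != 4:
        return False, "malformed DS rdata (expected 4 fields)"
    tag, alg, dtype, digest = fields
    alg, dtype = int(alg), int(dtype)
    if dtype not in DS_DIGEST:
        return False, f"unsupported digest type {dtype}"
    if len(digest) != DS_DIGEST[dtype]().digest_size * 2:
        return False, f"digest length does not match digest type {dtype}"
    if alg not in accepted:
        return False, f"Unknown cryptographic algorithm (algorithm {alg})"
    return True, f"algorithm {alg} accepted (key tag {tag})"


if __name__ == "__main__":
    # Constructed filler keys, not real key material: 64 bytes for
    # ECDSA P-256 (uncompressed x||y), 32 bytes for Ed25519.
    p256_key = b"\x01" * 64
    ed25519_key = b"\x01" * 32
    for alg, key in ((ECDSAP256SHA256, p256_key), (ED25519, ed25519_key)):
        ds = make_ds("example.com.", 257, 3, alg, key)
        ok, msg = check_ds(ds)
        print(f"{ds[:24]}...  ->  {'OK ' if ok else 'REJECT'}: {msg}")
```

Running it shows the same DS layout being accepted for algorithm 13 and rejected for algorithm 15 purely on the algorithm number: the digest itself is computed identically, which is why a front-end that validates the algorithm field against a fixed list breaks an otherwise well-formed Ed25519 rollover. Swapping in a real DNSKEY's base64 key material (decoded to bytes) yields the DS rdata you would paste into the registry object.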