[dns-wg] follow up of "Update RIPE's DNS Zonemaster"
Anand Buddhdev
anandb at ripe.net
Tue Feb 22 16:43:28 CET 2022
On 18/02/2022 14:41, Nick Cao via dns-wg wrote:

Hello Nick,

> When doing a DNSSEC algorithm rollover from ecdsap256sha256 to ed25519
> today, I got the error 'Unknown cryptographic algorithm' when updating
> ds-rdata field. A quick google search led me to
> https://www.ripe.net/ripe/mail/archives/dns-wg/2021-January/003796.html,
> which dates back to more than a year ago. It seems that the zonemaster
> deployment has not been updated to day, thus I would like to ask about
> the current progress.

Your observation is correct. The version of Zonemaster we're running isn't up to date, and can't handle algorithms 15 and 16.

We are working on updating all the things. It is a two-stage process, where we need to update Zonemaster first (running on our current Linux distribution, CentOS 7), and then deploy it on a derivative of RedHat Linux 8, whose openssl understands these newer algorithms.

Unfortunately, we cannot yet provide a date by when this will all be done. However, we appreciate your concern, and are putting more priority on getting this work done as soon as possible.

The automatic update of your DS record happened as a result of our daily CDS scans. The code that does the scans and checks does not invoke Zonemaster, because it is only concerned with ensuring that the DNSSEC chain of trust is correct.

Regards,
Anand Buddhdev
RIPE NCC