[dns-operations] dnssec ecc

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Jul 15 07:49:30 UTC 2014


On Fri, Jul 11, 2014 at 06:46:16PM -0400,
 James Cloos <cloos at jhcloos.com> wrote 
 a message of 6 lines which said:

> Are enough current verifiers capable of verifying ecdsa to make it
> reasonable to deploy ECDSAP256SHA256 or ECDSAP384SHA384 keys?

I'm not aware of any published survey (Geoff Huston's style: send a
Flash ad, which loads three images, one in an unsigned domain, one in
a domain properly signed with ECC and one deliberately broken-signed
with ECC, and see which image(s) is(are) loaded).

So, the answer is "I don't know".

There are some already existing domains signed only with ECC, such as
ecdsa.isc.org. You can try to query them from several points (using
Atlas probes, maybe) and see how often you get the AD bit.
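
The three-case test described above (an unsigned control, a name properly signed with ECC, a name deliberately broken-signed with ECC) combined with the AD-bit check, as an added example that is not part of the original message. The function names, outcome labels and the constructed header-only responses are assumptions; sending the queries is left out so the code runs offline.

```python
import struct

QR, AD, RCODE_MASK, SERVFAIL = 0x8000, 0x0020, 0x000F, 2

def build_query(name, qid=0x1234, qtype=1):
    """A query with RD and AD set plus an EDNS0 OPT record carrying DO."""
    header = struct.pack("!HHHHHH", qid, 0x0100 | AD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL holds DO (0x8000), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_flags(response):
    """Return (rcode, ad_set) from the 12-byte DNS header of a response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & QR:
        raise ValueError("QR bit clear: not a response")
    return flags & RCODE_MASK, bool(flags & AD)

def classify(unsigned, signed_ok, signed_broken):
    """Judge one resolver from its answers to the three test names."""
    if parse_flags(unsigned)[0] != 0:
        return "unusable"  # control lookup failed, nothing can be concluded
    ok_rc, ok_ad = parse_flags(signed_ok)
    bad_rc, _ = parse_flags(signed_broken)
    if ok_rc == 0 and ok_ad and bad_rc == SERVFAIL:
        return "validates-ecdsa"
    if ok_rc == 0 and not ok_ad and bad_rc == 0:
        # Either no validation at all, or ECDSA treated as an unknown algorithm
        return "no-ecdsa-validation"
    return "indeterminate"

def sample_response(flags):
    """Constructed header-only response, standing in for a resolver's answer."""
    return struct.pack("!HHHHHH", 0x1234, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    noerror, noerror_ad, servfail = 0x8180, 0x81A0, 0x8182
    print(len(build_query("ecdsa.isc.org")), "byte query")
    print(classify(*map(sample_response, (noerror, noerror_ad, servfail))))
    print(classify(*map(sample_response, (noerror, noerror, noerror))))
```

With ECC-signed names alone, a resolver that does not validate and one that validates but does not know the ECDSA algorithms give the same answers, which is why both fall under one label here.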


