[dns-operations] EdDSA status ?

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jun 1 15:40:34 UTC 2018



> On Jun 1, 2018, at 4:49 AM, fujiwara at jprs.co.jp wrote:
> 
> Then, when OpenSSL 1.1.1 will release, people will be ready to use
> ED25519 (and ED448).

The good news:

   OpenSSL 1.1.1 will be released in the July/August timeframe.

The bad news:

   It'll be some time before it appears as the default
   OpenSSL version in shipping operating systems, and
   a considerably longer time before most users upgrade
   to those new operating systems.

Therefore, while it should become easier to start signing
with Ed25519/Ed448 soon at early adopter sites, it only
makes sense to include some Ed25519 or Ed448 KSKs alongside
more established algorithms 8(RSA-SHA256) or
13(ECDSA-P256).

The ZSK should probably still be just one of the
established algorithms. Sending two signatures with
every leaf RRset adds bloat risking UDP fragmentation
barriers.  Yes, granted, Ed25519 RRsigs are comparatively
small, and so in combination with 13(ECDSA-P256) yield
1024 bits of signature, and so with compression of the
repeated owner name yield about the same overhead as
RSA with 1024 bit keys.

Bottom line, at this time IMHO the early adopters should
only deploy Ed25519 KSKs along with ECDSA-P256 KSKs, and
use just ECDSA ZSKs, waiting ~5-10 years before cutting
over the ZSK to just Ed25519.  With a bit of luck that'll
happen before scalable universal quantum computers make
EdDSA obsolete... :-)

-- 
	Viktor.
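To put the "two ZSK signatures risk fragmentation" trade-off discussed above into numbers, here is an added wire-size model; it is not code from the message or from any DNS implementation. It counts the bytes an RRSIG and a DNSKEY RR occupy on the wire using the fixed signature and key sizes from RFC 6605 (ECDSA P-256) and RFC 8080 (Ed25519/Ed448), and modulus-derived sizes for RSA. Assumptions, all constructed for the example: the owner name is always a compression pointer, the signer name is a pointer whenever it is a suffix of the owner name (the apex case), KSKs alone sign the DNSKEY RRset, all RSA keys in one call share a modulus length, the DNSKEY response envelope is header plus question plus an 11-byte OPT RR, and 1232 bytes is taken as the fragmentation-avoiding EDNS limit. The zone names are placeholders.

```python
"""Wire-size model for DNSSEC responses under mixed-algorithm signing (constructed example)."""
from typing import Iterable, Tuple

# Signature and public-key field sizes in bytes for fixed-size algorithms:
# RFC 6605 (ECDSA P-256), RFC 8080 (Ed25519, Ed448).
# RSA (RFC 5702) depends on the modulus length and is computed separately.
FIXED_SIZES = {
    13: ("ECDSAP256SHA256", 64, 64),   # alg -> (name, signature bytes, key bytes)
    15: ("ED25519", 64, 32),
    16: ("ED448", 114, 57),
}
RSASHA256 = 8

RR_FIXED = 10            # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) following the owner name
RRSIG_RDATA_FIXED = 18   # type covered, alg, labels, orig TTL, expiration, inception, key tag
DNSKEY_RDATA_FIXED = 4   # flags(2) protocol(1) algorithm(1)
NAME_POINTER = 2         # compressed reference to a name already in the message
EDNS_LIMIT = 1232        # assumed fragmentation-avoiding EDNS buffer size


def name_wire_len(name: str) -> int:
    """Uncompressed wire length of a domain name (length-prefixed labels + root octet)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(len(lbl) + 1 for lbl in labels) + 1


def sig_and_key_len(alg: int, rsa_bits: int = 2048) -> Tuple[int, int]:
    """(signature bytes, DNSKEY public-key field bytes) for an algorithm number."""
    if alg == RSASHA256:
        n = rsa_bits // 8
        # RFC 3110 key field: exponent-length octet, 3-octet exponent (65537), modulus
        return n, 1 + 3 + n
    _, sig, key = FIXED_SIZES[alg]
    return sig, key


def signer_wire_len(owner: str, signer: str) -> int:
    """Signer name costs a pointer when it is a suffix of the (already present)
    owner name, i.e. the normal zone-apex signer; otherwise it is written out."""
    o, s = owner.rstrip(".").lower(), signer.rstrip(".").lower()
    return NAME_POINTER if o == s or o.endswith("." + s) else name_wire_len(signer)


def rrsig_wire_len(alg: int, owner: str, signer: str, rsa_bits: int = 2048) -> int:
    """Bytes one RRSIG RR occupies; the owner name is assumed compressed to a pointer."""
    sig, _ = sig_and_key_len(alg, rsa_bits)
    return NAME_POINTER + RR_FIXED + RRSIG_RDATA_FIXED + signer_wire_len(owner, signer) + sig


def dnskey_wire_len(alg: int, rsa_bits: int = 2048) -> int:
    """Bytes one DNSKEY RR occupies with a compressed owner name."""
    _, key = sig_and_key_len(alg, rsa_bits)
    return NAME_POINTER + RR_FIXED + DNSKEY_RDATA_FIXED + key


def leaf_rrsig_overhead(zsk_algs: Iterable[int], owner: str, zone: str, rsa_bits: int = 2048) -> int:
    """Total RRSIG bytes attached to a leaf RRset signed by one ZSK per listed algorithm."""
    return sum(rrsig_wire_len(a, owner, zone, rsa_bits) for a in zsk_algs)


def dnskey_response_size(ksk_algs: Iterable[int], zsk_algs: Iterable[int], zone: str,
                         rsa_bits: int = 2048) -> int:
    """Approximate apex DNSKEY response: header, question, OPT RR, every DNSKEY RR,
    and one RRSIG per KSK (assumption: only KSKs sign the DNSKEY RRset)."""
    ksks, zsks = list(ksk_algs), list(zsk_algs)
    envelope = 12 + (name_wire_len(zone) + 4) + 11   # header + question + OPT
    keys = sum(dnskey_wire_len(a, rsa_bits) for a in ksks + zsks)
    sigs = sum(rrsig_wire_len(a, zone, zone, rsa_bits) for a in ksks)
    return envelope + keys + sigs


if __name__ == "__main__":
    owner, zone = "www.example.com.", "example.com."   # placeholder names
    for label, zsks, bits in [("ECDSA-P256 ZSK", [13], 2048),
                              ("ECDSA-P256 + Ed25519 ZSKs", [13, 15], 2048),
                              ("RSA-1024 ZSK", [8], 1024),
                              ("RSA-2048 ZSK", [8], 2048)]:
        print(f"{label:28s} RRSIG bytes per leaf RRset: "
              f"{leaf_rrsig_overhead(zsks, owner, zone, bits)}")
    for label, ksks, zsks in [("ECDSA KSK / ECDSA ZSK", [13], [13]),
                              ("ECDSA+Ed25519 KSKs / ECDSA ZSK", [13, 15], [13])]:
        size = dnskey_response_size(ksks, zsks, zone)
        print(f"{label:32s} DNSKEY response ~{size} bytes, "
              f"headroom to {EDNS_LIMIT}: {EDNS_LIMIT - size}")
```

Run it as a script to print the comparison; note that the model counts the full RRSIG header for every signature, so two 64-byte signatures cost more than one 128-byte RSA signature even though the raw signature bits are equal, which is the part of the overhead a per-bit comparison hides. Extra KSK algorithms show up only in the apex DNSKEY response, which is the figure to check against the EDNS limit of the resolvers you care about.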
