[dns-operations] suggested DNSKEY type

A. Schulze sca at andreasschulze.de
Tue Mar 27 13:28:33 UTC 2018



On 27.03.2018 at 12:41, Jim Reid wrote:
> Depends on your definition of better... signing time, validation time, number of years until the algorithm pair gets deprecated, wider/longer support in the installed base, compatibility with local applications and systems, etc, etc.

Hello Jim,

yes, those were the points I also saw...
but to me, the really relevant point is support in the installed base only.

I would prefer ECDSAP256SHA256 because of the smaller response size.
But how many users will get lost because their resolvers don't support ECDSAP256SHA256?
What about MTAs no longer delivering email messages to my MX because DANE fails?

Do other DNS operators have experiences?

Andreas



