[dns-operations] suggested DNSKEY type
Evan Hunt
each at isc.org
Tue Mar 27 16:29:00 UTC 2018
On Tue, Mar 27, 2018 at 03:28:33PM +0200, A. Schulze wrote:
> yes, those are the points I also saw...
> but to me, the really relevant point is support in the installed base only.
>
> I would prefer ECDSAP256SHA256 because of the smaller response size.
> But how many users will get lost because their resolvers don't support ECDSAP256SHA256?
> What about MTAs no longer delivering email messages to my MX because DANE fails?
>
> Do other DNS operators have experiences?
I think I heard Geoff Huston say at OARC a few months ago that ECDSA is now
just as widely-deployed in validators as RSASHA256 is. Better confirm that
with him rather than trusting my leaky memory, though.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.