[dns-operations] suggested DNSKEY type

Evan Hunt each at isc.org
Tue Mar 27 16:29:00 UTC 2018

On Tue, Mar 27, 2018 at 03:28:33PM +0200, A. Schulze wrote:
> yes, that where the point's I also saw...
> but to me, the really relevant point is support in the installed base only.
> I would prefer ECDSAP256SHA256 because smaller response size.
> But how many user will get lost because their resolver don't support ECDSAP256SHA256?
> What's with MTAs no longer deliver email messages to my MX because DANE fail?
> do have other DNS operators experiences?

I think I heard Geoff Huston say at OARC a few months ago that ECDSA is now
just as widely-deployed in validators as RSASHA256 is. Better confirm that
with him rather than trusting my leaky memory, though.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the dns-operations mailing list