[dns-operations] suggested DNSKEY type
Frederico A C Neves
fneves at registro.br
Tue Mar 27 17:21:11 UTC 2018
On Tue, Mar 27, 2018 at 04:29:00PM +0000, Evan Hunt wrote:
> On Tue, Mar 27, 2018 at 03:28:33PM +0200, A. Schulze wrote:
> > yes, those were the points I also saw...
> > but to me, the really relevant point is support in the installed base only.
> >
> > I would prefer ECDSAP256SHA256 because of the smaller response size.
> > But how many users will get lost because their resolvers don't support ECDSAP256SHA256?
> > What about MTAs no longer delivering email messages to my MX because DANE fails?
> >
> > Do other DNS operators have experiences?
>
> I think I heard Geoff Huston say at OARC a few months ago that ECDSA is now
> just as widely-deployed in validators as RSASHA256 is. Better confirm that
> with him rather than trusting my leaky memory, though.
Your memory is correct. But there are some issues with the measurements
lately.
https://stats.labs.apnic.net/ecdsa
If you look at the data up to Dec/2017, depending on the region,
ECDSA/RSA validation ratio varies from 2/3 to 4/5.
Fred