[dns-operations] suggested DNSKEY type

Frederico A C Neves fneves at registro.br
Tue Mar 27 17:21:11 UTC 2018

On Tue, Mar 27, 2018 at 04:29:00PM +0000, Evan Hunt wrote:
> On Tue, Mar 27, 2018 at 03:28:33PM +0200, A. Schulze wrote:
> > yes, that where the point's I also saw...
> > but to me, the really relevant point is support in the installed base only.
> > 
> > I would prefer ECDSAP256SHA256 because smaller response size.
> > But how many user will get lost because their resolver don't support ECDSAP256SHA256?
> > What's with MTAs no longer deliver email messages to my MX because DANE fail?
> > 
> > do have other DNS operators experiences?
> I think I heard Geoff Huston say at OARC a few months ago that ECDSA is now
> just as widely-deployed in validators as RSASHA256 is. Better confirm that
> with him rather than trusting my leaky memory, though.

Your memory is correct. But there is some issues with the measurements


If you look for the data upto Dec/2017, depending on the region ,
ECDSA/RSA validation ratio varies from 2/3 to 4/5.


More information about the dns-operations mailing list