[dns-operations] EdDSA status ?
muks at mukund.org
Thu May 31 16:22:55 UTC 2018
Hello Fujiwara san,
On Fri, Jun 01, 2018 at 12:53:33AM +0900, fujiwara at jprs.co.jp wrote:
> I'm testing EdDSA DNSKEY algorithm.
> If you have any information, please reply.
> EdDSA requires OpenSSL 1.1.1 (pre6 or pre7 or git head).
> (openssl 1.1.1 lacks benchmarking of ED25519 and ED448)
> Signer: LDNS (git head, ldns-signzone) supports both ED25519 and ED448.
> BIND 9.12.1 (dnssec-signzone) supports ED25519.
> does not support ED448.
> Validator: BIND 9.12.1 does not support ED25519 (SERVFAIL!).
> BIND 9 (git head) supports ED25519 validation.
> does not support ED448 validation (SERVFAIL).
BIND master branch has support for Ed448, but there is a minor bug
that's causing Ed448 to fail right now (OpenSSL 1.1.1-pre6). It looks
like the ASN.1 prefix/suffix it uses with libcrypto API is
incorrect. There's a bug ticket open for it.
I'd expect it to be fixed shortly.
More information about the dns-operations