[dns-operations] EdDSA status ?

Mukund Sivaraman muks at mukund.org
Thu May 31 16:22:55 UTC 2018


Hello Fujiwara san,

On Fri, Jun 01, 2018 at 12:53:33AM +0900, fujiwara at jprs.co.jp wrote:
> I'm testing EdDSA DNSKEY algorithm.
> 
> If you have any information, please reply.
> 
> EdDSA requires OpenSSL 1.1.1  (pre6 or pre7 or git head).
>       (openssl 1.1.1 lacks benchmarking of ED25519 and ED448)
> 
> Signer:   LDNS (git head, ldns-signzone) supports both ED25519 and ED448.
>           BIND 9.12.1 (dnssec-signzone) supports ED25519.
>                                         does not support ED448.
> 
> Validator: BIND 9.12.1 does not support ED25519 (SERVFAIL!).
>            BIND 9 (git head) supports ED25519 validation.
>                              does not support ED448 validation (SERVFAIL).

BIND master branch has support for Ed448, but there is a minor bug
that's causing Ed448 to fail right now (OpenSSL 1.1.1-pre6). It looks
like the ASN.1 prefix/suffix it uses with libcrypto API is
incorrect. There's a bug ticket open for it.

https://gitlab.isc.org/isc-projects/bind9/issues/225

I'd expect it to be fixed shortly.

		Mukund
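An added illustration (not code from the thread, BIND or LDNS) of the ASN.1 wrapper Mukund refers to: a DNSKEY RR carries the bare EdDSA public key (RFC 8080), so a validator that hands it to libcrypto must first wrap it in a SubjectPublicKeyInfo DER prefix whose OID and lengths match the algorithm, and a wrapper built for the wrong algorithm makes the key unusable and the answer fail validation. The DNSKEY RDATA below is constructed; algorithm numbers 15 (ED25519) and 16 (ED448) are the RFC 8080 values.

```python
# Added example: DER SubjectPublicKeyInfo wrapping for EdDSA DNSKEY public keys,
# plus a checker that rejects a wrapper whose OID or lengths do not fit the key.

# RFC 8080 DNSKEY algorithm number -> (DER-encoded OID, raw public key length)
EDDSA_ALGS = {
    15: (bytes.fromhex("2b6570"), 32),   # ED25519, OID 1.3.101.112
    16: (bytes.fromhex("2b6571"), 57),   # ED448,   OID 1.3.101.113
}

def spki_wrap(alg, raw_key):
    """Wrap a raw DNSKEY public key as SubjectPublicKeyInfo:
    SEQUENCE { SEQUENCE { OID }, BIT STRING { 0 unused bits || key } }."""
    oid, klen = EDDSA_ALGS[alg]
    if len(raw_key) != klen:
        raise ValueError("raw key length %d, expected %d" % (len(raw_key), klen))
    alg_id = b"\x30" + bytes([len(oid) + 2]) + b"\x06" + bytes([len(oid)]) + oid
    bitstr = b"\x03" + bytes([klen + 1]) + b"\x00" + raw_key
    body = alg_id + bitstr                      # 42 bytes for Ed25519, 67 for Ed448
    return b"\x30" + bytes([len(body)]) + body  # both fit a one-byte DER length

def spki_check(alg, der):
    """Return the raw key if `der` is exactly the SPKI form for `alg`, else None.
    A prefix for the other algorithm (wrong OID, wrong lengths) is rejected."""
    oid, klen = EDDSA_ALGS[alg]
    prefix = (b"\x30" + bytes([10 + klen]) + b"\x30\x05\x06\x03" + oid
              + b"\x03" + bytes([klen + 1]) + b"\x00")
    if len(der) != len(prefix) + klen or not der.startswith(prefix):
        return None
    return der[len(prefix):]

def dnskey_to_spki(rdata):
    """Take DNSKEY RDATA (flags, protocol=3, algorithm, public key) and wrap it."""
    if len(rdata) < 4 or rdata[2] != 3:
        raise ValueError("bad DNSKEY RDATA header")
    alg = rdata[3]
    if alg not in EDDSA_ALGS:
        raise ValueError("not an EdDSA algorithm: %d" % alg)
    return spki_wrap(alg, rdata[4:])

if __name__ == "__main__":
    # Constructed sample: a KSK-flagged Ed448 DNSKEY with a dummy 57-byte key.
    rdata = b"\x01\x01\x03\x10" + bytes(range(57))
    der = dnskey_to_spki(rdata)
    print(der[:12].hex(), "...", spki_check(16, der) == rdata[4:])
```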
