[dns-operations] EdDSA status ?

Pieter Lexis pieter.lexis at powerdns.com
Thu May 31 16:52:33 UTC 2018


On 05/31/2018 05:53 PM, fujiwara at jprs.co.jp wrote:
> If you have any information, please reply.
> EdDSA requires OpenSSL 1.1.1  (pre6 or pre7 or git head).
>       (openssl 1.1.1 lacks benchmarking of ED25519 and ED448)
> Signer:   LDNS (git head, ldns-signzone) supports both ED25519 and ED448.
>           BIND 9.12.1 (dnssec-signzone) supports ED25519.
>                                         does not support ED448.

PowerDNS Authoritative Server 4.0.x and 4.1.x support ed25519 via
libsodium and ed448 via libdecaf. You will need to compile yourself, as
our packages only support ed25519.

> Validator: BIND 9.12.1 does not support ED25519 (SERVFAIL!).
>            BIND 9 (git head) supports ED25519 validation.
>                              does not support ED448 validation (SERVFAIL).
>            Unbound 1.7.1 supports both ED25519 and ED448.
> does not support ED25519/ED448, but NOERROR (insecure).
> and may support ED25519.
> 	   	       	       may not support ED448 (insecure).

The PowerDNS Recursor 4.1.x supports both algorithms in the same way as
the Authoritative Server does.

> Registry and Registrar:
>       I found one TLD/registrar that allows algorithm 15 and 16 registration.
>           TLD = .ASIA
>           Registrar = do-reg.jp  (http://do-reg.jp/)

SIDN (.nl) also accepts these keys. See ed448.nl and ed25519.nl.

Best regards,

Pieter Lexis

Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
