[dns-operations] EdDSA status ?
pieter.lexis at powerdns.com
Thu May 31 16:52:33 UTC 2018
On 05/31/2018 05:53 PM, fujiwara at jprs.co.jp wrote:
> If you have any information, please reply.
> EdDSA requires OpenSSL 1.1.1 (pre6 or pre7 or git head).
> (openssl 1.1.1 lacks benchmarking of ED25519 and ED448)
> Signer: LDNS (git head, ldns-signzone) supports both ED25519 and ED448.
> BIND 9.12.1 (dnssec-signzone) supports ED25519.
> does not support ED448.
PowerDNS Authoritative Server 4.0.x and 4.1.x support ed25519 via
libsodium and ed448 via libdecaf. You will need to compile yourself, as
our packages only support ed25519.
> Validator: BIND 9.12.1 does not support ED25519 (SERVFAIL!).
> BIND 9 (git head) supports ED25519 validation.
> does not support ED448 validation (SERVFAIL).
> Unbound 1.7.1 supports both ED25519 and ED448.
> 184.108.40.206 does not support ED25519/ED448, but NOERROR (insecure).
> 220.127.116.11 and 18.104.22.168 may support ED25519.
> may not support ED448 (insecure).
The PowerDNS Recursor 4.1.x supports both algorithms in the same way as
the Authoritative Server does.
> Registry and Registrar:
> I found one TLD/registrar that allow algorithm 15 and 16 registration.
> TLD = .ASIA
> Registrar = do-reg.jp (http://do-reg.jp/)
SIDN (.nl) also accepts these keys. See ed448.nl and ed25519.nl.
PowerDNS.COM BV -- https://www.powerdns.com
More information about the dns-operations