[dns-operations] How widely implemented are different DNSSEC algorithms?

Robert Edmonds edmonds at mycre.ws
Sat Sep 12 14:52:18 UTC 2020


John Levine wrote:
> Are there any published numbers estimating how well the various DNSSEC
> algorithms are supported in DNS caches and client software?
> 
> Or to put it another way, were I to switch from signing with
> algorithm 8 to 13, how much would I regret it?

If I recall correctly, one of the major issues with ECDSA support was
the lack of support on some commercial OSes; e.g. it had been
intentionally disabled on RHEL. It looks like support for ECDSA with
P-256/P-384 in OpenSSL was enabled in RHEL 6.5 [0], which was released
in 2013.

[0] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_release_notes/bh-chap-security

-- 
Robert Edmonds


