[dns-operations] Registrars supporting ED25519
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Jul 31 21:27:37 UTC 2021
On Sun, Aug 01, 2021 at 06:28:38AM +1000, Geoff Huston wrote:
> On this topic, I note that Joao Damas and I tested the level of
> support for DNSSEC validation using ED25519 in May and June this year.
> The writeup of this measurement can be found at
> https://www.potaroo.net/ispcol/2021-06/eddi.html. At this stage a
> number of large ISPs that operate DNS services perform DNSSEC
> validation do not support this particular algorithm, and the level of
> support in DNSSEC-validators is in total some 50% of the level of
> support for RSA and ECDSA P-256. This may change in the future of
> course, but at this stage it does not appear to offer any compelling
> features that stand it apart from ECDSA P-256, and some significant
> differences in the lack of algorithm support in validating resolvers.
Indeed, and on the authoritative side it appears that one large provider
(I think domeneshop.no) rolled out ED25519 earlier this year, and then
changed their mind. See attached graph of observed published algorithm
15 RRSet counts over time.
--
Viktor.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: alg15.pdf
Type: application/pdf
Size: 8811 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210731/eb19661c/attachment.pdf>
More information about the dns-operations
mailing list