[dns-operations] DNSSEC parameter BCP
Geoff Huston
gih at apnic.net
Sun Jun 18 06:12:27 UTC 2023
> On 13 Jun 2023, at 2:58 am, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> On Mon, Jun 12, 2023 at 10:41:12AM -0400, Viktor Dukhovni wrote:
>
>> On Mon, Jun 12, 2023 at 10:37:22AM -0300, daniel majela wrote:
>>
>>> What is the best algorithm for ksk and zsk?
>>
>> The BCP algorithm is ECDSAP256SHA256(13). This is both more secure and
>> more compact than RSA. It is in wide use:
>>
>> https://stats.dnssec-tools.org/
>> https://stats.dnssec-tools.org/#/?dnssec_param_tab=0
>>
>> Today, out of 22,010,850 known signed zones, the number with algorithm
>> 14 KSKs is 9,982,219 or just over 45%.
>>
The last time I looked at the capabilities of validators in recursive resolvers
comparing levels of support for RSA and ECDSA P256 SHA256 was in November 2021
(https://www.potaroo.net/ispcol/2021-11/ecdsa.html)
I should also note that the report on DNSSEC Validation Capability at
https://stats.labs.apnic.net/DNSSEC is based on ECDSA P256 SHA256
signatures, and has been for the past 3 years.
regards,
Geoff
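The thread compares ECDSAP256SHA256 (algorithm 13) with RSA on compactness and validator support. The script below is an added example for this archive page, not code from Viktor's or Geoff's posts: it builds DNSKEY RDATA for a P-256 key and an RSA-2048 key in their RFC 6605 and RFC 3110 wire formats, computes the RFC 4034 Appendix B key tag, and reports the DNSKEY and RRSIG sizes side by side. The key bytes are constructed filler, not real keys, so the key tags it prints are only meaningful for the layout demonstration.

```python
"""DNSKEY wire-size and key-tag comparison: ECDSAP256SHA256 (13) vs RSASHA256 (8).

Added example for the dns-operations thread; not the posters' code.
All key material below is constructed filler, not real keys.
"""
import base64
import struct

ALG_NAMES = {
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}

# Signature size in an RRSIG for a typical key of each algorithm
# (RSA-2048 for algorithm 8, P-256 for algorithm 13).
SIGNATURE_BYTES = {8: 256, 13: 64}


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """RFC 4034 section 2.1: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA (not for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ecdsa_p256_public_key_rdata(x, y):
    """RFC 6605 section 4: uncompressed point x | y, 32 bytes each, no 0x04 prefix."""
    if len(x) != 32 or len(y) != 32:
        raise ValueError("P-256 coordinates must be 32 bytes each")
    return x + y


def rsa_public_key_rdata(exponent, modulus):
    """RFC 3110 section 2: exponent length (1 byte, or 0x00 + 2 bytes), exponent, modulus."""
    n = len(exponent)
    prefix = bytes([n]) if n < 256 else b"\x00" + struct.pack("!H", n)
    return prefix + exponent + modulus


def to_presentation(flags, protocol, algorithm, pubkey):
    """Zone-file RDATA text: 'flags protocol algorithm base64key'."""
    return f"{flags} {protocol} {algorithm} {base64.b64encode(pubkey).decode()}"


def parse_dnskey(presentation):
    """Parse the RDATA text form back into (flags, protocol, algorithm, pubkey)."""
    fields = presentation.split()
    flags, protocol, algorithm = int(fields[0]), int(fields[1]), int(fields[2])
    pubkey = base64.b64decode("".join(fields[3:]))
    return flags, protocol, algorithm, pubkey


def describe(flags, protocol, algorithm, pubkey):
    """Summarise one key: role (SEP bit), key tag, DNSKEY RDATA and RRSIG signature sizes."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {
        "algorithm": ALG_NAMES.get(algorithm, str(algorithm)),
        "role": "KSK" if flags & 0x0001 else "ZSK",
        "key_tag": key_tag(rdata),
        "dnskey_rdata_bytes": len(rdata),
        "rrsig_signature_bytes": SIGNATURE_BYTES.get(algorithm),
    }


def comparison():
    """Constructed KSKs (flags 257): P-256 vs RSA-2048 with exponent 65537."""
    p256 = ecdsa_p256_public_key_rdata(bytes(range(32)), bytes(range(32, 64)))
    rsa2048 = rsa_public_key_rdata(b"\x01\x00\x01", bytes((i * 7 + 1) & 0xFF for i in range(256)))
    return {
        "ecdsa": describe(257, 3, 13, p256),
        "rsa": describe(257, 3, 8, rsa2048),
    }


if __name__ == "__main__":
    for name, info in comparison().items():
        print(name, info)
```

Because the RRSIG over every RRset shrinks from 256 to 64 bytes, a P-256 zone's responses stay well clear of the UDP sizes where fragmentation or TCP fallback begin to bite, which is the compactness argument the thread is making.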