[dns-operations] DNSSEC parameter BCP

Geoff Huston gih at apnic.net
Sun Jun 18 06:12:27 UTC 2023



> On 13 Jun 2023, at 2:58 am, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> On Mon, Jun 12, 2023 at 10:41:12AM -0400, Viktor Dukhovni wrote:
> 
>> On Mon, Jun 12, 2023 at 10:37:22AM -0300, daniel majela wrote:
>> 
>>> What is the best algorithm for ksk and zsk?
>> 
>> The BCP algorithm is ECDSAP256SHA256(13).  This is both more secure and
>> more compact than RSA.  It is in wide use:
>> 
>>    https://stats.dnssec-tools.org/
>>    https://stats.dnssec-tools.org/#/?dnssec_param_tab=0
>> 
>> Today, out of 22,010,850 known signed zones, the number with algorithm
>> 14 KSKs is 9,982,219 or just over 45%.
>> 


The last time I looked at the capabilities of validators in recursive resolvers
comparing levels of support for RSA and ECDSA P256 SHA256 was in November 2021
(https://www.potaroo.net/ispcol/2021-11/ecdsa.html)

I should also note that the report on DNSSEC Validation Capability at
https://stats.labs.apnic.net/DNSSEC is based on ECDSA P256 SHA256
signatures, and has been for the past 3 years.

regards,

 Geoff
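The "more compact than RSA" point in the quoted reply can be measured directly on the wire. The following Go program is an added example, not code from this thread or from anyone on the list: it generates a P-256 key and (as an assumed comparison size the thread does not name) a 2048-bit RSA key, encodes each public key in DNSKEY RDATA form (RFC 6605 section 4 for algorithm 13, RFC 3110 for RSA), signs a constructed digest with each, and reports the DNSKEY RDATA and RRSIG signature sizes a resolver would have to carry in a response. It also computes the RFC 4034 Appendix B key tag so the DNSKEY can be matched to a DS or RRSIG. Function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// DNSSEC algorithm numbers (IANA DNS Security Algorithm Numbers registry).
const (
	AlgRSASHA256       uint8 = 8  // RFC 5702
	AlgECDSAP256SHA256 uint8 = 13 // RFC 6605
)

// kskFlags is Zone Key (256) plus Secure Entry Point (1), RFC 4034 s2.1.1.
const kskFlags uint16 = 257

// dnskeyRdata assembles DNSKEY RDATA: flags, protocol (always 3), algorithm, public key.
func dnskeyRdata(flags uint16, alg uint8, pubkey []byte) []byte {
	rdata := make([]byte, 4, 4+len(pubkey))
	binary.BigEndian.PutUint16(rdata[0:2], flags)
	rdata[2] = 3
	rdata[3] = alg
	return append(rdata, pubkey...)
}

// keyTag is the RFC 4034 Appendix B checksum over DNSKEY RDATA; RRSIG and DS
// records carry it so a validator can pick the right key from the RRset.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		if i%2 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// ecdsaP256PublicKey encodes Q as x||y, 32 bytes each, no 0x04 prefix (RFC 6605 s4).
func ecdsaP256PublicKey(pub *ecdsa.PublicKey) []byte {
	out := make([]byte, 64)
	pub.X.FillBytes(out[:32])
	pub.Y.FillBytes(out[32:])
	return out
}

// rsaPublicKey encodes exponent length, exponent, modulus (RFC 3110 s2).
func rsaPublicKey(pub *rsa.PublicKey) []byte {
	exp := big.NewInt(int64(pub.E)).Bytes()
	var out []byte
	if len(exp) < 256 {
		out = []byte{byte(len(exp))}
	} else { // long exponents: zero byte, then a 16-bit length
		out = []byte{0, byte(len(exp) >> 8), byte(len(exp))}
	}
	out = append(out, exp...)
	return append(out, pub.N.Bytes()...)
}

// ecdsaP256Signature returns the RRSIG signature field for algorithm 13:
// r||s, each left-padded to 32 bytes (RFC 6605 s4), never DER.
func ecdsaP256Signature(priv *ecdsa.PrivateKey, digest []byte) ([]byte, error) {
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest)
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return sig, nil
}

// verifyECDSAP256 does what a validator does with that fixed-width field.
func verifyECDSAP256(pub *ecdsa.PublicKey, digest, sig []byte) bool {
	if len(sig) != 64 {
		return false
	}
	return ecdsa.Verify(pub, digest, new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// Sizes holds the two wire sizes that drive DNSSEC response size.
type Sizes struct{ DNSKEYRdata, Signature int }

// compareSizes signs one constructed digest with a fresh P-256 key and a fresh
// 2048-bit RSA key and returns the DNSKEY RDATA and signature sizes for each.
func compareSizes() (Sizes, Sizes, error) {
	digest := sha256.Sum256([]byte("constructed sample RRset bytes")) // stands in for the hashed RRset
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Sizes{}, Sizes{}, err
	}
	ecSig, err := ecdsaP256Signature(ecKey, digest[:])
	if err != nil {
		return Sizes{}, Sizes{}, err
	}
	if !verifyECDSAP256(&ecKey.PublicKey, digest[:], ecSig) {
		return Sizes{}, Sizes{}, fmt.Errorf("ECDSA signature did not verify")
	}
	ec := Sizes{len(dnskeyRdata(kskFlags, AlgECDSAP256SHA256, ecdsaP256PublicKey(&ecKey.PublicKey))), len(ecSig)}
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) // assumed comparison size, not from the thread
	if err != nil {
		return Sizes{}, Sizes{}, err
	}
	rsaSig, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, digest[:])
	if err != nil {
		return Sizes{}, Sizes{}, err
	}
	rs := Sizes{len(dnskeyRdata(kskFlags, AlgRSASHA256, rsaPublicKey(&rsaKey.PublicKey))), len(rsaSig)}
	return ec, rs, nil
}

func main() {
	ec, rs, err := compareSizes()
	if err != nil {
		panic(err)
	}
	fmt.Printf("alg 13 ECDSAP256SHA256:    DNSKEY RDATA %d bytes, RRSIG signature %d bytes\n", ec.DNSKEYRdata, ec.Signature)
	fmt.Printf("alg 8 RSASHA256 (2048-bit): DNSKEY RDATA %d bytes, RRSIG signature %d bytes\n", rs.DNSKEYRdata, rs.Signature)
}
```

With these encodings an algorithm 13 KSK occupies 68 bytes of DNSKEY RDATA and each RRSIG signature is 64 bytes, against 264 and 256 bytes for the assumed RSA-2048 key; the difference compounds across a DNSKEY RRset with several keys and their RRSIGs, which is where responses start to exceed the sizes that travel cleanly over UDP.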
