[dns-wg] Update RIPE's DNS Zonemaster
Arsen STASIC
arsen.stasic at univie.ac.at
Tue Dec 22 15:21:10 CET 2020
Hi,

according to RFC 8624, the support of DNSSEC algorithm ED25519 is only RECOMMENDED [0].

This is the current distribution of DNSSEC algorithms across all 224 RIPE's in-addr.arpa. zones (some of them are counted multiple times because different hashing algorithms might be used per zone):

awk '$2=="DS" && $4=="5" { print $0 }' *.in-addr.arpa-RIP | wc -l
18
awk '$2=="DS" && $4=="7" { print $0 }' *.in-addr.arpa-RIP | wc -l
30
awk '$2=="DS" && $4=="8" { print $0 }' *.in-addr.arpa-RIP | wc -l
114
awk '$2=="DS" && $4=="10" { print $0 }' *.in-addr.arpa-RIP | wc -l
9
awk '$2=="DS" && $4=="13" { print $0 }' *.in-addr.arpa-RIP | wc -l
208
awk '$2=="DS" && $4=="14" { print $0 }' *.in-addr.arpa-RIP | wc -l
20
awk '$2=="DS" && $4=="15" { print $0 }' *.in-addr.arpa-RIP | wc -l
0

DNSSEC algorithm 5 "RSASHA1" is NOT RECOMMENDED [0], but is still used 18 times.

Please add support for DNSSEC algorithm ED25519.

cheers,
-arsen

[0] https://tools.ietf.org/html/rfc8624#section-3.1

* Arsen STASIC <arsen.stasic at univie.ac.at> [2020-12-21 11:31 (+0100)]:
>Hi,
>
>RIPE's DNS Zonemaster version might be outdated, because it does not support DNSSEC algorithm ED25519. This is the error message:
>Signature for DNSKEY with tag 52537 failed to verify with error 'Unknown cryptographic algorithm'.
>https://dnscheck.ripe.net/test/328db6c75665721b
>
>
>But the Zonemaster software (Versions: engine 4.0.3, backend 6.0.2, GUI 3.2.1) already has support for DNSSEC algorithm ED25519:
>https://www.zonemaster.net/result/c1607f01d96a8d60
>
>
>It would be good if RIPE's Zonemaster could also list its version numbers.
>
>cheers,
>-Arsen
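
Added example, not part of the original message: a one-pass variant of the per-algorithm count that counts each zone once per algorithm, so several digest types for the same key no longer inflate the totals, and prints the signing recommendation from RFC 8624 section 3.1 next to each algorithm. The record layout (owner, "DS", key tag, algorithm, digest type, digest) is an assumption inferred from the awk filters in the message; the function names and sample records are constructed.

```shell
#!/bin/sh
# Tally DS algorithms, one count per (zone, algorithm) pair.
# Assumed record layout: <owner> DS <key tag> <algorithm> <digest type> <digest>
# Reads the files given as arguments, or stdin when called without arguments.
ds_alg_summary() {
    awk '
    BEGIN {
        # DNSSEC signing recommendations, RFC 8624 section 3.1
        name[5]  = "RSASHA1";            sign[5]  = "NOT RECOMMENDED"
        name[7]  = "RSASHA1-NSEC3-SHA1"; sign[7]  = "NOT RECOMMENDED"
        name[8]  = "RSASHA256";          sign[8]  = "MUST"
        name[10] = "RSASHA512";          sign[10] = "NOT RECOMMENDED"
        name[13] = "ECDSAP256SHA256";    sign[13] = "MUST"
        name[14] = "ECDSAP384SHA384";    sign[14] = "MAY"
        name[15] = "ED25519";            sign[15] = "RECOMMENDED"
    }
    $2 == "DS" {
        key = $1 SUBSEP $4              # zone + algorithm, digest type ignored
        if (!(key in seen)) { seen[key] = 1; zones[$4]++ }
    }
    END {
        for (a in zones) {
            n = (a in name) ? name[a] : "UNKNOWN"
            s = (a in sign) ? sign[a] : "UNLISTED"
            # Output columns: algorithm number, mnemonic, zones, recommendation
            printf "%s %s %d %s\n", a, n, zones[a], s
        }
    }' "$@" | sort -n
}

# Constructed sample records; owners and digests are placeholders.
sample_ds() {
    cat <<'EOF'
a.2.0.192.in-addr.arpa. DS 1111 13 2 AAAA
a.2.0.192.in-addr.arpa. DS 1111 13 4 BBBB
b.2.0.192.in-addr.arpa. DS 2222 5 1 CCCC
b.2.0.192.in-addr.arpa. DS 2222 5 2 DDDD
c.2.0.192.in-addr.arpa. DS 3333 8 2 EEEE
d.2.0.192.in-addr.arpa. DS 4444 15 2 FFFF
EOF
}

sample_ds | ds_alg_summary
```
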