Hello,

the current ldns-keygen/ldns-signzone doesn't support ED25519/ED448 KSK/ZSK keys, while dnssec-keygen can generate ED25519 keys. I generated ED25519 KSK and ZSK keys using dnssec-keygen, published them in the zone file, checked the zone file (it is OK) and signed the zone with dnssec-signzone. Though NSD was restarted successfully, I wonder (actually I am concerned) whether NSD works fine with such keys.

I'm asking because I faced a strange problem with one registrar (name.com) which supports ED25519/ED448 keys, but their web interface, while able to retrieve the DNSKEY record from my DNS server, is unable to register the DS record for my DNS server on their side.

Could it be that NSD doesn't work with ED25519 and sends wrong data to the registrar when it tries to form the DS record?

---
WBR, Vladimir Lomov
Wouter Wijngaards
2019-Mar-26 06:56 UTC
[nsd-users] Does NSD support ED25519 KSK/ZSK keys?
Hi Vladimir,

Yes, NSD supports that. Because NSD is designed to copy the data to the client, the signatures and the DNSKEY data can be sent straight away. The support itself consists of code to parse identifiers used when reading the zone file. If that concluded successfully, then the further operations should be unproblematic.

ldns-keygen and ldns-signzone have been updated in the code repository with the new algorithms.

Best regards, Wouter
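One practical way to settle the question Vladimir raised is to compute the DS record yourself from the DNSKEY that NSD publishes and compare it with what the registrar's interface derives: if the key tag and digest match, the authoritative server is serving the key correctly and the problem lies on the registrar's side. The script below is an added example, not code from this thread, from NSD or from ldns. It implements the DS computation of RFC 4034 (key tag from Appendix B, digest over the canonical owner name followed by the DNSKEY RDATA) and the key-length checks of RFC 8080 for algorithm 15 (ED25519, 32-byte public key) and 16 (ED448, 57-byte public key). The owner name `example.com.` and the 32-byte public key are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample input, not taken from the thread: a DNSKEY RR for an
# ED25519 KSK (flags 257, protocol 3, algorithm 15). The public key bytes
# 0x00..0x1f are a placeholder, not a real key.
EXAMPLE_NAME = "example.com."
EXAMPLE_DNSKEY_RDATA = "257 3 15 " + base64.b64encode(bytes(range(32))).decode()

# Public key lengths fixed by RFC 8080 for the two EdDSA DNSSEC algorithms.
EDDSA_KEY_LENGTHS = {15: 32, 16: 57}


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase,
    length-prefixed labels, terminated by a zero-length root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(rdata_text):
    """Parse presentation-format DNSKEY RDATA: 'flags proto alg base64...'.
    The base64 key may be split across several whitespace-separated chunks."""
    flags, proto, alg, *key_chunks = rdata_text.split()
    pubkey = base64.b64decode("".join(key_chunks))
    return int(flags), int(proto), int(alg), pubkey


def validate_key(alg, pubkey):
    """True if the raw public key has the length RFC 8080 mandates for the
    algorithm. Algorithms other than 15/16 are not length-checked here."""
    expected = EDDSA_KEY_LENGTHS.get(alg)
    return expected is None or len(pubkey) == expected


def dnskey_wire(flags, proto, alg, pubkey):
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit
    algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum even-indexed bytes shifted
    left by 8 and odd-indexed bytes as-is, fold the carry, keep 16 bits."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def compute_ds(owner, rdata_text, digest_type=2):
    """Return the DS RR (presentation format) for a DNSKEY RR.
    digest_type 1 = SHA-1, 2 = SHA-256 (the common default), 4 = SHA-384."""
    flags, proto, alg, pubkey = parse_dnskey(rdata_text)
    if not validate_key(alg, pubkey):
        raise ValueError(f"public key length {len(pubkey)} invalid for algorithm {alg}")
    rdata = dnskey_wire(flags, proto, alg, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    # RFC 4034 5.1.4: digest = hash(canonical owner name || DNSKEY RDATA)
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    # Compare this line with the DS the registrar derives from the same DNSKEY.
    print(compute_ds(EXAMPLE_NAME, EXAMPLE_DNSKEY_RDATA))
```

To use it against a live zone, paste the DNSKEY RDATA as returned by `dig DNSKEY <zone>` into `compute_ds` with the zone's owner name; the DS line it prints is what a registrar should end up with for that key, and a mismatch in the key tag or digest isolates which side is at fault. A `ValueError` from the length check means the DNSKEY being served is malformed for its algorithm, which is exactly the "wrong data" case Vladimir was worried about.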