On Mon, Jul 10, 2017 at 6:41 PM, Mark Andrews <ma...@isc.org> wrote: > > > > I also don't want to deploy only Ed448 and cause my zone to be instantly > > treated as unsigned by the vast majority of resolvers. Obviously, because > > I've nullified the security benefit of DNSSEC, but also because I have > > application security protocols, like DANE, that critically depend on > DNSSEC > > authentication, for which this would pose a grave security risk. > > For some reason there is this insane rush to use Ed448 before even > the major crypto providors have shipped releases which support it. > Get support into major packages then use it in production. Yes, > we are working on adding it to BIND. Name servers get upgraded. >
Hi Mark, This was a hypothetical example that I thought might come up for some in the future. I wasn't describing my personal plans, so don't rush to implement Ed448 on my account! :-) -- Shumon Huque
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
