IANA lists "DNS Security Algorithm Numbers"

        http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

where

        "All algorithm numbers in this registry may be used in CERT RRs. Zone
         signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG)
         make use of particular subsets of these algorithms. Only algorithms
         usable for zone signing may appear in DNSKEY, RRSIG, and DS RRs.
         Only those usable for SIG(0) and TSIG may appear in SIG and KEY RRs."

The Zone-Signing enabled algos listed are

        3       DSA/SHA1
        5       RSA/SHA-1
        6       DSA-NSEC3-SHA1
        7       RSASHA1-NSEC3-SHA1
        8       RSA/SHA-256
        10      RSA/SHA-512
        12      GOST R 34.10-2001
        13      ECDSA Curve P-256 with SHA-256
        14      ECDSA Curve P-384 with SHA-384

I'm interested in use of the ECC algos, #13 & #14, for signing in ods

ods allows changing the algo

        https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125376#HowdoI...?-Changethesigningalgorithm

ods' defaults appear to be #8

        cat kasp.xml
                ...
                <!-- Parameters for KSK only -->
                <KSK>
                    <Algorithm length="2048">8</Algorithm>
                    <Lifetime>P1Y</Lifetime>
                    <Repository>SoftHSM</Repository>
                </KSK>

                <!-- Parameters for ZSK only -->
                <ZSK>
                    <Algorithm length="1024">8</Algorithm>
                    <Lifetime>P90D</Lifetime>
                    <Repository>SoftHSM</Repository>
                    <!-- <ManualRollover/> -->
                </ZSK>
                ...

I found this thread

        [Opendnssec-develop] Adding ECC to ods-signer
        http://lists.opendnssec.org/pipermail/opendnssec-develop/2016-September/005437.html

                "...
                We would welcome this contribution.  If your time permits, I see
                no problem getting this into the next 2.1 release.
                ...
                When you have something to review or submit you can push your changes
                back to github and make a pull-request for it.
                ..."

but lost any further comment.

I've built ods from latest git

    ./ods-enforcer -V
        opendnssec version 2.1.0-dev

Checking git log, I've missed any reference to inclusion of ECC algo signing support.

What's the status of ECC support in current/latest ods?
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
