Re: DNSSEC Best Practices

2021-05-10 Thread Peter van Dijk
On Tue, 2021-04-27 at 22:56 +0200, Arne Jensen wrote:
> NB: The reason I'm writing 14 4, a.k.a. ECDSAP384SHA384 all along is that I've seen DNSSEC signatures with 14 2 (ECDSAP384SHA256), which I would find quite weird.

This appears to be a frequent source of confusion. In '14 4', '14' is

Re: DNSSEC Best Practices

2021-04-28 Thread Robert Story
On Wed 2021-04-28 12:02:18+0200 Mark wrote:
> On 4/28/21 11:51, Tony Finch wrote:
> > Yes. I recommend p256 because the security advantages of p384 are not significant enough to justify the increased costs in space (packet size) and time.
>
> Both 13 and 14 are already smaller than 8

Re: DNSSEC Best Practices

2021-04-28 Thread Mark Tinka
On 4/28/21 11:51, Tony Finch wrote:
> Yes. I recommend p256 because the security advantages of p384 are not significant enough to justify the increased costs in space (packet size) and time.

Both 13 and 14 are already smaller than 8 (which is the most widely deployed algorithm today). 512

Re: DNSSEC Best Practices

2021-04-28 Thread Tony Finch
Arne Jensen wrote:
> RFC8624 "Algorithm Implementation Requirements and Usage Guidance for DNSSEC"
> -> https://tools.ietf.org/html/rfc8624
>
> > What algorithms do you typically sign with (RSASHA256, ECDSAP256SHA256, both, something other)?
>
> Those two mentioned are the ones that the

Re: DNSSEC Best Practices

2021-04-28 Thread Mark Tinka
On 4/27/21 22:56, Arne Jensen wrote:
> In the end, I would simply set up everything with 14 4, a.k.a. ECDSAP384SHA384, unless any customers/clients could provide valid justification (including evidence) why it "cannot" be used, such as e.g. a TLD not supporting it, could be valid

Re: DNSSEC Best Practices

2021-04-28 Thread Mark Tinka
On 4/27/21 21:31, Eric Germann via NANOG wrote:
> What algorithms do you typically sign with (RSASHA256, ECDSAP256SHA256, both, something other)?

I've been using ECDSAP384SHA384 (14) for a few months now, with no problems of note. I know that ECDSAP256SHA256 (13) is "firmer", but hey

Re: DNSSEC Best Practices

2021-04-27 Thread Ca By
On Tue, Apr 27, 2021 at 12:34 PM Eric Germann via NANOG wrote:
> Does anyone have a pointer to a good resource for current best practices for deployment of DNSSEC, preferably newer than RFC6781?
>
> What algorithms do you typically sign with (RSASHA256, ECDSAP256SHA256, both, something

Re: DNSSEC Best Practices

2021-04-27 Thread Arne Jensen
On 27-04-2021 at 21:31, Eric Germann via NANOG wrote:
> Does anyone have a pointer to a good resource for current best practices for deployment of DNSSEC, preferably newer than RFC6781?

RFC8624 "Algorithm Implementation Requirements and Usage Guidance for DNSSEC" ->

DNSSEC Best Practices

2021-04-27 Thread Eric Germann via NANOG
Does anyone have a pointer to a good resource for current best practices for deployment of DNSSEC, preferably newer than RFC6781?

What algorithms do you typically sign with (RSASHA256, ECDSAP256SHA256, both, something other)?

Feel free to little r me off list if you wish

— Eric Germann