This repository has been archived by the owner on Feb 6, 2022. It is now read-only.

Support of ECDSA key to DNSKEY ? #13

Closed
ralfhauser opened this issue Nov 12, 2018 · 2 comments

Comments

@ralfhauser

Does the current ValidatingResolver already support this new algorithm?


From: Daniel Stirnimann daniel.stirnimann@switch.ch
Subject: [swinog] .CH/.LI DNSSEC Algorithm Rollover
Date: 12 November 2018 at 08:45:28 CET
To: swinog@lists.swinog.ch

Hello,

for your information, SWITCH will perform a DNSSEC algorithm rollover
from RSA to ECDSA for ch. and li.

ECDSA uses smaller keys and signatures than their RSA counterparts,
which means responses to DNS queries are smaller.

ECDSA was already standardised for use in DNSSEC in 2012. While
switch.ch has been signed with ECDSA since 2016, IANA, the root zone
operator, has only recently allowed TLDs to use it.

The changes to the ch. and li. zones' DNSKEY record are as follows, with
times reported in UTC:

2018-11-21T13:30 Add new ECDSA key to DNSKEY record set
2018-12-21T13:30 Remove old RSA key from DNSKEY record set

During this interval, the chain of trust for ch. and li. will be
updated in the root zone to point to the new ECDSA key only.

Operators of DNSSEC validating DNS resolvers do not need to do anything.
In the unlikely case that your validating DNS resolver only understands
RSA but not ECDSA, it will answer ch. or li. queries as if they
were not DNSSEC signed.

You can test which DNSSEC algorithms are supported by the DNS
resolver(s) configured on your system by visiting:
https://rootcanary.org/test.html

Best regards,
Daniel Stirnimann, SWITCH

--
SWITCH
Daniel Stirnimann, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 24
daniel.stirnimann@switch.ch, www.switch.ch


swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
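As an added illustration, not part of this issue and not code from dnssecjava, the following Python models the behaviour the announcement describes: a validator that does not understand the algorithm of the only DS record for a delegation treats that delegation as unsigned (RFC 4035 section 5.2, RFC 6840 section 5.2). It parses DNSKEY and DS records in presentation format, computes key tags (RFC 4034 Appendix B), and walks the four states of the announced rollover for an RSA-only resolver and for one that also supports ECDSA. All key bytes, key tags and DS records are constructed, not the real ch. or li. data; the classification looks only at algorithm support and key-tag matching, so digest and signature verification are deliberately left out.

```python
import base64
import struct
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry (RFC 5702, RFC 6605, RFC 8080).
ALGORITHMS = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
ZONE_KEY_FLAG = 0x0100  # RFC 4034 section 2.1.1: bit 7 must be set on a zone key


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def key_tag(self) -> int:
        """Key tag over the RDATA, RFC 4034 Appendix B (algorithm 1's special case is not handled)."""
        rdata = struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key
        acc = 0
        for i, byte in enumerate(rdata):
            acc += byte << 8 if i % 2 == 0 else byte
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int


def parse_dnskey(line: str) -> DNSKEY:
    """Parse presentation format: 'ch. 3600 IN DNSKEY 257 3 13 <base64 key>'."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    return DNSKEY(flags, protocol, algorithm, base64.b64decode("".join(fields[i + 4:])))


def parse_ds(line: str) -> DS:
    """Parse presentation format: 'ch. 86400 IN DS 12345 13 2 <hex digest>'."""
    fields = line.split()
    i = fields.index("DS")
    key_tag, algorithm, digest_type = (int(x) for x in fields[i + 1:i + 4])
    return DS(key_tag, algorithm, digest_type)


def validation_outcome(ds_set, dnskey_set, supported_algorithms) -> str:
    """Classify a delegation the way a validator does, using only algorithm support
    and DS<->DNSKEY matching by (key tag, algorithm). 'secure' therefore means
    'would be validated', not 'cryptographically verified'."""
    if not ds_set:
        return "insecure"   # no DS: unsigned delegation (the NSEC proof is assumed)
    usable = [ds for ds in ds_set if ds.algorithm in supported_algorithms]
    if not usable:
        return "insecure"   # DS only for unknown algorithms: treated as unsigned
    zone_keys = {(k.key_tag(), k.algorithm) for k in dnskey_set if k.flags & ZONE_KEY_FLAG}
    if any((ds.key_tag, ds.algorithm) in zone_keys for ds in usable):
        return "secure"
    return "bogus"          # a supported DS that matches no DNSKEY fails validation


# Constructed sample key material; these are not the real ch. or li. keys.
RSA_KSK = parse_dnskey("ch. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(bytes(range(16, 80))).decode())
ECDSA_KSK = parse_dnskey("ch. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(1, 65))).decode())
DS_RSA = DS(RSA_KSK.key_tag(), 8, 2)
DS_ECDSA = DS(ECDSA_KSK.key_tag(), 13, 2)

# The rollover as announced: add the ECDSA key, move the root DS to it, then drop RSA.
ROLLOVER_PHASES = [
    ("before 2018-11-21", {DS_RSA}, {RSA_KSK}),
    ("ECDSA key added", {DS_RSA}, {RSA_KSK, ECDSA_KSK}),
    ("root DS switched to ECDSA", {DS_ECDSA}, {RSA_KSK, ECDSA_KSK}),
    ("after 2018-12-21, RSA removed", {DS_ECDSA}, {ECDSA_KSK}),
]


def outcomes_for_resolver(supported_algorithms) -> dict:
    """Outcome per rollover phase for a resolver that understands the given algorithms."""
    return {name: validation_outcome(ds, keys, supported_algorithms)
            for name, ds, keys in ROLLOVER_PHASES}


if __name__ == "__main__":
    for label, algs in (("RSA+ECDSA resolver", {8, 13}), ("RSA-only resolver", {8})):
        phases = outcomes_for_resolver(algs)
        print(label + ": " + ", ".join(f"{name} -> {res}" for name, res in phases.items()))
```

Running the script shows the RSA-only resolver going from "secure" to "insecure" the moment the root DS points only at the ECDSA key, which is exactly the silent downgrade the announcement warns about: no error, just answers that are no longer validated. The practical check for a deployed resolver remains the rootcanary.org test linked above, or confirming that algorithm 13 is in the resolver's supported list.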

@stirnim

stirnim commented Nov 12, 2018

I guess it does. This stub resolver seems to use http://www.dnsjava.org, which has support for ECDSA already.

@ibauersachs (Owner)

You should be able to run the rootcanary.org test with a Java-based reverse proxy, injecting dnssecjava as the DNS resolver. Be aware that your JRE/JDK needs to have support for ECDSA.

The list of currently supported algorithms is here:
https://github.com/ibauersachs/dnssecjava/blob/master/src/main/java/org/jitsi/dnssec/validator/ValUtils.java#L790
