[nsd-users] Does NSD support ED25519 KSK/ZSK keys?

Wouter Wijngaards wouter at nlnetlabs.nl
Tue Mar 26 06:56:40 UTC 2019


Hi Vladimir,

Yes, NSD supports that.  Because NSD is designed to copy the data to the
client, the signatures and the DNSKEY data can be sent straight away.

The support itself consists of code to parse identifiers used when
reading the zone file.  If that concluded successfully, then the further
operations should be unproblematic.

ldns-keygen and ldns-signzone have been updated in the code repository
with the new algorithms.

Best regards, Wouter

On 26/03/2019 05:21, Vladimir Lomov wrote:
> Hello,
>
> the current ldns-keygen/ldns-signzone don't support ED25519/ED448
> KSK/ZSK keys, while dnssec-keygen can generate ED25519 keys. I generated
> ED25519 KSK and ZSK keys using dnssec-keygen, published them in the zone
> file, checked the zone file (it is OK) and signed the zone with dnssec-signzone.
> Though NSD was restarted successfully, I wonder (actually, I am concerned): does
> NSD work fine with such keys?
>
> I'm asking because I ran into a strange problem with one registrar
> (name.com), which supports ED25519/ED448 keys, but their web interface,
> while able to retrieve the DNSKEY record from my DNS server, is unable to
> register the DS record for my DNS server on their side.
>
> Could it be that NSD can't work with ED25519 and is sending wrong data
> to the registrar when it tries to form the DS record?
>
> ---
> WBR, Vladimir Lomov
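A DS record is a digest over the owner name and the DNSKEY RDATA that the server hands out unchanged, so it can be recomputed locally from the published DNSKEY and compared with what a registrar expects. The sketch below is an added example, not part of the original thread and not NSD or ldns code; the sample record is constructed (its 32-byte key is a dummy value), the function names are illustrative, and it assumes a one-line DNSKEY record with the owner name first and digest type 2 (SHA-256).

```python
import base64
import hashlib
import struct

# Constructed sample record: the 32-byte "public key" is bytes 0..31, not a real key.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 15 " + base64.b64encode(bytes(range(32))).decode()


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_dnskey(line: str):
    """Split a one-line DNSKEY record into (owner, RDATA bytes, algorithm)."""
    fields = line.split()
    pos = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[pos + 1:pos + 4])
    key = base64.b64decode("".join(fields[pos + 4:]), validate=True)
    if algorithm == 15 and len(key) != 32:
        raise ValueError("an ED25519 public key must be exactly 32 octets")
    return fields[0], struct.pack("!HBB", flags, protocol, algorithm) + key, algorithm


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF


def ds_from_dnskey(line: str) -> str:
    """DS with digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    owner, rdata, algorithm = parse_dnskey(line)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_DNSKEY))
```

Feeding it the DNSKEY line exactly as the authoritative server returns it gives the key tag, algorithm number and digest to compare against the DS the parent zone is supposed to hold.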

