[Opendnssec-user] Default ZSK sizes

Paul Wouters paul at nohats.ca
Thu Jan 26 15:22:20 UTC 2012


On Thu, 26 Jan 2012, Roland van Rijswijk wrote:

> Seconded, ECC is a good alternative to RSA and should drastically reduce on-the-wire sizes of signatures and DNSKEY sets. And ECC is on the way (but not there yet) for DNSSEC: http://tools.ietf.org/html/draft-ietf-dnsext-ecdsa-04.
>
> Wonder if it will please DJB when ECC is added as algorithm to DNSSEC ;-)

If you really want to use ECC, you can already use GOST as your DNSSEC
algorithm.

Be aware that Fedora/RHEL/CentOS does not support ECC in openssl or any
software depending on openssl, including bind and unbound. The lawyers
do not like the patent minefield.

Hopefully, this will change in the next two years, as the USG relies
more and more on ECC itself.

Paul
