Hello.
On 23/07/2021 16.13, Schindler, Stefan wrote:
> Because for some reason a lot of ISP resolvers support RSA only while
> I would like to future-proof my zone with ED25519 at the same time.
As the current DNSSEC standards go, I think it's normally not worth
using two algorithms at once on a single zone (except temporarily when
changing from one to another). Validators will succeed when validation
with *any* of the algorithms succeeds. Therefore adding a stronger algo
won't make the result stronger (attackers can choose which one to
compromise) - at least until the weaker algo gets (commonly) considered
as insecure.
Weirdly enough, DNSSEC validators do not do that even with short RSAs -
one problem is that the standardized (non-)support mechanism is
independent of key length. That's OK for the new fixed-length algos but
not so much for RSA.
--Vladimir | knot-resolver.cz
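The validator behaviour the reply describes (accept as soon as one signature under one supported algorithm verifies; skip signatures whose algorithm the validator does not implement; treat a zone whose keys use no supported algorithm as unsigned rather than bogus) can be modelled in a few lines. The following is an added example, not code from the thread or from Knot Resolver. It is a toy: a "signature" is an HMAC keyed with the zone's secret, standing in for the RSA/Ed25519 signature and public-key check that a real validator performs, and the RRset, key material and addresses are constructed for the example. The algorithm numbers 8 (RSASHA256) and 15 (ED25519) are the real IANA values.

```python
"""Toy model of DNSSEC algorithm selection in a validator (added example)."""
import hashlib
import hmac

# IANA DNSSEC algorithm numbers.
RSASHA256 = 8
ED25519 = 15

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


class ZoneKey:
    """Stand-in for a DNSKEY. `bits` is only metadata: the algorithm number
    says nothing about RSA key length, which is the last point of the post."""

    def __init__(self, algorithm, secret, bits=None):
        self.algorithm = algorithm
        self._secret = secret      # toy private key; HMAC replaces real signing
        self.bits = bits

    def _mac(self, rrset):
        return hmac.new(self._secret, rrset, hashlib.sha256).digest()

    def sign(self, rrset):
        return (self.algorithm, self._mac(rrset))      # (algorithm, signature)

    def verify(self, rrset, sig):
        alg, mac = sig
        return alg == self.algorithm and hmac.compare_digest(mac, self._mac(rrset))


class Validator:
    def __init__(self, supported):
        self.supported = frozenset(supported)   # algorithm numbers it implements

    def validate(self, rrset, rrsigs, dnskeys):
        # If no key uses an algorithm this validator implements, the zone is
        # treated as unsigned (insecure), not as a validation failure.
        if not any(k.algorithm in self.supported for k in dnskeys):
            return INSECURE
        # One verifying signature under one supported algorithm is enough.
        # Signatures in unsupported algorithms are skipped, and nothing
        # requires every algorithm in the key set to have a signature.
        for sig in rrsigs:
            alg, _ = sig
            if alg not in self.supported:
                continue
            for key in dnskeys:
                if key.algorithm == alg and key.verify(rrset, sig):
                    return SECURE
        return BOGUS


def run_scenarios():
    """Returns the validation outcome for each constructed scenario."""
    rrset = b"www.example. IN A 192.0.2.1"            # constructed RRset
    rsa = ZoneKey(RSASHA256, b"rsa-private-key-material", bits=2048)
    ed = ZoneKey(ED25519, b"ed25519-private-key-material")
    dnskeys = [rsa, ed]                                 # dual-signed zone
    genuine = [rsa.sign(rrset), ed.sign(rrset)]

    rsa_only = Validator({RSASHA256})                   # the typical ISP resolver
    both = Validator({RSASHA256, ED25519})
    ed_only = Validator({ED25519})                      # a validator that dropped RSA

    # Attacker who compromised only the RSA key forges an answer with it.
    forged_rrset = b"www.example. IN A 203.0.113.66"
    stolen_rsa = ZoneKey(RSASHA256, b"rsa-private-key-material", bits=2048)
    forged = [stolen_rsa.sign(forged_rrset)]

    # A 1024-bit RSA key carries the same algorithm number as a 2048-bit one.
    short_rsa = ZoneKey(RSASHA256, b"short-rsa-key-material", bits=1024)

    return {
        "rsa_only_genuine": rsa_only.validate(rrset, genuine, dnskeys),
        "both_genuine": both.validate(rrset, genuine, dnskeys),
        "both_forged_via_rsa": both.validate(forged_rrset, forged, dnskeys),
        "ed_only_genuine": ed_only.validate(rrset, genuine, dnskeys),
        "ed_only_forged_via_rsa": ed_only.validate(forged_rrset, forged, dnskeys),
        "rsa_only_ed25519_zone": rsa_only.validate(rrset, [ed.sign(rrset)], [ed]),
        "both_short_rsa": both.validate(rrset, [short_rsa.sign(rrset)], [short_rsa]),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:28s} {result}")
```

The `both_forged_via_rsa` case is the one the reply is about: a validator that supports both algorithms still accepts the answer forged with the compromised RSA key, so the Ed25519 signature adds nothing until validators stop implementing the weaker algorithm (`ed_only_forged_via_rsa` comes back bogus). `both_short_rsa` shows the key-length point: the validator only ever looks at the algorithm number, so a short RSA key is treated exactly like a long one.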