Does NSD support ED25519 KSK/ZSK keys?

Vladimir_Lomov1 · March 26, 2019, 4:21am

Hello,

the current ldns-keygen/ldns-signzone doesn't support ED25519/ED448
KSK/ZSK keys while dnssec-keygen can generate ED25519 keys. I generated
ED25519 KSK and ZSK keys using dnssec-keygen, published them in zone
file, checked the zone file (it is Ok) and sign zone by dnssec-signzone.
Though NSD was restarted successfully I wonder (actually I concern) does
NSD works fine with such keys?

I'm asking because I faced with strange problem with one of Registrar
(name.com) which supports ED25519/ED448 keys but their web interface
being able retrieve DNSKEY record from my DNS server unable to register
on their side the DS record for my DNS server.

Could it be that NSD couldn't work with ED25519 and sending wrong data
to Registrar when it tries to form DS record?

Wouter · March 26, 2019, 6:56am

Hi Vladimir,

Yes, NSD supports that. Because NSD is designed to copy the data to the client, the signatures and the DNSKEY data can be sent straight away.

The support itself consists of code to parse identifiers used when reading the zone file. If that concluded successfully, then the further operations should be unproblematic.

ldns-keygen and ldns-signzone have been updated in the code repository with the new algorithms.

Best regards, Wouter