On 4/27/21 22:56, Arne Jensen wrote:

In the end, I would simply set up everything with 14 4, a.k.a. ECDSAP384SHA384, unless any customers/clients could provide valid justification (including evidence) why it "cannot" be used, such as e.g. a TLD not supporting it, could be valid justification to make an exception for that particular TLD. But in order to make that exception, there would need to be evidence (from the customer/client) documenting the claim, so they cannot just go with "I don't like this algorithm", or other useless crap to go down to for example SHA1.

It would likewise be mandatory, if I had anything to say, for public sector/government and financial institutions (banks, card issuers, and so on), to run DNSSEC and to always secure that they had the strongest possible algorithms on it.


NB: The reason I'm writing 14 4, a.k.a. ECDSAP384SHA384 all along is that I've seen DNSSEC signatures with 14 2 (ECDSAP384SHA256), which I would find quite weird.


I've been happy with ECDSAP384SHA384 for a few months now. No issues to report. All works. My registrar supports it. End of.

The only other thing I can say to the OP is the whether the registrar supports the uploading of DS records, or derives the DS record from the DNSKEY you submit to them. From another list discussion a while back, the world appears to be split 50/50 on this.

Mark.