John Levine wrote:
> Are there any published numbers estimating how well the various DNSSEC
> algorithms are supported in DNS caches and client software?
>
> Or to put it another way, were I to switch from signing with
> algorithm 8 to 13, how much would I regret it?

If I recall correctly, one of the major issues with ECDSA support was the lack of support on some commercial OSes; e.g. it had been intentionally disabled on RHEL. It looks like support for ECDSA with P-256/P-384 in OpenSSL was enabled in RHEL 6.5 [0], which was released in 2013.

[0] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.5_release_notes/bh-chap-security

-- 
Robert Edmonds
