[Yeti DNS Discuss] OT: migration to ECDSA / edwards curves
andreas.schulze at datev.de
Fri Aug 25 07:57:41 UTC 2017
Daniel gave me the impulse to play with ECDSA.
I just compared RSASHA256 with ECDSAP256SHA256.
My test zone is a 500k file with ~13k entries.
algo              signing time   signed zone size
RSASHA256         25 sec.        15 Mb
ECDSAP256SHA256    2 sec.         8 Mb
Using NSEC instead of NSEC3 saves me only a megabyte of signed zone size. No other difference.
I also signed two zones out of my bunch of parked domains:
wwwdatev.org (ECDSAP256SHA256) and wwwdatev.net (RSASHA256)
Identical length and zone content, but again, different algorithms.
The response to the zone apex for the "ECDSA" zone is 1206 bytes, while RSASHA256 generates 2938 bytes of data.
ECDSA saves response sizes.
Now I'm aware of https://rootcanary.org/. It simply says "my infrastructure can handle both algorithms".
So what is the show stopper? Why should one not use ECDSA (or the upcoming ed25519/ed448)?
At least EC signatures do avoid IPv6 UDP fragmentation in most cases.
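The size argument above can be made concrete by counting wire-format bytes. The following is an added example, not code from the original post or from the Yeti project: it estimates the size of a DNSKEY-query response at the apex of a zone for RSASHA256 versus ECDSAP256SHA256 and checks the result against the IPv6 minimum MTU. Assumptions not stated in the post: RSA uses a 2048-bit key with a 3-byte exponent, the DNSKEY RRset holds a KSK and a ZSK and is signed once, an 11-byte OPT record is present, and owner names are not compressed (so the estimate is an upper bound for that record set).

```python
# Added example: estimate DNSSEC response sizes for RSASHA256 vs ECDSAP256SHA256.
# Assumptions (not from the post): RSA-2048 with exponent 65537, DNSKEY RRset of
# two keys signed once, one OPT record, no name compression.

IPV6_MIN_MTU = 1280       # RFC 8200 minimum link MTU; larger UDP datagrams may fragment
EDNS_SAFE_BUFSIZE = 1232  # buffer size widely adopted after the 2020 DNS flag day

# DNSKEY RDATA = flags(2) + protocol(1) + algorithm(1) + public key
DNSKEY_RDATA_LEN = {
    "RSASHA256": 4 + 1 + 3 + 256,  # exponent-length byte, 3-byte exponent, 2048-bit modulus
    "ECDSAP256SHA256": 4 + 64,     # uncompressed P-256 point x||y (RFC 6605)
}
# Signature field length inside an RRSIG for each algorithm
SIG_LEN = {"RSASHA256": 256, "ECDSAP256SHA256": 64}


def wire_name_len(name: str) -> int:
    """Length of an uncompressed wire-format domain name (labels + root label)."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def rr_wire_len(owner: str, rdata_len: int) -> int:
    """owner name + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA."""
    return wire_name_len(owner) + 10 + rdata_len


def rrsig_rdata_len(algo: str, signer: str) -> int:
    """RRSIG RDATA: 18 fixed bytes (type covered, alg, labels, original TTL,
    expiration, inception, key tag) + signer name + signature."""
    return 18 + wire_name_len(signer) + SIG_LEN[algo]


def apex_dnskey_response_len(zone: str, algo: str, keys: int = 2, rrsigs: int = 1) -> int:
    """Estimated UDP payload of a DNSKEY query response at the zone apex."""
    header = 12
    question = wire_name_len(zone) + 4  # QNAME + QTYPE + QCLASS
    answer = keys * rr_wire_len(zone, DNSKEY_RDATA_LEN[algo])
    answer += rrsigs * rr_wire_len(zone, rrsig_rdata_len(algo, zone))
    opt = 11  # OPT pseudo-RR with empty RDATA
    return header + question + answer + opt


def fragmentation_status(payload_len: int) -> str:
    """Classify a response size against the IPv6 minimum MTU and the
    common EDNS buffer size (IPv6 + UDP headers add 48 bytes)."""
    if payload_len + 48 <= EDNS_SAFE_BUFSIZE:
        return "fits in a single unfragmented datagram"
    if payload_len + 48 <= IPV6_MIN_MTU:
        return "fits the IPv6 minimum MTU but exceeds the common EDNS buffer"
    return "likely fragmented or forced to TCP"


def compare(zone: str) -> dict:
    """Return {algo: (estimated bytes, status)} for both algorithms."""
    return {
        algo: (apex_dnskey_response_len(zone, algo),
               fragmentation_status(apex_dnskey_response_len(zone, algo)))
        for algo in ("RSASHA256", "ECDSAP256SHA256")
    }


if __name__ == "__main__":
    # The post's parked domains, used here only as sample owner names.
    for zone in ("wwwdatev.org", "wwwdatev.net"):
        for algo, (size, status) in compare(zone).items():
            print(f"{zone:14} {algo:16} ~{size:5d} bytes  {status}")
```

With the stated assumptions the RSA response is roughly 2.7 times the ECDSA one; adding a second RRSIG (both KSK and ZSK signing the DNSKEY RRset) or more keys during a rollover pushes the RSA case toward the IPv6 minimum MTU much faster than the ECDSA case, which is the fragmentation point raised above.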