[Yeti DNS Discuss] OT: migration to ECDSA / edwards curves

Andreas Schulze andreas.schulze at datev.de
Fri Aug 25 07:57:41 UTC 2017


Daniel gave me the impulse to play with ecdsa.
I just compared RSASHA256 with ECDSAP256SHA256

my testzone is a 500k file with ~13k entries

algo			signing time 		signed zone size
RSASHA256		25 sec.			15 Mb
ECDSAP256SHA256		 2 sec.			 8 Mb

using NSEC instead of NSEC3 save me only a megabyte signed zone size. No other difference.

I also signed two zones out of my bunch of parked domains:
wwwdatev.org (ECDSAP256SHA256) and wwwdatev.net (RSASHA256)

Identical length and zone content but again, different algorithms.
The response to zone apex for the "ECDSA" zone is 1206 byte while RSASHA256 generate 2938 byte data.
ESCDS save response sizes.

Now I'm aware off https://rootcanary.org/. It simply say "my infrastructure can handle both algorithms"

So what' is the show stopper? Why should one not use ECDSA (or the upcoming ed25519/ed448)?
At least EC signatures do avoid IPv6 UDP fragmentation in most cases.

A. Schulze

More information about the discuss mailing list