
Add support for Ed25519 in DNSSEC

Ondřej Surý requested to merge ed25519 into master

This MR adds support for the Ed25519 algorithm for DNSSEC. Key generation and signing work.

It needs https://gitlab.com/gnutls/gnutls/merge_requests/397 to be merged into GnuTLS first though.

But with a locally compiled GnuTLS you can get:

$ dig +noall +answer +dnssec +multi -p 25519 IN DNSKEY ed25519.cz @localhost
ed25519.cz.		60 IN DNSKEY 256 3 15 (
				wrE07TLibvLco5f2rgLc5f3BH6vRAcirNLrTUkPrTtc=
				) ; ZSK; alg = 15 ; key id = 61167
ed25519.cz.		60 IN DNSKEY 257 3 15 (
				/XVbeCuUGttNMaIf3AvCe7AtmZUAgfRWLM+c21kMRjM=
				) ; KSK; alg = 15 ; key id = 55499
ed25519.cz.		60 IN RRSIG DNSKEY 15 2 60 (
				20170729163713 20170715163713 55499 ed25519.cz.
				5yB006iyy5YGEcg5QAdyG7e5xc2/Bfcpe/+xeoq5ZgDW
				Ljm6T7Vvz/pjxclKqzi0t463xM1tA3dhOi0p8V6xCw== )

and

$ dig +noall +answer +dnssec +multi -p 25519 IN CDNSKEY ed25519.cz @localhost
ed25519.cz.		0 IN CDNSKEY 257 3 15 (
				/XVbeCuUGttNMaIf3AvCe7AtmZUAgfRWLM+c21kMRjM=
				) ; KSK; alg = 15 ; key id = 55499
ed25519.cz.		0 IN RRSIG CDNSKEY 15 2 0 (
				20170729163713 20170715163713 61167 ed25519.cz.
				Gx1kbV5hFYIZNDUqoTLwmc2X6fS6tQmrE7Yp6E+nTLNX
				fCInI7WFSfnTgpxp65S3BsZSD5HExeUD/THR/8rwBQ== )

Intentionally picking @lpeltan as reviewer as @dsalzman has a tendency to rewrite all my code :).

Edited by Ondřej Surý
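The DNSKEY records in the dig output above can be checked against the key ids dig prints. The following Python is an added example, not code from Knot DNS or GnuTLS: it parses the presentation-format RDATA, checks the constraints RFC 8080 places on algorithm 15 (protocol 3, a 32-byte raw public key) and computes the RFC 4034 Appendix B key tag; the two records and the expected ids 61167 and 55499 are the ones shown above.

```python
import base64

ED25519_ALG = 15          # DNSSEC algorithm number for Ed25519 (RFC 8080)
ED25519_KEY_LEN = 32      # raw Ed25519 public key length in bytes
FLAG_ZONE_KEY = 0x0100    # DNSKEY flag bit 7: Zone Key
FLAG_SEP = 0x0001         # DNSKEY flag bit 15: Secure Entry Point (KSK)


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY wire-format RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(presentation: str) -> dict:
    """Parse 'flags protocol algorithm base64key' as printed by dig +multi.

    Validates the Ed25519-specific constraints before the key tag is
    computed, so a malformed record is rejected rather than mis-tagged.
    """
    fields = presentation.split()
    flags, protocol, algorithm = (int(x) for x in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]), validate=True)
    if protocol != 3:
        raise ValueError(f"DNSKEY protocol must be 3, got {protocol}")
    if algorithm != ED25519_ALG:
        raise ValueError(f"expected algorithm {ED25519_ALG} (Ed25519), got {algorithm}")
    if len(pubkey) != ED25519_KEY_LEN:
        raise ValueError(f"Ed25519 key must be {ED25519_KEY_LEN} bytes, got {len(pubkey)}")
    if not flags & FLAG_ZONE_KEY:
        raise ValueError("Zone Key flag not set; record cannot sign zone data")
    # Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key.
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    return {
        "role": "KSK" if flags & FLAG_SEP else "ZSK",
        "keytag": keytag(rdata),
        "pubkey": pubkey,
    }


# RDATA of the two DNSKEY records from the dig output above.
ZSK_RDATA = "256 3 15 wrE07TLibvLco5f2rgLc5f3BH6vRAcirNLrTUkPrTtc="
KSK_RDATA = "257 3 15 /XVbeCuUGttNMaIf3AvCe7AtmZUAgfRWLM+c21kMRjM="

if __name__ == "__main__":
    for rec in (ZSK_RDATA, KSK_RDATA):
        key = parse_dnskey(rec)
        print(f"{key['role']}: key id = {key['keytag']}")  # 61167, then 55499
```

The same tag is the fifth field of each RRSIG above: the DNSKEY RRset is signed by 55499 (the KSK) and the CDNSKEY RRset by 61167 (the ZSK), which is how a validator picks the key to verify with.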
