DNS ccTLD registry does not support Algorithm 13 for DNSSEC - any other options available?

I wonder what we can do if our DNS ccTLD registry currently (only) supports the DNSSEC algorithms listed below:

  • 3, 5, 6, 7, 8, 10

CloudFlare offers to add DNSSEC for the domain, but with algorithm 13, which is not supported by the ccTLD registry.

What other options have we got?

Thank you for your answer and help.

That is a question for the Croatian registry I am afraid.

Apart from algorithm 8, all these algorithms either must not be implemented to begin with or are not recommended, whereas the algorithm in question is actually a mandatory one.


Yes, exactly - .hr (Croatian) ccTLD registry.

This is the response I got from them:

> In the administration interface unfortunately you cannot select algorithm 13. You can only select the options visible in the drop-down menu.

The options in the drop-down menu for the algorithm are 3, 5, 6, 7, 8 and 10.

What a sad day for me …

I was so close, and then again, nothing. Helpless …

You might want to point out to them that their choice of algorithms is not really RFC compliant and they support algorithms which specifically should not be implemented for security reasons.


Will do, I will kindly ask them. If not, I believe I can raise it with ICANN Compliance, as stated here:

You won't be able to file a complaint here. The registry is not required to support DNSSEC. What you linked to refers to registrars who operate under ICANN rules, but this does not exactly include country-specific top-level domains.


Does anyone have experience with this when I have sub-domains and a custom DNSKEY provided by ISPConfig?

I mean, I have the main domain example.com signed with one key.

Moreover, as far as I can see, I have three more sub-domains, all signed with a different key than the main domain:

As well as mail.example.com and mail.app.example.com?

My gosh … too much complication because of it!! It just had to support algorithm 13, and all the problems and issues would go away right away with one CloudFlare DS record …

I see I can add more than one DS record through the ccTLD interface for my .hr domain.
Should I add all of them right there to get my sub-domains signed as well and keep DNSSEC working as expected?

Ohh … just great one …

Fun fact: after adding the DS record through the ccTLD administration interface and on the CloudFlare DNS (regarding the latest topic about adding the DNSKEY with values 256 and 257 for the “Flags” field, which cannot be added because only values 0-255 are accepted), now it cannot be validated either …

  • this result is shown using the DS record generated through ISPConfig (algorithm 7, which is supported by the ccTLD domain registry and the web hosting)
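The posts above turn on three separate facts: which DNSSEC algorithm a DNSKEY uses, whether that algorithm is on the registry's accepted list (and how RFC 8624 rates it), and which DNSKEY the registry-side DS record must describe (the KSK, flags 257, not the ZSK, flags 256). The following script is an added example, not code from the thread, Cloudflare or ISPConfig: it parses a DNSKEY in presentation format, computes the RFC 4034 key tag and a SHA-256 DS record (RFC 4509), and reports whether the key is something the .hr drop-down would accept. The DNSKEY material is a constructed dummy byte string, not a real ECDSA public key; the registry algorithm set is the one quoted in the thread.

```python
import base64
import hashlib

# Algorithm status for DNSSEC signing per RFC 8624, section 3.1 (as published).
ALGORITHM_STATUS = {
    1: ("RSAMD5", "MUST NOT"),
    3: ("DSA", "MUST NOT"),
    5: ("RSASHA1", "NOT RECOMMENDED"),
    6: ("DSA-NSEC3-SHA1", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED"),
    8: ("RSASHA256", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED"),
    12: ("ECC-GOST", "MUST NOT"),
    13: ("ECDSAP256SHA256", "MUST"),
    14: ("ECDSAP384SHA384", "MAY"),
    15: ("ED25519", "RECOMMENDED"),
    16: ("ED448", "MAY"),
}

# Algorithms offered by the .hr registry drop-down, as reported in the thread.
HR_REGISTRY_ALGORITHMS = {3, 5, 6, 7, 8, 10}


def parse_dnskey(record: str):
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm base64...'."""
    fields = record.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split over several fields
    return owner, flags, proto, alg, pubkey


def dnskey_rdata(flags: int, proto: int, alg: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(owner: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner: str, flags: int, proto: int, alg: int, pubkey: bytes) -> str:
    """DS RR, digest type 2 (SHA-256) over owner name + DNSKEY RDATA (RFC 4509)."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"


def check_key(record: str, registry_algs=HR_REGISTRY_ALGORITHMS) -> dict:
    """Classify a DNSKEY and say whether a DS for it can go to the registry."""
    owner, flags, proto, alg, pubkey = parse_dnskey(record)
    name, status = ALGORITHM_STATUS.get(alg, ("unknown", "unknown"))
    is_ksk = bool(flags & 0x0001)  # SEP bit: 257 = zone key + SEP (KSK), 256 = ZSK only
    return {
        "owner": owner,
        "role": "KSK" if is_ksk else "ZSK",
        "algorithm": alg,
        "algorithm_name": name,
        "rfc8624_status": status,
        "registry_accepts": alg in registry_algs,
        "submit_ds": is_ksk and alg in registry_algs,
        "ds": ds_record(owner, flags, proto, alg, pubkey) if is_ksk else None,
    }


# Constructed sample: 64 dummy bytes standing in for a public key (not a real ECDSA point).
DUMMY_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KSK = f"example.com. IN DNSKEY 257 3 13 {DUMMY_KEY_B64}"
SAMPLE_ZSK = f"example.com. IN DNSKEY 256 3 13 {DUMMY_KEY_B64}"

if __name__ == "__main__":
    for rec in (SAMPLE_KSK, SAMPLE_ZSK):
        for key, value in check_key(rec).items():
            print(f"{key}: {value}")
        print()
```

Run it against the DNSKEY your signer actually publishes (`dig DNSKEY example.com +short` gives the presentation format the parser expects, prefixed with the owner name). Only the KSK's DS is meaningful at the registry; a DS for the ZSK buys nothing. For the sub-domain question raised above: a DS record always lives in the parent zone of a delegation, so the registry only ever needs the DS of the zone apex KSK; names such as mail.example.com that are plain records inside the example.com zone are covered by that zone's signatures, and a separately delegated child zone would get its DS in example.com itself, not at the registry.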

All right, after trying to get it working, nothing can be done or fixed, at least not for now.

I canceled the CloudFlare DNSSEC option long ago.
Also removed the added DS record from the ccTLD registry and on the CloudFlare DNS dashboard.

Waiting for my website to, hopefully, work again in the next 8 hours … if so …

Will do my best to urge the ccTLD team to support algorithm 13 for DNSSEC, hopefully by the end of 2020.

Staying put and prepared, in case they support it as soon as possible …

Minor correction: 15 and 16 aren’t “not recommended”. 15 is recommended, 16 is optional. Many people regard EdDSA as being more secure than ECDSA, and it’s generally less controversial, but it’s not as widely supported (though that’s changing).

To future readers who may be landing here from a search engine at some point in the future: there’s a good chance 13 is no longer the favored option now; double-check which algorithm you actually need before contacting your registrar. It may be 15, or it may be something else entirely.

I am not sure what you mean. I didn't say they weren't.


Sorry, misunderstood. I thought you meant all the algorithms on the Wikipedia page, not in the original post.
