I wonder what can we do if our DNS ccTLD registry currently (only) supports the algorithms for DNSSEC as listed below:
CloudFlare offers to add DNSSEC for the domain, but with algorithm 13, which is not supported by the ccTLD registry.
What other options have we got?
Thank you for answer and help.
That is a question for the Croatian registry I am afraid.
Apart from algorithm 8 all these algorithms either must not be implemented to begin with or are not recommended, whereas the algorithm in question is actually a mandatory one.
You might want to point out to them that their choice of algorithms is not really RFC compliant and they support algorithms which specifically should not be implemented for security reasons.
Will do, kindly ask them. If not, I believe I can urge that with ICANN compliant?, as stated here:
https://support.cloudflare.com/hc/en-us/articles/360006660072-Understanding-and-Configuring-DNSSEC-in-Cloudflare-DNS#nodnssec
You wont be able to file a complaint here. The registry is not required to support DNSSEC. What you linked to refers to registrars who operate under ICANN rules, but this does not exactly include country specific top-level domains.
Does anyone have experience if I have sub-domains and custom DNSKEY provided from the ISPConfig?
I mean, I have the main domain example.com signed with one key.
Moreover, as far as I can see, I have three more sub-domains, all signed with a different key than the main domain:
As well as the mail.example.com and mail.app.example.com?
My gosh … to much complication because of it!! It just had to support the algorithm 13, and all the problems and issues should go right away with one Cloudflare DS record … 
I see I can add more than one DS record through the domain ccTLD interface for my ccTLD .hr domain.
Should I add all of them right there to got my sub-domains signed as well and keep DNSSEC working as expected?
Ohh … just great one …
Allright, after trying to get it working, nothing can be done and fixed at least not for now.
I canceled CloudFlare DNSSEC option long ago.
Also remowed the added DS record from the ccTLD registry and on the CloudFlare DNS dashboard.
Waiting for my website to, hopefully, work again in the next 8 hours … if so …
Will do my best to urge the ccTLD team to support algorithm 13 for DNSSEC hopefully to support it till the end of year 2020.
Minor correction: 15 and 16 aren’t “not recommended”. 15 is recommended, 16 is optional. Many people regard EdDSA as being more secure than ECDSA, and it’s generally less controversial, but it’s not as widely supported (though that’s changing).
To future readers who may be landing here from a search engine at some point in the future: there’s a good chance 13 is no longer the favored option now; double-check which algorithm you actually need before contacting your registrar. It may be 15, or it may be something else entirely.
I am not sure what you mean. I didnt say they werent.
Sorry, misunderstood. I thought you meant all the algorithms on the Wikipedia page, not in the original post.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.