Is there a specific reason that Cloudflare does not allow the option to use Algo 8? I understand that Algo 13 is pretty much definitively better, but some use cases need RSA based keys rather than ECDSA.
Is there a workaround that can be done to use Algo 8 without moving to a different DNS provider?
Cloudflare’s chosen cipher suite (Algorithm 13, also known as ECDSA Curve P-256 with SHA-256) is not supported by some registrars. Note that some registrars support a different set of verification algorithms depending on the TLD.
What if my registrar or TLD doesn’t support DNSSEC?
To enable DNSSEC, both your registrar and registry (TLD) need to support DNSSEC with Cloudflare’s preferred cipher choice, Algorithm 13.
Although DNSSEC support is required by ICANN and Algorithm 13 has been standardized for years, some registrars and registries do not support these protocols yet.
To try to get your registrar to support DNSSEC, you have three options:
Contact your registrar to ask for DNSSEC with modern encryption. Many registrars are waiting to add support until they see higher demand, so by reaching out, you are letting them know that there is a need for DNSSEC with Algorithm 13.
You can transfer your domain to a different registrar that supports DNSSEC with Algorithm 13, as listed in Step 2 above.
Finally, you can file a complaint with ICANN, citing your registrar’s lack of compliance. ICANN requires registrars to support DNSSEC with all available DS algorithm types.
ICANN has no authority over country code TLDs (ccTLDs). Contact the ccTLD directly. IANA maintains a list of all delegated ccTLDs and their designated managers.
I am afraid not.
Last year, I contacted my ccTLD registrar and waited almost 4 months for my ccTLD registrar to implement and add support for Algorithm 13.
Until then, there was no possibility to use DNSSEC with Cloudflare for my domains.
Cloudflare uses ECDSA for two reasons. Cloudflare live-signs the zones, and ECDSA signing is faster and less CPU intensive. The second reason is that the responses are smaller, which limits the ability of an attacker to use Cloudflare’s DNS servers for amplification.
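To put numbers on the size argument in the reply above, here is an added example (not code from this thread or from Cloudflare) that builds DNSKEY RDATA and a signature for both algorithms and computes the SHA-256 DS digest a registrar would take. It uses only the Go standard library; the owner name and the RRset bytes are constructed stand-ins, and a real signer would hash the canonical RRSIG RDATA plus RRset rather than the literal string used here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
)

// IANA DNSSEC algorithm numbers for the two algorithms discussed in the thread.
const (
	AlgRSASHA256       uint8 = 8  // RSA/SHA-256 (RFC 5702)
	AlgECDSAP256SHA256 uint8 = 13 // ECDSA P-256/SHA-256 (RFC 6605)
)

// KeySizes is what a resolver receives on the wire for one algorithm.
type KeySizes struct {
	Algorithm      uint8
	DNSKEYRdataLen int    // flags + protocol + algorithm + public key
	SignatureLen   int    // the signature field of an RRSIG
	DSDigest       string // hex digest for a DS record, digest type 2 (SHA-256)
}

// ownerNameWire encodes a name as lowercase length-prefixed labels, the
// canonical form RFC 4034 section 6.2 requires before hashing.
func ownerNameWire(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0)
}

// dnskeyHeader returns the fixed 4-byte DNSKEY RDATA prefix: flags, protocol (always 3), algorithm.
func dnskeyHeader(flags uint16, alg uint8) []byte {
	h := make([]byte, 4)
	binary.BigEndian.PutUint16(h, flags)
	h[2], h[3] = 3, alg
	return h
}

// dsDigestSHA256 is the DS digest of RFC 4034 section 5.1.4: SHA-256(owner wire || DNSKEY RDATA).
func dsDigestSHA256(owner string, dnskeyRdata []byte) string {
	h := sha256.New()
	h.Write(ownerNameWire(owner))
	h.Write(dnskeyRdata)
	return hex.EncodeToString(h.Sum(nil))
}

// measureECDSA generates a P-256 key and signs rrset as RFC 6605 specifies:
// the public key is the raw 64-byte X||Y and the signature is raw r||s, never DER.
func measureECDSA(owner string, rrset []byte) (KeySizes, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return KeySizes{}, err
	}
	rdata := append(dnskeyHeader(257, AlgECDSAP256SHA256), priv.X.FillBytes(make([]byte, 32))...)
	rdata = append(rdata, priv.Y.FillBytes(make([]byte, 32))...)
	digest := sha256.Sum256(rrset)
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return KeySizes{}, err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return KeySizes{AlgECDSAP256SHA256, len(rdata), len(sig), dsDigestSHA256(owner, rdata)}, nil
}

// measureRSA does the same for algorithm 8: RFC 3110 key encoding
// (exponent length, exponent, modulus) and a PKCS#1 v1.5 SHA-256 signature (RFC 5702).
func measureRSA(owner string, rrset []byte, bits int) (KeySizes, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return KeySizes{}, err
	}
	e := big.NewInt(int64(priv.E)).Bytes() // 65537 is 3 bytes, so a one-byte length prefix suffices
	rdata := append(dnskeyHeader(257, AlgRSASHA256), byte(len(e)))
	rdata = append(rdata, e...)
	rdata = append(rdata, priv.N.Bytes()...)
	digest := sha256.Sum256(rrset)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return KeySizes{}, err
	}
	return KeySizes{AlgRSASHA256, len(rdata), len(sig), dsDigestSHA256(owner, rdata)}, nil
}

func main() {
	owner := "example.net."                           // constructed sample apex, not real zone data
	rrset := []byte("example.net. 3600 IN A 192.0.2.1") // stand-in for the canonical RRset bytes
	ec, err := measureECDSA(owner, rrset)
	if err != nil {
		panic(err)
	}
	rs, err := measureRSA(owner, rrset, 2048)
	if err != nil {
		panic(err)
	}
	for _, k := range []KeySizes{ec, rs} {
		fmt.Printf("alg %2d: DNSKEY RDATA %3d bytes, RRSIG signature %3d bytes, DS digest %s\n",
			k.Algorithm, k.DNSKEYRdataLen, k.SignatureLen, k.DSDigest)
	}
}
```

Run it and the two lines show the point directly: an algorithm 13 key is 68 bytes of RDATA with a 64-byte signature, while an algorithm 8 key at 2048 bits is 264 bytes with a 256-byte signature, so every signed answer carries several times more RRSIG payload with RSA, which is what makes the server a better amplifier. The key tag in a DS record (RFC 4034 Appendix B) is not computed here; the digest shown is the part that depends on the algorithm choice.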
Thanks for the response. I understand that ECDSA is better than RSA due to multiple factors, but RSA is still standardized and has its own use cases over ECDSA when it comes to using the DNSSEC key for other purposes (like crypto).
I was just wondering if there was some workaround to use RSA rather than ECDSA because I need an RSA based DNSSEC key rather than ECDSA for my use case.