DNSSEC Algorithm 8

As of March 2021, it is not possible to enable Algorithm 8 for DNSSEC, even though it is required by the IETF spec:

Is there a specific reason that Cloudflare does not allow the option to use Algo 8? I understand that Algo 13 is pretty much definitively better, but some use cases need RSA based keys rather than ECDSA.
Is there a workaround that can be done to use Algo 8 without moving to a different DNS provider?

Well, from the documentation here:

Cloudflare’s chosen cipher suite (Algorithm 13, also known as ECDSA Curve P-256 with SHA-256), is not supported by some registrars. Note that some registrars support a different set of verification algorithms depending on the TLD.

If your registrar or TLD registry doesn’t support Algorithm 13, see section “What if my registrar or TLD doesn’t support DNSSEC?” on the next link: Understanding and configuring DNSSEC in Cloudflare DNS – Cloudflare Help Center

What if my registrar or TLD doesn’t support DNSSEC?

To enable DNSSEC, both your registrar and registry (TLD) need to support DNSSEC with Cloudflare’s preferred cipher choice, Algorithm 13.

Although DNSSEC support is required by ICANN and Algorithm 13 has been standardized for years, some registrars and registries do not support these protocols yet.

To try to get your registrar to support DNSSEC, you have three options:

  1. Contact your registrar to ask for DNSSEC with modern encryption. Many registrars are waiting to add support until they see higher demand, so by reaching out, you are letting them know that there is a need for DNSSEC with Algorithm 13.

  2. You can transfer your domain to a different registrar that supports DNSSEC with Algorithm 13, as listed in Step 2 above.

  3. Finally, you can file a complaint with ICANN, citing your registrar’s lack of compliance. ICANN requires registrars to support DNSSEC with all available DS algorithm types.

ICANN has no authority over country code TLDs (ccTLDs). Contact the ccTLD directly. IANA maintains a list of all delegated ccTLDs and their designated managers.

If support is lacking at the TLD level, try option 1 above. You can find the contact information for your TLD registry in the IANA Root Zone Database.
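To make concrete what a registrar is asked to accept when the thread talks about "DS algorithm types", here is an added example (not from this thread, Cloudflare, or its documentation) that builds the DS record for a KSK from its DNSKEY fields: the RFC 4034 key tag, the algorithm number (13 or 8), and the SHA-256 digest over the owner name and DNSKEY RDATA. The public keys are constructed placeholder bytes, not real keys; the owner name example.com is likewise an assumption.

```python
import base64
import hashlib
import struct

# DNSSEC algorithm numbers named in the thread (IANA DNSSEC algorithm registry).
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

# Constructed placeholder keys (not real keys): 64 bytes for P-256 (x||y),
# and exponent-length + exponent 65537 + 2048-bit modulus for RSA (RFC 3110 format).
P256_KEY_B64 = base64.b64encode(b"\x01" * 64).decode()
RSA_KEY_B64 = base64.b64encode(b"\x03\x01\x00\x01" + b"\x01" * 256).decode()

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of the owner name, RFC 4034 section 6.2."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (applies to every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, flags: int, algorithm: int, pubkey_b64: str) -> str:
    """DS RR (digest type 2 = SHA-256) that the parent zone / registrar must accept."""
    rdata = dnskey_rdata(flags, 3, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

if __name__ == "__main__":
    # A KSK has flags 257 (ZONE + SEP). The registrar only ever sees the DS line:
    # key tag, algorithm number, digest type, digest. A registrar that does not
    # support algorithm 13 rejects the first line below whatever the digest is.
    for alg, key in ((13, P256_KEY_B64), (8, RSA_KEY_B64)):
        print(ALGORITHMS[alg], "->", ds_record("example.com", 257, alg, key))
```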

I am afraid no.
Last year, I contacted my ccTLD registrar and had waited for almost 4 months for my ccTLD registrar to implement and add support for Algorithm 13.
Until then, there was no possibility to use DNSSEC with Cloudflare for my domains.


Cloudflare uses ECDSA for two reasons. Cloudflare live-signs the zones, and ECDSA signing is faster and less CPU intensive. The second reason is that the responses are smaller, and limit the ability of an attacker to use Cloudflare's DNS servers for amplification.


Cloudflare live-signs the zones, and ECDSA signing is faster and less CPU intensive.

While we do live signing, ECDSA (at least the curves P-256 and P-384, which are DNSSEC algorithms 13 and 14) is slightly slower than RSA depending on key size (https://www.researchgate.net/publication/282426588_Making_the_Case_for_Elliptic_Curves_in_DNSSEC).
However, as you mention, the DNS response is smaller and the algorithm is more secure than RSA, and those two factors are more important and tip the scale in favor of ECDSA (Ed25519 is supposedly faster though).


Thanks for the response. I understand that ECDSA is better than RSA due to multiple factors, but RSA is still standardized and has its own use cases over ECDSA regarding using the DNSSEC key for other uses (like crypto).
I was just wondering if there was some workaround to use RSA rather than ECDSA because I need an RSA based DNSSEC key rather than ECDSA for my use case.
