ed25519 for DNSSEC

Ed25519 is a public-key signature system invented by Bernstein et al. that is standardized for use in internet protocols as RFC 8032. In RFC 8080, ed25519 (and ed448) were standardized for use in DNSSEC in February 2017.

This domainname, is DNSSEC signed with this algorithm.

Why use ed25519 for DNSSEC signatures?

ed25519, as an elliptic curve cryptography(ECC) signature algorithm, offers high security signatures in a small signature size. A 256 bit ECC key has similar security properties to 3072 bit RSA signatures (see table 3, page 53 of NIST SP 800-57).

As an example, an ed25519 signature is 64 bytes long, compared to 256 bytes for an RSA 2048 signature. These smaller signatures ensure that DNS amplification attacks are less severe than before, without sacrificing the security of DNSSEC.

So what about EcDSA (also standardized for use in DNSSEC)? EcDSA requires random data when signing, this can lead to leaking the private key when bad random data is used. Deterministic EcDSA does exists, alleviating the need for this. ed25519, however, only requires random data when generating the private key.

DNS software supporting ed25519

This is an incomplete list of DNS tools and servers that support or will support ed25519:

DNS software not supporting ed25519

And an incomplete list of tools and servers that do not support ed25519: