Changing DNSSEC algorithm

Is there an option to change the DNSSEC algorithm from RSA to ECDSA? I can't find it.

It seems to create RSA SHA 256 by default, which according to some sources is still the best choice, but ECDSA is also supported.

Just a guess. Is it installed and currently enabled on your OS?

Is this the info you seek?

The letsencrypt is set to ECC which is ECDSA but that is not the DNSSEC key.

My understanding is that letsencrypt is used to verify.

DNSSEC in virtualmin creates keys with algorithm 8 RSA SHA 256 and I would like to try 13 ECDSA.

My registrar seems to support algorithm 13.

More info:

ECDSA: The missing piece of DNSSEC | Cloudflare

This can be set in System Settings ⇾ Server Templates: DNS domain page using DNSSEC cryptographic algorithm option.


Thank you. I take it this is then for new domains once the template is changed? Can it be changed for existing ones?

For an existing domain, it can only be changed on the Webmin / Servers ⇾ BIND DNS Server: zone1.domain.com -> Setup DNSSEC Key page. Then, you would need to remove the existing key and create a new one with the desired algo.
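After recreating the key as described above, the zone's DNSKEY RRset and the DS records held at the registrar are worth checking against each other. This is an added Python example, not part of the thread or of Virtualmin: it parses DNSKEY records in presentation format, computes the key tag that a DS record refers to (RFC 4034 Appendix B), and lists what is still off after the switch: keys not on algorithm 13, a KSK with no DS at the registrar, or a DS that points at a key no longer in the zone. The sample records, the key bytes and the registrar's DS tag are constructed placeholders.

```python
import base64
from collections import namedtuple

# IANA DNSSEC algorithm numbers (8 is Virtualmin's default, 13 is the target)
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
             13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
KEY_LEN = {13: 64, 14: 96, 15: 32, 16: 57}  # fixed public-key sizes; RSA varies
DnsKey = namedtuple("DnsKey", "owner algorithm key_tag role")  # role: KSK or ZSK

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, the value a DS record refers to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line: str) -> DnsKey:
    """Parse one DNSKEY RR in presentation format (dig output or signed zone file)."""
    fields = [f for f in line.split(";")[0].split() if f not in ("(", ")")]
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    if proto != 3:
        raise ValueError(f"DNSKEY protocol must be 3, got {proto}")
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    if alg in KEY_LEN and len(pubkey) != KEY_LEN[alg]:
        raise ValueError(f"algorithm {alg} needs a {KEY_LEN[alg]}-byte key, got {len(pubkey)}")
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    # SEP flag (bit value 1) marks the key the registrar's DS record must point at
    return DnsKey(fields[0], alg, key_tag(rdata), "KSK" if flags & 1 else "ZSK")

def rollover_check(keys: list, ds_tags: set, want_alg: int = 13) -> list:
    """List what is still wrong: keys not on want_alg, KSKs lacking a DS, stale DS."""
    problems = []
    for k in keys:
        if k.algorithm != want_alg:
            name = ALG_NAMES.get(k.algorithm, "unknown")
            problems.append(f"{k.role} tag {k.key_tag}: algorithm {k.algorithm} ({name}), want {want_alg}")
        if k.role == "KSK" and k.key_tag not in ds_tags:
            problems.append(f"KSK tag {k.key_tag}: no DS record at the registrar")
    for t in ds_tags - {k.key_tag for k in keys}:
        problems.append(f"DS tag {t}: no matching DNSKEY in the zone")
    return problems

# Constructed sample (placeholder key bytes, not real keys): new ECDSA KSK beside the old RSA KSK
NEW_KSK = "zone1.domain.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(bytes(range(64))).decode()
OLD_KSK = ("zone1.domain.com. IN DNSKEY 257 3 8 ( "
           + base64.b64encode(b"\x03\x01\x00\x01" + bytes(4)).decode() + " ) ; old RSA key")
ZONE_KEYS = [parse_dnskey(NEW_KSK), parse_dnskey(OLD_KSK)]
REGISTRAR_DS_TAGS = {1803}  # constructed: only the old key's DS is published
```

A DS at the registrar that points at a key no longer in the zone is the state in which validating resolvers reject the zone, so run the check before the old key is removed and again after the new DS is published.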

Just to let people know, also delete the TLSA records and re-add them in Virtualmin for that domain under DNS Settings > DNS options.

I think it should be considered to make ECDSA the default now instead of RSA for DNSSEC in virtualmin.

Granted, this is a proposed standard, but I see that in practice it is already well supported:

RFC 8624 - Algorithm Implementation Requirements and Usage Guidance for DNSSEC (ietf.org)

RSASHA256 is widely used and considered strong. It has been the default algorithm for a number of years and is now slowly being replaced with ECDSAP256SHA256 due to its shorter key and signature size, resulting in smaller DNS packets.

Due to the industry-wide trend towards elliptic curve cryptography, ECDSAP256SHA256 is the RECOMMENDED DNSKEY algorithm for use by new DNSSEC deployments, and users of RSA-based algorithms SHOULD upgrade to ECDSAP256SHA256.

The .com TLD zone also uses ECDSA, as does .net. Some are on RSA, and the root remains on RSA.