This domain is protected with DNSSEC algorithm 15 (Ed25519). It is hosted at domainname.shop. They sign all their zones using DNSSEC by default.
Ed25519 was standardized for use with DNSSEC in February 2017 (RFC8080) and has been a RECOMMENDED algorithm since June 2019 (RFC8624). It has been supported in the .no zone since February 2020. The latest stable versions of OpenSSL (3.x / 1.1.1) fully support Ed25519. All older versions (including 1.1.0, 1.0.2 and 1.0.0) are now out of support and users of these older versions are encouraged to upgrade to 3.x or 1.1.1 as soon as possible. Ed25519 is also supported by the public resolvers of CloudFlare (126.96.36.199), Google (188.8.131.52) and Quad9 (184.108.40.206), and it is expected to become the future RECOMMENDED default DNSSEC algorithm.
Ed25519 is an Edwards-curve Digital Signature Algorithm (EdDSA). Like other ellipctic curve algorithms, its main advantage over RSA is that it offers the same level of security with much shorter key lengths, leading to shorter DNSKEY and RRSIG records. This in turn means that most DNS responses will fit in a single UDP packet (<512 bytes), and the potential for DNS amplification DDoS attacks is greatly reduced. EdDSA also has a number of advantages over ECDSA algorithms such as DNSSEC algorithm 13 (ECDSA P-256) and 14 (ECDSA P-384): it is faster, it is not dependent on a unique random number when generating signatures, it is more resilient to side-channel attacks, and it is easier to implement correctly.
|Algorithm||DNSSEC algorithm number||Security level (bits)||DNSKEY length (bytes)||Sample DNSKEY (base64)|
Here is a list of current DNSSEC algorithms that your resolver supports, courtesy of rootcanary.org.
13: ECDSA P-256
14: ECDSA P-384
|DNSSEC validation succeeded for this DS and signing algorithm combination|
|This DS and signing algorithm combination are not validated by your resolver(s)|
|This DS and signing algorithm lead to a
The DNSThough project by NLnet Labs measures worldwide DNSSEC algorithm support and publishes updated statistics at regular intervals.
Here is a collection of tools to verify that DNSSEC has been correctly configured for a particular zone:
Below are a few links for further reading: