19923208953

Committed 04 Dec 2025 08:56AM UTC coverage: 83.125% (+0.5%) from 82.58%

Build # 19923208953

Build Type

push

github

Committed by

web-flow

Commit Message

Implement support for ed25519 and ed448 cryptography (#90)

Since we've already added support for ECDSA as in [RFC6605](https://datatracker.ietf.org/doc/rfc6605/), I thought of, well, there are much stronger and efficient elliptic curves out there...

---

Consider the drivers for implementing elliptic-curve cryptography to begin with: for the same security factor, we have way smaller keys, which translates into much smaller network packets, and a couple orders of magnitude performance improvements. So, when the de-facto _standard_ is RSA-3072, this gives us 128bits of entropy and a key size of 388bytes. Now:

| Algorithm | Entropy (bits) | Key Size (bytes) | number of signatures per second |
| :--- | :--- | :--- | :--- |
| RSA | 128 | 388 | 1050 |
| ECDSA-P256 | 128 | 64 | 94020 |
| ECDSA-P384 | 192 | 96 | 10460 |
| Ed25519 | 128 | 32 | 64203 |
| Ed448 | 224 | 56 | 31308 |

Reference:
- [RFC8080](https://datatracker.ietf.org/doc/rfc8080/)
- https://ed25519.no/ and https://ed448.no/
- `openssl speed -seconds 1 rsa3072 ecdsap256 ecdsap384 ed25519 ed448` on my mac M4

Note, [RFC8624](https://datatracker.ietf.org/doc/rfc8624) recommends them, Ed25519 is even declared as a must.

---

For transparency, cursor helped massively. Prompt and summary as generated below, 99% of the code done in less than one minute. Then I took a bit to super carefully clean it up.

PROMPT:
See how in recent commits I've added support for ECDSAP256SHA256 and ECDSAP384SHA384, and now add support, and tests, for ed25519 and ed448 following the definitions from RFC8080.

SUMMARY:

Added support for ed25519 and ed448 DNSSEC algorithms per RFC8080, following the ECDSA implementation pattern.

Changes Made:

1. Algorithm definitions (include/dns_terms.hrl): • Added DNS_ALG_ED25519 (algorithm 15) • Added DNS_ALG_ED448 (algorithm 16)
2. Type definitions: • Updated dns_records.hrl to include ed25519/ed448 in RRSIG alg types • Updated dns.erl to include ed25519/ed448 in alg type • Update... (continued)

Run Details

16 of 24 new or added lines in 4 files covered. (66.67%)

63 existing lines in 5 files now uncovered.

1798 of 2163 relevant lines covered (83.13%)

1240.37 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

80.52

/src/dns_encode.erl

dnsimple / dns_erlang / 19923208953

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous