My domain provider set up DS/DNSKEY records for me. But I also asked the provider to set up a .li and a .it domain.
He told me that he cannot enter the record for .it, but he can for .li; only the ECDSA/SHA-256 (13) algorithm is not available for .li, whereas RSA/SHA-256 (8) would be available.
Is there a way to get a DS record with the RSA/SHA-256 algorithm at deSEC?
Thanks for your message, and welcome to deSEC!
According to the Technical Guidelines from .it (Section 5.1), various algorithms are supported, including 13 (ECDSAP256SHA256).
The same is the case for the .li registry (see Section 3 in this document). In another document, the .li registry operator states that they made the same decision as deSEC, and always use the ECDSA algorithm for their own keys.
This means that the choice for ECDSA is common, and there are good reasons for it. Mainly, it produces much shorter signatures, eliminating several DNSSEC-related security and operational issues. We are not planning to go back to RSA.
If your domain provider has issues provisioning such DS records, it is fair to say that your provider’s DNSSEC support is not up to date. You may want to point the above things out to them, while hoping that they will add support for current best practices. If they don’t, it’s fair to say that their DNSSEC support is incomplete, and you should consider changing providers.
I’m sorry I have no better news! Still, I hope you can find a solution.
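The DS record's algorithm field is not something the registrant or the registry picks: it is copied from the DNSKEY the DS points at, and the digest is computed over the canonical owner name followed by the full DNSKEY RDATA. So a registry interface that provisions algorithm 8 but not 13 cannot take a DS for an ECDSA P-256 key, and no alternative DS can be produced for that key. The following Python script, added here as an illustration and not part of the forum thread or of deSEC's software, derives a DS record from a DNSKEY in presentation format according to RFC 4034 (key tag from Appendix B, digest from section 5.1.4). The key material is a constructed placeholder (64 bytes of 0x01, the length of a P-256 public key), not a real key, and the owner name `example.` is arbitrary.

```python
"""Derive a DS record from a DNSKEY record (RFC 4034 section 5, Appendix B).

Added illustration; not code from the forum thread or from deSEC.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-case labels,
    each prefixed by its length byte, terminated by the root label 0x00."""
    labels = [label for label in name.lower().strip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5, alg 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(text: str):
    """Parse DNSKEY presentation format such as '257 3 13 ( <base64, may be split by spaces> )'."""
    fields = [tok for tok in text.split() if tok not in ("(", ")")]
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))
    return flags, protocol, algorithm, pubkey


def make_ds(owner: str, dnskey_text: str, digest_type: int = 2) -> dict:
    """Build the DS record that authenticates the given DNSKEY.

    digest = hash(canonical owner name || DNSKEY RDATA)
    The algorithm field is copied from the DNSKEY and cannot be chosen independently,
    so an ECDSA P-256 key (13) can only ever yield an algorithm-13 DS record.
    """
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.new(DIGEST_TYPES[digest_type], wire_name(owner) + rdata).hexdigest().upper()
    tag = key_tag(rdata)
    owner_fqdn = owner.lower().strip(".") + "."
    return {
        "owner": owner_fqdn,
        "key_tag": tag,
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": digest,
        "record": f"{owner_fqdn} IN DS {tag} {algorithm} {digest_type} {digest}",
    }


# Constructed sample: a KSK (flags 257) using algorithm 13. The 64-byte "public key"
# is a placeholder (all 0x01 bytes) of the right length for P-256 (x || y); it is NOT a real key.
SAMPLE_PUBKEY = b"\x01" * 64
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(SAMPLE_PUBKEY).decode("ascii")


if __name__ == "__main__":
    ds = make_ds("example.", SAMPLE_DNSKEY)
    print(ds["record"])
    # A registry interface that only provisions algorithm 8 cannot take this record,
    # and there is no way to derive a different DS for the same key.
    print("DS algorithm:", ds["algorithm"], "(inherited from the DNSKEY, not selectable)")
```

To cross-check the implementation against real data, feed it the DNSKEY of any signed zone (for example from `dig +dnssec DNSKEY <zone>`) and compare the output with the DS your registrar or registry shows; the key tag, algorithm and SHA-256 digest must match exactly.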