[dns-operations] ECDSA and Google Public DNS
Daisuke HIGASHI
daisuke.higashi at gmail.com
Thu Jan 16 17:28:26 UTC 2014
Hi,
I set up an experimental ECDSAP256SHA256-signed zone
and found that Google Public DNS treats this zone as insecure (AD bit not set).
Furthermore, it doesn't cache RRs at all (TTL=0).
$ dig @8.8.8.8 ecdsa.hdais.net +dnssec
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
ecdsa.hdais.net. 0 IN A ...
ecdsa.hdais.net. 0 IN RRSIG ...
Of course RSASHA256 zones are verified as secure and cached.
$ dig @8.8.8.8 www.hdais.net +dnssec
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.hdais.net. 10800 IN A ...
www.hdais.net. 10800 IN RRSIG ...
I suppose the Google Public DNS validator has no ECDSA support yet, but
I don't know why the RRs aren't cached.
Is there anything wrong with the configuration of my ECDSA zone?
Regards,
--
Daisuke HIGASHI <daisuke.higashi at gmail.com>