[dns-operations] ECDSA and Google Public DNS
Yunhong Gu
guu at google.com
Thu Jan 16 18:36:06 UTC 2014
Hi, Daisuke
I work on Google Public DNS. Yes, we do not support ECDSA yet. The 0-TTL is
probably an over-reaction on algorithms our software does not recognize. I
will see if I can get it reverted within the next few weeks.
Thanks,
Yunhong
On Thu, Jan 16, 2014 at 12:28 PM, Daisuke HIGASHI <daisuke.higashi at gmail.com> wrote:
> Hi,
>
> I set up an experimental ECDSAP256SHA256-signed zone
> and found that Google Public DNS treats this zone as insecure (ad-bit not
> set).
> Furthermore it doesn’t cache RRs at all. (TTL=0).
>
> $ dig @8.8.8.8 ecdsa.hdais.net +dnssec
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;; ANSWER SECTION:
> ecdsa.hdais.net. 0 IN A ...
> ecdsa.hdais.net. 0 IN RRSIG ...
>
>
> Of course RSASHA256 zones are verified as secure and cached.
>
> $ dig @8.8.8.8 www.hdais.net +dnssec
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;; ANSWER SECTION:
> www.hdais.net. 10800 IN A ...
> www.hdais.net. 10800 IN RRSIG ...
>
> I suppose Google Public DNS validator has no ECDSA support yet but
> I don’t know why RRs aren't cached.
>
> Any wrong configuration with my ECDSA zone?
>
> Regards,
> --
> Daisuke HIGASHI <daisuke.higashi at gmail.com>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
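The two dig queries quoted above compare, for the same resolver, an ECDSAP256SHA256-signed name against an RSASHA256-signed one and read off two things: whether the `ad` flag was set (the resolver validated the answer) and whether the TTLs are non-zero (the resolver will hold the records in cache). The following script, added here as an illustration and not code from the thread or from Google Public DNS, parses dig-style output for exactly those signals and reports the RRSIG algorithm numbers it sees (13 = ECDSAP256SHA256, 8 = RSASHA256, per the IANA DNSSEC algorithm registry). The two sample outputs are constructed for this example; the owner names, addresses, key tags and signature fields are made up, since the original post elides the RRSIG rdata.

```python
import re
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers for the algorithms most likely to appear.
ALGORITHM_NAMES = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
}

# Constructed sample: resolver returned the ECDSA-signed answer with no 'ad'
# flag and TTL 0, mirroring the behaviour described in the thread.
ECDSA_SAMPLE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
ecdsa.example.net. 0 IN A 192.0.2.10
ecdsa.example.net. 0 IN RRSIG A 13 3 3600 20140201000000 20140101000000 12345 ecdsa.example.net. c29tZXNpZw==
"""

# Constructed sample: RSASHA256-signed answer, validated ('ad') and cached.
RSA_SAMPLE = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.net. 10800 IN A 192.0.2.20
www.example.net. 10800 IN RRSIG A 8 3 10800 20140201000000 20140101000000 23456 example.net. c29tZXNpZw==
"""


@dataclass
class Verdict:
    flags: set
    ttls: list
    algorithms: list
    algorithm_names: list
    validated: bool   # True when the resolver set the 'ad' flag
    cached: bool      # False when any answer record carries TTL 0
    status: str


def parse_dig(text):
    """Extract header flags, answer-section TTLs and RRSIG algorithm numbers."""
    flags, ttls, algorithms = set(), [], []
    in_answer = False
    for line in text.splitlines():
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
            continue
        if not in_answer or not line.strip():
            continue
        # Presentation format: owner TTL class type rdata...
        fields = line.split()
        ttls.append(int(fields[1]))
        if fields[3] == "RRSIG":
            # RRSIG rdata: type-covered algorithm labels orig-TTL ...
            algorithms.append(int(fields[5]))
    return flags, ttls, algorithms


def assess(text):
    """Classify a resolver's handling of a signed answer from its dig output."""
    flags, ttls, algorithms = parse_dig(text)
    validated = "ad" in flags
    cached = bool(ttls) and all(t > 0 for t in ttls)
    names = [ALGORITHM_NAMES.get(a, f"unknown({a})") for a in algorithms]
    if validated and cached:
        status = "secure, cached"
    elif not validated and not cached:
        status = "insecure (no ad), not cached (TTL 0)"
    elif not validated:
        status = "insecure (no ad), cached"
    else:
        status = "secure, not cached (TTL 0)"
    return Verdict(flags, ttls, algorithms, names, validated, cached, status)


if __name__ == "__main__":
    for label, sample in (("ECDSA", ECDSA_SAMPLE), ("RSA", RSA_SAMPLE)):
        v = assess(sample)
        print(f"{label}: algorithms={v.algorithm_names} status={v.status}")
```

Run against real dig output, the same `assess()` call separates the three cases a validating resolver can produce: a validated answer (`ad` set, normal TTLs), an unvalidated-but-cached answer (a resolver that treats an unknown algorithm as insecure, as RFC 4035 intends), and the TTL-0 case from the thread, where records are served but never retained, so every client lookup goes back to the authoritative servers.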