[dns-operations] ECDSA and Google Public DNS

Yunhong Gu guu at google.com
Thu Jan 16 18:36:06 UTC 2014


Hi, Daisuke

I work on Google Public DNS. Yes, we do not support ECDSA yet. The 0-TTL is
probably an over-reaction on algorithms our software does not recognize. I
will see if I can get it reverted within the next few weeks.

Thanks,
Yunhong


On Thu, Jan 16, 2014 at 12:28 PM, Daisuke HIGASHI <daisuke.higashi at gmail.com
> wrote:

> Hi,
>
> I set up an experimental ECDSAP256SHA256-signed zone
> and found that Google Public DNS treats this zone as insecure (ad-bit not
> set).
> Furthermore it doesn’t cache RRs at all. (TTL=0).
>
> $ dig @8.8.8.8 ecdsa.hdais.net +dnssec
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;; ANSWER SECTION:
> ecdsa.hdais.net.    0    IN    A ...
> ecdsa.hdais.net.    0    IN    RRSIG ...
>
>
> Of course RSASHA256 zones are verified as secure and cached.
>
> $ dig @8.8.8.8 www.hdais.net +dnssec
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> ;; ANSWER SECTION:
> www.hdais.net.     10800    IN    A    ...
> www.hdais.net.     10800    IN    RRSIG ...
>
> I suppose Google Public DNS validator has no ECDSA support yet but
> I don’t know why RRs aren't cached.
>
> Any wrong configuration with my ECDSA zone?
>
> Regards,
> --
>  Daisuke HIGASHI <daisuke.higashi at gmail.com>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20140116/f18ba6df/attachment.html>


More information about the dns-operations mailing list