Hi,

I set up an experimental ECDSAP256SHA256-signed zone and found that Google Public DNS treats this zone as insecure (AD bit not set). Furthermore, it doesn't cache RRs at all (TTL=0).

$ dig @8.8.8.8 ecdsa.hdais.net +dnssec

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
ecdsa.hdais.net.   0   IN   A      ...
ecdsa.hdais.net.   0   IN   RRSIG  ...

Of course, RSASHA256 zones are verified as secure and cached.

$ dig @8.8.8.8 www.hdais.net +dnssec

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.hdais.net.   10800   IN   A      ...
www.hdais.net.   10800   IN   RRSIG  ...

I suppose the Google Public DNS validator has no ECDSA support yet, but I don't know why the RRs aren't cached. Is there any wrong configuration with my ECDSA zone?

Regards,
-- 
Daisuke HIGASHI <[email protected]>

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
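The two symptoms in the post (no AD bit, TTL 0) are exactly the things worth checking mechanically when comparing how a resolver handles zones signed with different DNSSEC algorithms. The script below is an added example, not part of Daisuke's post or of any tool the list discusses: it parses saved `dig +dnssec` output, reports whether the answer was validated (AD flag in the header), whether it is being cached (smallest TTL in the ANSWER section greater than zero), and which algorithm numbers appear in the RRSIGs (13 is ECDSAP256SHA256, 8 is RSASHA256 per the IANA registry). The two sample outputs embedded in it are constructed to mirror the post; the addresses, RRSIG fields and signatures are illustrative values, not captured traffic.

```python
"""Classify saved dig output: was the answer DNSSEC-validated (AD bit set),
is it being cached (TTL > 0), and which DNSSEC algorithms signed it?"""
import re
from dataclasses import dataclass, field

# Constructed sample outputs modelled on the two queries in the post above.
# Addresses, RRSIG fields and signature data are illustrative values only.
ECDSA_ZONE_OUTPUT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
ecdsa.hdais.net.  0  IN  A      192.0.2.1
ecdsa.hdais.net.  0  IN  RRSIG  A 13 3 3600 20131231000000 20131201000000 12345 ecdsa.hdais.net. abc=
"""

RSA_ZONE_OUTPUT = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.hdais.net.  10800  IN  A      192.0.2.2
www.hdais.net.  10800  IN  RRSIG  A 8 3 10800 20131231000000 20131201000000 54321 hdais.net. abc=
"""

# IANA DNSSEC algorithm numbers for the two algorithms the post compares.
ALGORITHM_NAMES = {8: "RSASHA256", 13: "ECDSAP256SHA256"}

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


@dataclass
class Verdict:
    validated: bool   # AD bit present in the header flags
    min_ttl: int      # smallest TTL in the ANSWER section
    algorithms: set = field(default_factory=set)  # algorithm numbers seen in RRSIGs

    @property
    def cached(self):
        # A resolver that serves every answer with TTL 0 is not caching it.
        return self.min_ttl > 0


def header_flags(text):
    m = FLAGS_RE.search(text)
    if not m:
        raise ValueError("no ';; flags:' line in dig output")
    return set(m.group(1).split())


def answer_records(text):
    """Yield (owner, ttl, rtype, rdata) for each RR in the ANSWER section only."""
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";;"):
            break  # blank line or next section header ends the ANSWER section
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            yield owner, int(ttl), rtype, rdata


def assess(text):
    rrs = list(answer_records(text))
    if not rrs:
        raise ValueError("empty ANSWER section")
    algs = set()
    for _, _, rtype, rdata in rrs:
        if rtype == "RRSIG":
            # RRSIG rdata order: type covered, algorithm, labels, original TTL, ...
            algs.add(int(rdata.split()[1]))
    return Verdict(validated="ad" in header_flags(text),
                   min_ttl=min(ttl for _, ttl, _, _ in rrs),
                   algorithms=algs)


def describe(v):
    names = ", ".join(ALGORITHM_NAMES.get(a, f"alg {a}") for a in sorted(v.algorithms))
    state = "validated (AD set)" if v.validated else "not validated (no AD)"
    cache = f"cached (min TTL {v.min_ttl})" if v.cached else "not cached (TTL 0)"
    return f"signed with {names or 'nothing'}: {state}, {cache}"


if __name__ == "__main__":
    for label, out in (("ecdsa zone", ECDSA_ZONE_OUTPUT), ("rsa zone", RSA_ZONE_OUTPUT)):
        print(f"{label}: {describe(assess(out))}")
```

To use it on live data, save `dig @8.8.8.8 <name> +dnssec` output to a file and pass its contents to `assess()`; comparing the verdicts for a zone signed with algorithm 13 against one signed with algorithm 8 at the same resolver isolates algorithm support from zone misconfiguration, since a broken zone would normally fail validation under both.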
