When will Google DNS support ECDSA algorithms P256 and P384


ola...@cloudflare.com

Oct 2, 2014, 8:54:54 PM
to public-dn...@googlegroups.com

Hi, 

I was testing various DNSSEC-enabled resolvers for algorithm support and noticed that Google DNS does not validate answers signed by the modern ECC algorithms.
You can test this by doing the following queries:

  dig @8.8.8.8 +dnssec ds-2.alg-8-nsec.dnssec-test.org. dnskey +dnssec

this answer will have the AD bit set 


 dig @8.8.8.8 +dnssec ds-2.alg-13-nsec.dnssec-test.org. dnskey +dnssec

works but w/o AD bit on answer 


Do you have a timeline to support the ECC algorithms?


Thanks 

Olafur 
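
Added example (not part of the original thread): the check described in the post above reduces to reading the status and the AD flag from the header that dig prints. The function names `classify_dig` and `probe`, the result labels, and the sample headers are assumptions made for this illustration; the samples are constructed, not captured output.

```bash
# Classify `dig +dnssec` output read from stdin by its header status and AD flag.
classify_dig() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        # Only the message-header flags line; the "; EDNS: ... flags: do;" line
        # starts with a single ";" and must not be confused with it.
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags:/, "", flags)
            sub(/;.*/, "", flags)
            ad = (index(" " flags " ", " ad ") > 0)
        }
        END {
            if (status == "")              print "no-response"
            else if (status == "SERVFAIL") print "servfail"
            else if (status != "NOERROR")  print "error"
            else if (ad)                   print "validated"
            else                           print "unvalidated"
        }'
}

# Query one resolver for a zone's DNSKEY set and classify the reply (needs network).
# usage: probe 8.8.8.8 ds-2.alg-13-nsec.dnssec-test.org.
probe() {
    dig "@$1" +dnssec "$2" dnskey | classify_dig
}

# Constructed sample headers (not captured output).
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512'
SAMPLE_NO_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512'

printf '%s\n' "$SAMPLE_AD"    | classify_dig
printf '%s\n' "$SAMPLE_NO_AD" | classify_dig
```

A result of `unvalidated` corresponds to the "works but w/o AD bit" case in the post: the resolver returned the data without asserting that it validated the signatures.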

Yunhong Gu

Oct 3, 2014, 12:13:40 PM
to ola...@cloudflare.com, public-dn...@googlegroups.com
At the moment, there is no ETA for ECDSA support from Google Public DNS resolvers.

Yunhong

--
--
========================================================
You received this message because you are subscribed to the Google
Groups "public-dns-discuss" group.
To post to this group, send email to public-dn...@googlegroups.com
To unsubscribe from this group, send email to
public-dns-disc...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/public-dns-discuss?hl=en
For more information on Google Public DNS, please visit
http://code.google.com/speed/public-dns
========================================================
---
You received this message because you are subscribed to the Google Groups "public-dns-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public-dns-disc...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

ola...@cloudflare.com

Oct 3, 2014, 8:30:22 PM
to public-dn...@googlegroups.com, ola...@cloudflare.com

Cloudflare is planning to start rolling out DNSSEC for customers we host in the next 6 months, and the DNS data will be signed with ECDSA,
and we would love for Google DNS to be ready for that.

    Olafur



Yunhong Gu

Dec 11, 2014, 1:59:53 PM
to ola...@cloudflare.com, public-dn...@googlegroups.com
Hello, Olafur

ECDSA is now supported by Google Public DNS.

Cheers,
Yunhong



ola...@cloudflare.com

Dec 18, 2014, 10:32:46 AM
to public-dn...@googlegroups.com, ola...@cloudflare.com
Yunhong, 
thank you a lot for this feature extension.
Good work by you and your colleagues.

   Olafur
