DNS records are public, so a zone can be documented honestly: anyone can run the same dig commands and see the same answers. The new guide Anatomy of a Hardened DNS Zone does exactly that with the live dnsdoh.art zone, grouped into six layers: DNSSEC identity (ECDSA P-256, algorithm 13), DANE TLSA pins on DoH, DoH3, DoT and DoQ, the HTTPS record carrying alpn="h3,h2" and the ECH configuration, DDR discovery answered by the resolver itself, the three no-mail records, and CAA issuance control. Each layer links to its deep guide and ends with the dig command that verifies it on any domain.

ECH keys now rotate monthly

The guide was written against infrastructure that changed the same day. The Encrypted Client Hello key published in the zone's HTTPS record now rotates automatically every month. Each rotation generates a fresh X25519 key with a new config id; the server keeps the previous key loaded for decryption for a full month, so clients holding an older DNS answer through a cache keep connecting without interruption. The DNS record is updated only after the new key is verified working on the server. The rotation runs on nginx compiled with BoringSSL, which provides the server-side ECH API; the guide publishes the full rotation script and the nginx placement rules, plus a note on how the same two-key architecture applies to patched OpenSSL builds.

Check your own zone

The guide closes with a six-command audit that works on any domain, no access required: DNSSEC chain, key pins, HTTPS record, discovery, mail policy and issuance control. Most domains fail most of the checks, and every empty answer is a concrete, fixable finding.