On the adoption of the elliptic curve digital signature algorithm (ECDSA) in DNSSEC

Rijswijk-Deij, Roland van; Jonker, Mattijs; Sperotto, Anna

doi:10.1109/cnsm.2016.7818428

Cited by 11 publications

(8 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A 2016 study by Van Rijswijk-Deij et al [62] analyses early deployment of ECDSA. Finally, in recent work Müller et al [48] perform a case study of the feasibility of using quantum-safe cryptographic algorithms in DNSSEC.…”

Section: Related Workmentioning

confidence: 99%

The Reality of Algorithm Agility

Müller

Toorop²,

Chung

et al. 2020

Proceedings of the ACM Internet Measurement Conference

Self Cite

View full text Add to dashboard Cite

The DNS Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System (DNS), the naming system of the Internet. With DNSSEC, signatures are added to the information provided in the DNS using public key cryptography. Advances in both cryptography and cryptanalysis make it necessary to deploy new algorithms in DNSSEC, as well as deprecate those with weakened security. If this process is easy, then the protocol has achieved what the IETF terms "algorithm agility".In this paper, we study the lifetime of algorithms for DNSSEC. This includes: (i) standardizing the algorithm, (ii) implementing support in DNS software, (iii) deploying new algorithms at domains and recursive resolvers, and (iv) replacing deprecated algorithms. Using data from more than 6.7 million signed domains and over 10,000 vantage points in the DNS, combined with qualitative studies, we show that DNSSEC has only partially achieved algorithm agility. Standardizing new algorithms and deprecating insecure ones can take years. We highlight the main barriers for getting new algorithms deployed, but also discuss success factors. This study provides key insights to take into account when new algorithms are introduced, for example when the Internet must transition to quantum-safe public key cryptography.

show abstract

Section: Related Workmentioning

confidence: 99%

The Reality of Algorithm Agility

Müller

Toorop²,

Chung

et al. 2020

Proceedings of the ACM Internet Measurement Conference

Self Cite

View full text Add to dashboard Cite

show abstract

“…This offers excellent security properties combined with good performance in terms of signature validation speed. Indeed, a major early adopter of ECC-based DNSSEC signing (CloudFlare) [22] has chosen to use ECDSA P-256. For the longer term we recommend considering Edwards curves-based signature schemes, in particular Ed25519 as future default algorithm and Ed448 for deployments with high security requirements.…”

Section: Summary and Recommendationsmentioning

confidence: 99%

The Performance Impact of Elliptic Curve Cryptography on DNSSEC Validation

Rijswijk-Deij

Hageman

Sperotto

et al. 2017

IEEE/ACM Trans. Networking

Self Cite

View full text Add to dashboard Cite

Abstract-The domain name system (DNS) is a core Internet infrastructure that translates names to machine-readable information, such as IP addresses. Security flaws in DNS led to a major overhaul, with the introduction of the DNS security (DNSSEC) extensions. DNSSEC adds integrity and authenticity to the DNS using digital signatures. DNSSEC, however, has its own concerns. It suffers from availability problems due to packet fragmentation and is a potent source of distributed denial-of-service attacks. In earlier work, we argued that many issues with DNSSEC stem from the choice of RSA as default signature algorithm. A switch to alternatives based on elliptic curve cryptography (ECC) can resolve these issues. Yet switching to ECC introduces a new problem: ECC signature validation is much slower than RSA validation. Thus, switching DNSSEC to ECC imposes a significant additional burden on DNS resolvers, pushing load toward the edges of the network. Therefore, in this paper, we study the question: will switching DNSSEC to ECC lead to problems for DNS resolvers, or can they handle the extra load? To answer this question, we developed a model that accurately predicts how many signature validations DNS resolvers have to perform. This allows us to calculate the additional CPU load ECC imposes on a resolver. Using real-world measurements from four DNS resolvers and with two open-source DNS implementations, we evaluate future scenarios where DNSSEC is universally deployed. Our results conclusively show that switching DNSSEC to ECC signature schemes does not impose an insurmountable load on DNS resolvers, even in worst case scenarios.

show abstract

“…They nd that often insecure algorithms are deployed. A 2016 study by Van Rijswijk-Deij et al [61] analyses early deployment of ECDSA. Finally, in recent work Müller et al [21] perform a case study of the feasibility of using quantum-safe cryptographic algorithms in DNSSEC.…”

Section: Related Workmentioning

confidence: 99%

“…We look at the aspects of algorithm deployment, as identi ed by York et al [58], and extend this work by analyzing real world data. Like Van Rijswijk-Deij et al [61], we rely on data collected by the OpenINTEL DNS measurement platform [62], which now covers more than ve years (see Section 3.4). This allows us to study the adoption and deprecation of additional algorithms compared to [61].…”

Section: Related Workmentioning

confidence: 99%

“…Like Van Rijswijk-Deij et al [61], we rely on data collected by the OpenINTEL DNS measurement platform [62], which now covers more than ve years (see Section 3.4). This allows us to study the adoption and deprecation of additional algorithms compared to [61]. We carry out additional active measurements, providing a new perspective on algorithm deployment.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Making DNSSEC Future Proof

Müller¹

View full text Add to dashboard Cite

vi made it through some tough times, and without your trust and support I would not be where I am today. You always had faith in my decisions and helped me to nd my own way. Apparently, I did not need to know Latin after all. Also, many thanks to Sascha for being a great friend, even when living more than 9.000 km apart, and to Franziska and the rest of my family in Germany for your support and thoughts, despite me living in Holland for more than 6 years. In those 6 years I not only made new friends, with a special shout-out to my second paranymph and climbing viking Anders, but also got invited to the Brus-family who helped me feel at home in the Low Countries.And this brings me to Aafke. Sharing basically one room for more than one and half years while pursuing a PhD would have been a challenge for some relationships. Ours, however, just grew stronger and I am thankful for every single day I can spend with you.

show abstract

On the adoption of the elliptic curve digital signature algorithm (ECDSA) in DNSSEC

Cited by 11 publications

References 11 publications

The Reality of Algorithm Agility

The Reality of Algorithm Agility

The Performance Impact of Elliptic Curve Cryptography on DNSSEC Validation

Making DNSSEC Future Proof

Contact Info

Product

Resources

About