Making the Case for Elliptic Curves in DNSSEC

    Research output: Contribution to journal › Article › Academic › peer-review

    12 Citations (Scopus)

    Abstract

    The Domain Name System Security Extensions (DNSSEC) add authenticity and integrity to the DNS, improving its security. Unfortunately, DNSSEC is not without problems. DNSSEC adds digital signatures to the DNS, significantly increasing the size of DNS responses. This means DNSSEC is more susceptible to packet fragmentation and makes DNSSEC an attractive vector to abuse in amplification-based denial-of-service attacks. Additionally, key management policies are often complex. This makes DNSSEC fragile and leads to operational failures. In this paper, we argue that the choice for RSA as default cryptosystem in DNSSEC is a major factor in these three problems. Alternative cryptosystems, based on elliptic curve cryptography (ECDSA and EdDSA), exist but are rarely used in DNSSEC. We show that these are highly attractive for use in DNSSEC, although they also have disadvantages. To address these, we have initiated research that aims to investigate the viability of deploying ECC at a large scale in DNSSEC.
    Original language: Undefined
    Pages (from-to): 13-19
    Number of pages: 7
    Journal: Computer communication review
    Volume: 45
    Issue number: 5
    DOIs: 10.1145/2831347.2831350
    Publication status: Published - Oct 2015

    Keywords

    • EWI-26583
    • IR-98723
    • METIS-315107

    Cite this

    @article{2731863f99804c2ca5c246728e31f2c8,
    title = "Making the Case for Elliptic Curves in DNSSEC",
    abstract = "The Domain Name System Security Extensions (DNSSEC) add authenticity and integrity to the DNS, improving its security. Unfortunately, DNSSEC is not without problems. DNSSEC adds digital signatures to the DNS, significantly increasing the size of DNS responses. This means DNSSEC is more susceptible to packet fragmentation and makes DNSSEC an attractive vector to abuse in amplification-based denial-of-service attacks. Additionally, key management policies are often complex. This makes DNSSEC fragile and leads to operational failures. In this paper, we argue that the choice for RSA as default cryptosystem in DNSSEC is a major factor in these three problems. Alternative cryptosystems, based on elliptic curve cryptography (ECDSA and EdDSA), exist but are rarely used in DNSSEC. We show that these are highly attractive for use in DNSSEC, although they also have disadvantages. To address these, we have initiated research that aims to investigate the viability of deploying ECC at a large scale in DNSSEC.",
    keywords = "EWI-26583, IR-98723, METIS-315107",
    author = "{van Rijswijk}, {Roland M.} and Anna Sperotto and Aiko Pras",
    note = "eemcs-eprint-26583",
    year = "2015",
    month = "10",
    doi = "10.1145/2831347.2831350",
    language = "Undefined",
    volume = "45",
    pages = "13--19",
    journal = "Computer communication review",
    issn = "0146-4833",
    publisher = "Association for Computing Machinery (ACM)",
    number = "5",
    }

    Making the Case for Elliptic Curves in DNSSEC. / van Rijswijk, Roland M.; Sperotto, Anna; Pras, Aiko.

    In: Computer communication review, Vol. 45, No. 5, 10.2015, p. 13-19.


    TY  - JOUR
    T1  - Making the Case for Elliptic Curves in DNSSEC
    AU  - van Rijswijk, Roland M.
    AU  - Sperotto, Anna
    AU  - Pras, Aiko
    N1  - eemcs-eprint-26583
    PY  - 2015/10
    Y1  - 2015/10
    N2  - The Domain Name System Security Extensions (DNSSEC) add authenticity and integrity to the DNS, improving its security. Unfortunately, DNSSEC is not without problems. DNSSEC adds digital signatures to the DNS, significantly increasing the size of DNS responses. This means DNSSEC is more susceptible to packet fragmentation and makes DNSSEC an attractive vector to abuse in amplification-based denial-of-service attacks. Additionally, key management policies are often complex. This makes DNSSEC fragile and leads to operational failures. In this paper, we argue that the choice for RSA as default cryptosystem in DNSSEC is a major factor in these three problems. Alternative cryptosystems, based on elliptic curve cryptography (ECDSA and EdDSA), exist but are rarely used in DNSSEC. We show that these are highly attractive for use in DNSSEC, although they also have disadvantages. To address these, we have initiated research that aims to investigate the viability of deploying ECC at a large scale in DNSSEC.
    AB  - The Domain Name System Security Extensions (DNSSEC) add authenticity and integrity to the DNS, improving its security. Unfortunately, DNSSEC is not without problems. DNSSEC adds digital signatures to the DNS, significantly increasing the size of DNS responses. This means DNSSEC is more susceptible to packet fragmentation and makes DNSSEC an attractive vector to abuse in amplification-based denial-of-service attacks. Additionally, key management policies are often complex. This makes DNSSEC fragile and leads to operational failures. In this paper, we argue that the choice for RSA as default cryptosystem in DNSSEC is a major factor in these three problems. Alternative cryptosystems, based on elliptic curve cryptography (ECDSA and EdDSA), exist but are rarely used in DNSSEC. We show that these are highly attractive for use in DNSSEC, although they also have disadvantages. To address these, we have initiated research that aims to investigate the viability of deploying ECC at a large scale in DNSSEC.
    KW  - EWI-26583
    KW  - IR-98723
    KW  - METIS-315107
    U2  - 10.1145/2831347.2831350
    DO  - 10.1145/2831347.2831350
    M3  - Article
    VL  - 45
    SP  - 13
    EP  - 19
    JO  - Computer communication review
    JF  - Computer communication review
    SN  - 0146-4833
    IS  - 5
    ER  -