Making the Case for Elliptic Curves in DNSSEC

    Research output: Contribution to journalArticleAcademicpeer-review

    17 Citations (Scopus)


    The Domain Name System Security Extensions (DNSSEC) add authenticity and integrity to the DNS, improving its security. Unfortunately, DNSSEC is not without problems. DNSSEC adds digital signatures to the DNS, significantly increasing the size of DNS responses. This means DNSSEC is more susceptible to packet fragmentation and makes DNSSEC an attractive vector to abuse in amplification-based denial-of-service attacks. Additionally, key management policies are often complex. This makes DNSSEC fragile and leads to operational failures. In this paper, we argue that the choice for RSA as default cryptosystem in DNSSEC is a major factor in these three problems. Alternative cryptosystems, based on elliptic curve cryptography (ECDSA and EdDSA), exist but are rarely used in DNSSEC. We show that these are highly attractive for use in DNSSEC, although they also have disadvantages. To address these, we have initiated research that aims to investigate the viability of deploying ECC at a large scale in DNSSEC.
    Original languageUndefined
    Pages (from-to)13-19
    Number of pages7
    JournalComputer communication review
    Issue number5
    Publication statusPublished - Oct 2015


    • EWI-26583
    • IR-98723
    • METIS-315107

    Cite this