On the Adoption of the Elliptic Curve Digital Signature Algorithm (ECDSA) in DNSSEC

    Research output: Contribution to conference › Paper › Academic › peer-review

    6 Citations (Scopus)
    16 Downloads (Pure)

    Abstract

    The Domain Name System Security Extensions (DNSSEC) are steadily being deployed across the Internet. DNSSEC extends the DNS protocol with two vital security properties, authenticity and integrity, using digital signatures. While DNSSEC is meant to solve security issues in the DNS, it also introduces a new one: the digital signatures significantly increase DNS packet sizes, making DNSSEC an attractive vector to abuse in amplification denial-of-service attacks. By default, DNSSEC uses RSA for digital signatures. Earlier work has shown that alternative signature schemes, based on elliptic curve cryptography, can significantly reduce the impact of signatures on DNS response sizes. In this paper we study the actual adoption of ECDSA by DNSSEC operators, based on longitudinal datasets covering over 50% of the global DNS namespace over a period of 1.5 years. Adoption is still marginal, with just 2.3% of DNSSEC-signed domains in the .com TLD using ECDSA. Nevertheless, use of ECDSA is growing, with at least one large operator leading the pack. And adoption could be up to 42% higher. As we demonstrate, there are barriers to deployment that hamper adoption. Operators wishing to deploy DNSSEC using current recommendations (with ECDSA as signing algorithm) must be mindful of this when planning their deployment.
    Original language: Undefined
    Pages: 258-262
    Number of pages: 5
    DOI: 10.1109/CNSM.2016.7818428
    Publication status: Published - Nov 2016
    Event: 12th International Conference on Network and Service Management, CNSM 2016 - Montreal, Canada
    Duration: 31 Oct 2016 to 4 Nov 2016
    Conference number: 12
    http://www.cnsm-conf.org/2016/

    Conference

    Conference: 12th International Conference on Network and Service Management, CNSM 2016
    Abbreviated title: CNSM 2016
    Country: Canada
    City: Montreal
    Period: 31/10/16 to 4/11/16
    Internet address: http://www.cnsm-conf.org/2016/

    Keywords

    • IR-104111
    • EWI-27653

    Cite this

    van Rijswijk, R. M., Jonker, M., & Sperotto, A. (2016). On the Adoption of the Elliptic Curve Digital Signature Algorithm (ECDSA) in DNSSEC. 258-262. Paper presented at 12th international Conference on Network and Service Management, CNSM 2016, Montreal, Canada. https://doi.org/10.1109/CNSM.2016.7818428