The Reality of Algorithm Agility: Studying the DNSSEC Algorithm Life-Cycle

Moritz Müller, Willem Toorop, Taejoong Chung, Jelte Jansen, Roland van Rijswijk-Deij

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-review

7 Citations (Scopus)
902 Downloads (Pure)


The DNS Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System (DNS), the naming system of the Internet. With DNSSEC, signatures are added to the information provided in the DNS using public key cryptography. Advances in both cryptography and cryptanalysis make it necessary to deploy new algorithms in DNSSEC, as well as deprecate those with weakened security. If this process is easy, then the protocol has achieved what the IETF terms "algorithm agility". In this paper, we study the lifetime of algorithms for DNSSEC. This includes: (i) standardizing the algorithm, (ii) implementing support in DNS software, (iii) deploying new algorithms at domains and recursive resolvers, and (iv) replacing deprecated algorithms. Using data from more than 6.7 million signed domains and over 10,000 vantage points in the DNS, combined with qualitative studies, we show that DNSSEC has only partially achieved algorithm agility. Standardizing new algorithms and deprecating insecure ones can take years. We highlight the main barriers for getting new algorithms deployed, but also discuss success factors. This study provides key insights to take into account when new algorithms are introduced, for example when the Internet must transition to quantum-safe public key cryptography.

Original language: English
Title of host publication: IMC '20
Subtitle of host publication: Proceedings of the 20th ACM Internet Measurement Conference
Publisher: ACM Publishing
Number of pages: 14
ISBN (Print): 978-1-4503-8138-3
Publication status: Published - 27 Oct 2020
Event: ACM Internet Measurement Conference, IMC 2020 - Online
Duration: 27 Oct 2020 to 29 Oct 2020


Conference: ACM Internet Measurement Conference, IMC 2020
Abbreviated title: IMC


  • Cybersecurity

