Making the Case for Elliptic Curves in DNSSEC

Rijswijk-Deij, Roland van; Sperotto, Anna; Pras, Aiko

doi:10.1145/2831347.2831350

Cited by 17 publications

(28 citation statements)

References 11 publications

(16 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…r 3 ) operated by SURFnet. 3 We performed a live capture of traffic 2 See http://www.internetsociety.org/deploy360/dnssec/statistics/ 3 The National Research and Education Network in the Netherlands. from clients to these DNS resolvers and replayed this traffic against an instrumented DNS resolver.…”

Section: B Modelmentioning

confidence: 99%

“…This number is then compared against a benchmark figure indicating the number of signature validations that can be performed on a single modern CPU core for specific elliptic curve digital signature schemes. Just as in our earlier study on the use of ECC in DNSSEC [3], we examine multiple signature schemes. We include the two signature schemes currently standardised for use in DNSSEC, ECDSA P-256 and ECDSA P-384 [14], [15].…”

Section: Popular-domains-first Growth To 100% Dnssec Deploy-mentioning

confidence: 99%

“…In earlier work [3] we relied on benchmarks from the eBACS project 7 to compare RSA and elliptic curve implementations. For this paper, we performed new benchmark tests.…”

Section: B Ecc Benchmarksmentioning

confidence: 99%

“…The cryptographic strength of ECDSA P-256 is roughly equivalent to 3072-bit RSA [20]. The reason we make this comparison is because RSA 1024-bit is the most common signature type in DNSSEC at present, while ECDSA P-256 is the most attractive candidate to replace the current RSA-based schemes [3].…”

Section: B Ecc Benchmarksmentioning

confidence: 99%

“…The root cause of these issues is the choice of RSA as default signature algorithm for DNSSEC. We showed that alternative signature schemes based on elliptic curve cryptography (ECC) effectively address the major issues in DNSSEC described above [3]. This is because ECC signatures are significantly smaller in size, leading to smaller DNS responses.…”

mentioning

confidence: 99%

See 4 more Smart Citations

The Performance Impact of Elliptic Curve Cryptography on DNSSEC Validation

Rijswijk-Deij

Hageman

Sperotto

et al. 2017

IEEE/ACM Trans. Networking

Self Cite

View full text Add to dashboard Cite

Abstract-The domain name system (DNS) is a core Internet infrastructure that translates names to machine-readable information, such as IP addresses. Security flaws in DNS led to a major overhaul, with the introduction of the DNS security (DNSSEC) extensions. DNSSEC adds integrity and authenticity to the DNS using digital signatures. DNSSEC, however, has its own concerns. It suffers from availability problems due to packet fragmentation and is a potent source of distributed denial-of-service attacks. In earlier work, we argued that many issues with DNSSEC stem from the choice of RSA as default signature algorithm. A switch to alternatives based on elliptic curve cryptography (ECC) can resolve these issues. Yet switching to ECC introduces a new problem: ECC signature validation is much slower than RSA validation. Thus, switching DNSSEC to ECC imposes a significant additional burden on DNS resolvers, pushing load toward the edges of the network. Therefore, in this paper, we study the question: will switching DNSSEC to ECC lead to problems for DNS resolvers, or can they handle the extra load? To answer this question, we developed a model that accurately predicts how many signature validations DNS resolvers have to perform. This allows us to calculate the additional CPU load ECC imposes on a resolver. Using real-world measurements from four DNS resolvers and with two open-source DNS implementations, we evaluate future scenarios where DNSSEC is universally deployed. Our results conclusively show that switching DNSSEC to ECC signature schemes does not impose an insurmountable load on DNS resolvers, even in worst case scenarios.

show abstract

Section: B Modelmentioning

confidence: 99%

Section: Popular-domains-first Growth To 100% Dnssec Deploy-mentioning

confidence: 99%

“…In earlier work [3] we relied on benchmarks from the eBACS project 7 to compare RSA and elliptic curve implementations. For this paper, we performed new benchmark tests.…”

Section: B Ecc Benchmarksmentioning

confidence: 99%

Section: B Ecc Benchmarksmentioning

confidence: 99%

mentioning

confidence: 99%

See 3 more Smart Citations

The Performance Impact of Elliptic Curve Cryptography on DNSSEC Validation

Rijswijk-Deij

Hageman

Sperotto

et al. 2017

IEEE/ACM Trans. Networking

Self Cite

View full text Add to dashboard Cite

show abstract

Blockchain Backed DNSSEC

Gourley

Tewari

2019

Lecture Notes in Business Information Processing

View full text Add to dashboard Cite

The traditional Domain Name System (DNS) does not include any security details, making it vulnerable to a variety of attacks which were discovered in 1990. The Domain Name System Security Extensions (DNSSEC) attempted to address these concerns and extended the DNS protocol to add origin authentication and message integrity whilst remaining backwards compatible. Yet despite the fact that issues with DNS have been well known since the late 90s, there has been very little adoption of DNSSEC. This paper proposes a new system using blockchain technology. Our system aims to provide the same security benefits as DNSSEC whilst addressing the concerns that led to its slow adoption.

show abstract