
Making the Case for Elliptic Curves in DNSSEC

Published online: 30 September 2015

Abstract

The Domain Name System Security Extensions (DNSSEC) add authenticity and integrity to the DNS, improving its security. Unfortunately, DNSSEC is not without problems. DNSSEC adds digital signatures to the DNS, significantly increasing the size of DNS responses. This makes DNSSEC more susceptible to packet fragmentation and makes it an attractive vector to abuse in amplification-based denial-of-service attacks. Additionally, key management policies are often complex, which makes DNSSEC fragile and leads to operational failures. In this paper, we argue that the choice of RSA as the default cryptosystem in DNSSEC is a major factor in these three problems. Alternative cryptosystems based on elliptic curve cryptography (ECDSA and EdDSA) exist but are rarely used in DNSSEC. We show that these are highly attractive for use in DNSSEC, although they also have disadvantages. To address these, we have initiated research that aims to investigate the viability of deploying ECC at large scale in DNSSEC.
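The response-size argument in the abstract can be made concrete by encoding the records involved. The following is an added example, not code from the paper or its authors: it lays out DNSKEY and RRSIG RDATA as specified in RFC 4034 (sections 2.1 and 3.1, plus the Appendix B key tag), fills the key and signature fields with placeholder bytes of the length each algorithm produces (RSA-2048 per RFC 3110, ECDSA P-256 per RFC 6605, Ed25519 per RFC 8080), and sizes a UDP DNSKEY response and the query that provokes it. The zone name `example.com.`, the two-key steady state, the three-key/two-signature rollover case and the placeholder byte pattern are all constructed assumptions; owner names in the answer are assumed to be compressed to a pointer at the question name, while the signer name inside RRSIG is never compressed, as the RFC requires.

```python
"""Wire-size comparison of a DNSKEY response signed with RSA vs. ECC.

Added example (not from the paper): DNSKEY/RRSIG RDATA encoded per RFC 4034,
with placeholder key and signature bytes of the correct length. No real keys
are generated and nothing is verified; only sizes are measured.
"""
import struct

# Algorithm numbers from the IANA DNS Security Algorithm Numbers registry.
ALG_RSASHA256 = 8          # RFC 5702
ALG_ECDSAP256SHA256 = 13   # RFC 6605
ALG_ED25519 = 15           # RFC 8080

# (algorithm number, DNSKEY public-key field length, RRSIG signature length) in bytes.
# RSA (RFC 3110): 1-byte exponent length + 3-byte exponent 65537 + 256-byte modulus.
# ECDSA P-256 (RFC 6605): public key x||y, signature r||s, 32 bytes each.
# Ed25519 (RFC 8080): 32-byte public key, 64-byte signature.
ALGORITHMS = {
    "RSA-2048/SHA-256": (ALG_RSASHA256, 1 + 3 + 256, 256),
    "ECDSA P-256": (ALG_ECDSAP256SHA256, 64, 64),
    "Ed25519": (ALG_ED25519, 32, 64),
}

TYPE_DNSKEY = 48
HEADER_LEN = 12          # DNS message header
OPT_RR_LEN = 11          # root name + type + UDP size + TTL + RDLENGTH, no options
COMPRESSED_NAME_LEN = 2  # owner name written as a compression pointer to the question
EDNS_SAFE_BUFFER = 1232  # UDP payload size recommended by DNS Flag Day 2020


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in the root label."""
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"


def placeholder(n):
    """Deterministic stand-in bytes for key/signature material (constructed, not real)."""
    return bytes((i * 7 + 3) & 0xFF for i in range(n))


def dnskey_rdata(flags, algorithm, public_key):
    """RFC 4034 2.1: flags(2) | protocol(1)=3 | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rrsig_rdata(type_covered, algorithm, labels, ttl, expiration, inception, tag, signer, signature):
    """RFC 4034 3.1: 18 fixed bytes, then the uncompressed signer name, then the signature."""
    fixed = struct.pack("!HBBIIIH", type_covered, algorithm, labels, ttl, expiration, inception, tag)
    return fixed + encode_name(signer) + signature


def rr_len(owner_len, rdata):
    """Owner name + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA."""
    return owner_len + 10 + len(rdata)


def query_size(zone):
    """UDP size of a DNSKEY query carrying an empty OPT record."""
    return HEADER_LEN + len(encode_name(zone)) + 4 + OPT_RR_LEN


def dnskey_response_size(zone, alg_name, n_keys=2, n_sigs=1):
    """UDP size of a DNSKEY response with n_keys DNSKEYs (>= 2) and n_sigs RRSIGs.

    Default models the steady state (KSK + ZSK, one KSK signature); n_keys=3,
    n_sigs=2 models a double-signature KSK rollover (assumed scenario).
    """
    alg, key_len, sig_len = ALGORITHMS[alg_name]
    ksk = dnskey_rdata(257, alg, placeholder(key_len))   # flags 257: SEP bit set
    zsk = dnskey_rdata(256, alg, placeholder(key_len))
    keys = [ksk, zsk] + [dnskey_rdata(257, alg, placeholder(key_len))] * (n_keys - 2)
    labels = len([lab for lab in zone.rstrip(".").split(".") if lab])
    sig = rrsig_rdata(TYPE_DNSKEY, alg, labels, 3600, 1451606400, 1449000000,
                      key_tag(ksk), zone, placeholder(sig_len))
    size = HEADER_LEN + len(encode_name(zone)) + 4        # question section
    size += sum(rr_len(COMPRESSED_NAME_LEN, k) for k in keys)
    size += n_sigs * rr_len(COMPRESSED_NAME_LEN, sig)
    return size + OPT_RR_LEN


def amplification(zone, alg_name, **kw):
    """Bytes returned per byte sent for a (possibly spoofed) DNSKEY query."""
    return dnskey_response_size(zone, alg_name, **kw) / query_size(zone)


if __name__ == "__main__":
    for name in ALGORITHMS:
        steady = dnskey_response_size("example.com.", name)
        rollover = dnskey_response_size("example.com.", name, n_keys=3, n_sigs=2)
        print(f"{name:18} steady={steady:5d}B  rollover={rollover:5d}B  "
              f"amp={amplification('example.com.', name):5.1f}x  "
              f"rollover over {EDNS_SAFE_BUFFER}B: {rollover > EDNS_SAFE_BUFFER}")
```

With these assumptions the RSA-2048 steady-state response is 891 bytes against a 40-byte query (about 22x amplification), while ECDSA P-256 and Ed25519 give 307 and 243 bytes (under 8x). The rollover case shows the fragmentation side of the argument: three RSA keys with two signatures reach 1466 bytes, above the 1232-byte EDNS buffer, whereas Ed25519 stays at 398 bytes. Real responses differ (additional keys, multiple signers, EDNS options), so treat the figures as a model, not a measurement.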

