research-article

Making the Case for Elliptic Curves in DNSSEC

Authors:

Roland van Rijswijk-Deij,

Anna Sperotto, and

Aiko PrasAuthors Info & Claims

ACM SIGCOMM Computer Communication Review, Volume 45, Issue 5

Pages 13 - 19

https://doi.org/10.1145/2831347.2831350

Published: 30 September 2015 Publication History

Get Access

Abstract

The Domain Name System Security Extensions (DNSSEC) add authenticity and integrity to the DNS, improving its security. Unfortunately, DNSSEC is not without problems. DNSSEC adds digital signatures to the DNS, significantly increasing the size of DNS responses. This means DNSSEC is more susceptible to packet fragmentation and makes DNSSEC an attractive vector to abuse in amplification-based denial-of-service attacks. Additionally, key management policies are often complex. This makes DNSSEC fragile and leads to operational failures. In this paper, we argue that the choice for RSA as default cryptosystem in DNSSEC is a major factor in these three problems. Alternative cryptosystems, based on elliptic curve cryptography (ECDSA and EdDSA), exist but are rarely used in DNSSEC. We show that these are highly attractive for use in DNSSEC, although they also have disadvantages. To address these, we have initiated research that aims to investigate the viability of deploying ECC at a large scale in DNSSEC.

References

[1]

G. van den Broek, R. van Rijswijk, A. Sperotto, and A. Pras. DNSSEC Meets Real World: Dealing with Unreachability Caused by Fragmentation. IEEE Communications Magazine, 52(April):154--160, 2014.

Google Scholar

[2]

R. van Rijswijk-Deij, A. Sperotto, and A. Pras. DNSSEC and its potential for DDoS attacks. In ACM IMC 2014, Vancouver, BC, Canada, 2014. ACM Press.

Digital Library

Google Scholar

[3]

B. Ager, H. Dreger, and A. Feldmann. Predicting the DNSSEC overhead using DNS traces. Proc. of IEEE CISS 2006, pages 1484--1489, 2007.

Google Scholar

[4]

H. Yang, E. Osterweil, D. Massey, S. Lu, and L. Zhang. Deploying cryptography in internet-scale systems: A case study on DNSSEC. IEEE Trans. on Dependable and Secure Comp., 8(5):656--669, 2011.

Digital Library

Google Scholar

[5]

A. Herzberg and H. Shulman. Cipher-Suite Negotiation for DNSSEC: Hop-by-Hop or End-to-End? IEEE Internet Computing, 19:80--84, 2015.

Digital Library

Google Scholar

[6]

E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid. Recommendation for Key Management - Part 1: General (r. 3). NIST SP800--57, 2012.

Google Scholar

[7]

E. Barker and Q. Dang. Recommendation for Key Management - Part 3: Application-Specific Key Management Guidance (r. 1). NIST SP 800--57, 2015.

Google Scholar

[8]

D. Hankerson, A.J. Menezes, and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer, 2004.

Digital Library

Google Scholar

[9]

NIST. FIPS PUB 186--4 - Digital Signature Standard (DSS). Processing Standards Publication, 2009.

Google Scholar

[10]

D. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.Y. Yang. High-Speed High-Security Signatures. Journal of Cryptographic Engineering, 2(2):77--89, 2012.

Crossref

Google Scholar

[11]

D. Bernstein, P. Birkner, M. Joye, and T. Lange. Twisted Edwards Curves. In AFRICACRYPT 2008, volume 2, pages 389--405. 2008.

Digital Library

Google Scholar

[12]

S. Josefsson and N. Moeller. EdDSA and Ed25519 (draft-josefsson-eddsa-ed25519-03), 2015.

Google Scholar

[13]

O. Surý. Ed25519 for DNSSEC (draft-sury-dnskey-ed25519-00), 2015.

Google Scholar

[14]

N. Smart. ECRYPT II Yearly Report on Algorithms and Keysizes 2011--2012. Technical report, 2012.

Google Scholar

Cited By

View all

van der Toorn OMüller MDickinson SHesselman CSperotto Avan Rijswijk-Deij R(2022)Addressing the challenges of modern DNS a comprehensive tutorialComputer Science Review10.1016/j.cosrev.2022.10046945(100469)Online publication date: Aug-2022
https://doi.org/10.1016/j.cosrev.2022.100469
Müller Mde Jong Jvan Heesch MOvereinder Bvan Rijswijk-Deij R(2020)Retrofitting post-quantum cryptography in internet protocolsACM SIGCOMM Computer Communication Review10.1145/3431832.343183850:4(49-57)Online publication date: 26-Oct-2020
https://dl.acm.org/doi/10.1145/3431832.3431838
Xu HZhang ZYan JMa XSchrittwieser S(2019)Evaluating the Impact of Name Resolution Dependence on the DNSSecurity and Communication Networks10.1155/2019/85653972019Online publication date: 9-Sep-2019
https://dl.acm.org/doi/10.1155/2019/8565397
Show More Cited By

Index Terms

Making the Case for Elliptic Curves in DNSSEC

Recommendations

DNSSEC and its potential for DDoS attacks: a comprehensive measurement study
IMC '14: Proceedings of the 2014 Conference on Internet Measurement Conference

Over the past five years we have witnessed the introduction of DNSSEC, a security extension to the DNS that relies on digital signatures. DNSSEC strengthens DNS by preventing attacks such as cache poisoning. However, a common argument against the ...
Read More
Understanding the role of registrars in DNSSEC deployment
IMC '17: Proceedings of the 2017 Internet Measurement Conference

The Domain Name System (DNS) provides a scalable, flexible name resolution service. Unfortunately, its unauthenticated architecture has become the basis for many security attacks. To address this, DNS Security Extensions (DNSSEC) were introduced in ...
Read More
On the Adoption of the Elliptic Curve Digital Signature Algorithm (ECDSA) in DNSSEC
CNSM 2016: Proceedings of the 12th Conference on International Conference on Network and Service Management

The Domain Name System Security Extensions (DNSSEC) are steadily being deployed across the Internet. DNSSEC extends the DNS protocol with two vital security properties, authenticity and integrity, using digital signatures. While DNSSEC is meant to ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM SIGCOMM Computer Communication Review

ACM SIGCOMM Computer Communication Review Volume 45, Issue 5

October 2015

41 pages

ISSN:0146-4833

DOI:10.1145/2831347

Editors:
Konstantina Papagiannaki
Telefonica Research, Barcelona, Spain
,
Katerina Argyraki
EPFL, Switzerland
,
Hitesh Ballani
Microsoft Research Cambridge, UK
,
Fabián Bustamante
Northwestern University, USA
,
Joseph Camp
SMU, USA
,
Augustin Chaintreau
Columbia University, USA
,
Phillipa Gill
Stony Brook University, USA
,
Marco Mellia
Politecnico di Torino, Italy
,
Bhaskaran Raman
IIT Bombay, India
,
Joel Sommers
Colgate University, USA
,
Aline Carneiro Viana
INRIA, France

Issue’s Table of Contents

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 September 2015

Published in SIGCOMM-CCR Volume 45, Issue 5

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

SURF
European Union Framework Programme 7 (FP7)

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

13
Total Citations
View Citations
215
Total Downloads

Downloads (Last 12 months)16
Downloads (Last 6 weeks)1

Other Metrics

View Author Metrics

Citations

Cited By

View all

van der Toorn OMüller MDickinson SHesselman CSperotto Avan Rijswijk-Deij R(2022)Addressing the challenges of modern DNS a comprehensive tutorialComputer Science Review10.1016/j.cosrev.2022.10046945(100469)Online publication date: Aug-2022
https://doi.org/10.1016/j.cosrev.2022.100469
Müller Mde Jong Jvan Heesch MOvereinder Bvan Rijswijk-Deij R(2020)Retrofitting post-quantum cryptography in internet protocolsACM SIGCOMM Computer Communication Review10.1145/3431832.343183850:4(49-57)Online publication date: 26-Oct-2020
https://dl.acm.org/doi/10.1145/3431832.3431838
Xu HZhang ZYan JMa XSchrittwieser S(2019)Evaluating the Impact of Name Resolution Dependence on the DNSSecurity and Communication Networks10.1155/2019/85653972019Online publication date: 9-Sep-2019
https://dl.acm.org/doi/10.1155/2019/8565397
Li GChen XChang PZou XZang TWu X(2019)MFRdnsIProceedings of the 2nd International Conference on Information Science and Systems10.1145/3322645.3322675(27-32)Online publication date: 16-Mar-2019
https://dl.acm.org/doi/10.1145/3322645.3322675
Muller MChung TMislove Avan Rijswijk-Deij R(2019)Rolling With Confidence: Managing the Complexity of DNSSEC OperationsIEEE Transactions on Network and Service Management10.1109/TNSM.2019.291617616:3(1199-1211)Online publication date: Sep-2019
https://doi.org/10.1109/TNSM.2019.2916176
Gourley STewari H(2019)Blockchain Backed DNSSECBusiness Information Systems Workshops10.1007/978-3-030-04849-5_15(173-184)Online publication date: 3-Jan-2019
https://doi.org/10.1007/978-3-030-04849-5_15
Le Tvan Rijswijk-Deij RAllodi LZannone N(2018)Economic incentives on DNSSEC deployment: Time to move from quantity to qualityNOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium10.1109/NOMS.2018.8406223(1-9)Online publication date: Apr-2018
https://doi.org/10.1109/NOMS.2018.8406223
Scaife NCarter HLidsky LJones RTraynor P(2018)OnionDNSInternational Journal of Information Security10.1007/s10207-017-0391-z17:6(645-660)Online publication date: 1-Nov-2018
https://dl.acm.org/doi/10.1007/s10207-017-0391-z
Wander MBoelmann CWeis T(2018)Domain Name System Without Root ServersRisks and Security of Internet and Systems10.1007/978-3-319-76687-4_14(203-216)Online publication date: 24-Feb-2018
https://doi.org/10.1007/978-3-319-76687-4_14
Wander M(2017)Measurement survey of server-side DNSSEC adoption2017 Network Traffic Measurement and Analysis Conference (TMA)10.23919/TMA.2017.8002913(1-9)Online publication date: Jun-2017
https://doi.org/10.23919/TMA.2017.8002913
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

DNSSEC and its potential for DDoS attacks: a comprehensive measurement study

Understanding the role of registrars in DNSSEC deployment

On the Adoption of the Elliptic Curve Digital Signature Algorithm (ECDSA) in DNSSEC