Home / Blogs

The Path Toward Increasing the Security of DNSSEC with Elliptic Curve Cryptography

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
Dan York

How do we make DNSSEC even more secure through the use of elliptic curve cryptography? What are the advantages of algorithms based on elliptic curves? And what steps need to happen to make this a reality? What challenges lie in the way?

Over the past few months we've been discussing these questions within the community of people implementing DNSSEC, with an aim of increasing both the security and performance of DNSSEC. Ondřej Surý of CZ.NIC Labs has been leading the way both with writing Internet drafts (draft-ietf-curdle-dnskey-ed25519 and draft-ietf-curdle-dnskey-ed448) and also in helping to organize sessions at various events.

Here's a brief view of where that discussion has and will be taking place:

  • 9 March 2016 – a panel session at ICANN 55 DNSSEC Workshop in Marrakech, Morocco- (see below)
  • 1 April 2016 – a panel session at DNS-OARC in Buenos Aires
  • 5 April 2016 – a discussion of the drafts in the CURDLE Working Group at IETF 95
  • 6/8 April 2016 – a discussion of another draft in the DNSOP Working Group to reduce usage of older DNSSEC crypto algorithms (see my overview of DNSSEC activity at IETF 95 for more context on what is happening there)
  • 23-27 May 2016 – a panel session at RIPE 72 in Copenhagen, Denmark
  • 27 June 2016 – a proposed panel session at the ICANN 56 DNSSEC Workshop in Helsinki, Finland

Let me provide a quick overview of what happened at ICANN 55 and then explain a new Internet draft that came out of that experience.

ICANN 55 DNSSEC Workshop

At ICANN 55 in Marrakech, we had a panel that I moderated where we presented several different viewpoints about how we go about implementing new DNSSEC algorithms and what are the challenges. I started out with a presentation where I outlined some of the challenges in this set of slides:

Challenges To Deploying New DNSSEC Cryptographic Algorithms from Deploy360 Programme (Internet Society)

I was then followed by four panelists (links are to the slide decks three of the four panelists had):

Geoff Huston started out giving an overview of what APNIC's research had found in the support of a current elliptic curve algorithm (ECDSA) in DNS resolvers (remembering that there are two sides to DNSSEC). Jim Galvin then provided a view of DNSSEC algorithms from a registry perspective. Olafur reported on the experience CloudFlare had rolling out ECDSA support and Ondřej wrapped up the session explaining the two new elliptic curve algorithms proposed for DNSSEC. There were a good number of questions asked and it was a healthy discussion.

Our Internet Draft on new deploying DNSSEC algorithms

After that ICANN 55 session, I went back and wrote up a summary of what we learned out of that discussion and then incorporated further input from Ondřej, Ólafur and Paul Wouters. The result was a new Internet-draft:


As I said in the abstract:

As new cryptographic algorithms are developed for use in DNSSEC signing and validation, this document captures the steps needed for new algorithms to be deployed and enter general usage. The intent is to ensure a common understanding of the typical deployment process and potentially identify opportunities for improvement of operations.

We are looking forward to further discussion — and welcome any and all feedback on the document.

The DNS-OARC panel on Friday, April 1

Which leads to a mention of the next discussion happening on this Friday, April 1, at the DNS-OARC 24th meeting happening in Buenos Aires right before IETF 95. The very last session from 1700-1745 ART (UTC-3) will be on "DNSSEC algorithm flexibility”. I'll be moderating the panel again and the focus this time will be on software implementations and what needs to be done there to support more encryption algorithms. The panelists will include:

  • Dan York, moderator
  • Ondřej Surý, representing Debian
  • Paul Wouters, Red Hat
  • Evan Hunt, ISC / BIND
  • Benno Overeinder, NLNet Labs / Unbound
  • Jan Včelák, CZ.NIC / Knot
  • Ralf Weber, Nominum

I'm told there will be a live stream of the DNS-OARC session and it should be accessible from the DNS-OARC Google+ page.

Our goal with all of this work is to lay out a solid path forward to bringing strong elliptic curve algorithms to DNSSEC — and then making that plan a reality. The end goal is an even more secure DNSSEC infrastructure that brings about an even more trusted DNS.

We'd welcome your comments and assistance with this — please do send us comments on the Internet Draft (email addresses at the end) or comment here or on social media about any of this. We need many different people helping move this forward!

NOTE: An earlier version of this article appeared on the Internet Society Deploy360 blog.

By Dan York, Author and Speaker on Internet technologies - and on staff of Internet Society. Dan is employed as a Senior Content Strategist with the Internet Society but opinions posted on CircleID are entirely his own. Visit the blog maintained by Dan York here.

Related topics: DNS, DNS Security, Security



To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Sponsored Topics

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Dyn Partners with the Internet Systems Consortium to Host Global F-Root Nameservers

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year