December 29, 2019


Elliptic curves to the rescue: tackling availability and attack potential in DNSSEC


| Field | Value |
| --- | --- |
| Talk Title | Elliptic curves to the rescue: tackling availability and attack potential in DNSSEC |
| Speakers | Roland van Rijswijk-Deij (SURFnet) |
| Conference | NANOG67 |
| Location | Chicago, Illinois |
| Date | Jun 13 2016 - Jun 15 2016 |
| Slides | [Talk Slides](<https://archive.nanog.org/sites/default/files/Roland_Elliptic Curves.pdf>) |

Over the past decade, we have seen the gradual rollout of DNSSEC across the name space, with adoption growing slowly but steadily. While DNSSEC was introduced to solve security problems in the DNS, it is not without its own problems. In particular, it suffers from two big problems: 1) Use of DNSSEC can lead to fragmentation of DNS responses, which impacts the availability of signed domains due to resolvers being unable to receive fragmented responses and 2) DNSSEC can be abused to create potent denial-of-service attacks based on amplification.

Arguably, the choice of the RSA cryptosystem as default algorithm for DNSSEC is the root cause of these problems. RSA signatures need to be large to be cryptographically strong. Given that DNS responses can contain multiple signatures, this has a major impact on the size of these responses. Using elliptic curve cryptography, we can solve both problems with DNSSEC, because ECC offers much better cryptographic strength with far smaller keys and signatures. But using ECC will introduce one new problem: signature validation - the most commonly performed operation in DNSSEC - can be up to two orders of magnitude slower than with RSA. Thus, we run the risk of pushing workload to the edges of the network by introducing ECC in DNSSEC.

This talk discusses solid research results that show 1) the benefits of using ECC in terms of solving open issues in DNSSEC, and 2) that the potential new problem of CPU use for signature validation on resolvers is not prohibitive, to such an extent that even if DNSSEC becomes universally deployed, the signature validations a resolver would need to perform can easily be handled on a single modern CPU core. Based on these results, we call for an overhaul of DNSSEC where operators move away from using RSA to using elliptic curve-based signature schemes.
