Increasing use of algorithm 13 for DNSSEC signing

This is the first in a new series of periodic blog posts explaining key .nl statistics, as published on stats.sidnlabs.nl. This time, we look at the accelerating adoption of algorithm 13 – an elliptic curve-based cryptographic algorithm used with the domain name security protocol DNSSEC.

DNSSEC is a system that lets registrants add digital signatures to their domain names. Resolvers can then verify that the information they receive about the signed domain names is authentic. The system depends on cryptographic signing of the information about domain names recorded in the DNS. Since 2016, it's been possible to sign .nl domain names using modern, elliptic curve-based algorithms. Such algorithms are also widely supported by resolvers: scans show that nearly as many DNSSEC-validating resolvers support them as support the older, currently more widely used algorithms. On rootcanary.org, you can see for yourself which algorithms your resolver supports. Against that background, we thought it would be interesting to review the state of play three years on from the new algorithms being enabled.

Why elliptic curve?

The algorithms introduced in 2016 are ECDSAP256SHA256 (known for short as 'number 13') and ECDSAP384SHA384 (number 14). They have major advantages over older algorithms: signatures created using them are just as secure as, for example, RSA-based signatures, but much shorter. That reduces the scope for abuse in DDoS attacks and prevents DNSSEC information becoming too bulky for certain parts of the internet to handle. The RFC 8624 standard was therefore recently updated to say that DNSSEC software developers should support algorithm 13. More information about ECDSA is given in a previous blog post.

Elliptic curve on the up in .nl

Chart 1 - DNSSEC algorithms used in .nl

From the chart above, you can see that nearly 7 per cent of signed .nl domain names make use of algorithm 13. In other words, their key signing key (KSK) is based on algorithm 13. A year ago, the figure was just 3.5 per cent. Popular domain names signed using algorithm 13 include surfnet.nl, kpn.nl and rijksmuseum.nl. Algorithm 14 is currently used in less than 1 per cent of cases. That's not a cause for concern, since algorithm 13 is secure enough to be used for a long time to come. Of the domain names now signed with algorithm 13, 32 per cent were previously signed using an older algorithm. Switching from an older algorithm to algorithm 13 involves the operator performing an 'algorithm rollover'. The other 68 per cent of the algorithm-13 domain names were not previously signed using DNSSEC.
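As an added illustration of the measurement behind the chart (example code, not SIDN's own): it parses DNSKEY records in presentation format, picks out the key signing keys by their flags, checks that algorithm 13 and 14 keys have the fixed sizes RFC 6605 requires, and computes the per-algorithm KSK share, counting a zone in the middle of an algorithm rollover under both algorithms. The zone names and key material are constructed sample data.

```python
import base64
from collections import Counter

ALGORITHMS = {8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}  # IANA numbers
ZONE_KEY_FLAG, SEP_FLAG = 0x0100, 0x0001   # DNSKEY flag bits, RFC 4034 section 2.1.1
ECDSA_KEY_BYTES = {13: 64, 14: 96}         # fixed public key sizes, RFC 6605 section 4

dummy_key = lambda n: base64.b64encode(bytes(n)).decode()  # constructed placeholder key, not a real one

# Constructed sample DNSKEY records (owner TTL class type flags protocol algorithm key); flags 257 = KSK,
# 256 = ZSK. RSA key = 3-byte exponent + 256-byte modulus (RFC 3110); P-256/P-384 keys are 64/96 bytes.
SAMPLE_DNSKEYS = [
    f"rsa-only.example. 3600 IN DNSKEY 257 3 8 {dummy_key(260)}",
    f"ecdsa.example. 3600 IN DNSKEY 257 3 13 {dummy_key(64)}",
    f"p384.example. 3600 IN DNSKEY 257 3 14 {dummy_key(96)}",
    f"rollover.example. 3600 IN DNSKEY 257 3 8 {dummy_key(260)}",   # old KSK, still published
    f"rollover.example. 3600 IN DNSKEY 257 3 13 {dummy_key(64)}",   # new KSK during the rollover
    f"rollover.example. 3600 IN DNSKEY 256 3 13 {dummy_key(64)}",   # ZSK, ignored for KSK stats
]

def parse_dnskey(line):
    """Split one DNSKEY record in presentation format into its RDATA fields."""
    owner, _ttl, _cls, rtype, flags, proto, alg, key = line.split(maxsplit=7)
    if rtype != "DNSKEY" or int(proto) != 3:
        raise ValueError(f"not a DNSKEY record: {line}")
    rec = {"owner": owner, "flags": int(flags), "algorithm": int(alg), "key": base64.b64decode("".join(key.split()))}
    expected = ECDSA_KEY_BYTES.get(rec["algorithm"])
    if expected is not None and len(rec["key"]) != expected:
        raise ValueError(f"algorithm {alg} key must be {expected} bytes: {owner}")
    return rec

def is_ksk(rec):
    """A key signing key has both the zone-key bit and the SEP bit set (flags 257)."""
    return (rec["flags"] & (ZONE_KEY_FLAG | SEP_FLAG)) == (ZONE_KEY_FLAG | SEP_FLAG)

def ksk_algorithms(lines):
    """Map each zone to the set of algorithm numbers used by its KSKs."""
    per_zone = {}
    for rec in map(parse_dnskey, lines):
        if is_ksk(rec):
            per_zone.setdefault(rec["owner"], set()).add(rec["algorithm"])
    return per_zone

def algorithm_share(per_zone):
    """Percentage of zones per KSK algorithm; a zone mid-rollover has two KSKs and counts for both."""
    counts = Counter(alg for algs in per_zone.values() for alg in algs)
    return {ALGORITHMS.get(alg, f"alg{alg}"): round(100 * n / len(per_zone), 1)
            for alg, n in sorted(counts.items())}
```

Run on a real zone by replacing SAMPLE_DNSKEYS with the DNSKEY RRset returned by your resolver for that name.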

TLD support for elliptic curve

So, ECDSA use is increasing for .nl domain names, but what's the situation with .nl itself? The .nl domain isn't yet signed using algorithm 13 or 14; RSA/SHA-256 (number 8) is still used. That algorithm still provides adequate security, but we're investigating what kind of rollover we should perform in due course and which algorithms we should use. Various other TLDs, including .br, .ch, and .cz, have already successfully made the switch.

Summary

Use of ECDSA is rising, and that is helping to make the internet more secure. The data in the chart above is taken from our registration database. It's updated weekly and the aggregated data is available on stats.sidnlabs.nl. Follow this blog for more interesting facts and figures about .nl.

Moritz Müller

Research engineer

moritz.muller@sidn.nl
