Increasing use of algorithm 13 for DNSSEC signing
This is the first in a new series of periodic blog posts explaining key .nl statistics, as published on stats.sidnlabs.nl. This time, we look at the accelerating adoption of algorithm 13 – an elliptic curve-based cryptographic algorithm used with the domain name security protocol DNSSEC.
DNSSEC is a system that lets registrants add digital signatures to their domain names. Resolvers can then verify the reliability of incoming information about the signed domain names. The system depends on cryptographic signing of the information about domain names recorded in the DNS. Since 2016, it's been possible to sign .nl domain names using modern, elliptic curve-based algorithms. Such algorithms are also widely supported by resolvers: scanning shows that nearly as many DNSSEC-validating resolvers support the algorithms as older and currently more widely used algorithms. On rootcanary.org, you can see for yourself which algorithms your resolver supports. Against that background, we thought it would be interesting to review the state of play three years on from the new algorithms being enabled.
Why elliptic curve?
The algorithms introduced in 2016 are ECDSAP256SHA256 (known for short as 'number 13') and ECDSAP384SHA384 (number 14). They have major advantages over older algorithms: signatures created using the modern algorithms are just as secure as, for example, signatures based on the RSA algorithms, but much shorter. That reduces the scope for abuse in the context of DDoS attacks and prevents DNSSEC information becoming too bulky for certain parts of the internet to handle. The RFC 8624 standard was therefore recently updated to say that DNSSEC software developers should support algorithm 13. More information about ECDSA is given in a previous blog post.
Elliptic curve on the up in .nl
DNSSEC-algorithms used in .nl From the chart above, you can see that nearly 7 per cent of signed .nl domain names make use of algorithm 13. In other words, their key signing key (KSK) is based on algorithm 13. A year ago, the figure was just 3.5 per cent. Popular domain names signed using algorithm 13 include surfnet.nl, kpn.nl and rijksmuseum.nl. Algorithm 14 is currently used in less than 1 per cent of cases. That's not a matter of concern, since algorithm 13 is secure enough to be used for a long time to come. Of the domain names now signed with algorithm 13, 32 per cent were previously signed using an older algorithm. Switching from an older algorithm to algorithm 13 involves the operator performing an 'algorithm rollover'. The other 68 per cent of the algorithm-13 domain names were not previously signed using DNSSEC.
TLD support for elliptic curve
So, ECDSA use is increasing for .nl domain names, but what's the situation with .nl itself? The .nl domain isn't yet signed using algorithm 13 or 14; RSA/SHA-256 (number 8) is still used. That algorithm still provides adequate security, but we're investigating what kind of rollover we should perform in due course and which algorithms we should use. Various other TLDs, including .br, .ch, and .cz, have already successfully made the switch.
Use of ECDSA is rising, and that is helping to make the internet more secure. The data in the chart above is taken from our registration database. It's updated weekly and the aggregated data is available on stats.sidnlabs.nl. Follow this blog for more interesting facts and figures about .nl.