Increasing use of algorithm 13 for DNSSEC signing

This is the first in a new series of periodic blog posts explaining key .nl statistics, as published on stats.sidnlabs.nl. This time, we look at the accelerating adoption of algorithm 13 – an elliptic curve-based cryptographic algorithm used with the domain name security protocol DNSSEC.

DNSSEC is a system that lets registrants add digital signatures to their domain names. Validating resolvers can then verify that the information they receive about those domain names is authentic and has not been altered in transit. The system depends on cryptographic signing of the information about domain names recorded in the DNS. Since 2016, it's been possible to sign .nl domain names using modern, elliptic curve-based algorithms. Such algorithms are also widely supported by resolvers: our scans show that almost as many DNSSEC-validating resolvers support the elliptic curve algorithms as support the older, currently more widely used ones. On rootcanary.org, you can see for yourself which algorithms your resolver supports. Against that background, we thought it would be interesting to review the state of play three years on from the new algorithms being enabled.

Why elliptic curve?

The algorithms introduced in 2016 are ECDSAP256SHA256 (known for short as 'number 13') and ECDSAP384SHA384 (number 14). They have major advantages over older algorithms: signatures created using the modern algorithms are just as secure as, for example, signatures based on the RSA algorithms, but much shorter. That reduces the scope for abuse in DDoS attacks and prevents DNSSEC responses from becoming too bulky for some parts of the internet to handle. The RFC 8624 standard was therefore recently updated to say that DNSSEC software developers should support algorithm 13. More information about ECDSA is given in a previous blog post.

Elliptic curve on the up in .nl

Chart 1 - DNSSEC algorithms used in .nl

From the chart above, you can see that nearly 7 per cent of signed .nl domain names make use of algorithm 13. In other words, their key signing key (KSK) is based on algorithm 13. A year ago, the figure was just 3.5 per cent. Popular domain names signed using algorithm 13 include surfnet.nl, kpn.nl and rijksmuseum.nl. Algorithm 14 is currently used in less than 1 per cent of cases. That's not a matter of concern, since algorithm 13 is secure enough to be used for a long time to come. Of the domain names now signed with algorithm 13, 32 per cent were previously signed using an older algorithm. Switching from an older algorithm to algorithm 13 requires the operator to perform an 'algorithm rollover'. The other 68 per cent of the algorithm-13 domain names were not previously signed using DNSSEC.
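To make the two points above concrete, the KSK-based counting behind the chart and the signature-size difference between RSA and ECDSA, here is an added example (not SIDN's own code or data). It parses presentation-format DNSKEY records, identifies KSKs by the SEP flag, tallies the KSK algorithm per zone, and derives the RRSIG signature size each key produces; the zones and keys are constructed samples, and `example-rollover.nl` shows a zone caught mid-rollover with KSKs of both algorithms.

```python
import base64
from collections import Counter

# IANA DNSSEC algorithm numbers used here. ECDSA signatures are fixed-size (r||s);
# an RSA signature is as long as the modulus, which we read from the RFC 3110 key.
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
ECDSA_SIG_LEN = {13: 64, 14: 96}
SEP_FLAG = 0x0001  # Secure Entry Point bit: set on KSKs (flags 257), clear on ZSKs (256)

def rsa_modulus_len(pubkey: bytes) -> int:
    """Modulus length from an RFC 3110 RSA key: exponent-length | exponent | modulus."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:  # long form: a 2-byte exponent length follows
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    return len(pubkey) - offset - exp_len

def signature_len(alg: int, pubkey: bytes) -> int:
    """Byte length of an RRSIG signature made with this key."""
    if alg in ECDSA_SIG_LEN:
        return ECDSA_SIG_LEN[alg]
    if alg in (5, 7, 8, 10):
        return rsa_modulus_len(pubkey)
    raise ValueError(f"unsupported algorithm {alg}")

def parse_dnskey(rdata: str):
    """Parse DNSKEY RDATA '<flags> <protocol> <alg> <base64 key>' into (flags, alg, key)."""
    flags, protocol, alg, *key_parts = rdata.split()
    if int(protocol) != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    return int(flags), int(alg), base64.b64decode("".join(key_parts))

def rdata_signature_len(rdata: str) -> int:
    _, alg, pubkey = parse_dnskey(rdata)
    return signature_len(alg, pubkey)

def ksk_algorithm_share(zones: dict) -> dict:
    """Per-algorithm share of zones, counted by KSK algorithm as the chart does.
    A zone mid-rollover has KSKs of two algorithms and is counted under both."""
    counts = Counter()
    for dnskeys in zones.values():
        for alg in {a for flags, a, _ in map(parse_dnskey, dnskeys) if flags & SEP_FLAG}:
            counts[ALG_NAMES.get(alg, str(alg))] += 1
    return {alg: round(100 * n / len(zones), 1) for alg, n in counts.items()}

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

# Constructed sample keys (not real key material): RSA-2048 with exponent 65537
# in RFC 3110 form, and uncompressed P-256 / P-384 points (x||y).
RSA2048, P256, P384 = b64(b"\x03\x01\x00\x01" + b"\xa5" * 256), b64(b"\x5c" * 64), b64(b"\x5c" * 96)
SAMPLE_ZONES = {  # constructed sample zones, not .nl registry data
    "example-rsa.nl": [f"257 3 8 {RSA2048}", f"256 3 8 {RSA2048}"],
    "example-ecdsa.nl": [f"257 3 13 {P256}", f"256 3 13 {P256}"],
    "example-rollover.nl": [f"257 3 8 {RSA2048}", f"257 3 13 {P256}", f"256 3 13 {P256}"],
    "example-p384.nl": [f"257 3 14 {P384}"],
}
```

Running `ksk_algorithm_share(SAMPLE_ZONES)` on the constructed set gives 50 per cent for RSASHA256, 50 per cent for ECDSAP256SHA256 and 25 per cent for ECDSAP384SHA384, while `rdata_signature_len` shows the 256-byte RSA signature against 64 bytes for algorithm 13.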

TLD support for elliptic curve

So, ECDSA use is increasing for .nl domain names, but what's the situation with .nl itself? The .nl domain isn't yet signed using algorithm 13 or 14; RSA/SHA-256 (number 8) is still used. That algorithm still provides adequate security, but we're investigating what kind of rollover we should perform in due course and which algorithms we should use. Various other TLDs, including .br, .ch, and .cz, have already successfully made the switch.

Summary

Use of ECDSA is rising, and that is helping to make the internet more secure. The data in the chart above is taken from our registration database; it is updated weekly, and the aggregated figures are available on stats.sidnlabs.nl. Follow this blog for more interesting facts and figures about .nl.

Moritz Müller

Research engineer

+31 26 35 255 00

moritz.muller@sidn.nl
