At the IEPG meeting today at IETF92, Geoff presented on the APNIC labs measurement of the EC-DSA algorithm support in DNSSEC. Elliptic Curve cryptography is interesting for two reasons: firstly, its capable of being computed about 10 times faster than the more commonly deployed RSA algorithm. And secondly, the computed signatures are 10 times smaller.
The first reason is just icing on the cake. But the second reason is critical: it means that we can produce DNSSEC signed packets which are significantly shorter than the ones signed with RSA. This is good, because as the key length required in RSA keeps rising (over time, computers become faster, and more capable of cracking the RSA cryptography by exhaustive search, and there is always the risk somebody finds a faster path to break the key) the signature length increases in size. This has the consequent outcome on DNS packet size, and we have reached the point where “rolling the key” in RSA, which means carrying two signatures at the same time, will probably make a packet which is too big for many DNS systems and infrastructure to cope with.
If we can use EC-DSA, we get smaller packets. Which means more people can see DNSSEC signed DNS packets. But there’s a problem: because of Intellectual Property concerns, a significant volume of DNS systems worldwide do not implement the EC-DSA algorithm. The ones in question, which are Fedora, RedHat and Centos derived Operating Systems should by now have been updated to newer code releases which do accept EC-DSA, because the IPR claims have been roundly rejected. However, in the Internet a lot of DNS infrastructure is being left un-upgraded and as a consequence a lot of DNSSEC services cannot understand EC-DSA.
Based on our experiments, out of an 18 day sample period, we saw 11 million people. Approximately 24% were doing DNSSEC, but of these only 19% of the original sample could do EC-DSA: one in five of the validating clients couldn’t handle it. Overall, this is an improvement, because when we first did this experiment six months ago, it was over one in three which couldn’t do EC-DSA. But it does mean that a significant subset of the DNSSEC aware community cannot handle this efficient, smaller signing method.
A shame, because this has very good prospects for making key rollover in the DNS more widely acceptable in the long term.
APNIC Labs has a pretty good list of which resolvers inside which ASN are having a problem. This is a tractable problem space we should be working on. If we could reduce the set of old, outdated resolvers, we could make EC-DSA a more attractive proposition.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.