research-article

The Reality of Algorithm Agility: Studying the DNSSEC Algorithm Life-Cycle

Authors:

Roland van Rijswijk-DeijAuthors Info & Claims

IMC '20: Proceedings of the ACM Internet Measurement Conference

Pages 295 - 308

https://doi.org/10.1145/3419394.3423638

Published: 27 October 2020 Publication History

Get Access

Abstract

The DNS Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System (DNS), the naming system of the Internet. With DNSSEC, signatures are added to the information provided in the DNS using public key cryptography. Advances in both cryptography and cryptanalysis make it necessary to deploy new algorithms in DNSSEC, as well as deprecate those with weakened security. If this process is easy, then the protocol has achieved what the IETF terms "algorithm agility".

In this paper, we study the lifetime of algorithms for DNSSEC. This includes: (i) standardizing the algorithm, (ii) implementing support in DNS software, (iii) deploying new algorithms at domains and recursive resolvers, and (iv) replacing deprecated algorithms. Using data from more than 6.7 million signed domains and over 10,000 vantage points in the DNS, combined with qualitative studies, we show that DNSSEC has only partially achieved algorithm agility. Standardizing new algorithms and deprecating insecure ones can take years. We highlight the main barriers for getting new algorithms deployed, but also discuss success factors. This study provides key insights to take into account when new algorithms are introduced, for example when the Internet must transition to quantum-safe public key cryptography.

Supplementary Material

MP4 File (imc2020-136-long_01.mp4)

In this video, we present some of our findings of our paper ?The Reality of Algorithm Agility: Studying the DNSSEC Algorithm Life-Cycle?. We study the lifetime of algorithms for DNSSEC, the security extensions of the Domain Name System (DNS). This includes: (i) standardizing the algorithm, (ii) implementing support in DNS software, (iii) deploying new algorithms at domains and recursive resolvers, and (iv) replacing deprecated algorithms. Using data from more than 6.7 million signed domains and over 10,000 vantage points in the DNS, combined with qualitative studies, we show that DNSSEC has only partially achieved algorithm agility. Standardizing new algorithms and deprecating insecure ones can take years. We highlight the main barriers for getting new algorithms deployed, but also discuss success factors. Our study provides key insights to take into account when new algorithms are introduced, for example when the Internet must transition to quantum-safe public key cryptography.

Download
267.91 MB

References

[1]

R. Arends, R. Austein, M. Larson, D. Massey, and S. Rose. 2005. DNS Security Introduction and Requirements. RFC 4033 (Proposed Standard)., 21 pages. https://doi.org/10.17487/RFC4033 Updated by RFCs 6014, 6840.

Abstract

Supplementary Material

References

Cited By

Recommendations

RFC 6277: Online Certificate Status Protocol Algorithm Agility

RFC 8636: Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Algorithm Agility

Cryptographic agility and its relation to circular encryption

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations