DNSSEC: Nameshield adopts ECDSA


DNSSEC is the protocol that guarantees the integrity of DNS resolution by establishing a chain of trust all the way back to the root. Data security is ensured by a mechanism of cryptographic keys that sign DNS zone records. Historically, DNS operators have used RSA keys (RSASHA256 algorithm), renowned for their robustness.

As an alternative to this asymmetric cryptographic algorithm, there are elliptic curve algorithms. In the case of DNSSEC, the “ECDSA Curve P-256 with SHA-256” algorithm (RFC 6605 and 8624) offers a higher level of security with smaller key sizes.

The ECDSA algorithm is increasingly being implemented by major players in the domain names industry, such as Verisign and AFNIC, and aims to become the standard.

This has several advantages over our current implementation:

  • Smaller signatures and smaller zone files (approx. -33%);
  • Faster zone transfer and reload;
  • Improved signing performance;
  • Potentially faster DNS requests (less reliance on IP fragmentation);
  • Reduced amplification factor of DDoS attacks based on DNS.

For all these reasons, Nameshield has chosen to use this algorithm by default to secure its own domain names and those of its customers.

Image credit : Nameshield with storyset.com

Author: Steve DESPRES

Developer - Nameshield group