New DNSSEC algorithm for .nl | Cybersecurity | SIDN
DNSSEC is a technology that protects internet users against manipulation of the Domain Name System (DNS). With DNSSEC, the validity of DNS responses is assured by providing them with digital signatures. SIDN generates the digital signatures for .nl. We do that by using a cryptographic algorithm. At the moment, we use DNSSEC algorithm 8 (RSA/SHA-256) for the .nl zone. However, another algorithm – algorithm 13, ECDSA Curve P-256 with SHA-256 – is now available, which yields smaller DNS responses and better security. Since algorithm 13 is now widely supported and the smaller responses make it harder to abuse the DNS for DDoS attacks, we have decided to start using the new algorithm for .nl. Another reason for making the switch is that signatures generated using algorithm 13 are slightly harder to verify. Although that might sound like a disadvantage, it means that it's harder for crooks to 'crack' the signatures because more verification work is involved.
This blog describes the various steps in the process of rolling over to the new algorithm. We'll be gradually adding new information to the blog over time.
SIDN switches .nl zone from DNSSEC algorithm 8 to algorithm 13
The general timetable is as follows:
- 2023-07-04: phase 0 (preparation)
- 2023-07-05: phase 1 (modification of OpenDNSSEC policies, so that EC keys can be used, and checking that everything works properly)
- 2023-07-11: phase 2 (addition of new DS record to the root zone)
- 2023-07-14: phase 3* (checking the algorithm 13 key path and whether algorithm 8 keys are in decline)
- 2023-07-17: phase 4* (deletion of the algorithm 8 DS record from the root zone)
- 2023-07-19: phase 5* (telling OpenDNSSEC to delete the algorithm 8 keys)
* In these phases we depend on IANA, so the dates may change.
Phase 0
Preparation
During the preparatory phase, we'll organise effective internal and external monitoring of the rollover. In anticipation, on 24 May we already made modifications to the signature generation and signing process, aimed at speeding it up. Tests in our acceptance environment have shown that, without the changes, the process would take more than half an hour. That would be problematic, since we generate a new zone every half an hour. Our new, faster Hardware Security Modules can easily perform the calculations for the new digital signatures, but the need to verify the 20 million-plus signatures after signing represents a significant bottleneck.
We use DNSviz.net to support the process visually. In phase 0 it looks like this:
Figure 1: Visualization of phase 0 of the rollover from algorithm 8 to 13 for .nl.
https://dnsviz.net/d/nl/ZKO0xA/dnssec/
Phase 1
Modification of OpenDNSSEC policies, so that EC keys can be used, and checking that everything works properly
In this phase, we will modify our OpenDNSSEC configuration to enable the generation of keys based on algorithm 13, because during the transition phase both types of signature must be present. Activation of the new configuration will be apparent from the presence of additional DNSKEY records in the zone. The inclusion of the additional records will mean that generation and publication of the zone takes roughly 4 minutes longer than at the end of phase 0. All records will be signed using both algorithms, increasing the size of our zone by roughly 41 per cent.
We will of course be backing up the new keys, so that they can be recovered in case of an emergency.
After that, we have to wait for the keys to be propagated around the world. Because DNS records are cached to enable rapid query response, and as a buffer against DNS outages, we have to wait for all cached data to be refreshed, so that the new keys are present everywhere. This takes about 150 hours. We can then proceed to the next phase.
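The reason both signature types must be present during the transition is a signer-side rule (RFC 4035 section 2.2, restated in RFC 6840 section 5.11): a zone must carry a DNSKEY for every algorithm in its DS RRset, and must be signed with every algorithm present in its DNSKEY RRset. The following Python is an added example, not SIDN's code or tooling; it models each phase of the plan above as a snapshot of (DS algorithms in the root, DNSKEY algorithms at the apex, RRSIG algorithms over the zone) and checks that snapshot against the rule, so that an out-of-order step shows up as a broken chain before it is deployed. The phase snapshots are my reading of the timetable, not data taken from the zone.

```python
# Added example (not SIDN's code): check one snapshot of a zone against the
# signer-side algorithm rules of RFC 4035 s2.2 / RFC 6840 s5.11. Validators
# are told to accept any single valid path, but the signing side is held to
# the strict rule, which is why keys and signatures go in before the DS record
# and come out only after it.

ALG_RSASHA256 = 8         # DNSSEC algorithm 8, RSA/SHA-256
ALG_ECDSAP256SHA256 = 13  # DNSSEC algorithm 13, ECDSA Curve P-256 with SHA-256


def rollover_state_problems(ds_algs, dnskey_algs, rrsig_algs):
    """Return a list of rule violations for one snapshot of the zone.

    ds_algs     -- algorithms of the DS records published in the parent (root)
    dnskey_algs -- algorithms of the DNSKEY records at the child zone apex
    rrsig_algs  -- algorithms with which every RRset in the zone is signed
    An empty list means the snapshot is consistent.
    """
    ds_algs, dnskey_algs, rrsig_algs = set(ds_algs), set(dnskey_algs), set(rrsig_algs)
    problems = []
    # Every DS algorithm needs a matching DNSKEY, or that DS points at nothing.
    for alg in sorted(ds_algs - dnskey_algs):
        problems.append(f"DS for algorithm {alg} but no DNSKEY with that algorithm")
    # Every DNSKEY algorithm must actually sign the zone data.
    for alg in sorted(dnskey_algs - rrsig_algs):
        problems.append(f"DNSKEY algorithm {alg} present but zone not signed with it")
    # If no DS algorithm matches any DNSKEY there is no chain of trust at all.
    if ds_algs and not (ds_algs & dnskey_algs):
        problems.append("no DS algorithm matches any DNSKEY: chain of trust broken")
    return problems


# Assumed snapshot at the end of each phase in the timetable above, as
# (DS algorithms, DNSKEY algorithms, RRSIG algorithms).
PHASE_SNAPSHOTS = {
    0: ({8}, {8}, {8}),              # preparation: algorithm 8 only
    1: ({8}, {8, 13}, {8, 13}),      # EC keys added, everything double-signed
    2: ({8, 13}, {8, 13}, {8, 13}),  # second DS record added in the root
    3: ({8, 13}, {8, 13}, {8, 13}),  # verification only, no change to the zone
    4: ({13}, {8, 13}, {8, 13}),     # algorithm 8 DS record removed from the root
    5: ({13}, {13}, {13}),           # algorithm 8 keys and signatures withdrawn
}


def check_plan(snapshots=PHASE_SNAPSHOTS):
    """Map each phase number to its list of problems (all empty for a sound plan)."""
    return {phase: rollover_state_problems(*snap)
            for phase, snap in sorted(snapshots.items())}


if __name__ == "__main__":
    for phase, problems in check_plan().items():
        print(f"phase {phase}: {'ok' if not problems else problems}")
    # Two out-of-order shortcuts, to show why the phase order matters:
    print("DS added before the EC keys:",
          rollover_state_problems({8, 13}, {8}, {8}))
    print("algorithm 8 keys deleted before its DS:",
          rollover_state_problems({8}, {13}, {13}))
```

Running the block reports every planned phase as consistent, while the two shortcuts (publishing the algorithm 13 DS before phase 1, or deleting the algorithm 8 keys before phase 4 has removed its DS) each produce a broken chain, which is exactly what the propagation waits between phases are protecting against.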
The visualization after phase 1 looks like this:
Figure 2: Visualization of phase 1 of the rollover from algorithm 8 to 13 for .nl.
https://dnsviz.net/d/nl/ZKUx5g/dnssec/
Phase 2
Addition of new DS record to the root zone
Activation of the new algorithm requires the addition of a DS record to the root zone. The record will be added by following an IANA procedure that involves approval of the change by multiple people. Because we'll be dependent on outside organisations and people, we cannot say exactly how long this phase will last.
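A DS record is derived deterministically from the child's DNSKEY (RFC 4034 section 5.1.4: the digest is taken over the canonical owner name followed by the DNSKEY RDATA, and the key tag comes from RFC 4034 Appendix B), so both the record handed to IANA and the record later seen in the root can be checked against the key. The Python below is an added example and not SIDN's code; the 64-byte key material is constructed filler standing in for a P-256 public key, and the owner name, flags and digest type are assumptions for illustration.

```python
import hashlib
import struct

# Added example (not SIDN's code): derive the DS record for a DNSKEY and verify
# that a DS observed in the parent matches the key it is supposed to cover.
# Only digest type 2 (SHA-256, RFC 4509) is implemented here.

DIGEST_SHA256 = 2
ALG_ECDSAP256SHA256 = 13
KSK_FLAGS = 257          # zone key bit + SEP bit
DNSKEY_PROTOCOL = 3      # always 3 for DNSSEC

# CONSTRUCTED filler for a P-256 key (x || y, 64 bytes, RFC 6605); not a real key.
FAKE_P256_PUBLIC_KEY = bytes(range(64))


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case labels, RFC 4034 s6.2."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=DIGEST_SHA256):
    """Return (key_tag, algorithm, digest_type, digest_hex) for the given DNSKEY."""
    if digest_type != DIGEST_SHA256:
        raise ValueError("only SHA-256 DS digests are supported in this example")
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, public_key):
    """True only when the DS tuple is exactly the one derived from the DNSKEY."""
    try:
        return tuple(ds) == ds_record(owner, flags, protocol, algorithm, public_key, ds[2])
    except ValueError:
        return False


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record("nl.", KSK_FLAGS, DNSKEY_PROTOCOL,
                                        ALG_ECDSAP256SHA256, FAKE_P256_PUBLIC_KEY)
    print(f"nl. IN DS {tag} {alg} {dtype} {digest}")
```

The same derivation serves the later check in phase 4: a DS record that no longer matches any DNSKEY at the apex is one that should already have been withdrawn.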
Figure 3: Visualization of phase 2 of the rollover from algorithm 8 to 13 for .nl. The additional DS record has been added.
https://dnsviz.net/d/nl/ZLDMUA/dnssec/
Phase 3
Checking the algorithm 13 key path and whether algorithm 8 keys are in decline
As soon as the new DS record has been published in the root, people will be able to use the DNSSEC path used by algorithm 13. Before we take any further action, however, we'll have to wait long enough to be sure that the new DS record has been propagated around the world.
Once our monitoring indicates that the algorithm 13 path is fully functional everywhere, we can commit to deleting the algorithm 8 keys. If that fails for any reason, we'll still be able to revert to using algorithm 8 on its own.
Phase 4
Deletion of the algorithm 8 DS record from the root zone
In this phase, we'll follow another IANA procedure to get the DS record for algorithm 8 deleted from the root zone. Once that's been done, only algorithm 13 will be active in the DNSSEC path for .nl.
Figure 4: Visualization of phase 4 of the rollover from algorithm 8 to 13 for .nl. Algorithm 8 is removed.
https://dnsviz.net/d/nl/ZLDMUA/dnssec/
Phase 5
Telling OpenDNSSEC to delete the algorithm 8 keys
Once the DS record for algorithm 8 has been deleted worldwide, we can give OpenDNSSEC the command to delete the keys for algorithm 8. The DNSKEY records will then disappear from the zone. As a result, the zone will decrease in size by roughly 42 per cent, and the process of signing the .nl zone will take about 3 minutes less.