Public Review for Making the Case for Elliptic Curves in DNSSEC

Abstract

Like many of the Internet's protocols, DNS was designed without security in mind. Given its central role in translating human-readable names into IP addresses, it constitutes an Achilles' heel in terms of Internet security. This fact has not gone unnoticed, with active development on DNS Security Extensions (DNSSEC), which add integrity and authenticity to the DNS by digitally signing DNS data. However, DNSSEC deployment has been lackluster. The authors argue that there are three problems at the core of the deployment impasse. DNSSEC responses are large, which can (1) result in IP fragmentation and (2) open the door for DDoS based on DNSSEC. Third, key management complexities can result in domains becoming unreachable. The authors argue that the choice of RSA for DNSSEC is at the heart of these problems, and they evaluate the potential benefits of leveraging elliptic curve cryptography (ECC) instead to ameliorate these issues. The reviewers appreciated the data-driven approach taken in this paper, which uses data from a real network to evaluate the potential gains of ECC. They found the arguments for ECC convincing, with empirical evaluations of how ECC can help mitigate threats such as amplification attacks as well as key rollover management issues. The reviewers also raised open questions about the transition to ECC from RSA and how the two signature schemes could co-exist during the transition period. The potential overheads of verification for ECC signatures were also raised. The reviewers agree that the problem tackled in this paper is an important one, and the data-driven approach provides a convincing argument for ECC. The work also raises interesting questions about how a transition to ECC would occur in practice and whether there are other factors hindering deployment aside from the issues raised about RSA.

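Bibliographic record

  • Source
    Computer communication review | 2015, Issue 5 | pp. 13-13 | 1 page
  • Author

    Phillipa Gill;

  • Author affiliation

    Stony Brook University, USA;

  • Indexed in: Science Citation Index (SCI), USA;
  • Original format: PDF
  • Text language: eng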