We have upgraded the DNSSEC lock cylinders and distributed new keys

... and nobody noticed a thing!

Over the past few weeks, we have quietly replaced the digital keys used for DNSSEC functionality within our authoritative nameservers with smaller, yet more effective versions.

If you have a domain name and BIT manages your DNS, there’s a good chance that BIT has also set up DNSSEC for you, meaning your domain in DNS now has a shiny new key.
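For a domain owner who wants to confirm that the rollover has actually landed, the quickest check is to look at the DNSKEY records the authoritative servers now publish and read off the algorithm number (13 is ECDSAP256SHA256, 8 is RSASHA256). The following Go program is an added example, not code from BIT or from this post: it parses dig-style DNSKEY output (the two samples are constructed, including the base64 key material, and do not belong to any real zone) and reports whether only ECDSA P-256 keys remain. The algorithm-number table comes from the IANA DNSSEC algorithm registry; the "RolloverComplete" rule (no RSA-family keys left, at least one algorithm 13 key present) is this example's own assumption of what "done" means.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// DNSSEC algorithm numbers from the IANA registry that matter here.
var algorithmNames = map[int]string{
	5:  "RSASHA1",
	7:  "RSASHA1-NSEC3-SHA1",
	8:  "RSASHA256",
	10: "RSASHA512",
	13: "ECDSAP256SHA256",
	14: "ECDSAP384SHA384",
	15: "ED25519",
}

// DNSKEYSummary describes one DNSKEY record from presentation-format output.
type DNSKEYSummary struct {
	Owner     string
	Flags     int
	Role      string // "KSK" when the SEP bit (flags & 1) is set, otherwise "ZSK"
	Algorithm int
	AlgName   string
}

// SampleDuringRollover is constructed output: an RSA and an ECDSA key are both published.
const SampleDuringRollover = `;; ANSWER SECTION:
example.org.  3600 IN DNSKEY 257 3 8  AwEAAcONSTRUCTEDrsaKSKkeyMaterialOnlyForThisExample==
example.org.  3600 IN DNSKEY 256 3 8  AwEAAcONSTRUCTEDrsaZSKkeyMaterialOnlyForThisExample==
example.org.  3600 IN DNSKEY 257 3 13 cONSTRUCTEDecdsaKSKkeyMaterialOnlyForThisExample0123==
example.org.  3600 IN DNSKEY 256 3 13 cONSTRUCTEDecdsaZSKkeyMaterialOnlyForThisExample0123==
`

// SampleAfterRollover is constructed output once the RSA keys have been withdrawn.
const SampleAfterRollover = `;; ANSWER SECTION:
example.org.  3600 IN DNSKEY 257 3 13 cONSTRUCTEDecdsaKSKkeyMaterialOnlyForThisExample0123==
example.org.  3600 IN DNSKEY 256 3 13 cONSTRUCTEDecdsaZSKkeyMaterialOnlyForThisExample0123==
`

// ParseDNSKEYs reads dig-style output and summarises every DNSKEY line in it.
// Field order in presentation format is: owner ttl class DNSKEY flags protocol algorithm key.
func ParseDNSKEYs(digOutput string) ([]DNSKEYSummary, error) {
	var out []DNSKEYSummary
	sc := bufio.NewScanner(strings.NewReader(digOutput))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, ";") {
			continue // dig comment or blank line
		}
		f := strings.Fields(line)
		if len(f) < 8 || f[3] != "DNSKEY" {
			continue // some other record type
		}
		flags, err := strconv.Atoi(f[4])
		if err != nil {
			return nil, fmt.Errorf("bad flags field %q: %w", f[4], err)
		}
		alg, err := strconv.Atoi(f[6])
		if err != nil {
			return nil, fmt.Errorf("bad algorithm field %q: %w", f[6], err)
		}
		role := "ZSK"
		if flags&1 == 1 {
			role = "KSK"
		}
		name, ok := algorithmNames[alg]
		if !ok {
			name = "unknown"
		}
		out = append(out, DNSKEYSummary{f[0], flags, role, alg, name})
	}
	return out, sc.Err()
}

// RolloverComplete applies this example's assumed rule: no RSA-family keys remain
// and at least one ECDSAP256SHA256 key is published.
func RolloverComplete(keys []DNSKEYSummary) bool {
	haveECDSA := false
	for _, k := range keys {
		switch k.Algorithm {
		case 5, 7, 8, 10:
			return false
		case 13:
			haveECDSA = true
		}
	}
	return haveECDSA
}

func main() {
	for _, sample := range []string{SampleDuringRollover, SampleAfterRollover} {
		keys, err := ParseDNSKEYs(sample)
		if err != nil {
			panic(err)
		}
		for _, k := range keys {
			fmt.Printf("%s %s alg %d (%s)\n", k.Owner, k.Role, k.Algorithm, k.AlgName)
		}
		fmt.Println("rollover complete:", RolloverComplete(keys))
	}
}
```

In practice you would feed it the answer section of `dig +dnssec DNSKEY <your-domain>` against one of the authoritative servers; during a double-signature algorithm rollover it is normal to see both algorithms at once, so the check only passes once the old keys have been withdrawn.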

A Quick Refresher

DNSSEC uses digital signatures to give cryptographic proof that the answer a nameserver returns hasn’t been altered in transit: if the signature validates, you can trust that the answer is correct.

DNSSEC deals with the authenticity of DNS traffic but not its confidentiality, so it doesn’t encrypt DNS requests – that’s a whole different ball game.

How It All Began

The adoption of DNSSEC has been a long, slow journey, as the standard has existed since 2005. However, it only started to become useful to deploy “validating resolvers” four years later when a few daredevils within the .com top-level domain had digitally signed their DNS zones.

Along with XS4ALL (at the time), BIT was one of the first providers to enforce validation of DNS responses for users of our DNS resolvers in late 2009.

It wasn’t until three years later, in 2012, that it became possible to secure .nl domains with DNSSEC. BIT jumped on this opportunity, and by the end of that year, we had equipped all domains under our responsibility with DNSSEC.

In the years that followed, DNSSEC slowly but surely gained more attention. Now it’s on Comply-or-Explain lists and comes up in various information system audits.

What About Those Keys?

Cryptography, digital signatures – you might be familiar with these from HTTPS / TLS: it all works in a ‘Public Key Infrastructure’, often abbreviated to PKI.

To create a digital signature or encrypt data digitally, a digital key pair is needed. It’s actually one key, but it consists of a public part and a private part.

The private part creates a digital signature, and the public part “fits” and validates that signature.

When the world started with this, “RSA” technology seemed the best choice for digital keys. With a “bit size” of 1024 or even 2048 bits! That seemed secure enough for the future…

But computers are getting faster by the day, computer clusters are getting bigger, and meanwhile newer techniques provide better security with less computing power.

We’ve therefore switched from RSA keys of 2048 bits to ECDSA keys of 256 bits, 1792 fewer bits. The digital signatures are also significantly smaller, which makes more efficient use of DNS.
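To put numbers on "smaller keys, smaller signatures" and on the validation described under the refresher above, here is an added Go example (written for this page, not BIT's code) that signs a constructed RRset with a fresh RSA-2048 key and a fresh ECDSA P-256 key and measures the public key and signature fields exactly as they would be encoded in DNSKEY and RRSIG RDATA: RFC 3110 for RSA (exponent length byte, exponent, modulus) and RFC 6605 for ECDSA (X||Y and r||s, 32 bytes each). It also shows that the public key accepts the genuine RRset and rejects a single changed byte. The sample record text and the keys are generated at run time and belong to no real zone.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// sampleRRset is constructed stand-in data for the bytes a signer would hash.
var sampleRRset = []byte("example.org. 3600 IN A 192.0.2.1")

// SizeReport records what an algorithm costs on the wire in DNSKEY and RRSIG RDATA.
type SizeReport struct {
	Algorithm   string
	KeyBits     int
	DNSKEYBytes int // public key field of the DNSKEY RDATA
	RRSIGBytes  int // signature field of the RRSIG RDATA
}

// rsaKeyField builds the RFC 3110 public key field: exponent length, exponent, modulus.
func rsaKeyField(pub *rsa.PublicKey) []byte {
	exp := big.NewInt(int64(pub.E)).Bytes()
	out := []byte{byte(len(exp))} // exponents shorter than 256 bytes use a one-byte length
	out = append(out, exp...)
	return append(out, pub.N.Bytes()...)
}

// ecdsaKeyField builds the RFC 6605 public key field: X || Y, 32 bytes each for P-256.
func ecdsaKeyField(pub *ecdsa.PublicKey) []byte {
	out := make([]byte, 64)
	pub.X.FillBytes(out[:32])
	pub.Y.FillBytes(out[32:])
	return out
}

// ecdsaSigField builds the RFC 6605 signature field: r || s, 32 bytes each.
func ecdsaSigField(r, s *big.Int) []byte {
	out := make([]byte, 64)
	r.FillBytes(out[:32])
	s.FillBytes(out[32:])
	return out
}

// RSA2048Report signs the sample RRset with a fresh RSA-2048 key and reports field sizes.
func RSA2048Report() (SizeReport, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return SizeReport{}, err
	}
	digest := sha256.Sum256(sampleRRset)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SizeReport{}, err
	}
	return SizeReport{"RSASHA256", 2048, len(rsaKeyField(&priv.PublicKey)), len(sig)}, nil
}

// ECDSAP256Report does the same with a fresh ECDSA P-256 key.
func ECDSAP256Report() (SizeReport, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return SizeReport{}, err
	}
	digest := sha256.Sum256(sampleRRset)
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return SizeReport{}, err
	}
	return SizeReport{"ECDSAP256SHA256", 256, len(ecdsaKeyField(&priv.PublicKey)), len(ecdsaSigField(r, s))}, nil
}

// ValidatesAndDetectsTampering signs the RRset with ECDSA P-256, then checks that the
// public key accepts the genuine bytes and rejects a copy with one byte changed.
func ValidatesAndDetectsTampering() (genuineOK bool, tamperedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	digest := sha256.Sum256(sampleRRset)
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return false, false, err
	}
	genuineOK = ecdsa.Verify(&priv.PublicKey, digest[:], r, s)

	tampered := append([]byte(nil), sampleRRset...)
	tampered[len(tampered)-1] = '2' // 192.0.2.1 becomes 192.0.2.2 in transit
	tamperedDigest := sha256.Sum256(tampered)
	tamperedOK = ecdsa.Verify(&priv.PublicKey, tamperedDigest[:], r, s)
	return genuineOK, tamperedOK, nil
}

func main() {
	for _, report := range []func() (SizeReport, error){RSA2048Report, ECDSAP256Report} {
		rep, err := report()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-16s %4d-bit key: DNSKEY field %3d bytes, RRSIG field %3d bytes\n",
			rep.Algorithm, rep.KeyBits, rep.DNSKEYBytes, rep.RRSIGBytes)
	}
	ok, bad, err := ValidatesAndDetectsTampering()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine RRset validates: %v, tampered RRset validates: %v\n", ok, bad)
}
```

With Go's default public exponent of 65537 the RSA-2048 DNSKEY field is 260 bytes and each RRSIG signature 256 bytes, against 64 and 64 for ECDSA P-256; every signed RRset in a response carries that saving, which is why the switch matters for keeping DNS answers inside a single UDP packet.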

Despite the smaller number of bits and the smaller digital signatures, an attacker trying every possible value would still need about 2^256 attempts to find the private part of the key.

That’s
59285549689505892056868344324448208820874232148807968788202283012051522375647232
attempts.

We expect this to be sufficient for the next few years.

And with this ‘algorithm rollover’ from RSA to ECDSA, we’ve gained experience for the next step.

Bring it on, quantum encryption!

By: Sander Smeenk