
EEMCS EPrints Service

27654 The Performance Impact of Elliptic Curve Cryptography on DNSSEC Validation

van Rijswijk-Deij, R.M. and Hageman, K.D. and Sperotto, A. and Pras, A. (2017) The Performance Impact of Elliptic Curve Cryptography on DNSSEC Validation. IEEE/ACM Transactions on Networking, online pre-publication. pp. 1-13. ISSN 1063-6692. ISI Impact 2,186.

Full text available as: PDF (Univ. of Twente only), 6862 Kb

The Domain Name System is a core Internet infrastructure that translates names to machine-readable information, such as IP addresses. Security flaws in DNS led to a major overhaul, with the introduction of the DNS Security Extensions. DNSSEC adds integrity and authenticity to the DNS using digital signatures. DNSSEC, however, has its own concerns. It suffers from availability problems due to packet fragmentation and is a potent source of distributed denial-of-service attacks.
In earlier work we argued that many issues with DNSSEC stem from the choice of RSA as default signature algorithm. A switch to alternatives based on elliptic curve cryptography (ECC) can resolve these issues. Yet switching to ECC introduces a new problem: ECC signature validation is much slower than RSA validation. Thus, switching DNSSEC to ECC imposes a significant additional burden on DNS resolvers, pushing load toward the edges of the network. Therefore, in this paper we study the question: will switching DNSSEC to ECC lead to problems for DNS resolvers, or can they handle the extra load?
To answer this question, we developed a model that accurately predicts how many signature validations DNS resolvers have to perform. This allows us to calculate the additional CPU load ECC imposes on a resolver. Using real-world measurements from four DNS resolvers and with two open source DNS implementations, we evaluate future scenarios where DNSSEC is universally deployed. Our results conclusively show that switching DNSSEC to ECC signature schemes does not impose an insurmountable load on DNS resolvers, even in worst-case scenarios.

Item Type:Article
Research Group:EWI-DACS: Design and Analysis of Communication Systems
Research Program:CTIT-General
Research Project:FLAMINGO-2: Management Of Future Internet, Gigaport: Research on Networks
ID Code:27654
Status:Online pre-publication
Deposited On:15 March 2017
ISI Impact Factor:2,186
