What are the recommended settings for DNSSEC using ECDSA keys?

Follow

Comments

3 comments

  • Avatar
    b_p

    Don't these key lengths refer to the more traditional algorithms such as RSASHA256? Wasn't it the case that the benefit of ECDSA is that you can use shorter keys and signatures (see e.g., http://dx.doi.org/10.5121/ijesa.2015.5202)?

    Another interesting hint: https://labs.apnic.net/?p=544

  • Avatar
    Alexander Tsmokalyuk

    Thank you for the feedback. We will discuss your points with our developers and will update the article if necessary.

  • Avatar
    Konstantin Annikov

    Hello, 

    Here is the detailed answer:

     

    The following ECDSA algorithms can be used with DNSSEC: 
    https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

    13 ECDSA Curve P-256 with SHA-256 ECDSAP256SHA256 Y * [RFC6605][standards track]
    14 ECDSA Curve P-384 with SHA-384 ECDSAP384SHA384 Y * [RFC6605[standards track]

    Definitions of this algorithms and considerations about key sizes are described in the RFC mentioned above:
    https://tools.ietf.org/html/rfc6605 - Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC

    1. Introduction

    ...

    This document defines the DNSKEY and RRSIG resource records (RRs) of
    two new signing algorithms: ECDSA (Elliptic Curve DSA) with curve
    P-256 and SHA-256, and ECDSA with curve P-384 and SHA-384. (A
    description of ECDSA can be found in [FIPS-186-3].) ...

    ...

    Current estimates are that ECDSA with curve P-256 has an approximate
    equivalent strength to RSA with 3072-bit keys. Using ECDSA with
    curve P-256 in DNSSEC has some advantages and disadvantages relative
    to using RSA with SHA-256 and with 3072-bit keys. ECDSA keys are
    much shorter than RSA keys; at this size, the difference is 256
    versus 3072 bits.

    So, possible key sizes are:

    • 256 bits - for ECDSA P-256
    • 384 bits - for ECDSA P-384

    Also it is said that ECDSA with 256-bit keys has an approximate equivalent strength to RSA with 3072-bit keys.

    Let's look on RSA algorithms which can be used with DNSSEC:
    https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml

    8 RSA/SHA-256 RSASHA256 Y * [RFC5702][proposed standard]
    ...
    10 RSA/SHA-512 RSASHA512 Y * [RFC5702][proposed standard]

    https://tools.ietf.org/html/rfc5702 - Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC

    2.1. RSA/SHA-256 DNSKEY Resource Records

    ...

    For interoperability, as in [RFC3110], the key size of RSA/SHA-256
    keys MUST NOT be less than 512 bits and MUST NOT be more than 4096
    bits.

    2.2. RSA/SHA-512 DNSKEY Resource Records

    ...

    The key size of RSA/SHA-512 keys MUST NOT be less than 1024 bits and
    MUST NOT be more than 4096 bits.

    ...

    4. Deployment Considerations

    4.1. Key Sizes

    Apart from the restrictions in Section 2, this document will not
    specify what size of keys to use. That is an operational issue and
    depends largely on the environment and intended use. A good starting
    point for more information would be NIST SP 800-57 [NIST800-57].

    According to NIST SP 800-57:

    • ECDSA with 256-bit key is "equivalent" to RSA with 3072-bit key.
    • ECDSA with 384-bit key is "equivalent" to RSA with 7680-bit key.
    • Both ECDSA P-256 and ECDSA P-384 are Acceptable i.e. not known to be insecure both "through 2030" and "2031 and beyond".

    Conclusion

    It is impossible to use ECDSA with 1024-bit or 2048-bit keys for DNSSEC.
    We recommend to use ECDSA with 256-bit key (curve P-256) for both KSK (Key Signing Key) and ZSK (Zone Signing Key).

     

    Please leave a comment if you have additional questions. 

Please sign in to leave a comment.