Tags DNS / DNSSEC / Verisign

In early August, Verisign announced that they will be doing what is known as an “algorithm roll” for the three top level domains that they operate.

Verisign is the registry operator for the .COM, .NET, and .EDU top level domains. Domains registered through a registrar for COM and NET, and through EDUCAUSE for EDU domains, are tracked and managed by Verisign, and they publish the related DNS zones.

DNSSEC signing a zone involves generating a cryptographic key pair using a particular signature algorithm. Although all public key algorithms rest on the same basic mathematical concepts, each one has its own approach to key and signature generation, which means each differs in its resistance to attack and in the size of the keys and signatures that using it produces.

The Verisign-operated TLDs started out using the RSA/SHA-256 algorithm when they were first DNSSEC signed, as was the best practice at the time. Since then, best practices have changed as newer algorithms have been standardized. The new algorithm that Verisign is moving to is the Elliptic Curve Digital Signature Algorithm (ECDSA), using curve P-256 with SHA-256 hashes. In addition to being considered more secure than RSA/SHA-256, ECDSA also results in much smaller keys and signatures, which is a benefit all on its own.

An algorithm roll like this doesn’t happen very often, but it’s a very standard procedure which is well tested. Over the course of the last couple of years I’ve done exactly the same algorithm roll (from RSASHA256 to ECDSAP256SHA256) with nearly every zone I operate. Verisign has much more at risk if anything goes wrong, hence waiting a bit longer than others, and shouting announcements from the rooftops, but they have a long record of getting the technical things right, so there’s little concern of an issue. Regular Internet users shouldn’t notice at all.

As part of their reasonable, cautious approach, they’re staggering the changes across the three TLDs, in reverse order of zone size (and of operational impact on the Internet, should there be a problem). Signatures (RRSIG records) generated by the new algorithm (ECDSA, algorithm 13) will begin appearing in the zone this week, followed by the public keys (DNSKEY records). Signatures go first because a signed zone must carry signatures for every algorithm listed in its DNSKEY RRset (RFC 4035, section 2.2), so the new DNSKEY is only published once every RRset already carries an ECDSA signature. They say they expect the DS record in the root zone to be updated between September 12th and 15th, which is the point at which DNSSEC validators will begin actually using the new keys and signatures.
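As an added illustration (not from the original post and not Verisign's tooling), here is a small Python checker that parses constructed DNSKEY, RRSIG and DS records, names the phase of an algorithm 8 to 13 roll from which algorithms have appeared where, and verifies the per-algorithm rules that make the signatures-before-keys ordering necessary. The zone name, key tags and key data are placeholders.

```python
"""Phase tracker for a DNSSEC algorithm roll (RSASHA256 -> ECDSAP256SHA256).
The records below are constructed stand-ins, not real .EDU zone data."""
from collections import defaultdict

RSASHA256, ECDSAP256SHA256 = 8, 13

# Constructed snapshot: new-algorithm RRSIGs and DNSKEY are already published,
# but the parent's DS still names only the old algorithm.
SNAPSHOT = """
edu. 86400 IN DNSKEY 257 3 8 KSKDATA-ALG8
edu. 86400 IN DNSKEY 256 3 8 ZSKDATA-ALG8
edu. 86400 IN DNSKEY 257 3 13 KSKDATA-ALG13
edu. 86400 IN RRSIG SOA 8 1 86400 20230930000000 20230901000000 11111 edu. SIG8
edu. 86400 IN RRSIG SOA 13 1 86400 20230930000000 20230901000000 22222 edu. SIG13
edu. 86400 IN DS 11111 8 2 DIGEST8
""".strip().splitlines()

def algorithms_by_type(lines):
    """Algorithm numbers seen per RR type in presentation-format lines
    (owner TTL class TYPE rdata...); only DNSKEY, RRSIG and DS are inspected."""
    seen = defaultdict(set)
    for line in lines:
        f = line.split()
        if len(f) < 7:
            continue
        rtype, rdata = f[3], f[4:]
        if rtype == "DNSKEY":              # rdata: flags protocol algorithm key
            seen[rtype].add(int(rdata[2]))
        elif rtype in ("RRSIG", "DS"):     # rdata: (type|keytag) algorithm ...
            seen[rtype].add(int(rdata[1]))
    return seen

def check_invariants(seen):
    """RFC 4035 s2.2: every DNSKEY algorithm must sign the zone, which is why
    the new RRSIGs go out before the new DNSKEY. RFC 4035 s5.2: a DS whose
    algorithm has no DNSKEY cannot anchor a chain of trust."""
    problems = [f"DNSKEY algorithm {a} has no RRSIGs"
                for a in sorted(seen["DNSKEY"] - seen["RRSIG"])]
    problems += [f"DS algorithm {a} has no matching DNSKEY"
                 for a in sorted(seen["DS"] - seen["DNSKEY"])]
    return problems

def roll_phase(seen, old=RSASHA256, new=ECDSAP256SHA256):
    """Name the roll phase from where each algorithm has appeared so far."""
    k, s, d = seen["DNSKEY"], seen["RRSIG"], seen["DS"]
    if new in d:
        return "DS updated, retiring old algorithm" if old in (k | s | d) else "complete"
    if new in k:
        return "new keys published, waiting for DS"
    return "new signatures published" if new in s else "not started"
```

Running the same checks against a live zone means feeding it the output of `dig +dnssec` for the DNSKEY and SOA RRsets plus the DS set from the parent.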

The algorithm rolls for the NET and COM zones will take place later this year, and Verisign will make announcements about scheduling for those when they’re ready to proceed.

UPDATE

When I posted this earlier in the evening, I had completely forgotten that Duane Wessels would be presenting about this migration at the OARC 41 Workshop today in Da Nang, Vietnam. Slides are up now on DNS-OARC’s web site, and the video of the presentation should appear on their YouTube channel in a couple of weeks once it has been processed and edited.

#100DaysToOffload article 4 of 100