[dns-operations] .ORG still using SHA-1 DNSKEYs
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Feb 6 00:58:26 UTC 2020
On Wed, Feb 05, 2020 at 12:05:41PM -0500, Joe Abley wrote:
> We (PIR) are currently discussing a timeline for implementing changes
> with Afilias, who run all the back-end registry systems for ORG.
> Algorithm 8 or 13 both seem like plausible targets, but opinions from
> the community would be very welcome.
FWIW, the momentum seems to be with algorithm 13:
https://twitter.com/AFNIC/status/1222904523481444362
But if the wisdom of the crowd is not the right basis for a decision,
the considerations as I see them are:
1. P256(13) is generally considered equivalent to ~3072-bit
RSA in security.
2. P256 signatures are half the size of 1024-bit RSA signatures
(less amplification and/or truncation).
3. Signing with P256 is much faster than RSA. For example, on my
25-watt (low power) 4-core 8-thread Xeon some quick informal
measurements with "openssl speed" (1.1.1d) (1 thread, 4 threads
and 8 threads) yield[1]:
sign verify sign/s verify/s
rsa 2048 bits 0.000750s 0.000021s 1333.0 48295.7
rsa 2048 bits 0.000225s 0.000008s 4445.0 131794.8 (4x MP)
rsa 2048 bits 0.000173s 0.000005s 5768.1 193455.0 (8x MP)
rsa 1024 bits 0.000107s 0.000007s 9302.9 146937.3
rsa 1024 bits 0.000034s 0.000002s 29785.5 467587.8 (4x MP)
rsa 1024 bits 0.000025s 0.000002s 40302.4 564390.1 (8x MP)
rsa 1280 bits 0.000388s 0.000012s 2575.4 83000.6
rsa 1280 bits 0.000124s 0.000004s 8058.4 256073.9 (4x MP)
rsa 1280 bits 0.000091s 0.000003s 10937.2 349880.0 (8x MP)
ecdsa p256 0.0000s 0.0001s 36479.8 12455.2
ecdsa p256 0.0000s 0.0000s 124877.2 40733.4 (4x MP)
ecdsa p256 0.0000s 0.0000s 167358.6 52250.6 (8x MP)
4. However, as you can see above, signature *verification* with
P256 is ~7 times slower than with 1280-bit RSA (or ~12 times
slower than with 1024-bit RSA).
So if you're optimizing for higher security and lower packet size (and
perhaps much faster zone signing time), P256(13) is the way to go. If
however, you're concerned about resolver performance, then rsa1280 has
an advantage.
Thus my 25W server running flat out can do ~350K rsa1280 signature
checks per second, vs. ~52K P256 signature checks per second.
When the DANE/DNSSEC survey is running, unbound is keeping 1 core pretty
busy handling O(5K) cache misses a second.
I don't know what fraction of the CPU cost is in the crypto vs. all the
other costs of processing the traffic. I am reluctant to increase
concurrency, lest my queries be throttled by upstream nameservers.
The survey already has to deal with a large fraction of the domains
using P256, so these likely already dominate any crypto impact on CPU
cost, and yet I can do ~5K validated qps on a low power server also
running a Postgres database and the survey engine. The system is
somewhat less than 50% utilized while running the survey.
--
Viktor.
[1] I rebuit OpenSSL from source, adding an option to test rsa1280.
More information about the dns-operations
mailing list