[dns-operations] .ORG still using SHA-1 DNSKEYs

Petr Špaček petr.spacek at nic.cz
Fri Feb 7 09:25:34 UTC 2020 


On 06. 02. 20 1:58, Viktor Dukhovni wrote:
> On Wed, Feb 05, 2020 at 12:05:41PM -0500, Joe Abley wrote:
> 
>> We (PIR) are currently discussing a timeline for implementing changes
>> with Afilias, who run all the back-end registry systems for ORG.
>> Algorithm 8 or 13 both seem like plausible targets, but opinions from
>> the community would be very welcome.
> 
> FWIW, the momentum seems to be with algorithm 13:
> 
>     https://twitter.com/AFNIC/status/1222904523481444362
> 
> But if the wisdom of the crowd is not the right basis for a decision,
> the considerations as I see them are:
> 
>     1.  P256(13) is generally considered equivalent to ~3072-bit
>         RSA in security.
> 
>     2.  P256 signatures are half the size of 1024-bit RSA signatures
>         (less amplification and/or truncation).
> 
>     3.  Signing with P256 is much faster than RSA.  For example, on my
>         25-watt (low power) 4-core 8-thread Xeon some quick informal
>         measurements with "openssl speed" (1.1.1d) (1 thread, 4 threads
>         and 8 threads) yield[1]:
> 
>                           sign    verify    sign/s verify/s
>         rsa 2048 bits 0.000750s 0.000021s   1333.0  48295.7
>         rsa 2048 bits 0.000225s 0.000008s   4445.0 131794.8  (4x MP)
>         rsa 2048 bits 0.000173s 0.000005s   5768.1 193455.0  (8x MP)
> 
>         rsa 1024 bits 0.000107s 0.000007s   9302.9 146937.3
>         rsa 1024 bits 0.000034s 0.000002s  29785.5 467587.8  (4x MP)
>         rsa 1024 bits 0.000025s 0.000002s  40302.4 564390.1  (8x MP)
> 
>         rsa 1280 bits 0.000388s 0.000012s   2575.4  83000.6
>         rsa 1280 bits 0.000124s 0.000004s   8058.4 256073.9  (4x MP)
>         rsa 1280 bits 0.000091s 0.000003s  10937.2 349880.0  (8x MP)
> 
>         ecdsa p256    0.0000s   0.0001s    36479.8  12455.2
>         ecdsa p256    0.0000s   0.0000s   124877.2  40733.4  (4x MP)
>         ecdsa p256    0.0000s   0.0000s   167358.6  52250.6  (8x MP)
> 
>     4.  However, as you can see above, signature *verification* with
>         P256 is ~7 times slower than with 1280-bit RSA (or ~12 times
>         slower than with 1024-bit RSA).
> 
> So if you're optimizing for higher security and lower packet size (and
> perhaps much faster zone signing time), P256(13) is the way to go.  If
> however, you're concerned about resolver performance, then rsa1280 has
> an advantage.
> 
> Thus my 25W server running flat out can do ~350K rsa1280 signature
> checks per second, vs. ~52K P256 signature checks per second.
> 
> When the DANE/DNSSEC survey is running, unbound is keeping 1 core pretty
> busy handling O(5K) cache misses a second.
> 
> I don't know what fraction of the CPU cost is in the crypto vs. all the
> other costs of processing the traffic.  I am reluctant to increase
> concurrency, lest my queries be throttled by upstream nameservers.
> 
> The survey already has to deal with a large fraction of the domains
> using P256, so these likely already dominate any crypto impact on CPU
> cost, and yet I can do ~5K validated qps on a low power server also
> running a Postgres database and the survey engine.  The system is
> somewhat less than 50% utilized while running the survey.

Anecdotal evidence:
When benchmarking Knot Resolver on realistic "ISP scenarios", amount of CPU time spent on DNSSEC validation is dwarfed by all the rest. It has two reasons:
- In practive most of the traffic is cache-hit.
- You would be surprised how slow UDP packet processing in kernel can be ;-)

Based on this anecdote RSA has no practical performance-advantage over P256.

-- 
Petr Špaček  @  CZ.NIC

More information about the dns-operations mailing list