Resolutions for 2020: Afnic goes elliptic
30 January 2020 - By Vincent Levigneron
10 years... That is how long Afnic has been using DNSSEC for all the TLDs it operates. Admittedly, although some adjustments have been made over this period to the size of the keys, their role and the generation of salts, no change that was both radical and visible to the user had been undertaken until now. We have of course strengthened our infrastructure and our processes in order to minimise the impact of the ever greater number of registrations to be signed, made sure that no incidents occur during the delicate key replacement phases (every two years for KSKs, every two months for ZSKs) and kept an active watch on developments in the field of cryptography in order to make sure we always offered pertinent key algorithms. But for some time now we had been thinking of moving away from RSA (the algorithm currently used for our ZSKs and KSKs) in order to limit the volume impact of DNSSEC without diminishing the cryptographic strength of the keys and signatures generated.
Specifically, here are some figures for the .fr zone (by far our TLD with the most DS resource records, and therefore the most data to sign):
- Approximately 3.5 million domain names
- Just over 400,000 of them are signed
- The unsigned zone file is about 280 MB, the signed version nearly 800 MB (even though Afnic uses the 'opt-out' option, which minimises the number of signatures).
At present the keys used for the .fr zone (and for our other zones) are of the RSA type (RSASHA256, algorithm number 8, to be exact) and their size is 2,048 bits (both KSKs and ZSKs). We therefore wish to find an algorithm that will provide at least the same level of security but with less impact on the size of the zone files and of the responses to DNS queries.
What would be the advantages of having a smaller zone file and smaller responses?
- Firstly, for operations requiring the complete generation of a zone file and its distribution, transfer operations would be faster, and so would reloading the zone in the servers; as a result the synchronisation of the various anycast clouds that host the TLDs we manage would also be faster.
- Having significantly smaller responses would reduce the impact of DDoS type attacks using DNSSEC as their amplification vector.
- Less recourse to IP fragmentation (which is a way of contributing to DNS Flag Day 2020). The resulting reduction in response times improves the user experience.
- Having fewer data to transmit and using fewer resources is a way, albeit modest, of reducing the carbon footprint of the DNS activity.
Which algorithm to choose, and why?
For some years we have had our eye on elliptic curve-based algorithms. Their adoption (RFC 6605 on ECDSA dates from 2012, for example, and RFC 8080 on EdDSA from 2017) and their implementation in the various links of the chain have taken time. Until recently there were concerns about the behaviour of resolvers, which it was feared might not be up to date in the face of this type of algorithm. There are several elliptic curve based algorithms, but we have decided to go for ECDSA (more specifically “ECDSA Curve P-256 with SHA-256”). This “modern” algorithm promises superior security to that which we currently have in place, but with far smaller key and signature sizes (the experts consider that an ECDSA P-256 key has a level of resistance equivalent to an RSA key of 3,072 bits). On average, a signed response to a DNS question will be just one third the size of its equivalent with a 2,048 bit RSA key. The estimated gain in the size of the signed file for the .fr zone would be 33%.
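To make the size argument concrete, here is an added Python example (not Afnic's code) that computes the DNSKEY and RRSIG RDATA sizes of the two algorithms directly from their wire formats (RFC 4034, RFC 3110, RFC 6605) and also implements the RFC 4034 key tag; the key material is constructed random bytes, and the signer name "fr." and KSK flags are assumptions.

```python
"""Wire-size comparison of RSA-2048 vs ECDSA P-256 DNSSEC records.
Added example, not Afnic's code. Key bytes are constructed placeholders:
only their lengths matter here."""
import os
import struct

ALG_RSASHA256 = 8         # "alg-8" in the post
ALG_ECDSAP256SHA256 = 13  # "alg-13" in the post

def name_to_wire(name):
    """Encode 'fr.' as DNS wire-format labels: \\x02fr\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags(2) protocol(1)=3 algorithm(1) public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def rsa_public_key_field(modulus_bits, exponent=65537):
    """RFC 3110: exponent length (1 byte when < 256), exponent, modulus."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    modulus = os.urandom(modulus_bits // 8)  # constructed placeholder
    return bytes([len(exp)]) + exp + modulus

def ecdsa_p256_public_key_field():
    """RFC 6605: x || y, 32 bytes each, no point-format prefix byte."""
    return os.urandom(64)  # constructed placeholder

def key_tag(rdata):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i % 2 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rrsig_rdata_len(signer, signature_len):
    """RRSIG RDATA: type(2) alg(1) labels(1) ttl(4) expiration(4)
    inception(4) keytag(2) + signer name (wire) + raw signature."""
    return 18 + len(name_to_wire(signer)) + signature_len

def compare(signer="fr."):
    """Return the RDATA sizes a resolver receives for each algorithm."""
    rsa = dnskey_rdata(257, ALG_RSASHA256, rsa_public_key_field(2048))
    ec = dnskey_rdata(257, ALG_ECDSAP256SHA256, ecdsa_p256_public_key_field())
    return {"dnskey_rsa2048": len(rsa), "dnskey_ecdsap256": len(ec),
            "rrsig_rsa2048": rrsig_rdata_len(signer, 256),   # 2048-bit sig
            "rrsig_ecdsap256": rrsig_rdata_len(signer, 64)}  # r || s
```

Each RRSIG shrinks from 278 to 86 bytes of RDATA, which is where the one-third response size in the text comes from once the fixed header and NSEC3 records are added.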
There are several reasons for our having decided to make this change now:
- RFC 8624, which acquired ‘standard’ status in June 2019, places this algorithm among the two that signing software must implement (the other being the one we currently use).
- While RSA is predominant in the small world of TLDs, at the level of the registrars it is ECDSA that is now offered and that has become the default algorithm for many of them.
- While we were conducting our surveillance, a message broadcast by Viktor Dukhovni at the beginning of the year on an electronic mailing list caught our attention. Here is the content:
> With daily updates at https://stats.dnssec-tools.org I decided some time back that it no longer made sense to post monthly updates to this list, but perhaps a short annual note is not out of place. Some highlights for this year are:
> - 10.70 million signed delegations, up from ~8.77 million a year ago.
>   + 1.50 million signed .COM delegations, up from ~973 thousand.
>   + 97 TLDs with 1000+ signed delegations, up from 76.
> - 1.73 million DANE SMTP domains, up from ~775 thousand a year ago.
>   + DANE MX hosts in 5.0 thousand zones, up from ~3.8 thousand.
> - ECDSA P256 (13) now most common KSK algorithm, ahead of RSASHA256 (8).
>   + Last year: 4,005,976 alg 8; 1,908,218 alg 13.
>   + This year: 3,798,256 alg 8; 3,937,115 alg 13.
Viktor Dukhovni makes a number of measurements which are hosted on https://stats.dnssec-tools.org, a website maintained by Wes Hardaker. Both are well known in the TLD DNS community. Here is a graph, which is not on the website, showing how the use of the various algorithms has evolved (legend: alg-8 is the RSA algorithm that we use, alg-13 is the ECDSA algorithm; the horizontal axis shows dates in year/month format).
At the level of TLDs the findings are somewhat different: of the approximately 1,500 TLDs delegated in the root zone, 1,000 use RSA, 140 are not yet signed and only eight use ECDSA, the remainder (275) using algorithms now considered obsolete.
We no longer see any impediment to this evolution and have therefore decided to proceed with the transition. Our infrastructure, both hardware and software, has been progressively updated. This is a long-haul project which started more than a year ago and which will be completed this month. Some zones that we manage have already been migrated (dnssec.fr, nic.fr, nic.re, afnic.fr and afnic.re), enabling us to validate all the elements of our system. We propose to migrate the six ccTLDs that we manage (.fr, .re, .pm, .tf, .yt and .wf) during this first quarter. Once this stage has been completed it will be time to consider this evolution for the gTLDs managed by Afnic (.paris, .ovh, etc.).