SURF is one of the pioneers in the area of DNSSEC at both national and international level. In 2009, SURF implemented DNSSEC on its own infrastructure, and it has been offering DNSSEC signing as a service to its customers since 2010.
DNSSEC signing adds a digital signature to the DNS records returned for a query (for example the IP address belonging to a host name), so that a validating resolver can check that the answer is authentic and has not been altered in transit. RSA was the signature algorithm used for that purpose.
Encryption: from RSA to ECC
In 2017 SURF replaced RSA with ECDSA, a signature algorithm based on elliptic curve cryptography (ECC). The new algorithm is intended to counter a specific type of DDoS attack, the DNSSEC amplification DDoS: ECDSA keys and signatures are far smaller than their RSA counterparts, so signed DNS responses shrink and a reflected query yields much less amplification. The transition will not affect the users of the SURF network.
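To make the size argument concrete, the following Go program is an added example (not SURF's code and not from any of the linked documents). It signs a constructed sample RRset with RSA-2048/SHA-256 and with ECDSA P-256/SHA-256, measures the DNSKEY public key and RRSIG signature fields as they would appear on the wire (RFC 3110 and RFC 6605 encodings), verifies both signatures, and computes a rough amplification factor for constructed query and answer sizes. The RRset bytes, the 60-byte query and the 200-byte unsigned answer are assumptions chosen for illustration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// SigSizes reports the wire-format byte lengths a signed zone carries for one algorithm:
// the public key field of the DNSKEY record and the signature field of the RRSIG record.
type SigSizes struct {
	Algorithm string
	PubKeyLen int
	SigLen    int
	Verified  bool
}

// sampleRRset is a constructed stand-in for the canonical wire form of the RRset a signer hashes.
var sampleRRset = []byte("example.nl. 3600 IN A 192.0.2.1 (constructed sample RRset)")

// rsaSizes signs the sample with RSA/SHA-256 (DNSSEC algorithm 8) and measures key and signature.
func rsaSizes(bits int) (SigSizes, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return SigSizes{}, err
	}
	digest := sha256.Sum256(sampleRRset)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return SigSizes{}, err
	}
	// RFC 3110 public key field: exponent length (1 byte for short exponents), exponent, modulus.
	exp := big.NewInt(int64(key.E)).Bytes()
	pubLen := 1 + len(exp) + len(key.N.Bytes())
	verified := rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig) == nil
	return SigSizes{"RSASHA256", pubLen, len(sig), verified}, nil
}

// ecdsaSizes does the same with ECDSA P-256/SHA-256 (DNSSEC algorithm 13).
func ecdsaSizes() (SigSizes, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return SigSizes{}, err
	}
	digest := sha256.Sum256(sampleRRset)
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return SigSizes{}, err
	}
	// RFC 6605 signature field: r and s as fixed-width 32-byte integers, concatenated.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	// RFC 6605 public key field: the uncompressed point X||Y without the 0x04 prefix byte.
	pubLen := 32 + 32
	verified := ecdsa.Verify(&key.PublicKey, digest[:], r, s)
	return SigSizes{"ECDSAP256SHA256", pubLen, len(sig), verified}, nil
}

// AmplificationFactor estimates bytes sent to the spoofed source address per byte of query:
// a fixed answer payload plus numSigs signatures of sigLen bytes, divided by the query size.
func AmplificationFactor(queryLen, answerLen, numSigs, sigLen int) float64 {
	return float64(answerLen+numSigs*sigLen) / float64(queryLen)
}

func main() {
	rsaS, err := rsaSizes(2048)
	if err != nil {
		panic(err)
	}
	ecS, err := ecdsaSizes()
	if err != nil {
		panic(err)
	}
	// Constructed sizes: a 60-byte query and a 200-byte unsigned answer carrying two RRSIGs.
	for _, s := range []SigSizes{rsaS, ecS} {
		fmt.Printf("%-16s DNSKEY key=%3d B  RRSIG sig=%3d B  verified=%v  amplification≈%.1fx\n",
			s.Algorithm, s.PubKeyLen, s.SigLen, s.Verified, AmplificationFactor(60, 200, 2, s.SigLen))
	}
}
```

Both signatures verify, which is the point of DNSSEC either way; the difference is that each RSA-2048 RRSIG adds 256 bytes to a response where the P-256 RRSIG adds 64, and the DNSKEY RRset (often the largest signed answer in a zone) shrinks from 260 to 64 bytes per key. Real amplification depends on the full response, EDNS buffer size and whether TCP fallback occurs, but the ratio moves in the same direction.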
SURF shares its experience of the transition to ECDSA, together with technical information, with its member institutions.
- Read the report on Deploying DNSSEC, Validation on recursive caching name servers (PDF)
- Read the blogpost Elliptic Curve Cryptography: the next big step for DNSSEC
- Watch a presentation by Roland van Rijswijk-Deij on Elliptic Curve Cryptography
- Read the article Making the Case for Elliptic Curves in DNSSEC (PDF) by Roland van Rijswijk-Deij