Paper 2019/889

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC

Anders Dalskov, Marcel Keller, Claudio Orlandi, Kris Shrishak, and Haya Shulman


Deployment of DNSSEC, although increasing, still suffers from many practical issues that results in a false sense of security. While many domains outsource zone management, they also have to outsource DNSSEC key management to the DNS operator, making the operator an attractive target for attackers. Moreover, DNSSEC does not provide any sort of protection in the case the operator itself decides to serve false information, for example, if it gets compromised. In this work, we show how to use techniques from threshold ECDSA: (1) to protect keys such that domains do not reveal their signing keys to a DNS operator, and (2) to protect the operational integrity of DNS operator. As a result of being highly specialized, prior work on threshold ECDSA has focused on a limited set of threat models, and none have so far considered techniques to amortize signature generation.creation. Our work takes a different approach and presents a generic technique for obtaining a threshold ECDSA protocol from any secure multiparty computation protocol that works over an appropriate finite field. We show how this technique lends itself to very efficient threshold signing protocols by comparing it against state-of-the-art protocols from both academia and industry. For similar threat models, our protocols are as fast as the previous best protocol in terms of signing, and up to an order of magnitude faster for key generation on a fast network. Finally, we show how to integrate our application into a widely used DNS management software and demonstrate through experiments the overhead compared to traditional DNSSECs.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. MINOR revision.ESORICS 2020
Multiparty computationThreshold ECDSAHonest majorityDishonest majorityDNSSEC
Contact author(s)
anderspkd @ cs au dk
kris shrishak @ sit tu-darmstadt de
2020-09-15: last of 2 revisions
2019-08-05: received
See all versions
Short URL
Creative Commons Attribution


      author = {Anders Dalskov and Marcel Keller and Claudio Orlandi and Kris Shrishak and Haya Shulman},
      title = {Securing DNSSEC Keys via Threshold ECDSA From Generic MPC},
      howpublished = {Cryptology ePrint Archive, Paper 2019/889},
      year = {2019},
      doi = {10.1007/978-3-030-59013-0_32},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.