We scanned the list of .gov delegations for several months to examine algorithm usage, NSEC/NSEC3 usage, and NSEC3 parameters. We also looked at previous years' signing algorithm usage to detect algorithm rollovers. Algorithm usage appears to have been fairly stable over the last three years in .gov delegations, with only a few zones changing algorithms in any given year. RSA/SHA-256 appears to be the most widely deployed algorithm and was the algorithm of choice for most changes. Only a few zones have changed to ECDSA as a signing algorithm, which has been recommended by federal guidelines since 2015.
NSEC3 usage is fairly stable in .gov and is the preferred choice for proof of denial of existence. The values chosen for salt and iterations also seem to fall within a narrow range. These parameter values rarely change no matter how many times the zone is re-signed, which does not follow guidance. Given the (believed) wide use of automated tools and appliances for DNSSEC in .gov zones, these issues could be addressed by changing tools or promoting best common practices.
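The comparison described above can be sketched as follows. This is an added example, not code from the study: it compares successive scan snapshots of a zone and flags DNSKEY algorithm changes and NSEC3 salt/iteration values that stay the same across a re-signing. The snapshot layout, zone names, key material, and the `audit` helper are constructed assumptions; the RDATA strings use standard DNSKEY and NSEC3PARAM presentation format.

```python
from collections import defaultdict

# IANA DNSSEC algorithm numbers (subset relevant to the algorithms named above)
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

# Constructed sample data (assumption): one tuple per zone per scan, holding
# (zone, scan month, DNSKEY rdata list, NSEC3PARAM rdata, RRSIG inception).
KEY = "AwEAAQ=="  # placeholder key material, never decoded here
SNAPSHOTS = [
    ("agency-a.example.", "2019-01", [f"257 3 8 {KEY}"], "1 0 10 AABBCCDD", "20190101000000"),
    ("agency-a.example.", "2019-02", [f"257 3 8 {KEY}"], "1 0 10 AABBCCDD", "20190201000000"),
    ("agency-a.example.", "2019-03", [f"257 3 13 {KEY}"], "1 0 10 AABBCCDD", "20190301000000"),
    ("agency-b.example.", "2019-01", [f"257 3 8 {KEY}"], "1 0 5 1234", "20190105000000"),
    ("agency-b.example.", "2019-02", [f"257 3 8 {KEY}"], "1 0 5 9F3C", "20190205000000"),
]

def names(algs):
    return ", ".join(ALG_NAMES.get(a, f"alg{a}") for a in sorted(algs))

def parse_dnskey_alg(rdata):
    # DNSKEY presentation format: <flags> <protocol> <algorithm> <public key>
    return int(rdata.split()[2])

def parse_nsec3param(rdata):
    # NSEC3PARAM presentation format: <hash alg> <flags> <iterations> <salt hex or "-">
    hash_alg, flags, iterations, salt = rdata.split()
    salt = "" if salt == "-" else salt.upper()
    bytes.fromhex(salt)  # raises ValueError if the salt is not valid hex
    return {"hash_alg": int(hash_alg), "iterations": int(iterations), "salt": salt}

def audit(snapshots):
    by_zone = defaultdict(list)
    for zone, date, dnskeys, n3p, inception in snapshots:
        algs = frozenset(parse_dnskey_alg(k) for k in dnskeys)
        by_zone[zone].append((date, algs, parse_nsec3param(n3p) if n3p else None, inception))
    findings = []
    for zone, scans in by_zone.items():
        scans.sort(key=lambda s: s[0])
        for (d0, a0, p0, i0), (d1, a1, p1, i1) in zip(scans, scans[1:]):
            if a0 != a1:  # the DNSKEY algorithm set differs between consecutive scans
                findings.append((zone, d1, "algorithm-change", f"{names(a0)} -> {names(a1)}"))
            if p0 and p1 and i0 != i1 and p0 == p1:  # re-signed, same salt and iterations
                findings.append((zone, d1, "nsec3-params-unchanged-after-resign",
                                 f"salt={p1['salt'] or '-'} iterations={p1['iterations']}"))
    return findings
```

A zone in the middle of a rollover publishes keys for both algorithms, so it shows up as two consecutive `algorithm-change` findings rather than one.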