DNS Belgium modernises the algorithm for the security of .be, .vlaanderen and .brussels

10 February 2026

In January, DNS Belgium successfully upgraded the algorithm used to sign the records of .be, .vlaanderen and .brussels to a more secure version. The algorithm has been changed from RSA/SHA-256 (version 8) to ECDSA Curve P-256 with SHA-256 (version 13). What does this mean and how does it work?

With this upgrade, we are revamping the way we check the integrity of domain names at DNS Belgium. It gives certainty that the response travelling between the end user and the domain name has not been altered on the way. In this way, it confirms that the website or mail server you are consulting is the correct one.

It is comparable to a medieval wax seal on a letter: it does not provide direct security, but it does provide certainty about the sender and recipient and that the content has not been tampered with.

What does this security layer do?

An algorithm rollover is unfamiliar territory for most internet users. Yet it is a crucial part of our online security. ‘It is part of DNSSEC, which is the security layer of DNS data that guarantees integrity and authenticity by means of digital signatures. An algorithm rollover replaces the algorithm used to create and verify these digital signatures,’ explains Geert Verheyen, DNS operations engineer at DNS Belgium.

If that security key can be cracked, a malicious party can impersonate any .be domain. Traffic to and from websites or email addresses in the .be zone can then be intercepted or manipulated. By switching over, we are complying with global security standards and keeping domain names for .be, .vlaanderen and .brussels among the most secure in the world.

Smaller, but better

The upgrade brings the algorithm from version 8 to version 13. This has been carefully rolled out over the past few weeks across the three zones managed by DNS Belgium. .brussels and .vlaanderen were the first to be upgraded, followed by .be, the largest zone.

The main difference between algorithm 8 (RSA/SHA-256) and 13 (Elliptic Curve or, more technically, ECDSA Curve P-256) is that the new algorithm is about half the size in terms of data volume. Although this amounts to only a few hundred bytes per domain name request, it still means that less data is sent and received by the servers involved. ‘The keys are smaller, but offer the same or better protection against brute-force attacks,’ explains Stijn Niclaes, DNS infrastructure manager at DNS Belgium. ‘Compare it to a smaller combination lock with more combinations.’

When choosing such an algorithm, you weigh up three things: how large your package is, how much computing power is needed to create the digital signature, and how much computing power is needed to validate that signature. ‘It's a balance you have to strike. This version is smaller in package size, requires less computing power to create, but requires slightly more computing power to validate,’ says Thomas Dupas, Nameserver Coordinator at DNS Belgium.

However, the extra computing power is not to such an extent that other players need to adapt their infrastructure to facilitate visits to Belgian websites. ‘Modern infrastructure can handle this perfectly,’ according to Dupas.

Why is this happening now?

This process of renewal rarely occurs. Sven Van Dyck, DNS operations engineer at DNS Belgium: ‘The previous algorithm had been in use for 15 years and is still widely supported today. So the transition is happening well in advance.’

‘As a registry, you want to plan this transition well in advance and execute it carefully, long before support for a security standard ends. At the same time, you also want to be sure that a new algorithm is sufficiently supported worldwide before you start using it.’

In this respect, DNS Belgium is in the middle of the pack compared to other European ccTLDs. Our colleagues at SIDN, the administrators of .nl, made the switch back in 2023, but many internet extensions, including some neighbouring countries, have not yet made the switch.

How long the new standard will last depends largely on technological developments. There is a good chance that this algorithm will last five years or more, but a new upgrade could also happen sooner if new standards mature quickly or there are sudden major technological breakthroughs.

How does such an upgrade work in practice?

Upgrading the algorithm follows a fixed procedure, although it still involves real work for our network engineers. First, the signing software is made compatible with dual signing. This software has many control mechanisms and must be able to process both algorithm 8 and algorithm 13 in the first phase. You don't want to temporarily disable any of these mechanisms, as this would create a security risk.

It is also not possible to simply remove one algorithm and replace it with another. Because a large part of internet traffic relies on caching, such an approach risks breaking part of the internet. ‘That's why, after making everything compatible with the new standard, we sign everything twice for a while,’ says Dupas.

This double signing means that when servers refresh their cache and reconnect to DNS Belgium's name servers, they retrieve information signed with algorithm 13. Once this has happened worldwide, algorithm 8 will be decommissioned and the upgrade will be complete.
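The procedure above (make the signer handle both algorithms, sign everything twice, let caches refresh, then retire algorithm 8) can be modelled as a cache-expiry problem. The following is an added example, not DNS Belgium's own tooling: it checks a proposed sequence of rollover phases against the rule that a validator may combine a DNSKEY RRset or answer cached up to the zone's longest TTL ago with freshly fetched data. The phase durations and the 24-hour TTL are constructed values.

```python
# Added example (not DNS Belgium's code). Models why a DNSSEC algorithm
# rollover must keep both algorithms in place until every cache has expired.
RSASHA256 = 8          # IANA algorithm number for RSA/SHA-256
ECDSAP256SHA256 = 13   # IANA algorithm number for ECDSA P-256 with SHA-256


def zone_is_consistent(dnskey_algs, rrsig_algs):
    """RFC 4035 section 2.2: every algorithm in the DNSKEY RRset must sign
    every RRset. Extra RRSIGs for an algorithm with no key are harmless."""
    return set(dnskey_algs) <= set(rrsig_algs)


def answer_validates(dnskey_algs, rrsig_algs):
    """A validator accepts an answer when it holds a key for at least one of
    the algorithms the answer's RRSIGs were made with (DS chain assumed intact)."""
    return bool(set(dnskey_algs) & set(rrsig_algs))


def simulate_rollover(phases, max_ttl):
    """phases: list of (dnskey_algs, rrsig_algs, hours the phase lasts).
    Any DNSKEY RRset or signed answer cached during an earlier phase may still
    be alive for max_ttl hours after that phase ended, and may be combined
    with fresh data. Returns a list of failure descriptions (empty = safe)."""
    failures = []
    for i, (keys, sigs, _) in enumerate(phases):
        if not zone_is_consistent(keys, sigs):
            failures.append(f"phase {i}: DNSKEY algorithm without signatures")
        gap = 0  # hours between the end of phase j and the start of phase i
        for j in range(i - 1, -1, -1):
            if gap >= max_ttl:
                break  # nothing cached during phase j can still be alive
            old_keys, old_sigs, hours = phases[j]
            if not answer_validates(old_keys, sigs):
                failures.append(f"phase {i}: stale DNSKEY from phase {j} cannot verify new RRSIGs")
            if not answer_validates(keys, old_sigs):
                failures.append(f"phase {i}: stale RRSIG from phase {j} has no key in new DNSKEY")
            gap += hours
    return failures


MAX_TTL = 24  # constructed: assume no record in the zone has a TTL above 24 hours
# Abrupt swap: the approach the article says would break part of the internet.
ABRUPT = [({RSASHA256}, {RSASHA256}, 48), ({ECDSAP256SHA256}, {ECDSAP256SHA256}, 48)]
# Dual signing kept in place for longer than the longest TTL before retiring 8.
DUAL = [({8}, {8}, 48), ({8, 13}, {8, 13}, 48), ({13}, {13}, 48)]
# Same plan, but the dual-signed phase ends before every cache could refresh.
DUAL_TOO_SHORT = [({8}, {8}, 48), ({8, 13}, {8, 13}, 12), ({13}, {13}, 48)]

if __name__ == "__main__":
    for name, plan in (("abrupt", ABRUPT), ("dual", DUAL), ("dual_too_short", DUAL_TOO_SHORT)):
        print(name, simulate_rollover(plan, MAX_TTL) or "OK")
```

The check is deliberately strict: it also flags a plan that publishes the algorithm 13 key before every record carries an algorithm 13 signature, which is the inconsistency the control mechanisms mentioned above are there to catch.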

Will this make my website faster or slower?

No. ‘The entire .be zone, some 1.7 million domain names, is signed in just under ten minutes. At times of double signing (by algorithms 8 and 13), this increases to 13 minutes, which drops again as soon as we switch to a single algorithm,’ explains Verheyen.

‘With the new standard, it takes just over ten minutes.’ But as an internet user, you won't notice this. After all, most internet addresses are already mapped in the cache of the name servers of your internet provider, among others.

Only those who own a domain name and make technical changes in the background could have noticed this during the double signing. Suppose you changed the name servers behind your domain name (for example, to link your domain to Cloudflare): while double signing was in place, that change took longer to become visible. But we are talking about a difference of a few minutes. Visiting or publishing something on a website remains as smooth as before, with a more modern layer to ensure the authenticity of a domain.