The DNS protocol is the Internet’s phonebook, typically providing an IP address for domain names of interest. To prevent malicious actors from tampering with DNS responses, the DNSSEC technology can be used. It allows resolvers like DNS4EU to validate DNS responses based on cryptographic signatures.
However, once quantum computers become available, the cryptography used to sign domain name/IP address pairs – known as records – will be vulnerable. Just like other applications, DNSSEC thus faces a complex transition to post-quantum cryptography (PQC).
Even if estimates for Q-day (potentially within a decade or two[1]) might seem optimistic, rolling out new DNSSEC signing schemes is a complex and lengthy process. The PQC algorithms themselves are on the cusp of being standardised, but have much larger signatures and keys which could cause delivery issues if the DNS protocol is not adapted for these needs. To spot and address issues early on, and researchers have started to investigate[2] how to ready DNSSEC for the quantum threat and how DNSSEC would behave if PQC algorithms were deployed today.
For the past year, our consortium member deSEC[3] has been evaluating how PQC would behave if it were deployed in the DNS with no additional adjustments. This involved deploying DNS zones – portions of the DNS namespace managed by a specific organisation – signed with Falcon, Dilithium, SPHINCS+, as well as the stateful hash-based signature scheme XMSS. In a collaborative effort, Jason Goertzen[4] from SandboxAQ[5] has modified BIND 9[6] and PowerDNS[7] to support all of these algorithms, which were used to conduct an Internet-wide measurement.
Repeating these measurements with the DNS4EU resolver, deSEC found that the resolver's behaviour is exactly as it should be: When PQC signatures (which are not yet officially standardised and thus unsupported) are present, responses are treated as if those signatures were absent, and look-ups proceed normally. No abnormal behaviour was observed, and it seems like PQC algorithms can be added to DNS4EU without much effort once they are ready.
Only in one case of XMSS-based signatures, a failure was returned under certain circumstances (for a non-existing subdomain with NSEC3). This failure, however, is caused by the sheer size of the response, which exceeds the admissible DNS message size limit (64 KB), and is thus of a kind that a resolver cannot work around. It merely indicates that the XMSS signature scheme is not suitable for DNSSEC.
Looking more broadly at DNS resolvers as used on the Internet today[8] (typically provided by Internet access providers), it turns out that the investigated PQC signing schemes lead to failures for about half of devices on the Internet. While the exact behaviour of course depends on a number of details (such as whether UDP or TCP transport is used for the DNS query), the take-away is that things are far from perfect.
This is a concerning result, and indicates that there lies a set of technical challenges ahead that need to be solved before deploying PQC algorithms for DNSSEC, so that the new signatures do not disrupt the functionality of legacy resolvers. At least, DNS4EU can help make this problem smaller.
This blog post was written by Peter Thomassen, CTO at deSEC, a member of DNS4EU consortium.
Sources:
[2]: https://datatracker.ietf.org/doc/draft-fregly-research-agenda-for-pqc-dnssec/
[3]: https://desec.io/
[6]: https://www.isc.org/blogs/2024-pqc-study/
[7]: https://blog.powerdns.com/2024/07/15/more-pqc-in-powerdns-a-dnssec-field-study
[8]: https://pq-dnssec.dedyn.io/
Picture source: https://www.freepik.com/