PQC Plugin Secures DNSSEC Against Attacks

The security of the internet’s fundamental infrastructure faces an evolving threat as quantum computers become increasingly powerful, potentially breaking the cryptographic algorithms that underpin secure communications. Julio Gento Suela, Javier Blanco-Romero, and Florina Almenares Mendoza, all from the Telematic Engineering Department at the University Carlos III of Madrid, alongside Daniel Díaz-Sánchez and colleagues, address this challenge by integrating quantum-resistant cryptographic algorithms into CoreDNS, a widely used DNS server. Their work demonstrates the first practical implementation of post-quantum DNSSEC, enhancing the security of the Domain Name System against future attacks. By developing a plugin supporting multiple new signature schemes, the researchers show it is possible to upgrade existing DNS infrastructure and maintain compatibility while preparing for a post-quantum world, even though this introduces performance trade-offs that require careful consideration.\n\n

Quantum Threat Drives Post-Quantum Cryptography Transition

\n\nThe internet relies on secure communication, and cryptography is fundamental to that security. Current cryptographic methods, like RSA and ECC, face a potential threat from future quantum computers, which could compromise online security within the next decade.\n\nThis vulnerability demands a proactive shift towards post-quantum cryptography (PQC), developing new algorithms resistant to attacks from both conventional and quantum computers. Organizations like the National Institute of Standards and Technology (NIST) are leading this transition, standardizing new PQC algorithms to ensure continued data security.\n\nA critical component of internet infrastructure is the Domain Name System (DNS), which translates website addresses into numerical addresses computers use. DNSSEC adds a layer of security to DNS, authenticating data and protecting against manipulation.\n\nIntegrating PQC into DNSSEC is crucial given the vulnerabilities of current implementations. Integrating PQC into DNSSEC presents challenges, particularly concerning the increased size of PQC signatures and keys compared to traditional methods. This larger size impacts data transmission efficiency and server memory requirements.\n\nResearchers are addressing this challenge by integrating PQC algorithms into CoreDNS, a widely-used DNS server often deployed in modern containerized environments. Their work focuses on implementing several PQC signature algorithm families, including FALCON, ML-DSA, SPHINCS+, MAYO, and SNOVA, within CoreDNS, extending its functionality while maintaining compatibility with existing DNS resolution processes.\n\nThis allows for on-the-fly signing of DNS data using quantum-resistant signatures, paving the way for a more secure DNS infrastructure. The research demonstrates that while PQC algorithms introduce operational overhead, several candidates offer viable compromises for transitioning DNSSEC to quantum-resistant cryptography.\n\nBy testing these algorithms within a real-world DNS server environment, the team provides valuable empirical data for algorithm selection and deployment planning, helping to ensure a smooth and secure transition to a post-quantum internet.\n\n

DNSSEC Transition, Increased Signature and Key Sizes

\n\nExperimental support for Post-Quantum (PQ) algorithms is currently limited in widely-used DNS software like BIND9. This presents unique challenges for the transition to post-quantum cryptography in DNSSEC, particularly regarding the size of post-quantum signatures and keys.\n\nThese signatures and keys can be significantly larger than those generated with traditional algorithms, impacting the efficient transmission of data and increasing memory requirements for servers and DNS resolvers, often necessitating the use of TCP, which introduces additional latency. Before large-scale deployment, testing tools are needed to evaluate the performance and compatibility impact of integrating these new algorithms into real systems.\n\nControlled testing environments help identify potential issues and ensure that migration to PQ algorithms does not compromise system security or operability. This paper describes the integration of standard and candidate algorithms from the second NIST round for signatures, of post-quantum algorithm families (FALCON, ML-DSA, SPHINCS+, MAYO, and SNOVA) into CoreDNS, a widely-used DNS server in Kubernetes environments developed in Go.\n\nThis implementation extends existing work by providing empirical performance data across a broader range of PQC algorithms, enabling comparative analysis for algorithm selection and deployment planning in containerized DNS environments.\n\n

Viable Quantum-Resistant DNSSEC Algorithms Identified

\n\nResults indicate that several PQC candidates offer viable compromises for transitioning DNSSEC to quantum-resistant cryptography. The performance evaluation demonstrates that these algorithms, despite their computational demands, present feasible options for enhancing DNS security and achieving quantum resistance.\n\nThis work contributes to the ongoing effort of securing digital signatures and critical internet infrastructure against future quantum computing threats.\n\n

Post-Quantum DNSSEC Plugin for CoreDNS

\n\nTraditional algorithms like RSA and ECDSA are being evaluated alongside post-quantum candidates to determine the best path forward for secure DNS resolution. A dnssec_pqc plugin was developed for CoreDNS to integrate post-quantum cryptographic algorithms, extending the existing dnssec plugin while maintaining compatibility and minimizing interference.\n\nThis plugin leverages the liboqs library through Go bindings, enabling access to a range of post-quantum primitives. Eighteen algorithms were evaluated, including 13 post-quantum (Falcon-512, ML-DSA-44, SPHINCS+-SHA2-128s-simple, MAYO-1, Falcon-1024, ML-DSA-65, SPHINCS+-SHAKE-128s-simple, MAYO-3, Falcon-padded-512, ML-DSA-87, Falcon-padded-1024, SNOVA_24_5_4, SNOVA_24_5_4_SHAKE) and 5 traditional (RSA-2048, RSA-4096, ECDSA-P256, ECDSA-P384, Ed25519), measuring signing time, resolution latency, CPU usage, memory consumption, and DNS response size.\n\nTesting was conducted on an Ubuntu 24.04.2 LTS system with an Intel Core i7-10870H processor and 16 GB of RAM. Functional tests confirmed correct DNS response generation with post-quantum signatures. Key findings include: SNOVA, MAYO-1, and ML-DSA-44 exhibited competitive signing times (below 25 ms), while SPHINCS+ variants were significantly slower, reaching up to 2.6 seconds for SPHINCS+-SHAKE-128s-simple.\n\nAll post-quantum algorithms required TCP due to exceeding UDP size limits, resulting in latencies around 101.5 ms, with SPHINCS+ algorithms exhibiting the highest latencies. ECDSA-P256 and Ed25519 demonstrated the lowest CPU consumption, while SPHINCS+ variants were the most CPU-intensive.\n\nPost-quantum algorithms increased memory consumption by approximately 3-4 MB compared to traditional algorithms. SNOVA produced the smallest responses, followed by Falcon-512 and MAYO-1, while ML-DSA-87 and Falcon-1024 generated the largest responses. This work demonstrates the feasibility of integrating post-quantum cryptography into a widely used DNS server.\n\nAlgorithms like SNOVA, MAYO-1, and Falcon-512 offer a balance between performance and security, while SPHINCS+ variants present significant performance challenges. The need for TCP due to increased response size is a critical consideration for deployment.\n\nFuture research should focus on algorithm optimization to reduce signing time, CPU usage, and response size, investigating hybrid cryptographic schemes, conducting comprehensive network impact analysis, exploring hardware acceleration, and contributing to standardization efforts.\n\n