Quantum-safe Signatureless DNSSEC

Aditya Singh Rawat; Mahabir Prasad Jhanwar

Paper 2024/1319

Quantum-safe Signatureless DNSSEC

Aditya Singh Rawat, Ashoka University

Mahabir Prasad Jhanwar, Ashoka University

Abstract

We present $SL - DNSSEC$ : a backward-compatible protocol that leverages a quantum-safe KEM and a MAC to perform signature-less $(SL)$ DNSSEC validations in a single UDP query/response style. Our experiments targeting NIST level I security for QTYPE A query resolution show that $SL - DNSSEC$ is practically equivalent to the presently deployed RSA-2048 in terms of bandwidth usage and resolution speeds. Compared to post-quantum signatures, $SL - DNSSEC$ reduces bandwidth consumption and resolution times by up to $95 %$ and $60 %$ , respectively. Moreover, with response size $<$ query size $\leq 1232$ bytes, $SL - DNSSEC$ obviates the long-standing issues of IP fragmentation, TCP re-transmits and DDoS amplification attacks.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Published elsewhere. ACM AsiaCCS'25
DOI: 10.1145/3708821.3710837
Keywords: DNSSEC
Contact author(s): aditya rawat_phd21 @ ashoka edu in
mahavir jhawar @ ashoka edu in
History: 2025-06-10: last of 2 revisions; 2024-08-23: received; See all versions
Short URL: https://ia.cr/2024/1319
License: CC BY

BibTeX

@misc{cryptoeprint:2024/1319,
      author = {Aditya Singh Rawat and Mahabir Prasad Jhanwar},
      title = {Quantum-safe Signatureless {DNSSEC}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1319},
      year = {2024},
      doi = {10.1145/3708821.3710837},
      url = {https://eprint.iacr.org/2024/1319}
}