Post-Quantum DNSSEC over UDP via QNAME-Based Fragmentation

Aditya Singh Rawat; Mahabir Prasad Jhanwar

Paper 2024/1320

Post-Quantum DNSSEC over UDP via QNAME-Based Fragmentation

Aditya Singh Rawat, Ashoka University

Mahabir Prasad Jhanwar, Ashoka University

Abstract

In a typical network, a DNS(SEC) message over 1232 bytes would either be fragmented into several UDP/IP packets or require a re-transmit over TCP. Unfortunately, IP fragmentation is considered unreliable and a non-trivial number of servers do not support TCP. We present $QNAME$ -Based Fragmentation ( $QBF$ ): a DNS layer fragmentation scheme that fragments/re-assembles large post-quantum DNS(SEC) messages over UDP in just 1 round-trip while using only standard DNS records. Our experiments show that DNSSEC over , with either Falcon-512, Dilithium-2 or SPHINCS as the zone signing algorithm, is practically as fast as the currently deployed ECDSA-P256 and RSA-2048 setups in resolving queries.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Published elsewhere. Major revision. SPACE
DOI: https://doi.org/10.1007/978-3-031-51583-5_4
Keywords: DNSSEC
Contact author(s): aditya rawat_phd21 @ ashoka edu in
mahavir jhawar @ ashoka edu in
History: 2024-08-26: revised; 2024-08-23: received; See all versions
Short URL: https://ia.cr/2024/1320
License: CC BY

BibTeX

@misc{cryptoeprint:2024/1320,
      author = {Aditya Singh Rawat and Mahabir Prasad Jhanwar},
      title = {Post-Quantum {DNSSEC} over {UDP} via {QNAME}-Based Fragmentation},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1320},
      year = {2024},
      doi = {https://doi.org/10.1007/978-3-031-51583-5_4},
      url = {https://eprint.iacr.org/2024/1320}
}