Paper 2024/1320

Post-Quantum DNSSEC over UDP via QNAME-Based Fragmentation

Aditya Singh Rawat, Ashoka University
Mahabir Prasad Jhanwar, Ashoka University

Abstract

In a typical network, a DNS(SEC) message over 1232 bytes would either be fragmented into several UDP/IP packets or require a re-transmit over TCP. Unfortunately, IP fragmentation is considered unreliable and a non-trivial number of servers do not support TCP. We present $\texttt{QNAME}$-Based Fragmentation ($\mathsf{QBF}$): a DNS layer fragmentation scheme that fragments/re-assembles large post-quantum DNS(SEC) messages over UDP in just 1 round-trip while using only standard DNS records. Our experiments show that DNSSEC over $\mathsf{QBF}$, with either Falcon-512, Dilithium-2 or SPHINCS$^{+}$ as the zone signing algorithm, is practically as fast as the currently deployed ECDSA-P256 and RSA-2048 setups in resolving $\texttt{QTYPE}$ $\texttt{A}$ queries.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Published elsewhere. Major revision. SPACE
DOI: https://doi.org/10.1007/978-3-031-51583-5_4
Keywords: DNSSEC
Contact author(s): aditya rawat_phd21 @ ashoka edu in; mahavir jhawar @ ashoka edu in
History: 2024-08-26: revised; 2024-08-23: received
Short URL: https://ia.cr/2024/1320
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2024/1320,
      author = {Aditya Singh Rawat and Mahabir Prasad Jhanwar},
      title = {Post-Quantum {DNSSEC} over {UDP} via {QNAME}-Based Fragmentation},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1320},
      year = {2024},
      doi = {https://doi.org/10.1007/978-3-031-51583-5_4},
      url = {https://eprint.iacr.org/2024/1320}
}