Paper 2025/003

Post-Quantum DNSSEC with Faster TCP Fallbacks

Aditya Singh Rawat, Ashoka University
Mahabir Prasad Jhanwar, Ashoka University

Abstract

In classical DNSSEC, a drop-in replacement with quantum-safe cryptography would increase DNS query resolution times by $\textit{at least}$ a factor of $2\times$. Since a DNS response containing large post-quantum signatures is likely to get marked truncated ($\texttt{TC}$) by a nameserver (resulting in a wasted UDP round-trip), the client (here, the resolver) would have to retry its query over TCP, further incurring a $\textit{minimum}$ of two round-trips due to the three-way TCP handshake. We present $\mathsf{TurboDNS}$: a backward-compatible protocol that eliminates $\textit{two}$ round-trips from the preceding flow by 1) sending TCP handshake data in the initial DNS/UDP flight itself, and 2) immediately streaming the DNS response over TCP after authenticating the client with a cryptographic cookie. Our experiments show that DNSSEC over $\mathsf{TurboDNS}$, with either Falcon-512 or Dilithium-2 as the zone signing algorithm, is practically as fast as the currently deployed ECDSA P-256 and RSA-2048 setups in resolving $\texttt{QTYPE}$ $\texttt{A}$ DNS queries.

Metadata
Category
Cryptographic protocols
Publication info
Published elsewhere. INDOCRYPT 2024
DOI
10.1007/978-3-031-80311-6_11
Keywords
DNSSEC
Contact author(s)
aditya rawat_phd21 @ ashoka edu in
mahavir jhawar @ ashoka edu in
History
2025-01-01: approved
2025-01-01: received
Short URL
https://ia.cr/2025/003
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/003,
      author = {Aditya Singh Rawat and Mahabir Prasad Jhanwar},
      title = {Post-Quantum {DNSSEC} with Faster {TCP} Fallbacks},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/003},
      year = {2025},
      doi = {10.1007/978-3-031-80311-6_11},
      url = {https://eprint.iacr.org/2025/003}
}