Post-Quantum DNSSEC with Faster TCP Fallbacks

Aditya Singh Rawat; Mahabir Prasad Jhanwar

Paper 2025/003

Post-Quantum DNSSEC with Faster TCP Fallbacks

Aditya Singh Rawat, Ashoka University

Mahabir Prasad Jhanwar, Ashoka University

Abstract

In classical DNSSEC, a drop-in replacement with quantum-safe cryptography would increase DNS query resolution times by $at least$ a factor of $2 \times$ . Since a DNS response containing large post-quantum signatures is likely to get marked truncated ( $TC$ ) by a nameserver (resulting in a wasted UDP round-trip), the client (here, the resolver) would have to retry its query over TCP, further incurring a $minimum$ of two round-trips due to the three-way TCP handshake. We present : a backward-compatible protocol that eliminates round-trips from the preceding flow by 1) sending TCP handshake data in the initial DNS/UDP flight itself, and 2) immediately streaming the DNS response over TCP after authenticating the client with a cryptographic cookie. Our experiments show that DNSSEC over , with either Falcon-512 or Dilithium-2 as the zone signing algorithm, is practically as fast as the currently deployed ECDSA P-256 and RSA-2048 setups in resolving DNS queries.

Metadata

Available format(s): PDF
Category: Cryptographic protocols
Publication info: Published elsewhere. INDOCRYPT 2024
DOI: 10.1007/978-3-031-80311-6_11
Keywords: DNSSEC
Contact author(s): aditya rawat_phd21 @ ashoka edu in
mahavir jhawar @ ashoka edu in
History: 2025-01-01: approved; 2025-01-01: received; See all versions
Short URL: https://ia.cr/2025/003
License: CC BY

BibTeX

@misc{cryptoeprint:2025/003,
      author = {Aditya Singh Rawat and Mahabir Prasad Jhanwar},
      title = {Post-Quantum {DNSSEC} with Faster {TCP} Fallbacks},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/003},
      year = {2025},
      doi = {10.1007/978-3-031-80311-6_11},
      url = {https://eprint.iacr.org/2025/003}
}