Welcome to the resource topic for 2025/003
Title: Post-Quantum DNSSEC with Faster TCP Fallbacks
Authors: Aditya Singh Rawat, Mahabir Prasad Jhanwar
Abstract: In classical DNSSEC, a drop-in replacement with quantum-safe cryptography would increase DNS query resolution times by at least a factor of 2×. Since a DNS response containing large post-quantum signatures is likely to get marked truncated (TC) by a nameserver (resulting in a wasted UDP round-trip), the client (here, the resolver) would have to retry its query over TCP, further incurring a minimum of two round-trips due to the three-way TCP handshake.
We present TurboDNS: a backward-compatible protocol that eliminates two round-trips from the preceding flow by 1) sending TCP handshake data in the initial DNS/UDP flight itself, and 2) immediately streaming the DNS response over TCP after authenticating the client with a cryptographic cookie. Our experiments show that DNSSEC over TurboDNS, with either Falcon-512 or Dilithium-2 as the zone signing algorithm, is practically as fast as the currently deployed ECDSA P-256 and RSA-2048 setups in resolving QTYPE A DNS queries.
ePrint: https://eprint.iacr.org/2025/003
See all topics related to this paper.
Feel free to post resources that are related to this paper below.
Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.
For more information, see the rules for Resource Topics.