[Resource Topic] 2025/003: Post-Quantum DNSSEC with Faster TCP Fallbacks

Welcome to the resource topic for 2025/003

Title:
Post-Quantum DNSSEC with Faster TCP Fallbacks

Authors: Aditya Singh Rawat, Mahabir Prasad Jhanwar

Abstract:

In classical DNSSEC, a drop-in replacement with quantum-safe cryptography would increase DNS query resolution times by \textit{at least} a factor of 2\times. Since a DNS response containing large post-quantum signatures is likely to get marked truncated (\texttt{TC}) by a nameserver (resulting in a wasted UDP round-trip), the client (here, the resolver) would have to retry its query over TCP, further incurring a \textit{minimum} of two round-trips due to the three-way TCP handshake.

We present \mathsf{TurboDNS}: a backward-compatible protocol that eliminates \textit{two} round-trips from the preceding flow by 1) sending TCP handshake data in the initial DNS/UDP flight itself, and 2) immediately streaming the DNS response over TCP after authenticating the client with a cryptographic cookie. Our experiments show that DNSSEC over \mathsf{TurboDNS}, with either Falcon-512 or Dilithium-2 as the zone signing algorithm, is practically as fast as the currently deployed ECDSA P-256 and RSA-2048 setups in resolving \texttt{QTYPE} \texttt{A} DNS queries.

ePrint: https://eprint.iacr.org/2025/003

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .