[Podcast] Testing Post Quantum Cryptography DNSSEC

By on 11 Jul 2024

Category: Tech matters


This time on PING, Peter Thomassen from SSE and Jason Goertzen from Sandbox AQ discuss their research project on post-quantum cryptography in DNSSEC, funded by the NLNet Foundation. Peter’s work in this space is made possible by SSE’s generous support of his time working in IETF standards, and on deSEC, a not-for-profit freely available secure DNS hosting service.

Post Quantum Cryptography (PQC) is a response to the risk that a future, sufficiently large quantum computer will be able to run Shor's Algorithm, which solves the integer factorisation and discrete logarithm problems efficiently. That breaks RSA, finite-field Diffie-Hellman and elliptic curve cryptography alike, because in each case the private key can be recovered from the public key. Any security that depends on a private key staying private would then be lost: whoever can derive the key can produce signatures indistinguishable from the legitimate signer's. DNSSEC does not rely on the secrecy of messages, since it provides authentication and integrity rather than confidentiality, but it does rely on RSA and elliptic curve signatures over DNS records. If those signatures can be forged, the trust that DNSSEC provides through the private key is gone.

PQC addresses this by using algorithms built on problems that Shor's Algorithm does not solve. The catch is that these algorithms come with much larger public keys and signatures than RSA or ECDSA, and with more computation to sign and verify, which matters for a protocol that was designed around small UDP messages.

Peter and Jason have been exploring implementations of some of the NIST post-quantum candidate algorithms in the Bind9 and PowerDNS code bases. Using the RIPE Atlas measurement system, they tested how reliably resolvers across the Internet could retrieve and validate records signed with these algorithms. Their tests confirmed that, as things currently stand, the combination of DNS packet size limits and the much larger signatures of the new algorithms will pose problems for deployment: a response that no longer fits in the UDP payload a resolver accepts is truncated and must be retried over TCP, or is fragmented in transit and risks being dropped.
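To make the packet size problem concrete, the following Python is an added illustration (not code from Peter and Jason's project) that estimates how large a signed DNSKEY response and a signed A response become for each signature algorithm, using the public key and signature sizes from the algorithms' specifications, and checks them against the UDP payload sizes resolvers commonly advertise. The zone name, the two-key layout (one KSK and one ZSK, one RRSIG per RRset) and the absence of DNS name compression are assumptions; a real response will differ by some tens of bytes, and some records from the additional section are left out.

```python
"""Estimate the wire size of signed DNS responses for different DNSSEC
signature algorithms and compare it with common UDP payload limits.

Added illustration, not code from the research project described above.
Key and signature sizes are the fixed values from each algorithm's
specification; the response layouts (a DNSKEY RRset with one KSK and one
ZSK plus one RRSIG, and an A record plus one RRSIG) are assumptions that
approximate a typical zone, and no DNS name compression is modelled.
"""

# (public key bytes, signature bytes) per algorithm.
# RSA-2048 DNSKEY RDATA (RFC 3110): 1 exponent-length byte + 3-byte exponent
# (65537) + 256-byte modulus. ECDSA P-256 per RFC 6605, Ed25519 per RFC 8080.
# ML-DSA per FIPS 204, SLH-DSA per FIPS 205, Falcon-512 per its NIST submission
# (666 bytes is the padded signature size).
ALGORITHMS = {
    "RSA-2048/SHA-256":  (1 + 3 + 256, 256),
    "ECDSA P-256":       (64, 64),
    "Ed25519":           (32, 64),
    "Falcon-512":        (897, 666),
    "ML-DSA-44":         (1312, 2420),
    "ML-DSA-65":         (1952, 3309),
    "SLH-DSA-SHA2-128s": (32, 7856),
}

# EDNS UDP payload sizes a resolver might advertise.
UDP_LIMITS = {
    "1232 (DNS Flag Day 2020 recommendation)": 1232,
    "1472 (Ethernet MTU minus IPv4/UDP headers)": 1472,
    "4096 (older default EDNS buffer)": 4096,
}

DNS_HEADER = 12        # ID, flags, four section counts
RR_FIXED = 10          # TYPE, CLASS, TTL, RDLENGTH
OPT_RR = 11            # root name (1) + fixed RR fields, no options
RRSIG_FIXED = 18       # type covered .. key tag, before the signer name


def name_len(name: str) -> int:
    """Uncompressed wire length of a domain name."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1  # +1 for the root label


def rr_len(owner: str, rdata_len: int) -> int:
    return name_len(owner) + RR_FIXED + rdata_len


def rrsig_rdata_len(signer: str, sig_len: int) -> int:
    return RRSIG_FIXED + name_len(signer) + sig_len


def dnskey_response_len(zone: str, alg: str, n_keys: int = 2) -> int:
    """DNSKEY query response: n_keys DNSKEYs (KSK+ZSK) and one RRSIG by the KSK."""
    pk, sig = ALGORITHMS[alg]
    size = DNS_HEADER + name_len(zone) + 4          # question: QNAME, QTYPE, QCLASS
    size += n_keys * rr_len(zone, 4 + pk)           # flags, protocol, algorithm, key
    size += rr_len(zone, rrsig_rdata_len(zone, sig))
    return size + OPT_RR


def a_response_len(owner: str, zone: str, alg: str) -> int:
    """A query response: one A record and one RRSIG by the ZSK."""
    _, sig = ALGORITHMS[alg]
    size = DNS_HEADER + name_len(owner) + 4
    size += rr_len(owner, 4)                        # IPv4 address
    size += rr_len(owner, rrsig_rdata_len(zone, sig))
    return size + OPT_RR


def fits_udp(size: int, limit: int) -> bool:
    """True if the response fits one UDP message; otherwise the server sets
    TC=1 and the resolver has to retry the query over TCP."""
    return size <= limit


def report(zone: str = "example.com.", owner: str = "www.example.com.") -> dict:
    """Per-algorithm sizes and whether each response fits the 1232-byte limit."""
    out = {}
    for alg in ALGORITHMS:
        dk, a = dnskey_response_len(zone, alg), a_response_len(owner, zone, alg)
        out[alg] = {"dnskey": dk, "a": a,
                    "dnskey_fits_1232": fits_udp(dk, 1232),
                    "a_fits_1232": fits_udp(a, 1232)}
    return out


if __name__ == "__main__":
    for alg, r in report().items():
        print(f"{alg:<18} DNSKEY {r['dnskey']:>5} B  A {r['a']:>5} B  "
              f"fits 1232: DNSKEY={r['dnskey_fits_1232']} A={r['a_fits_1232']}")
```

Running the script prints one line per algorithm. With these assumptions the classical algorithms stay well under 1232 bytes for both responses; Falcon-512 keeps an ordinary signed A response under the limit but its DNSKEY response, which carries two keys and a signature, does not; ML-DSA-44 exceeds 1232 bytes for both, and its DNSKEY response exceeds even a 4096-byte buffer, so every such answer over UDP is truncated and retried over TCP.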

As they note, it's too soon to move this work into the IETF DNS standards process, but there is continuing interest in researching the space, with other activity underway from SIDN, which we'll also feature on PING.

Jason recorded a presentation on post-quantum cryptography in DNSSEC at PQ23, the 14th International Conference on Post-Quantum Cryptography, in 2023.

To test signing and validation in PowerDNS and Bind9, Peter and Jason have written a front end that you can try.

[Edit: this blog was updated to correct the attribution of funding and support from NLNet Labs to the NLNet Foundation, who have a web page about this project.]


The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
