Post-Quantum Signatures in DNSSEC via Request-Based Fragmentation

by   Jason Goertzen, et al.

The Domain Name System Security Extensions (DNSSEC) provide authentication of DNS responses using digital signatures. DNS operates primarily over UDP, which leads to several constraints: notably, packets should be at most 1232 bytes long to avoid problems during transmission. Larger DNS responses either need to be fragmented into several UDP responses or the request would need to be repeated over TCP, neither of which is sufficiently reliable in today's DNS ecosystem. While RSA or elliptic curve digital signatures are sufficiently small to avoid this problem, even for DNSSEC packets containing both a public key and a signature, this problem is unavoidable when considering the larger sizes of post-quantum schemes. We propose ARRF, a method of fragmenting DNS resource records at the application layer (rather than the transport layer) that is request-based, meaning the initial response contains a truncated fragment and then the requester sends follow-up requests for the remaining fragments. Using request-based fragmentation avoids problems identified for several previously proposed (and rejected) application-level DNS fragmentation techniques. We implement our approach and evaluate its performance in a simulated network when used for the three post-quantum digital signature schemes selected by NIST for standardization (Falcon, Dilithium, and SPHINCS+) at the 128-bit security level. Our experiments show that our request-based fragmentation approach provides substantially lower resolution times compared to standard DNS over UDP with TCP fallback, for all the tested post-quantum algorithms, and with less data transmitted in the case of both Falcon and Dilithium. Furthermore, our request-based fragmentation design can be implemented relatively easily: our implementation is in fact a small daemon that can sit in front of a DNS name server or resolver to fragment/reassemble transparently.


Post-Quantum Hybrid Digital Signatures with Hardware-Support for Digital Twins

Digital Twins (DT) virtually model cyber-physical objects using Internet...

Signing Information in the Quantum Era

Signatures are primarily used as a mark of authenticity, to demonstrate ...

Winternitz stack protocols

This paper proposes and evaluates a new bipartite post-quantum digital s...

Quantum-Resistant Security for Software Updates on Low-power Networked Embedded Devices

As the Internet of Things (IoT) rolls out today to devices whose lifetim...

SPDH-Sign: towards Efficient, Post-quantum Group-based Signatures

In this paper, we present a new diverse class of post-quantum group-base...

Shorter Signatures from Proofs of Knowledge for the SD, MQ, PKP and RSD Problems

The MPC in the head introduced in [IKOS07] has established itself as an ...

Energy-Aware Digital Signatures for Embedded Medical Devices

Authentication is vital for the Internet of Things (IoT) applications in...

Please sign up or login with your details

Forgot password? Click here to reset