Solution report blog — Code Crafters

While the digital locks protecting the Internet’s directory service (DNSSEC) are robust today, they are built on mathematical foundations that a future quantum computer could crumble in seconds. During the AIORI-2 Hackathon, our team—Code Crafters from GNIT, Kolkata—took a proactive leap into the future. We built a unified benchmarking framework to see how “Quantum-Resistant” algorithms actually perform when plugged into the real-world plumbing of the Internet.

1. The Looming “Q-Day” for DNS

DNSSEC relies on digital signatures (RSA and ECDSA) to prove that a website’s address hasn’t been hijacked. However, these are vulnerable to quantum attacks. The challenge is that Post-Quantum Cryptography (PQC) algorithms aren’t a simple “drop-in” replacement; they often come with massive keys or slow signing speeds that could choke global DNS traffic.

2. Our Testbed: PowerDNS in a Box

To ensure our results were reproducible and isolated, we used Podman to create a containerized “lab in a bottle.” We implemented four leading PQC candidates within the PowerDNS ecosystem:

  • Falcon-512: Known for its compact signatures.
  • Dilithium2: A balanced choice for speed and security.
  • SPHINCS+: Extremely robust but notorious for its “heavy” signatures.
  • SQIsign: The newcomer with the smallest keys but high computational cost.

3. Technical Implementation

Our sprint followed a strict automated workflow. We didn’t just sign zones; we measured the “stress” placed on the network.

Component      Tool / Standard            Role
Server         PowerDNS (PQC-enabled)     The core DNS engine performing PQC signing.
Orchestration  Podman                     Ensuring a clean, isolated test environment for every run.
Validation     dig / DNSSEC-Analyzer      Verifying that the PQC signatures were logically sound.
Standards      RFC 4033–4035              Maintaining the baseline DNSSEC protocol framework.

4. Key Findings: The Payload Problem

Our benchmarks revealed a stark reality: Size matters.

  • Signature Explosion: SPHINCS+ signatures reached 40–50 KB. Standard DNS responses are usually under 512 bytes. Responses this large are heavily fragmented at the IP layer, and the server ends up truncating them so the resolver must retry over TCP instead of UDP, adding significant latency.
  • The Sweet Spot: Falcon-512 and Dilithium2 emerged as the practical winners, with query times increasing by only 5–15% compared to traditional methods.
  • Key Lengths: SQIsign lived up to its promise of having the smallest Base64 key size, which is critical for minimizing the size of the DNSKEY record.
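To make the "payload problem" from sections 3 and 4 concrete, the following added example (not the team's PowerDNS/Podman tooling) models a single signed answer on the wire and applies the size limits that push a response from plain UDP to EDNS0 UDP and finally to TCP fallback. The Falcon-512, Dilithium2 and SQIsign signature and key sizes are the published parameter-set values and are assumptions of this example (the post does not list them); the SPHINCS+ figure is the midpoint of the 40–50 KB the team reported, and the ECDSA P-256 row is a classical baseline for comparison. The 1232-byte EDNS0 buffer and the record layout follow RFC 1035 and RFC 4034.

```python
"""Added example: estimate how PQC signature and key sizes affect DNSSEC
transport. Not the team's code; it models one A record plus one RRSIG in
a response and checks it against the UDP / EDNS0 / TCP size thresholds."""
import math

# Message size thresholds (bytes)
CLASSIC_UDP_LIMIT = 512   # RFC 1035 maximum UDP payload without EDNS0
EDNS_UDP_DEFAULT = 1232   # EDNS0 buffer size recommended since DNS flag day 2020

# Signature sizes in bytes. Falcon-512, Dilithium2 and SQIsign (NIST level 1)
# use their published parameter-set sizes (assumed here; the post does not list
# them). SPHINCS+ is the midpoint of the 40-50 KB reported in the post.
# ECDSA P-256 (RFC 6605) is the classical baseline.
SIGNATURE_BYTES = {
    "ECDSAP256": 64,
    "SQIsign": 177,
    "Falcon-512": 666,
    "Dilithium2": 2420,
    "SPHINCS+": 45_000,
}

# Public-key sizes in bytes (same provenance as above). The post does not say
# which SPHINCS+ parameter set was built, so its key is deliberately not modelled.
PUBLIC_KEY_BYTES = {
    "ECDSAP256": 64,
    "SQIsign": 64,
    "Falcon-512": 897,
    "Dilithium2": 1312,
}


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name: each label is length-prefixed
    and the name ends with the zero-length root label."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(len(label) + 1 for label in labels) + 1


def rrsig_wire_len(sig_len: int, signer: str) -> int:
    """Wire length of one RRSIG RR whose owner name is a 2-byte compression
    pointer. The fixed RDATA fields total 18 bytes (RFC 4034 section 3.1) and
    the signer's name must not be compressed."""
    owner_and_header = 2 + 2 + 2 + 4 + 2   # name pointer, TYPE, CLASS, TTL, RDLENGTH
    return owner_and_header + 18 + wire_name_len(signer) + sig_len


def response_size(sig_len: int, qname: str = "www.example.com.",
                  signer: str = "example.com.", edns: bool = True) -> int:
    """Estimated size of a signed A-record answer: header, question, one A RR,
    one RRSIG and (optionally) the OPT pseudo-RR that carries EDNS0."""
    header = 12
    question = wire_name_len(qname) + 2 + 2          # QNAME, QTYPE, QCLASS
    a_record = 2 + 2 + 2 + 4 + 2 + 4                 # pointer, TYPE, CLASS, TTL, RDLENGTH, IPv4
    opt = 11 if edns else 0                          # root name + fixed OPT fields
    return header + question + a_record + rrsig_wire_len(sig_len, signer) + opt


def transport(sig_len: int, edns_bufsize: int = EDNS_UDP_DEFAULT) -> str:
    """Transport a resolver ends up using for this answer."""
    if response_size(sig_len, edns=False) <= CLASSIC_UDP_LIMIT:
        return "UDP"
    if response_size(sig_len, edns=True) <= edns_bufsize:
        return "UDP+EDNS0"
    return "TCP"   # server sets TC=1 and the resolver retries over TCP


def dnskey_base64_len(pk_len: int) -> int:
    """Length of the Base64 public-key field of a DNSKEY record in presentation
    format: four output characters per three input bytes, padded."""
    return 4 * math.ceil(pk_len / 3)


def benchmark_table(edns_bufsize: int = EDNS_UDP_DEFAULT) -> dict:
    """Per-algorithm summary: response bytes (with EDNS0) and resulting transport."""
    return {
        alg: {"response_bytes": response_size(sig),
              "transport": transport(sig, edns_bufsize)}
        for alg, sig in SIGNATURE_BYTES.items()
    }


if __name__ == "__main__":
    for alg, row in benchmark_table().items():
        print(f"{alg:<11} {row['response_bytes']:>6} bytes -> {row['transport']}")
    for alg, pk in PUBLIC_KEY_BYTES.items():
        print(f"{alg:<11} DNSKEY Base64 key field: {dnskey_base64_len(pk)} chars")
```

With the default 1232-byte EDNS0 buffer, only SQIsign and the ECDSA baseline stay under the classic 512-byte limit, Falcon-512 still fits over UDP with EDNS0, and Dilithium2 and SPHINCS+ are truncated and retried over TCP. Raising the buffer to 4096 bytes brings Dilithium2 back onto UDP, which is consistent with the team measuring Falcon-512 and Dilithium2 as the practical sweet spot; SPHINCS+ is forced onto TCP at any buffer size. The model covers one RRSIG per answer; real responses with multiple signed RRsets or NSEC/NSEC3 proofs grow accordingly.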

5. Lessons from the Sprint: Engineering Precision

We learned that implementing PQC is as much about buffer management as it is about math. Large SPHINCS+ records frequently failed to parse until we optimized the memory handling within our containerized scripts.

“Integrating PQC algorithms into DNSSEC made us appreciate the importance of DNS payload optimization. We ended up with newfound respect for Internet engineering precision.” — Amanpreet Singh Gandhi, Team Lead

6. Future Work: The Hybrid Path

Our next step is exploring Hybrid Signing (documented in draft-ietf-lamps-pq-hybrid-sigs). By using both a classical (RSA) and a quantum-resistant key, we can provide security for today’s clients while being “Quantum-Ready” for tomorrow.