Post-Quantum Signatures in DNSSEC via Request-Based Fragmentation

Conference paper

Post-Quantum Cryptography (PQCrypto 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14154)

Abstract

The Domain Name System Security Extensions (DNSSEC) provide authentication of DNS responses using digital signatures. DNS operates primarily over UDP, which leads to several constraints: notably, DNS packets should be at most 1232 bytes long to avoid problems during transmission. Larger DNS responses would either need to be fragmented into several UDP responses or the request would need to be repeated over TCP, neither of which is sufficiently reliable in today’s DNS ecosystem. While RSA or elliptic curve digital signatures are sufficiently small to avoid this problem, even for DNSSEC packets containing both a public key and a signature, this problem is unavoidable when considering the larger sizes of post-quantum schemes.

We propose ARRF, a method of fragmenting DNS resource records at the application layer (rather than the transport layer) that is request-based, meaning the initial response contains a truncated fragment and then the requester sends follow-up requests for the remaining fragments. Using request-based fragmentation avoids problems identified for several previously proposed—and rejected—application-level DNS fragmentation techniques. We implement our approach and evaluate its performance in a simulated network when used for the three post-quantum digital signature schemes selected by NIST for standardization (Falcon, Dilithium, and SPHINCS+) at the 128-bit security level. Our experiments show that our request-based fragmentation approach provides substantially lower resolution times compared to standard DNS over UDP with TCP fallback, for all the tested post-quantum algorithms, and with less data transmitted in the case of both Falcon and Dilithium. Furthermore, our request-based fragmentation design can be implemented relatively easily: our implementation is in fact a small daemon that can sit in front of a DNS name server or resolver to fragment/reassemble transparently. As well, our request-based application-level fragmentation over UDP may avoid problems that arise on poorly configured network devices with other approaches for handling large DNS responses.
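
The request-based flow described in the abstract, as an added example that is not code from the paper or its repository. It is a simplified model and not the ARRF wire format: `Server`, `resolve`, `request_counts`, the `OVERHEAD` and `MAX_RECORD` constants, and the record sizes are all assumptions made for illustration.

```python
MAX_UDP = 1232       # DNS message size limit quoted in the abstract
OVERHEAD = 64        # assumed per-message header/question/fragment metadata
MAX_RECORD = 65535   # assumed requester-side cap on an announced record size
BUDGET = MAX_UDP - OVERHEAD

class Server:
    """Stateless responder: a fragment is sent only when explicitly requested."""
    def __init__(self, record: bytes):
        self.record = record

    def answer(self, offset: int, length: int) -> dict:
        length = min(length, BUDGET)  # never exceed the UDP budget
        chunk = self.record[offset:offset + length]
        return {"total": len(self.record), "offset": offset, "data": chunk}

def resolve(server: Server):
    """Fetch one record; returns (reassembled bytes, number of requests sent)."""
    first = server.answer(0, BUDGET)  # initial response carries a truncated fragment
    total = first["total"]
    if not 0 < total <= MAX_RECORD:   # bound memory before allocating
        raise ValueError("announced size out of bounds")
    fragments = {0: first}
    for off in range(BUDGET, total, BUDGET):  # follow-ups are chosen by the requester
        fragments[off] = server.answer(off, min(BUDGET, total - off))
    buf = bytearray(total)
    for off, frag in fragments.items():
        expected = min(BUDGET, total - off)
        # Accept only what was asked for: same offset, same size, same total.
        if (frag["offset"] != off or frag["total"] != total
                or len(frag["data"]) != expected):
            raise ValueError(f"unexpected fragment at offset {off}")
        buf[off:off + expected] = frag["data"]
    return bytes(buf), len(fragments)

def request_counts(sizes=(600, 2400, 7800)):  # constructed record sizes
    """Requests needed per record size under the 1232-byte limit."""
    return {n: resolve(Server(bytes(n)))[1] for n in sizes}

if __name__ == "__main__":
    print(request_counts())
```

Because the requester decides which offsets to ask for, it can discard any fragment it did not solicit; in DNSSEC the reassembled record would then still go through signature validation.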


Data Availability Statement

The software implementing the daemon and experiment is available at https://github.com/Martyrshot/ARRF-experiments/.

Notes

  1. Modifications to BIND9 were required as the maximum DNS message size BIND9 supports is 4096.


Acknowledgments

We gratefully acknowledge helpful discussion with Roland van Rijswijk-Deij, Andrew Fregly and Burt Kaliski, Sofía Celi, and Michael Baentsch. D.S. was supported by Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grants RGPIN-2016-05146 and RGPIN-2022-0318, and a donation from VeriSign, Inc.

Corresponding author

Correspondence to Douglas Stebila.

A Appendix – Performance Graphs

Figures 3, 4, 5, and 6 visualize the performance of ARRF in batched and sequential mode in various network scenarios and at different maximum UDP packet sizes compared with standard DNS with TCP fallback or UDP only mode.

Fig. 3. Mean resolution times in milliseconds with 10 ms latency and 128 kilobytes per second bandwidth

Fig. 4. Mean resolution times in milliseconds with 10 ms latency and 50 megabytes per second bandwidth

Fig. 5. Mean resolution times in milliseconds with 10 ms latency and 50 megabytes per second bandwidth

Fig. 6. Mean resolution times in milliseconds with 0 ms latency and unlimited bandwidth

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Goertzen, J., Stebila, D. (2023). Post-Quantum Signatures in DNSSEC via Request-Based Fragmentation. In: Johansson, T., Smith-Tone, D. (eds) Post-Quantum Cryptography. PQCrypto 2023. Lecture Notes in Computer Science, vol 14154. Springer, Cham. https://doi.org/10.1007/978-3-031-40003-2_20

  • DOI: https://doi.org/10.1007/978-3-031-40003-2_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-40002-5

  • Online ISBN: 978-3-031-40003-2

  • eBook Packages: Computer Science (R0)
