In this section, you will find the notes of the panel held on PQNet2022 around transitioning DNSSEC to post-quantum cryptography. The panel was held with:

• Andrew Fregly from Verisign
• Paul Hoffman from ICANN
• Moritz Müller from SIDN Labs
• Christian Elmerot from Cloudflare
• Roland M. van Rijswijk-Deij from University of Twente
• Sofía Celi from Brave

Prior to the panel, there was a presentation from Roland M. van Rijswijk-Deij around DNSSEC and PQ. The slides can be found here.

In this section, you will find the notes of the panel held on PQNet2022 around transitioning DNSSEC to post-quantum cryptography. The panel was held with:

What are the biggest challenges we face for transitioning DNSSEC to post-quantum cryptography?

There are two types of challenges:

• Protocol level
• Operational

On the protocol level, we don’t know if substituting classical algorithms for post-quantum ones will be 'just enough'. We have a strong intuition (and research) that it is not going to be the case.

Isogeny-based cryptography and hash-based cryptography constructions (as seen here) might be the path forward for DNSSEC.

On the operational level, there are bigger challenges. We are unsure of what operational problems there will be. We are unsure if, for example, DNS attacks occur in the wild (at what level and with what regularity) and if DNSSEC as it is still makes sense to prevent them. We are also unsure of what specific challenges there are on migrating, maintaining and configuring DNSSEC, and how much DNSSEC is used in practice.

The biggest challenge is also to get the ecosystem prepared, as it is a very complex one. The DNS community is different from the TLS one. The latter has a handful of libraries that are used in practice, while DNS (and DNSSEC) is a much more complex system.

Prior to thinking on a post-quantum DNSSEC, perhaps we should think on: does DNSSEC still make sense today (and in the future)?

An conversation around some of these points can be found here.

What properties/opportunities of DNSSEC do we still want to provide?

Authentication is still an important property (specifically, end-point authentication or as the property of the responses). DNS-based Authentication of Named Entities (DANE) is very important as well.

It is very unclear (with data to backup) how much DNSSEC protects against DNS-cache poisoning as we are unclear on how much the attack happens in the wild. We have been trying to create a survey of how much those attacks occur in practice.

What will be the operational problems facing a migration of DNSSEC to post-quantum on the top of our head?

• Migrating root servers will be very difficult and requires being very careful. The same for HSMs.
• There could be a possibility of adding/increasing denial of service attacks due to the sizes or operational costs of post-quantum cryptography.
• We should be careful with fragmentation as falling to TCP is not the greatest option.
• It is unclear if UDP as it is will still work, or we should think of a flavor of DNSEC over QUIC. Perhaps, this might be the future of the protocol and an increase in general of the usage of QUIC.

What do we need to make the migration to a new (PQ)DNSSEC work?

We need proper tests/specs of what works and what doesn’t: this could translate into performing more experiments. We need real data and test beds that run constantly. We need to map out the operational challenges prior to a “real” migration.

We need general documents of what post-quantum cryptography will bring as challenges.

Looking ahead for new workshops/proposals

Our action items are:

• We need to create a live document of the operational problems, properties and limitations of DNSSEC from the practical perspective.
• Data on how much is cache poisoning attack (or other attacks) seen in the wild.
• More tests and real world data of what can work.
• Good measurements metrics of post-quantum algorithms.
• Propose a way forward for the IETF: perhaps as part of the BoF?

---