Fredrik Lindeberg
Fredrik Lindeberg
Banner ICANN - Ulrich Wisser

DNS Quantum Computing

Netnod Meeting
Ulrich Wisser, ICANN, discusses the impact of quantum computing on DNSSEC at the Netnod Tech Meeting 2024.

The problem posed by quantum computers

Quantum computers affect even core Internet standards such as DNSSEC. At its core, DNSSEC is dependent on public key cryptography, that is asymmetric cryptography based on a mathematical relationship between the private and public keys. This mathematical relationship can for most algorithms not realistically be broken by conventional computers. 

However, quantum computers can theoretically crack most asymmetric algorithms in use today. But implementations of quantum computers with that power are likely at least a decade away, if not several decades. 

Since changing the keys and algorithms used for the DNS system, and especially the root zone, is likely to take quite a long time, we need to get started today,

Just changing the keys for the root zone took five years, we have to get started with this already today.

Ulrich Wisser

ICANN Ulrich Wisser,

Longer keys are (possibly) needed

One of the more substantial issues with quantum resistant asymmetric cryptography is the key length necessary. In technical terms, it is inconvenient if DNS-packets with DNSSEC contents are longer than 1500 bytes including all headers. 1500 bytes with headers is the realistic limit for UDP packets over the Internet. For non-EDNS-compliant name servers the packet length is even shorter, just 512 bytes.

Longer keys would require DNS-request to be handled via TCP, which requires additional overhead compared to UDP. Also worth noting, in technical terms, the DNS protocol itself cannot handle DNS-packets longer than 64k bytes, which sets a hard limit for the size of the keys used in DNSSEC public key cryptography.

Today, most available quantum resistant ciphers have key lengths on the far end of 1500 bytes, so algorithms would have to be improved before large scale implementations to account for the increased efficiency of UDP queries. 

However, Ulrich argues that the DNSSEC community in general does not need to consider at this time, but notes that TLS- and QUIC-based DNS-protocols usage should be aligned with current best practice quantum resistant cryptography over time.

Summary

In the larger picture quantum cryptography is going to affect the way DNSSEC is done, but there is no need to hurry yet for the DNSSEC community. There is, however, a need to start thinking about shifting to quantum resistant algorithms over time. 

 

Link to presentation (Youtube) 

Link to presentation (PDF)

Related blog articles

Netnod Meeting
banner Arelion

Global trends - as seen by Arelion

Fredrik Lindeberg
Mattias Fridström, Vice President & Chief Evangelist, Arelion, went through the current trends seen from their global network at the Netnod Tech meeting in October 2024. The presentation covered how cyberattacks are becoming more common and larger over time.
Netnod Meeting
Akira - Ransomware-as-a-Service

Akira - Ransomware-as-a-Service

Fredrik Lindeberg
Heresh Zaremand (Truesec) and Viktor Sahin-Uppstömmer (Polismyndigheten) presented findings related to the use of Akira Ransomware-as-a-Service at the Netnod Tech meeting in the fall of 2024. The presentation illustrated and explained a typical Akira-attack on a victim environment, specifically a Cisco ASA.
Netnod Meeting
Is QKD or PQC ready to quantum secure optical networks?

Is QKD or PQC ready to quantum secure optical networks?

Fredrik Lindeberg
Jim Zou from Adtran presented the challenges and opportunities with regards to securing optical networks with quantum secure methods at the Netnod Tech meeting (October 2024). He explored the differences between Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD) and predicted a way forward.
Show all blog articles