English

Implementing and Evaluating Post-Quantum DNSSEC in CoreDNS

Cryptography and Security 2025-07-15 v1 Networking and Internet Architecture

Abstract

The emergence of quantum computers poses a significant threat to current secure service, application and/or protocol implementations that rely on RSA and ECDSA algorithms, for instance DNSSEC, because public-key cryptography based on number factorization or discrete logarithm is vulnerable to quantum attacks. This paper presents the integration of post-quantum cryptographic (PQC) algorithms into CoreDNS to enable quantum-resistant DNSSEC functionality. We have developed a plugin that extends CoreDNS with support for five PQC signature algorithm families: ML-DSA, FALCON, SPHINCS+, MAYO, and SNOVA. Our implementation maintains compatibility with existing DNS resolution flows while providing on-the-fly signing using quantum-resistant signatures. A benchmark has been performed and performance evaluation results reveal significant trade-offs between security and efficiency. The results indicate that while PQC algorithms introduce operational overhead, several candidates offer viable compromises for transitioning DNSSEC to quantum-resistant cryptography.

Keywords

Cite

@article{arxiv.2507.09301,
  title  = {Implementing and Evaluating Post-Quantum DNSSEC in CoreDNS},
  author = {Julio Gento Suela and Javier Blanco-Romero and Florina Almenares Mendoza and Daniel Díaz-Sánchez},
  journal= {arXiv preprint arXiv:2507.09301},
  year   = {2025}
}
R2 v1 2026-07-01T03:57:59.376Z