• PQC signatures are far larger than ECDSA signatures, causing DNSSEC responses to exceed UDP size limits.
• Exceeding UDP limits forces more DNS queries to use TCP, increasing server load.
• Real‑world tests on the .nl zone show CPU usage rises, but the overall impact remains modest.
• Adoption of new PQC algorithms takes roughly 10 years, so early preparation is critical.
• EDNS0 buffer size advertising helps mitigate the problem but cannot fully prevent TCP fallback.
• Testing across NSD, Knot, BIND and PowerDNS demonstrates consistent behaviour across the major authoritative servers.

Article Summaries:

  • Post‑quantum cryptography (PQC) will enlarge DNSSEC signatures, potentially forcing more DNS responses over TCP instead of UDP. In a study of the Dutch .nl zone, Eline Stehouwer of SIDN Labs replayed real traffic against several authoritative servers (NSD, Knot, BIND, PowerDNS). The results show that the shift to TCP would raise CPU usage but has a limited overall impact on server performance. Currently only 1-2% of .nl queries use TCP; even with PQC‑based signatures the increase is modest. The work also highlights the roughly ten‑year lag between an algorithm's introduction and its widespread adoption.
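A back-of-the-envelope size model of the effect the summary describes, added here as an illustration (it is not code from the SIDN Labs study): it estimates the wire size of a minimal DNSSEC-signed response and decides whether it fits the EDNS0 UDP buffer a resolver advertises or is truncated and retried over TCP. Signature sizes are the public values from the respective specifications; the zone name, RRset layout and buffer sizes are constructed example parameters.

```python
# Wire-size model for a DNSSEC response (RFC 1035 / RFC 4034 field layout).
# Constructed example; signature sizes are public specification values.

# Signature size in bytes per algorithm: ECDSA P-256 (RFC 6605), RSA with a
# 2048-bit key, ML-DSA-44 (FIPS 204), Falcon-512 (maximum), SLH-DSA-128s (FIPS 205).
SIG_BYTES = {
    "ECDSAP256SHA256": 64,
    "RSASHA256-2048": 256,
    "ML-DSA-44": 2420,
    "FALCON-512": 666,
    "SLH-DSA-128s": 7856,
}

DNS_HEADER = 12   # ID, flags, four section counts
RR_HEADER = 10    # TYPE, CLASS, TTL, RDLENGTH (owner name counted separately)
RRSIG_FIXED = 18  # RFC 4034 3.1 fields before the signer's name and signature
OPT_RR = 11       # root owner name + TYPE + CLASS + TTL + RDLENGTH, no options
COMPRESSED_NAME = 2  # owner names after the question are compression pointers


def response_size(owner_wire, rdata_sizes, algorithms, signer_wire):
    """Size of header + question + answer RRset + one RRSIG per algorithm + OPT.
    During an algorithm rollover the RRset carries one RRSIG per algorithm,
    so a list of several algorithms models that case."""
    size = DNS_HEADER + owner_wire + 4 + OPT_RR
    for rdata in rdata_sizes:
        size += COMPRESSED_NAME + RR_HEADER + rdata
    for alg in algorithms:
        size += COMPRESSED_NAME + RR_HEADER + RRSIG_FIXED + signer_wire + SIG_BYTES[alg]
    return size


def transport(size, edns_bufsize=1232):
    """'udp' if the response fits the advertised buffer, 'tcp' if the server
    must set the TC bit and the resolver retries over TCP. A buffer size of 0
    means the query carried no OPT record, so the classic 512-byte limit applies."""
    limit = edns_bufsize if edns_bufsize else 512
    return "udp" if size <= limit else "tcp"


if __name__ == "__main__":
    # Constructed case: "example.nl." (12 bytes on the wire), an A RRset with two
    # addresses (4 bytes of RDATA each), signed by "nl." (4 bytes on the wire).
    for alg in SIG_BYTES:
        size = response_size(12, [4, 4], [alg], 4)
        print(f"{alg:16} {size:5} bytes  "
              f"buf=1232:{transport(size)}  buf=4096:{transport(size, 4096)}")
```

The run shows why advertising a larger EDNS0 buffer only partly helps: an ML-DSA-44-signed answer fits a 4096-byte buffer but not the common 1232-byte default, while an SLH-DSA-128s answer exceeds both and always falls back to TCP.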

Sources: