Abstract
The development of quantum computing threatens many Internet protocols because it undermines the security of the asymmetric cryptography they rely on today. New families of algorithms, collectively known as post-quantum cryptography (PQC), are being developed and tested as replacements. Although designed to resist quantum computers running Shor's algorithm, these schemes often require larger keys or signatures and more computation, which complicates their use in higher-level protocols and calls for careful study of the consequences of the transition. This paper evaluates the practicality of one such PQC algorithm, FALCON-512, in the DNSSEC protocol. Using a containerized testbed, simulated DNS traffic is analyzed with a focus on two performance metrics, network latency and error rate, as the number of DNS clients grows. The results show that PQC-enabled DNSSEC produces higher error rates than today's algorithms, most markedly in NSEC responses used to deny the existence of DNS records: a negative response carries several signatures, so it grows the most and overloads the network. The main contribution of this article is the empirical validation of earlier theoretical expectations about the practical consequences of FALCON-512 signature sizes in a DNSSEC deployment. The differences in latency observed between nameservers at different levels of the DNS hierarchy may inform DNS operators planning the transition to PQC.
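The following added example, which is not part of the paper or its testbed, makes the signature-size argument concrete by estimating the wire size of a positive DNSSEC answer and of an NSEC denial of existence under several signing algorithms. The signature lengths, the assumed record sizes (compressed owner names, a 20-byte query name, a 9-byte signer name, 60-byte SOA and 30-byte NSEC RDATA) and the two-NSEC closest-encloser proof are assumptions chosen for the estimate, not measurements; the 1232-byte EDNS buffer is the value recommended by DNS Flag Day 2020, and 1472 bytes is what fits in one Ethernet frame after IPv4 and UDP headers.

```python
"""Estimate DNSSEC response sizes per signing algorithm (constructed example).

Pure wire-size arithmetic; no DNS traffic is sent or parsed.
"""

# Approximate signature lengths in bytes. Assumptions for this estimate,
# not values taken from the paper.
SIGNATURE_BYTES = {
    "ECDSAP256SHA256": 64,
    "ED25519": 64,
    "RSASHA256-2048": 256,
    "FALCON-512": 666,   # typical compressed FALCON-512 signature (max 690)
}

# Thresholds that decide whether a UDP answer is delivered intact.
EDNS_BUFFER_1232 = 1232      # buffer size recommended by DNS Flag Day 2020
ETHERNET_UDP_PAYLOAD = 1472  # 1500-byte MTU minus IPv4 (20) and UDP (8)

# Assumed fixed wire costs. Owner names are taken as compressed (2 bytes).
HEADER = 12
QUESTION = 20 + 2 + 2        # 20-byte qname + QTYPE + QCLASS
OPT_RR = 11                  # EDNS(0) OPT pseudo-record without options
MESSAGE_BASE = HEADER + QUESTION + OPT_RR
RR_HEADER = 2 + 2 + 2 + 4 + 2  # name ptr, type, class, TTL, RDLENGTH
A_RDATA = 4
SOA_RDATA = 60               # assumed mname + rname + 20 bytes of counters
NSEC_RDATA = 30              # assumed next-owner name + type bitmap
RRSIG_FIXED = 18             # type, alg, labels, TTL, expiry, inception, tag
SIGNER_NAME = 9              # e.g. "example." in wire form


def rrsig_size(alg: str) -> int:
    """Wire size of one RRSIG record for the given algorithm."""
    return RR_HEADER + RRSIG_FIXED + SIGNER_NAME + SIGNATURE_BYTES[alg]


def positive_answer_size(alg: str) -> int:
    """A-record answer: one A RR plus one RRSIG (a single signature)."""
    return MESSAGE_BASE + (RR_HEADER + A_RDATA) + rrsig_size(alg)


def nxdomain_size(alg: str, nsec_records: int = 2) -> int:
    """NSEC denial of existence: SOA + RRSIG, and one RRSIG per NSEC.

    A closest-encloser proof usually needs two NSEC records (one covering
    the queried name, one covering the wildcard), so the response carries
    three signatures instead of one.
    """
    soa = RR_HEADER + SOA_RDATA + rrsig_size(alg)
    nsecs = nsec_records * (RR_HEADER + NSEC_RDATA + rrsig_size(alg))
    return MESSAGE_BASE + soa + nsecs


def delivery(size: int) -> str:
    """Classify a response size against the UDP thresholds above."""
    if size <= EDNS_BUFFER_1232:
        return "fits in a 1232-byte UDP response"
    if size <= ETHERNET_UDP_PAYLOAD:
        return "exceeds 1232-byte buffer: truncation and TCP retry expected"
    return "exceeds one Ethernet frame: fragmentation or TCP fallback"


def report() -> dict:
    """Per-algorithm sizes and delivery classification for both response kinds."""
    out = {}
    for alg in SIGNATURE_BYTES:
        pos, neg = positive_answer_size(alg), nxdomain_size(alg)
        out[alg] = {
            "positive": (pos, delivery(pos)),
            "nxdomain": (neg, delivery(neg)),
        }
    return out


if __name__ == "__main__":
    for alg, kinds in report().items():
        for kind, (size, verdict) in kinds.items():
            print(f"{alg:16} {kind:8} {size:5} B  {verdict}")
```

Under these assumptions a FALCON-512 positive answer still fits a 1232-byte UDP response, while the NSEC denial, which carries three FALCON-512 signatures, exceeds one Ethernet frame, so every negative answer triggers fragmentation or a TCP retry; with ECDSA P-256 the same denial stays near the classic 512-byte limit.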