Double-Signed Fragmented DNSSEC: Enhancing Security During the Transition to Post-Quantum Cryptography

The increasing adoption of DNS over HTTPS (DoH) and DNS over TLS (DoT) will have a significant impact on the implementation and performance of double-signed DNSSEC, primarily due to their encryption and encapsulation of DNS traffic within HTTPS and TLS protocols respectively. Here's a breakdown of the potential impacts: Implementation: Reduced Visibility: DoH and DoT encrypt DNS traffic, making it difficult for on-path devices, including middleboxes implementing fragmentation strategies like the one proposed in the paper, to inspect and manipulate DNS messages. This could hinder the application-layer fragmentation and reassembly process crucial for double-signed DNSSEC. Increased Complexity: Integrating double-signed DNSSEC with DoH and DoT would require modifications to existing implementations of these protocols to handle the larger message sizes and fragmentation/reassembly procedures. This adds complexity to both client and server implementations. Potential for Incompatibility: Existing DoH and DoT clients and servers might not be compatible with the modified DNS message formats required for double-signed fragmented DNSSEC. This could lead to interoperability issues and hinder widespread adoption. Performance: Increased Overhead: Double-signed DNSSEC inherently increases message sizes due to the inclusion of two digital signatures. Encapsulating these larger messages within DoH or DoT would further increase the overall packet size, potentially leading to higher bandwidth consumption and latency, especially for networks with smaller MTUs. Added Processing Time: Decrypting and reassembling fragmented DNSSEC messages within the DoH or DoT layer would require additional processing on both client and server sides. This could increase the overall DNS resolution time, potentially impacting the user experience. Mitigation Strategies: Standardization and Implementation Support: Standardizing the fragmentation and reassembly mechanisms for double-signed DNSSEC and ensuring support in popular DoH and DoT libraries and implementations would be crucial for seamless integration. Optimizations for Message Size: Exploring techniques to minimize the size overhead of double signatures, such as signature compression or aggregation, could help mitigate the performance impact. Adaptive Fragmentation: Implementing adaptive fragmentation strategies that consider the underlying network conditions and MTU sizes could optimize the trade-off between message size and fragmentation overhead.

Yes, the use of double signatures in DNSSEC, while offering a temporary security enhancement, could potentially create a false sense of security and delay the full transition to post-quantum cryptography (PQC). Here's why: Reliance on Known Vulnerable Algorithms: Double signatures still rely on one known vulnerable algorithm (pre-quantum). If a breakthrough occurs in breaking these algorithms, even with classical computers, the entire system becomes vulnerable, regardless of the post-quantum signature. Reduced Incentive for Full Transition: The perceived security offered by double signatures might reduce the urgency and incentive for organizations to fully transition to PQC. This delay could leave systems vulnerable in the long run, especially as quantum computers advance. Complexity Leading to Complacency: The complexity of implementing and managing double-signed DNSSEC might lead to complacency in other areas of cybersecurity. Organizations might focus solely on this aspect while neglecting other crucial security measures. To avoid a false sense of security and ensure a timely transition to PQC: Clearly Communicate the Limitations: It's crucial to clearly communicate to stakeholders that double signatures are a temporary measure and not a replacement for full PQC adoption. Maintain Transition Roadmaps: Organizations should continue developing and executing their PQC transition roadmaps, prioritizing the complete replacement of pre-quantum algorithms. Promote PQC Research and Development: Continued investment in PQC research and development is essential to accelerate the standardization and deployment of robust and efficient post-quantum algorithms.

Transitioning to a significantly more complex cryptographic system for DNSSEC, like the double-signed approach, raises ethical concerns regarding accessibility, particularly for users in developing countries or with limited resources. Here's a breakdown of the potential ethical implications: Exacerbating the Digital Divide: Complex cryptographic systems often require more processing power and bandwidth, potentially making DNS resolution slower or inaccessible for users with older devices or limited internet connectivity. This could exacerbate the existing digital divide, disproportionately impacting marginalized communities. Unequal Security Posture: If the transition to more complex DNSSEC is not universally adopted due to resource constraints, users in developing countries might be left with weaker security guarantees, making them more vulnerable to attacks. This creates an unequal security posture across the globe. Hindering Access to Information: Slower or unreliable DNS resolution due to complex cryptography could hinder access to essential online services and information, particularly in regions with limited internet infrastructure. This could impact education, healthcare, and economic opportunities. To ensure an ethical and inclusive transition: Prioritize Lightweight Solutions: When designing and implementing complex cryptographic systems, prioritize lightweight solutions that minimize computational overhead and bandwidth consumption, ensuring accessibility for resource-constrained users. Provide Support and Resources: International organizations and technology providers should offer financial and technical support to developing countries to facilitate the adoption of secure DNSSEC implementations without compromising accessibility. Promote Open Standards and Interoperability: Encouraging open standards and interoperability in DNSSEC implementations can foster competition and drive down costs, making secure solutions more accessible globally. Raise Awareness and Education: Conducting awareness campaigns and educational programs about the importance of secure DNS and the potential impact of complex cryptography can empower users and policymakers to make informed decisions.