Negotiating PQC for DNSSEC

Domain Name System Security Extensions (DNSSEC) provides authentication and integrity to Domain Name System (DNS) through the use of digital signatures based on public-key cryptography. Quantum computers threaten public key cryptography and DNSSEC is unprepared. As the process to change algorithms in DNSSEC involves a lot of overhead, requires significant investment and takes many years, we advocate for deployment of long term cryptography for DNSSEC. In this work we explore the challenges and obstacles towards deployment of post-quantum signatures and explain that smooth adoption towards quantum-safe ciphers can be achieved with cipher-suite negotiation for DNSSEC.Cipher-suite negotiation, which DNSSEC currently does not support, ensures that the best cryptographic algorithms supported by the server and the resolver are used. Servers usually do not deprecate old algorithms because they are unaware whether resolvers support new algorithms. The signals in cipher-suite negotiation inform the servers and the resolvers of algorithm support that creates a feedback loop that could accelerate adoption of post-quantum signatures and the deprecation of old algorithms while preventing packet fragmentation. As a consequence, cipher-suite negotiation can contribute towards a greater adoption of DNSSEC.