Preparing DNSSEC for the Post-Quantum Era

The Domain Name System Security Extensions (DNSSEC) help protect the integrity of DNS data, supporting both online navigation and other uses of domain names as identifiers in applications. In the time since DNSSEC was first introduced in 2005, both the RSA algorithm and elliptic curve cryptography have served as the primary signature algorithms for DNSSEC. But with the potential of large-scale quantum computing on the horizon, there may soon come a time when those algorithms no longer suffice.

The internet community has recognized this challenge, and preparations are underway to adapt DNSSEC to post-quantum cryptography (PQC). At Verisign, we are working alongside researchers, operators, and standards bodies to develop solutions that balance cryptographic strength with the operational realities of the DNS.

This blog builds on our earlier discussions of new DNSSEC algorithms on the horizon, hash-based signatures, and next steps in preparing for PQC DNSSEC.

The Challenge Ahead

Transitioning DNSSEC to PQC is shaped by two realities. On the one hand, algorithm rollovers are rare and require global coordination—the root KSK rollover, for example, took years of planning. On the other hand, PQC algorithms such as the National Institute of Standards and Technology’s (NIST’s) SLH-DSA produce much larger signatures than today’s DNS was designed to handle. Large signatures risk packet fragmentation, performance bottlenecks, and operational complexity for DNS operators.

The transition is therefore not just a cryptography problem—it is equally an engineering and operations challenge.

A Strategy for Resilience

Along with colleagues in the DNS community, Verisign has been pursuing a diversity strategy for DNSSEC: pairing one algorithm that delivers efficient performance in everyday use with another that provides a conservative fallback. We do not yet have a recommendation for a routine performance algorithm, but a promising candidate for the fallback is SLH-DSA, a hash-based algorithm with strong security assurances.

To make SLH-DSA practical for DNSSEC, Verisign developed Merkle Tree Ladder (MTL) mode, which uses a Merkle tree structure to amortize the cost of large signatures. Instead of signing each record individually with a post-quantum signature algorithm, MTL mode signs an evolving “ladder” that authenticates multiple messages. Short Merkle tree inclusion proofs are included in place of conventional signatures on the individual DNS records, thus reducing size while preserving security. And while MTL mode can be applied to other signature algorithms, we started with SLH-DSA because it was the most conservatively designed and also had the largest signatures.
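The amortization idea behind MTL mode, as an added, simplified illustration (not Verisign's MTL mode implementation, which signs an evolving ladder rather than a single static tree): a batch of RRsets is hashed into a Merkle tree, one expensive signature covers the root, and each record carries only a short inclusion proof. The record text, the HMAC key standing in for the post-quantum signer, and the function names are all constructed for this example.

```python
import hashlib
import hmac

# Constructed sample zone data: one RRset per line (not real zone contents).
RECORDS = [
    b"example. NS ns1.example.",
    b"ns1.example. A 192.0.2.53",
    b"www.example. A 192.0.2.1",
    b"mail.example. MX 10 mx.example.",
]

# Placeholder for the post-quantum signer: a keyed MAC stands in for the
# single large SLH-DSA signature that would cover the tree root.
STUB_KEY = b"constructed-demo-key"
def stub_sign(root: bytes) -> bytes:
    return hmac.new(STUB_KEY, root, hashlib.sha256).digest()
def stub_verify(root: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(stub_sign(root), sig)

# Domain-separated hashing so a leaf can never be confused with an inner node.
def leaf(record: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + record).digest()
def node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(records):
    """Return every level of the tree, leaves first, root (one hash) last."""
    level = [leaf(r) for r in records]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:            # odd count: duplicate the last node
            level = level + [level[-1]]
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root: (sibling, sibling_is_on_the_right)."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof

def verify_record(record, proof, root, root_sig) -> bool:
    """Check the one root signature, then recompute the root from the proof."""
    if not stub_verify(root, root_sig):
        return False
    cur = leaf(record)
    for sibling, sibling_is_right in proof:
        cur = node(cur, sibling) if sibling_is_right else node(sibling, cur)
    return hmac.compare_digest(cur, root)
```

Each proof is log2(n) hashes of 32 bytes, so the per-record cost stays small no matter how large the root signature becomes.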

Research, Open Source, and Community Collaboration

Progress on PQC DNSSEC has been driven by collaboration across the community, with Verisign actively contributing at every stage. Efforts have spanned research and experimentation, presentations and hackathons at organizations like the Internet Engineering Task Force (IETF), NIST, DNS Operations Analysis and Research Center (DNS-OARC), and collaborations with academic entities.

The IETF is responsible for the DNS and DNSSEC standards. The IETF’s PQC DNSSEC mailing list and side meetings have been productive venues where participants can come together to share their evaluations of various PQC algorithms, experiences implementing SLH-DSA with MTL mode, and related resolver behaviors, as summarized in A Post-Quantum Cryptography Strategy for DNSSEC. IETF Hackathons and independent experiments have extended resolvers such as BIND, NSD, and CoreDNS to support PQC algorithms—including ML-DSA, Falcon, SLH-DSA, and SLH-DSA-MTL—producing real-world data described in PQC DNSSEC Implementation, presented at IETF 123.

NIST’s annual PQC conferences have been valuable opportunities for cryptographers to come together on PQC algorithm research. For this reason, Verisign selected this venue for its first presentation on MTL mode. Engagement has continued through panels on pre-hashing and presentations on strategies for Post-Quantum Cryptography in DNSSEC that support NIST’s ongoing evaluation of additional PQC signature algorithms, some of which may prove useful for DNSSEC long-term as the “routine performance” choice.

Academic and industry researchers have also played a major role. Researchers from Universidad Carlos III de Madrid, University of Ostrava, University of Twente, Virginia Tech, and University of Waterloo (along with SIDN Labs) have conducted feasibility studies and performance evaluations, often in collaboration with Verisign researchers. To make experimentation possible, Verisign has published Internet-Drafts and released open-source implementations of MTL mode, including a reference library and integrations into ldns and the Unbound resolver. By openly publishing IETF Internet-Drafts and making this code available under a royalty-free license, Verisign has supported independent testing and validation of its practicality.

Last but not least, the DNS operator community has a large stake in the ultimate selection and deployment of PQC DNSSEC. Research from the above groups has also been brought to DNS-OARC for further discussion among the operator community.

This ecosystem approach—spanning research, open source, standards, and operator feedback—ensures that multiple perspectives are shaping the future of PQC DNSSEC.

Looking Forward

Introducing PQC algorithms into DNSSEC will take time and coordination. By engaging early, the community is laying the groundwork for a smooth transition. As part of this effort, we recently introduced an IETF Internet-Draft on the Routine Performance, Resilient Fallback strategy, which the community has agreed will serve as the framework for the collaboration going forward.

At Verisign, we are proud to contribute to long-term internet security and stability by introducing technologies like MTL mode, publishing open source implementations, and working through the IETF to ensure DNSSEC remains strong and resilient in a post-quantum world. And by making implementations and intellectual property of MTL mode broadly available with royalty-free licenses, we hope to encourage widespread adoption of tools and techniques that better prepare our critical systems for the post-quantum era.

Swapneel Sheth

Swapneel Sheth is the Senior Director of Research Engineering in the Chief Technology Office at Verisign, where he leads the CTO Labs team and manages research and development activities. Since joining Verisign in 2014, he and his team have explored innovative opportunities, including researching new technologies, performing measurement studies, and building proof-of-concepts. Swapneel has authored and contributed to Internet Engineering...