Navigating DNS Security in a Quantum-Powered World
Insider Brief
- Ulrich Wisser, speaking at the Netnod Tech Meeting 2024, reassured that quantum computers are not yet capable of breaking encryption but emphasized the importance of preparing for future threats, as quantum advancements progress steadily.
- Wisser highlighted the vulnerability of DNSSEC, which relies on public-key cryptography, to future quantum attacks, and stressed the need for long-term preparations, including crypto agility and transitioning to quantum-safe algorithms like Falcon.
- While immediate action isn’t required, Wisser urged the community to monitor developments closely, as preparing the entire DNS ecosystem for quantum-safe encryption will take significant time and effort.
“Quantum computers will break encryption, but not today,” stated Ulrich Wisser, Regional Technical Engagement Manager at ICANN, kicking off his keynote at the Netnod Tech Meeting 2024. His presentation on DNS and quantum computing explored the evolving quantum landscape, grounded in practicality, while raising crucial questions about the future of cybersecurity and DNS cryptography.
Wisser was quick to dispel fears of imminent quantum threats. While quantum computers possess the potential to break public-key encryption, they are far from achieving that capability. He explained: “The state is very limited right now. The highest number they’ve factored is 35.” This, he noted, is far from the level required to breach encryption algorithms like RSA, a cornerstone of internet security.
However, Wisser urged the audience to look ahead, noting that quantum computers are improving at a steady pace.
“If quantum computers would improve like in Moore’s Law, doubling the number of transistors every other year, that would be 26 years from now,” said Wisser. While breakthroughs are possible, he argued that it’s unlikely a quantum computer capable of breaking RSA will emerge within the next decade. Yet, for long-term security — especially in defense sectors — this timeline is critical.
“Sweden’s defense, for example, probably wants a lot of this to be secret longer than fifty years,” Wisser pointed out, underlining the need for forward-looking measures.
The DNS (Domain Name System) is a vital component of the internet’s infrastructure, and its reliance on public-key cryptography makes it vulnerable to future quantum attacks.
“DNSSEC uses public-key cryptography, so if a quantum computer could break it, it would break DNSSEC,” Wisser explained. Although immediate concerns are minimal — quantum computers are not expected to compromise DNSSEC in the near term — preparations are essential. The challenge lies not only in upgrading encryption but also in ensuring that the entire DNS ecosystem, from top-level domains to resolvers, can adapt swiftly.
Crypto agility, or the ability to change cryptographic algorithms seamlessly, is another significant hurdle.
“It took us five years to roll the root key,” Wisser noted, stressing how slow and complex such transitions can be. Transitioning to quantum-safe cryptographic algorithms across the DNS will require even more effort, spanning not just the root but all second-level domains and resolvers. Wisser said the clock is ticking: “Suddenly, a decade seems like a very short time.”
As researchers work on finding quantum-resistant algorithms, Wisser pointed to Falcon, an algorithm with promise for DNS.
“Falcon is one of the best bets we have for DNS right now,” he explained, highlighting that it offers a reasonable balance between security and performance. While Falcon still has challenges — such as large signatures that can lead to packet fragmentation — Wisser expressed cautious optimism, noting that researchers are actively testing and refining these algorithms.
Wisser’s final message was one of preparedness and patience. While the immediate threat posed by quantum computing is limited, the time to start preparing is now.
“The community doesn’t need to do anything yet,” he stated, referring to the ongoing research and standards development. However, he underscored the importance of following developments closely, particularly as organizations like ICANN, IETF, and IRF work toward quantum-safe solutions.
As Wisser concluded, his words carried a clear call to action: while quantum computers capable of breaking current cryptography may still be years away, the need to plan for their arrival is already here.