Preparing the DNS for the Post-Quantum Cryptography transition
IS3C Webinar - 18 March 2026
Speakers: Benoît Ampeau (Head, Afnic Labs); Caspar Schutijser (SIDN Labs); Maarten Botterman (IS3C)
Moderator: Wout de Natris – van der Borght (IS3C Coordinator)
This webinar, co-organized by Afnic and the IGF Dynamic Coalition on Internet Standards, Security and Safety (IS3C), focused on preparing the Domain Name System (DNS) for the transition to post-quantum cryptography (PQC). It builds on prior IS3C work examining the technical, political, and societal implications of quantum computing and represents the second in a three-part series addressing practical deployment challenges.
The discussion emphasized that DNS is a foundational Internet service and that its cryptographic protections, particularly DNSSEC, will be directly affected by quantum computing advances that threaten current public-key algorithms such as RSA and elliptic curve cryptography.
Benoît Ampeau – Operational Reality and Technical Challenges
Benoît Ampeau framed PQC as both an immediate research priority and an operational necessity for Afnic. He highlighted the “harvest now, decrypt later” threat, where encrypted data collected today could be broken in the future once quantum capabilities mature. National timelines, such as France’s targets for PQC adoption between 2027 and 2035, reinforce the urgency.
He stressed that transitioning DNSSEC is not a simple algorithm swap but a systemic transformation affecting the entire DNS infrastructure. Testing at Afnic revealed significant performance impacts: PQC algorithms can increase signing times dramatically and expand zone file sizes multiple times over, affecting scalability and latency.
Ampeau also warned against premature adoption of unproven algorithms, citing the rapid classical break of the SIKE algorithm despite its quantum-resistant design. Key challenges include:
Lack of finalized IETF standards for PQC in DNS
No current resolver support for PQC validation
Performance uncertainties in Hardware Security Modules (HSMs)
Complex key rollover processes without a “flag day” transition
Increased DNS message sizes leading to more TCP fallback
He emphasized that DNS cannot be treated in isolation, as PQC impacts TLS, PKI, EPP, and broader Internet infrastructure. The transition requires coordinated global action across all stakeholders.
Caspar Schutijser – Research Findings and Ongoing Experiments
Caspar Schutijser presented SIDN Labs’ research on PQC algorithms (notably Falcon and Mayo) applied to DNSSEC. His findings reinforced that while computational performance can be manageable—especially with hardware acceleration (AVX2)—data size remains a major constraint.
Key observations included:
PQC can significantly increase zone file sizes (e.g., up to 12 GB vs. 3–4.5 GB today)
Larger zone files impact memory requirements for authoritative servers
Signing and validation performance is comparable to current algorithms only when optimized
DNS answer sizes increase, affecting network behavior and efficiency
Current research focuses on resolver impact, using anonymized real-world DNS traffic to simulate PQC conditions. This includes measuring CPU load, memory usage, latency, and TCP fallback rates.
Schutijser noted that PQC algorithms are still early in the DNSSEC lifecycle and have not yet been standardized or implemented in resolvers, making definitive recommendations premature.
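The link between larger keys and signatures and the TCP fallback both speakers mention can be estimated from the DNS wire format. The following is an added illustration, not code from the webinar, Afnic or SIDN Labs. It assumes PQC keys and signatures are carried raw in DNSKEY/RRSIG RDATA (no encoding is standardized yet), a 1232-byte EDNS(0) UDP limit, and the constructed zone example.org; ML-DSA-44 is included only for comparison.

```python
# Added illustration, sizes in bytes. Assumption: PQC keys and signatures are
# carried raw in DNSKEY/RRSIG RDATA, as for today's algorithms (not standardized).
ALGS = {  # name: (public key bytes in DNSKEY RDATA, signature bytes)
    "ECDSA-P256": (64, 64),
    "Ed25519": (32, 64),
    "RSA-2048": (260, 256),     # 1 + 3 exponent bytes + 256-byte modulus
    "Falcon-512": (897, 666),   # padded signature size
    "ML-DSA-44": (1312, 2420),  # FIPS 204, for comparison
}   # Mayo omitted: take its sizes from the parameter set you test
EDNS_UDP_LIMIT = 1232  # assumed EDNS(0) UDP payload size
HEADER, OPT_RR = 12, 11
RR_FIXED = 12      # compressed owner name (2) + type, class, TTL, RDLENGTH (10)
RRSIG_FIXED = 18   # RRSIG RDATA fields before the signer name
DNSKEY_FIXED = 4   # flags, protocol, algorithm


def wire_len(name):
    """Uncompressed wire length of a domain name."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1


def rrsig_rr(zone, alg):
    # The signer name inside RRSIG RDATA is never compressed (RFC 4034).
    return RR_FIXED + RRSIG_FIXED + wire_len(zone) + ALGS[alg][1]


def signed_a_response(qname, zone, alg):
    """Positive answer: question + one A record + its RRSIG + OPT."""
    question = wire_len(qname) + 4
    return HEADER + question + (RR_FIXED + 4) + rrsig_rr(zone, alg) + OPT_RR


def dnskey_response(zone, alg, n_keys=2):
    """DNSKEY answer: n_keys keys (e.g. KSK + ZSK) signed once by the KSK."""
    question = wire_len(zone) + 4
    keys = n_keys * (RR_FIXED + DNSKEY_FIXED + ALGS[alg][0])
    return HEADER + question + keys + rrsig_rr(zone, alg) + OPT_RR


def needs_tcp(size, limit=EDNS_UDP_LIMIT):
    """True when the answer is truncated over UDP and the resolver retries via TCP."""
    return size > limit


if __name__ == "__main__":
    for alg in ALGS:
        a = signed_a_response("www.example.org.", "example.org.", alg)
        k = dnskey_response("example.org.", alg)
        print(f"{alg:11} A={a:5} tcp={needs_tcp(a)!s:5} DNSKEY={k:5} tcp={needs_tcp(k)}")
```

Under these assumptions a Falcon-512 signed A answer still fits in one UDP datagram, while the DNSKEY answer does not, and a third key during a rollover (`n_keys=3`) enlarges it further.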
Maarten Botterman – Governance, Coordination, and Roadmap Development
Maarten Botterman positioned PQC as a global, multistakeholder challenge requiring both technical and governance solutions. While awareness is growing, urgency remains insufficient across the community.
IS3C’s role is to bridge research and implementation by:
Mapping quantum-ready standards and proposals across Internet layers
Assessing migration strategies and identifying systemic risks
Producing actionable, phased roadmaps for stakeholders
Coordinating globally to avoid fragmentation and a “quantum security divide”
He stressed that disparities in resources across registries and operators must be addressed to ensure uniform Internet trust worldwide. The initiative aims to deliver not just theoretical outputs but practical guidance with broad adoption.
Discussion Highlights
Participants addressed several key questions:
Comparison to DNSSEC rollout: Unlike DNSSEC, PQC requires preemptive deployment before quantum threats materialize, as legacy signatures will become entirely insecure.
Algorithm selection: No clear recommendation yet; decisions depend on ongoing standardization and further performance testing.
Blockchain naming systems: Considered immature and not yet a viable alternative; focus should remain on adapting the existing DNS architecture.
Resolver readiness: Currently, no resolvers support PQC algorithms, and standardization is still in early stages.
Speakers also reflected on broader uncertainties around the concept of a “quantum Internet,” concluding that near-term efforts should focus on securing the existing Internet infrastructure.
Call to Action and Next Steps
The webinar concluded with a strong call for collective action. IS3C plans to launch two working groups (DNS and routing) to:
Develop transition roadmaps
Engage stakeholders globally
Provide practical guidance and outreach
Support coordinated implementation across the ecosystem
The initiative seeks both technical contributors and organizational support, with a multi-year timeline extending through 2028.
Speakers emphasized that the transition to PQC is inevitable and urgent: the key question is not whether it will happen, but how and when it can be achieved without undermining trust in the Internet.
Closing Message
The session underscored that preparing DNS for the quantum era is a complex, long-term effort requiring early action, continuous experimentation, and unprecedented coordination. Delay increases risk, while proactive collaboration offers the best chance to ensure a secure and resilient Internet in the post-quantum future.
RESOURCES
IS3C — Internet Standards, Security and Safety Coalition — IGF Dynamic Coalition coordinating this webinar series on PQC readiness
IS3C/Afnic PQC Report: Socio-Political and Technical Impacts of IoT and PQC Policies — the foundational report by Dr. Elif Kiesow Cortez and João Moreno Falcão that launched this webinar series
SIDN Labs: Evaluating PQC in DNSSEC Signing for TLD Operators — Caspar Schutijser’s peer-reviewed paper on Falcon and Mayo performance across .nl, .se, and .nu zone files
SIDN Labs PATAD Project — Post-Quantum Algorithm Testing and Analysis for the DNS — open-source testbed for evaluating PQC algorithms in DNSSEC, developed with SURF and University of Twente
Open Quantum Safe (OQS) — open-source project providing the liboqs library and OQS-BIND used by both Afnic and SIDN in their PQC testbeds
NIST Post-Quantum Cryptography Standardization — the standardization process producing FIPS 203–206, including Falcon (FN-DSA) and the algorithms central to this webinar
SIDN Labs: A Quantum-Safe Cryptography DNSSEC Testbed — overview of the PATAD testbed and collaborative resolver impact research with SURF
IS3C Working Groups — DNS and Routing PQC Working Groups — where to sign up to join the expert working groups launching in 2026


