Adding experimental support for X25519Kyber768 to dns4all.eu
Experimenting with post-quantum cryptography in the DNS
SIDN Labs is experimenting with post-quantum cryptography (PQC) to protect the DNS from future attacks using quantum computers. Although current quantum computers do not seem to be capable of breaking existing cryptography, it is likely that more advanced quantum computers will be able to do that sometime in the future. We therefore decided that it would be sensible to evaluate standardised and proposed PQC algorithms in different parts of the DNS.
Since Google has added support for X25519Kyber768 to the TLS implementations of their Chrome and Chromium browsers, we ran an experiment to see whether it is feasible to support that mechanism on our DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) servers.
Currently, most of the data you transmit on the internet is protected using TLS. TLS establishes shared secrets between client and server using the Elliptic Curve Diffie-Hellman (ECDH) protocol. ECDH can be instantiated with different curves and functions, for example the widely used X25519. X25519 and other Diffie-Hellman functions whose security rests on the discrete logarithm problem are vulnerable to future quantum attacks.
Although such quantum attacks remain far in the future, experts are already developing new cryptographic protocols to protect your data in the future when the attacks do become feasible. Since post-quantum cryptography mechanisms are relatively new, they are still being extensively tested and their security properties are still being reviewed, such as in the NIST challenges. Therefore, there is a chance that such an algorithm will be broken or declared insecure during the review phase. This makes their use in production systems less attractive.
However, by using a hybrid method such as X25519Kyber768, an attacker needs to defeat both Kyber768 and X25519 to obtain the secret key and to eavesdrop on further traffic. The idea behind hybrid methods is that if the (relatively untested) Kyber768 key exchange mechanism is broken in the future, the shared secret will still be protected by the state-of-the-art X25519 function. The hybrid approach should protect your data against current eavesdropping and future decryption attacks without sacrificing security.
A detailed description of how TLS is protected by the X25519Kyber768 algorithm can be found in two excellent Cloudflare blogs.
Our anycast testbed and the dns4all.eu DoH and DoT resolvers are now among the first resolvers that support X25519Kyber768. DoH and DoT already prevent eavesdroppers from monitoring your DNS traffic, and X25519Kyber768 adds security against 'Harvest now, decrypt later' attacks.
To add support for X25519Kyber768, our resolvers rely on the experimental liboqs library and oqsprovider for OpenSSL 3.0 and higher.
If you want to experiment with using a DNS resolver that supports X25519Kyber768, you can do so in a Chromium-based browser by configuring the browser to use our DNS resolver. In your Chromium-based browser, go to chrome://flags/ and make sure #enable-tls13-kyber is enabled. At the time of writing, the option is available in browsers based on Chromium 115, such as the latest Google Chrome, Brave and Opera. However, we could not yet find X25519Kyber768 support in Safari or Microsoft Edge.

Dns4all.eu is an experimental DNS resolver provided on our anycast testbed; we do not log personal data. To configure dns4all.eu as the DNS provider in Chromium, go to Settings -> Privacy and security -> Security -> Use secure DNS, then select Customised and enter https://doh.dns4all.eu/dns-query in the field below. Note that on other Chromium-based browsers this setting could be in a different place.

To verify that the connection is secured, open the security tab of the developer tools when visiting https://doh.dns4all.eu/, as shown below, and look for X25519Kyber768Draft00.
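A server-side counterpart to that browser check, as an added example that is not part of the original post or of the dns4all.eu code: a small Python parser that reads the supported_groups extension of a captured TLS ClientHello and reports whether the client offered X25519Kyber768Draft00 (code point 0x6399, the temporary value Chromium uses alongside 0x001d for plain X25519). A DoH/DoT operator can run it over sniffed handshakes to measure how much of the client population is PQ-ready; the sample ClientHello below is constructed inline.

```python
import struct

# IANA TLS supported_groups code points (TLS parameters registry).
X25519 = 0x001D
X25519KYBER768_DRAFT00 = 0x6399  # temporary code point used by Chromium for the hybrid group
EXT_SUPPORTED_GROUPS = 0x000A    # supported_groups extension type


def build_client_hello(groups):
    """Build a minimal TLS 1.3-style ClientHello record (constructed sample input)."""
    body = b"\x03\x03" + b"\x00" * 32                 # legacy_version + 32-byte random
    body += b"\x00"                                   # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                               # one compression method: null
    groups_data = struct.pack("!H", 2 * len(groups))
    groups_data += b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(groups_data)) + groups_data
    body += struct.pack("!H", len(ext)) + ext         # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_groups(record):
    """Parse a ClientHello record and return the supported_groups code points in client order."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                                  # record + handshake headers, version, random
    pos += 1 + record[pos]                            # legacy_session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + record[pos]                            # compression_methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", data[:2])[0]
            return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return []                                         # no supported_groups extension at all


def offers_hybrid_pq(record):
    """True if the client is willing to negotiate the X25519Kyber768Draft00 hybrid group."""
    return X25519KYBER768_DRAFT00 in offered_groups(record)
```

A client that only lists 0x001d would fall back to classical X25519 on the server and should not be counted as protected against harvest-now-decrypt-later attacks.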
As SIDN Labs keeps experimenting with PQC algorithms, more blogs will follow that share our experiences with applying PQC to other parts of the DNS. If you are interested in more information or in collaborating on PQC in DNS, you can contact us on sidnlabs@sidn.nl.