By fTLD Registry Services and DNSimple
Quantum computing is moving from theory to reality.
While it promises remarkable innovation, it also threatens the cryptographic foundations that secure the Internet.
Algorithms such as RSA (Rivest-Shamir-Adleman) and ECDSA (Elliptic Curve Digital Signature Algorithm), which underpin Domain Name System Security Extensions (DNSSEC) and Transport Layer Security (TLS), could eventually be broken by quantum attacks.
That means the internet’s trust chain, from domain validation to encrypted communications, must evolve.
At IETF 123, held in Madrid in July 2025, the Internet Engineering Task Force (IETF) advanced this effort through new research and draft standards for post-quantum DNSSEC (PQC DNSSEC) and next-generation Public Key Infrastructure (PKI).
These developments will shape the future of secure domains, particularly for verified TLDs such as .Bank and .Insurance, where security and compliance are non-negotiable.
The Coming Cryptographic Transition
For decades, DNSSEC has protected users by verifying that DNS responses are authentic. PKI has ensured that web sessions are encrypted and tied to legitimate organizations.
Both rely on classical public-key algorithms that will eventually be vulnerable to quantum computing.
Regulatory and standards bodies, including NIST and the European Union under the NIS2 Directive, have set 2030 as a key target for adopting quantum-resistant cryptography.
For operators of high-assurance domains such as .Bank and .Insurance, which already enforce DNSSEC, HTTPS-only connections, and verified registrant identities, this transition will be an essential next step in maintaining end-to-end trust.
What Happened at IETF 123
The recent IETF meeting focused heavily on post-quantum readiness in the DNS ecosystem:
- SIDN Labs evaluated the new post-quantum algorithms Falcon-512 and MAYO-2 for DNSSEC signing, analyzing performance and the effect on zone sizes. For example, a 1 GB unsigned .nl zone expanded to 12 GB when signed with Falcon-512.
- NLnet Labs demonstrated how Merkle Tree Ladder (MTL) mode can compress large PQC signatures down to a few hundred bytes, making post-quantum signing practical for most DNS records.
- Verisign proposed a “diversity strategy” for DNSSEC that uses multiple PQC algorithms in parallel to avoid reliance on a single cryptographic assumption.
These efforts represent a coordinated global move to ensure that DNS, the internet’s first point of trust, remains verifiable and secure in a post-quantum world.
How Post-Quantum Impacts DNSSEC and PKI Together
DNSSEC and PKI form a continuous chain of trust:
- DNSSEC signs and authenticates DNS data, the “address book” of the Internet.
- PKI validates ownership and secures encrypted sessions through TLS certificates.
The IETF’s ongoing work on DNS-based domain control validation (DCV) highlights how these systems are linked. Certificate Authorities (CAs) rely on DNS records to verify control before issuing certificates.
As quantum-safe algorithms emerge, both layers must evolve simultaneously. A quantum-secure DNSSEC without quantum-secure certificates, or the reverse, would still leave the overall trust chain vulnerable.
Why .Bank and .Insurance Are Leading the Way
Because .Bank and .Insurance operate with mandatory Security Requirements, they are expected to be among the first top-level domains to adopt PQC once standards stabilize.
As NIST finalizes algorithms such as Falcon, Dilithium, and Kyber, and the IETF defines their DNS and TLS implementations, the fTLD community will likely move to adopt practices and modify its Security Requirements to:
- Require post-quantum or hybrid DNSSEC signing for registrants.
- Support dual-signature certificates that include both classical and PQC keys.
- Align with emerging FFIEC, NIST, and NIS2 cybersecurity guidance for critical systems.
For banks, insurers, and producers, these changes are not just technical. They are central to maintaining consumer trust and regulatory compliance as cryptographic standards shift.
The Role of DNSimple: Automation and Readiness
DNSimple has long focused on simplifying complex infrastructure for secure domains. Its automated DNSSEC and certificate management features are designed for exactly this kind of transition.
- Cryptographic agility: DNSSEC automation can adapt to new signing algorithms as they are standardized and deployed by TLDs.
- Seamless upgrades: Customers will not need to manually rotate keys or reconfigure records when PQC algorithms are introduced.
- API-driven compliance: Through DNSimple’s APIs, enterprises can integrate automated certificate renewals and DNSSEC management into their CI/CD and compliance workflows.
DNSimple is actively monitoring IETF progress and working with registry operators such as fTLD to ensure that .Bank and .Insurance registrants remain ahead of evolving requirements.
Preparing for the Post-Quantum Future
While PQC adoption is still in transition, organizations can start preparing now:
- Enable DNSSEC on all domains and verify that signatures are active.
- Automate certificate issuance using trusted ACME providers integrated with DNS-based validation.
- Monitor communications from fTLD and from your CA for PQC rollout schedules.
- Engage early with your registrar or DNS provider as standards are deployed to ensure they support hybrid DNSSEC and certificate algorithms.
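For the first item above, "verify that signatures are active", the following Python is an added example, not code from fTLD or DNSimple. It performs offline the two consistency checks a validating resolver makes at a zone cut: that the parent's DS record links to the child's DNSKEY (key tag, algorithm and digest per RFC 4034), and that the RRSIG over that DNSKEY is inside its inception/expiration window. The zone name example.bank, the 64-byte key material and the signature dates are constructed placeholders; the records are embedded as dicts instead of being fetched over DNS, and the signature bytes themselves are not verified, which would need a cryptography library.

```python
import hashlib
from datetime import datetime, timezone


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the empty root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256), RFC 4034 section 5.1.4: hash(owner || RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """The link a resolver checks at the delegation: the parent's DS must carry
    this key's tag and algorithm and the digest of this exact owner+key."""
    return (
        ds["key_tag"] == key_tag(rdata)
        and ds["algorithm"] == rdata[3]
        and ds["digest_type"] == 2
        and ds["digest"] == ds_digest(owner, rdata)
    )


def rrsig_is_current(rrsig: dict, now: datetime) -> bool:
    """An RRSIG is usable only inside [inception, expiration] (RFC 4034 section 3.1.5).
    An expired signature makes the zone bogus even if DS and DNSKEY still agree,
    which is the usual failure when signing automation silently stops."""
    fmt = "%Y%m%d%H%M%S"
    inception = datetime.strptime(rrsig["inception"], fmt).replace(tzinfo=timezone.utc)
    expiration = datetime.strptime(rrsig["expiration"], fmt).replace(tzinfo=timezone.utc)
    return inception <= now <= expiration


# Constructed sample data: placeholder zone, fabricated 64-byte key (bytes 0..63)
# in a KSK (flags 257) with algorithm 13 (ECDSAP256SHA256); not a real key.
ZONE = "example.bank."
KSK_RDATA = dnskey_rdata(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
PARENT_DS = {
    "key_tag": key_tag(KSK_RDATA),
    "algorithm": 13,
    "digest_type": 2,
    "digest": ds_digest(ZONE, KSK_RDATA),
}
DNSKEY_RRSIG = {
    "type_covered": "DNSKEY",
    "key_tag": key_tag(KSK_RDATA),
    "inception": "20250720000000",
    "expiration": "20250819000000",
}


def dnssec_health(now_iso_date: str) -> dict:
    """Summarise the checks for a given UTC date (YYYY-MM-DD)."""
    now = datetime.fromisoformat(now_iso_date).replace(tzinfo=timezone.utc)
    return {
        "ds_links_to_ksk": ds_matches_dnskey(PARENT_DS, ZONE, KSK_RDATA),
        "rrsig_key_tag_matches": DNSKEY_RRSIG["key_tag"] == PARENT_DS["key_tag"],
        "rrsig_current": rrsig_is_current(DNSKEY_RRSIG, now),
    }


if __name__ == "__main__":
    print("KSK key tag:", key_tag(KSK_RDATA))
    print("checks on 2025-08-01:", dnssec_health("2025-08-01"))
    print("checks on 2025-09-01:", dnssec_health("2025-09-01"))
```

In production the DS set comes from the parent (for .Bank, the registry) and the DNSKEY and RRSIG records from the child zone's authoritative servers; the same functions apply once those records are fetched, and a mismatch in any of the three results is what to alert on.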
As PQC standards move from draft to deployment, automation will be key to maintaining both compliance and operational simplicity.
The Road Ahead
The internet’s trust model is evolving, but its mission is not changing. Security, authenticity, and consumer trust remain foundational.
By collaborating on research and readiness, fTLD and DNSimple are helping ensure that .Bank and .Insurance remain not only the most secure domains today, but also the most future-proof in the post-quantum era.
As the industry prepares for a quantum-safe Internet, fTLD and DNSimple are working together so registrants in .Bank and .Insurance can move confidently into the next era of trust.
About fTLD Registry Services
fTLD Registry Services operates the .Bank and .Insurance top-level domains, the most trusted and only exclusive domains for banks, insurers, and producers. They are industry-created and industry-governed, and designed to shield institutions against cyberattacks and fraud.
Learn more at fTLD.com.
About DNSimple
DNSimple provides secure and automated domain management and DNS hosting for developers, teams, and enterprises. With features such as DNSSEC automation, enterprise billing, and advanced API integration, DNSimple simplifies domain security and reliability. Learn more at dnsimple.com/bank-hosting.