Implementing and Evaluating Post-Quantum DNSSEC in CoreDNS

📅 2025-07-12
🤖 AI Summary
Quantum computers threaten classical public-key cryptosystems (e.g., RSA, ECDSA), undermining the security of critical infrastructure such as DNSSEC. To address this, we present the first systematic integration of five NIST-standardized post-quantum digital signature algorithms—ML-DSA, FALCON, SPHINCS+, MAYO, and SNOVA—into CoreDNS. We design a lightweight, modular plugin enabling dynamic algorithm selection and real-time signing while preserving full compatibility with existing DNS resolution protocols and deployment architectures—no protocol or infrastructure modifications are required. Experimental evaluation quantifies trade-offs among signing overhead, verification latency, and key size; ML-DSA and FALCON demonstrate practical deployability in DNSSEC contexts. This work establishes a reproducible, scalable technical pathway for the quantum-resilient evolution of DNSSEC and delivers the first open-source implementation validating this transition.

📝 Abstract
The emergence of quantum computers poses a significant threat to current secure services, applications and protocol implementations that rely on the RSA and ECDSA algorithms, DNSSEC among them, because public-key cryptography based on integer factorization or the discrete logarithm problem is vulnerable to quantum attacks. This paper presents the integration of post-quantum cryptographic (PQC) algorithms into CoreDNS to enable quantum-resistant DNSSEC functionality. We have developed a plugin that extends CoreDNS with support for five PQC signature algorithm families: ML-DSA, FALCON, SPHINCS+, MAYO, and SNOVA. Our implementation maintains compatibility with existing DNS resolution flows while providing on-the-fly signing using quantum-resistant signatures. A benchmark has been performed, and the performance evaluation results reveal significant trade-offs between security and efficiency. The results indicate that, while PQC algorithms introduce operational overhead, several candidates offer viable compromises for transitioning DNSSEC to quantum-resistant cryptography.
Problem

Research questions and friction points this paper is trying to address.

Integrating post-quantum cryptography into CoreDNS for DNSSEC
Evaluating quantum-resistant algorithms for security and efficiency trade-offs
Ensuring compatibility with existing DNS resolution flows
Innovation

Methods, ideas, or system contributions that make the work stand out.

Integrates post-quantum crypto into CoreDNS
Supports five PQC signature algorithm families
Maintains compatibility with existing DNS flows
Julio Gento Suela
Telematic Engineering Department, University Carlos III of Madrid, Leganés, Madrid, Spain
Javier Blanco-Romero
Telematics Engineering Department, Universidad Carlos III de Madrid
Florina Almenares Mendoza
Telematic Engineering Department, University Carlos III of Madrid, Leganés, Madrid, Spain
Daniel Díaz-Sánchez
Telematic Engineering Department, University Carlos III of Madrid, Leganés, Madrid, Spain