PQC for DNSSEC: a format size analysis on Falcon signatures

Falcon is a post-quantum signature algorithm recently chosen for standardization by the National Institute of Standards and Technology (NIST). Its official implementation has two different signature formats that differ in size. In this paper, we measure the impact of the two different formats of Falcon signatures on DNSSEC-signed zones and on DNSSEC queries, based on real-world traffic for a large country-code Top Level Domain (ccTLD). We take into consideration Falcon's two signature formats, called padded and compressed, and evaluate their effects on DNSSEC signature sizes. We provide a signature size distribution for each format, using data obtained from a DNSSEC-signed ccTLD zone and queries for this zone. We use the results to study whether there are advantages to choosing one of the two signature formats. Our results show that the difference in DNS message size between padded and compressed signatures is small. Therefore, while in theory smaller signatures are favorable, the use of the compressed signature format does not have tangible real-world benefits. As our results show, the use of compressed signatures does not lead to a significant shift in message size such that more DNSSEC answers would fit within MTU limits. These results provide useful input for the discussion on Falcon signature standardization in DNSSEC, concluding that standardization of a fixed-size padded format may be preferable for its predictability and to avoid potential implementation errors.