Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Overcoming DNSSEC Islands of Security: A TLS and IP-Based Certificate Solution

Aduma Rishith, Aditya Kulkarni, Tamal Das, Vivek Balachandran

TL;DR

The paper tackles Islands of Security in DNSSEC by proposing a decentralized TLS/IP-based certificate mechanism that authenticates child nameservers via IP bindings, reducing reliance on DS records and registrar-driven DNSSEC deployment. It describes a TLS-based bridge between resolvers and authoritative servers, outlines scope for partially deployed DNSSEC scenarios, and analyzes trade-offs versus centralized DLV approaches and DNS-over-TLS. The approach aims to strengthen DNS integrity while enabling gradual adoption of DNSSEC, with practical considerations for implementation in common DNS software and future evaluation. Overall, it offers a path toward more flexible and robust DNS security without mandating full, immediate DNSSEC saturation across the hierarchy.

Abstract

The Domain Name System (DNS) serves as the backbone of the Internet, primarily translating domain names to IP addresses. Over time, various enhancements have been introduced to strengthen the integrity of DNS. Among these, DNSSEC stands out as a leading cryptographic solution. It protects against attacks (such as DNS spoofing) by establishing a chain of trust throughout the DNS nameserver hierarchy. However, DNSSEC's effectiveness is compromised when there is a break in this chain, resulting in "Islands of Security", where domains can authenticate locally but not across hierarchical levels, leading to a loss of trust and validation between them. Leading approaches to addressing these issues were centralized, with a single authority maintaining some kind of bulletin board. This approach requires significantly more infrastructure and places excessive trust in the entity responsible for managing it properly. In this paper, we propose a decentralized approach to addressing gaps in DNSSEC's chain of trust, commonly referred to as "Islands of Security". We leverage TLS and IP-based certificates to enable end-to-end authentication between hierarchical levels, eliminating the need for uniform DNSSEC deployment across every level of the DNS hierarchy. This approach enhances the overall integrity of DNSSEC, while reducing dependence on registrars for maintaining signature records to verify the child nameserver's authenticity. By offering a more flexible and efficient solution, our method strengthens DNS security and streamlines deployment across diverse environments.

Overcoming DNSSEC Islands of Security: A TLS and IP-Based Certificate Solution

TL;DR

The paper tackles Islands of Security in DNSSEC by proposing a decentralized TLS/IP-based certificate mechanism that authenticates child nameservers via IP bindings, reducing reliance on DS records and registrar-driven DNSSEC deployment. It describes a TLS-based bridge between resolvers and authoritative servers, outlines scope for partially deployed DNSSEC scenarios, and analyzes trade-offs versus centralized DLV approaches and DNS-over-TLS. The approach aims to strengthen DNS integrity while enabling gradual adoption of DNSSEC, with practical considerations for implementation in common DNS software and future evaluation. Overall, it offers a path toward more flexible and robust DNS security without mandating full, immediate DNSSEC saturation across the hierarchy.

Abstract

The Domain Name System (DNS) serves as the backbone of the Internet, primarily translating domain names to IP addresses. Over time, various enhancements have been introduced to strengthen the integrity of DNS. Among these, DNSSEC stands out as a leading cryptographic solution. It protects against attacks (such as DNS spoofing) by establishing a chain of trust throughout the DNS nameserver hierarchy. However, DNSSEC's effectiveness is compromised when there is a break in this chain, resulting in "Islands of Security", where domains can authenticate locally but not across hierarchical levels, leading to a loss of trust and validation between them. Leading approaches to addressing these issues were centralized, with a single authority maintaining some kind of bulletin board. This approach requires significantly more infrastructure and places excessive trust in the entity responsible for managing it properly. In this paper, we propose a decentralized approach to addressing gaps in DNSSEC's chain of trust, commonly referred to as "Islands of Security". We leverage TLS and IP-based certificates to enable end-to-end authentication between hierarchical levels, eliminating the need for uniform DNSSEC deployment across every level of the DNS hierarchy. This approach enhances the overall integrity of DNSSEC, while reducing dependence on registrars for maintaining signature records to verify the child nameserver's authenticity. By offering a more flexible and efficient solution, our method strengthens DNS security and streamlines deployment across diverse environments.

Paper Structure

This paper contains 8 sections, 4 figures.

Table of Contents

  1. Introduction
  2. DNS Taxonomy
  3. Related Work
  4. Proposed Work
  5. Building Bridges
  6. Scope
  7. Discussion
  8. Conclusion And Future Scope

Figures (4)

  • Figure 1: DNS Hierarchy
  • Figure 2: DNSSEC Hierarchy
  • Figure 3: DNSSEC Lookaside Validation (DLV)
  • Figure 4: The Figure \ref{['fig4a']} shows the high-level view of DNS hierarchy and presence of keys, while Figure \ref{['fig4b']} gives a detailed view into TLS communication when DS record in parent is missing. Numbered labels are used to highlight important steps in the process. The labels in both the diagrams correspond to detailed explanations provided in section \ref{['Our work']}.