DNSSEC has been standardized over a couple of decades to ensure the integrity of DNS messages. However, over those two decades, DNSSEC has been deployed by only around 4% of second-level domains in .com, .net, and .org. Moreover, uploading DNSSEC-related records to parent zones has turned out to be difficult in practice, which results in pervasive mismanagement.
To provide integrity for DNS messages without such complexities, we propose a new approach that enables an individual DNS zone to guarantee the integrity of its DNS records without any dependency on other entities in the DNS infrastructure (e.g., parent zones or registrars).
We propose to leverage a PKIX certificate issued by a certificate authority (CA): a domain generates signatures over its resource records using the private key corresponding to the public key in that certificate. For this purpose, we reuse existing DNS record types (i.e., DNSKEY, RRSIG and CERT records).
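As an added illustration (not the authors' code), the following Go sketch shows the flow described above for DNSSEC algorithm 13: the DNSKEY public key is derived from the certificate a zone would publish in its CERT record, RRSIGs are produced with the matching private key, and a validator accepts an RRset only if the DNSKEY matches that certificate and the signature verifies, with no DS record from a parent zone involved. The zone, its self-signed stand-in certificate (in place of a CA-issued one) and the simplified RRset canonicalisation are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"strings"
	"time"
)
// NewZone makes a P-256 zone key and self-signs a stand-in for the CA-issued certificate (hypothetical zone).
func NewZone() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}
// DNSKEYFromCert derives the algorithm-13 DNSKEY public-key field (RFC 6605: X||Y, 64 bytes) from the CERT record's certificate.
func DNSKEYFromCert(certDER []byte) ([]byte, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return nil, err }
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() { return nil, x509.ErrUnsupportedAlgorithm }
	raw := make([]byte, 64)
	pub.X.FillBytes(raw[:32]); pub.Y.FillBytes(raw[32:])
	return raw, nil
}
// rrsetHash hashes an RRset given in RFC 4034 §6 canonical order (simplified: presentation text, not wire format).
func rrsetHash(rrs []string) []byte {
	h := sha256.Sum256([]byte(strings.Join(rrs, "\n")))
	return h[:]
}
// SignRRset returns the 64-byte r||s signature an algorithm-13 RRSIG carries.
func SignRRset(key *ecdsa.PrivateKey, rrs []string) ([]byte, error) {
	r, s, err := ecdsa.Sign(rand.Reader, key, rrsetHash(rrs))
	if err != nil { return nil, err }
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]); s.FillBytes(sig[32:])
	return sig, nil
}
// VerifyRRset accepts only if the published DNSKEY equals the certificate's key and the signature verifies under it.
func VerifyRRset(certDER, dnskey, sig []byte, rrs []string) bool {
	fromCert, err := DNSKEYFromCert(certDER)
	if err != nil || string(fromCert) != string(dnskey) || len(sig) != 64 { return false }
	x, y := new(big.Int).SetBytes(dnskey[:32]), new(big.Int).SetBytes(dnskey[32:])
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(&ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, rrsetHash(rrs), r, s)
}
```

The trust decision rests entirely on the certificate the zone itself publishes, which is the point of the proposal; a real validator would additionally chain that certificate to a trusted CA and check that its subject matches the zone name.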