Feb 16 – 17, 2023 Workshop
Atlanta Marriott Marquis
US/Eastern timezone

Guaranteeing the integrity of DNS records using PKIX Certificates

Feb 17, 2023, 10:05 AM
Imperial Ballroom (Atlanta Marriott Marquis)

265 Peachtree Center Ave NE Atlanta GA 30303 United States
Remote Standard Presentation Main Session OARC 40 - Day 2


Hyeonmin Lee (Seoul National University)


DNSSEC has been standardized over a couple of decades to ensure the integrity of DNS messages. However, after two decades, DNSSEC has been deployed on only around 4% of second-level domains in .com, .net, and .org. Moreover, the process of uploading DNSSEC-related records to parent zones has turned out to be difficult in practice, which results in pervasive mismanagement.
To provide integrity for DNS messages without such complexities, we propose a new approach that enables individual DNS zones to guarantee the integrity of their DNS records without any dependencies on other entities in the DNS infrastructure (e.g., parent zones or registrars).
We propose to leverage a PKIX certificate issued by a certificate authority (CA): a domain generates signatures for its resource records using the private key that corresponds to the public key in its certificate. For this purpose, we reuse existing DNS record types (i.e., DNSKEY, RRSIG, and CERT records).

Primary authors

Hyeonmin Lee (Seoul National University)
Sangyoon Seok (Seoul National University)
Prof. Taekyoung Kwon (Seoul National University)