Alternative trust sources: Reducing DNSSEC signature verification operations with TLS

Sean Donovan, Nick Feamster

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Scopus citations

Abstract

DNSSEC has been in development for 20 years. It provides for provable security when retrieving domain names through the use of a public key infrastructure (PKI). Unfortunately, there is also significant overhead involved with DNSSEC: verifying certificate chains of signed DNS messages involves extra computation, queries to remote resolvers, additional transfers, and introduces added latency into the DNS query path. We pose the question: is it possible to achieve practical security without always verifying this certificate chain if we use a different, outside source of trust between resolvers? We believe we can. Namely, by using a long-lived, mutually authenticated TLS connection between pairs of DNS resolvers, we suggest that we can maintain near-equivalent levels of security with very little extra overhead compared to a non-DNSSEC enabled resolver. By using a reputation system or probabilistically verifying a portion of DNSSEC responses would allow for near-equivalent levels of security to be reached, even in the face of compromised resolvers.

Original languageEnglish (US)
Title of host publicationSIGCOMM 2015 - Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication
PublisherAssociation for Computing Machinery, Inc
Pages353-354
Number of pages2
ISBN (Electronic)9781450335423
DOIs
StatePublished - Aug 17 2015
EventACM Conference on Special Interest Group on Data Communication, SIGCOMM 2015 - London, United Kingdom
Duration: Aug 17 2015Aug 21 2015

Publication series

NameSIGCOMM 2015 - Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication

Other

OtherACM Conference on Special Interest Group on Data Communication, SIGCOMM 2015
Country/TerritoryUnited Kingdom
CityLondon
Period8/17/158/21/15

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Signal Processing
  • Electrical and Electronic Engineering
  • Communication

Fingerprint

Dive into the research topics of 'Alternative trust sources: Reducing DNSSEC signature verification operations with TLS'. Together they form a unique fingerprint.

Cite this