Overcoming DNSSEC Islands of Security: A TLS and IP-Based Certificate Solution
- URL: http://arxiv.org/abs/2509.08364v1
- Date: Wed, 10 Sep 2025 08:02:07 GMT
- Title: Overcoming DNSSEC Islands of Security: A TLS and IP-Based Certificate Solution
- Authors: Aduma Rishith, Aditya Kulkarni, Tamal Das, Vivek Balachandran,
- Abstract summary: We propose a decentralized approach to addressing gaps in DNSSEC's chain of trust.<n>We leverage TLS and IP-based certificates to enable end-to-end authentication between hierarchical levels.
- Score: 0.03262230127283452
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: The Domain Name System (DNS) serves as the backbone of the Internet, primarily translating domain names to IP addresses. Over time, various enhancements have been introduced to strengthen the integrity of DNS. Among these, DNSSEC stands out as a leading cryptographic solution. It protects against attacks (such as DNS spoofing) by establishing a chain of trust throughout the DNS nameserver hierarchy. However, DNSSEC's effectiveness is compromised when there is a break in this chain, resulting in "Islands of Security", where domains can authenticate locally but not across hierarchical levels, leading to a loss of trust and validation between them. Leading approaches to addressing these issues were centralized, with a single authority maintaining some kind of bulletin board. This approach requires significantly more infrastructure and places excessive trust in the entity responsible for managing it properly. In this paper, we propose a decentralized approach to addressing gaps in DNSSEC's chain of trust, commonly referred to as "Islands of Security". We leverage TLS and IP-based certificates to enable end-to-end authentication between hierarchical levels, eliminating the need for uniform DNSSEC deployment across every level of the DNS hierarchy. This approach enhances the overall integrity of DNSSEC, while reducing dependence on registrars for maintaining signature records to verify the child nameserver's authenticity. By offering a more flexible and efficient solution, our method strengthens DNS security and streamlines deployment across diverse environments.
Related papers
- Proving DNSSEC Correctness: A Formal Approach to Secure Domain Name Resolution [12.033681333491685]
This paper introduces DNSSECVerif, the first framework for comprehensive, automated formal security analysis of the DNSSEC protocol suite.<n>We formally prove four of DNSSEC's core security guarantees and uncover critical ambiguities in the standards.<n>Our work provides crucial, evidence-based recommendations for hardening DNSSEC specifications and implementations.
arXiv Detail & Related papers (2025-12-12T10:12:06Z) - ODoQ: Oblivious DNS-over-QUIC [0.03499870393443268]
Domain Name System (DNS) has advanced enhancements aimed at safeguarding DNS data and users' identity from attackers.<n>The recent privacy-focused advancements have enabled the IETF to standardize several protocols.<n>These protocols tend to focus on either strengthening user privacy (like Oblivious DNS and Oblivious DNS-over-HTTPS) or reducing resolution latency.<n>Our proposed protocol -- 'Oblivious DNS-over-QUIC' (ODoQ) -- leverages the benefits of the QUIC protocol and incorporates an intermediary proxy server to protect the client's identity.
arXiv Detail & Related papers (2025-09-14T06:29:08Z) - Blockchain-Based Decentralized Domain Name System [2.7438375433769457]
Current Domain Name System (DNS) infrastructure faces critical vulnerabilities.<n>Recent DNS poisoning attacks on ISP customers highlight need for resilient alternatives.<n>This paper presents a novel blockchain-based Decentralized Domain Name System (DDNS)
arXiv Detail & Related papers (2025-07-29T12:42:24Z) - Collusion Resistant DNS With Private Information Retrieval [42.34183823376613]
We propose PDNS, a DNS extension leveraging single-server Private Information Retrieval to strengthen privacy guarantees.<n>PDNS achieves acceptable performance (2x faster than DoH over Tor with similar privacy guarantees) and strong privacy guarantees today.
arXiv Detail & Related papers (2025-07-28T13:17:25Z) - Shh, don't say that! Domain Certification in LLMs [124.61851324874627]
Large language models (LLMs) are often deployed to perform constrained tasks, with narrow domains.<n>We introduce domain certification; a guarantee that accurately characterizes the out-of-domain behavior of language models.<n>We then propose a simple yet effective approach, which we call VALID that provides adversarial bounds as a certificate.
arXiv Detail & Related papers (2025-02-26T17:13:19Z) - Say No to Freeloader: Protecting Intellectual Property of Your Deep Model [52.783709712318405]
Compact Un-transferable Pyramid Isolation Domain (CUPI-Domain) serves as a barrier against illegal transfers from authorized to unauthorized domains.
We propose CUPI-Domain generators, which select features from both authorized and CUPI-Domain as anchors.
We provide two solutions for utilizing CUPI-Domain based on whether the unauthorized domain is known.
arXiv Detail & Related papers (2024-08-23T15:34:33Z) - ss2DNS: A Secure DNS Scheme in Stage 2 [1.8379423176822356]
We introduce ss2DNS, a novel DNS scheme designed to mitigate the security and privacy vulnerabilities in the resolution process between resolvers and authoritative nameservers.<n>We show that for server-side processing latency, resolution time, and CPU usage, ss2DNS is comparable to less-secure schemes but significantly outperforms DNS-over-TLS.
arXiv Detail & Related papers (2024-08-02T01:25:14Z) - TI-DNS: A Trusted and Incentive DNS Resolution Architecture based on Blockchain [8.38094558878305]
Domain Name System (DNS) is vulnerable to some malicious attacks, including DNS cache poisoning.
This paper presents TI-DNS, a blockchain-based DNS resolution architecture designed to detect and correct the forged DNS records.
TI-DNS is easy to be adopted as it only requires modifications to the resolver side of current DNS infrastructure.
arXiv Detail & Related papers (2023-12-07T08:03:10Z) - Model Barrier: A Compact Un-Transferable Isolation Domain for Model
Intellectual Property Protection [52.08301776698373]
We propose a novel approach called Compact Un-Transferable Isolation Domain (CUTI-domain)
CUTI-domain acts as a barrier to block illegal transfers from authorized to unauthorized domains.
We show that CUTI-domain can be easily implemented as a plug-and-play module with different backbones.
arXiv Detail & Related papers (2023-03-20T13:07:11Z) - Bridging the Source-to-target Gap for Cross-domain Person
Re-Identification with Intermediate Domains [63.23373987549485]
Cross-domain person re-identification (re-ID) aims to transfer the identity-discriminative knowledge from the source to the target domain.
We propose an Intermediate Domain Module (IDM) and a Mirrors Generation Module (MGM)
IDM generates multiple intermediate domains by mixing the hidden-layer features from source and target domains.
MGM is introduced by mapping the features into the IDM-generated intermediate domains without changing their original identity.
arXiv Detail & Related papers (2022-03-03T12:44:56Z) - Prototypical Cross-domain Self-supervised Learning for Few-shot
Unsupervised Domain Adaptation [91.58443042554903]
We propose an end-to-end Prototypical Cross-domain Self-Supervised Learning (PCS) framework for Few-shot Unsupervised Domain Adaptation (FUDA)
PCS not only performs cross-domain low-level feature alignment, but it also encodes and aligns semantic structures in the shared embedding space across domains.
Compared with state-of-the-art methods, PCS improves the mean classification accuracy over different domain pairs on FUDA by 10.5%, 3.5%, 9.0%, and 13.2% on Office, Office-Home, VisDA-2017, and DomainNet, respectively.
arXiv Detail & Related papers (2021-03-31T02:07:42Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.