Traditional DNS Security Extensions (DNSSEC) face challenges in highly dynamic and geo-distributed environments, particularly concerning the size of authenticated responses and the lack of inherent long-term auditability. While DNSSEC provides cryptographic authentication for DNS records, its reliance on transmitting all contributing resource records (RRs) for signature validation leads to inefficient data transfer and increased operational complexity. We propose a novel approach that enhances DNSSEC’s capabilities without altering its fundamental authentication mechanism, focusing on efficiency and verifiable data integrity. Our solution introduces a new DNS record type, Authenticated Proof of Existence (APEX), which leverages Verifiable Data Structures (VDS)–such as Merkle Trees–to provide concise, cryptographic proofs for individual DNS records. This method significantly reduces response sizes, improves authentication efficiency, and enables long-term auditable logs of DNS information through third-party verifiable storage. By extending DNS’s role in key management and service authentication, particularly in large-scale scenarios like IoT, APEX offers a scalable, secure, and auditable foundation for postquantum cryptography advent.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Next-Generation DNS Data Integrity: Compact Proofs and Long-Term Auditability for IoT and Distributed Cloud Networks

  • Daniel Diaz-Sanchez,
  • Florina Almenarez-Mendoza,
  • Celeste Campo-Vázquez,
  • Carlos García-Rubio,
  • Javier Blanco-Romero

摘要

Traditional DNS Security Extensions (DNSSEC) face challenges in highly dynamic and geo-distributed environments, particularly concerning the size of authenticated responses and the lack of inherent long-term auditability. While DNSSEC provides cryptographic authentication for DNS records, its reliance on transmitting all contributing resource records (RRs) for signature validation leads to inefficient data transfer and increased operational complexity. We propose a novel approach that enhances DNSSEC’s capabilities without altering its fundamental authentication mechanism, focusing on efficiency and verifiable data integrity. Our solution introduces a new DNS record type, Authenticated Proof of Existence (APEX), which leverages Verifiable Data Structures (VDS)–such as Merkle Trees–to provide concise, cryptographic proofs for individual DNS records. This method significantly reduces response sizes, improves authentication efficiency, and enables long-term auditable logs of DNS information through third-party verifiable storage. By extending DNS’s role in key management and service authentication, particularly in large-scale scenarios like IoT, APEX offers a scalable, secure, and auditable foundation for postquantum cryptography advent.