Implementing DNSSEC soft delegation for microservices

Authors

  • Andres Marin-Lopez, Chair of IT Security, Karlsruhe Institute of Technology (https://ps.tm.kit.edu/); Telematics Engineering Department, School of Engineering, University Carlos III of Madrid
  • Patricia Arias-Cabarcos, Chair of IT Security, Karlsruhe Institute of Technology (https://ps.tm.kit.edu/)
  • Thorsten Strufe, Chair of IT Security, Karlsruhe Institute of Technology (https://ps.tm.kit.edu/)
  • Gabriel Barceló-Soteras
  • Florina Almenares-Mendoza, Telematics Engineering Department, School of Engineering, University Carlos III of Madrid
  • Daniel Díaz-Sánchez, Telematics Engineering Department, School of Engineering, University Carlos III of Madrid

DOI:

https://doi.org/10.14279/tuj.eceasst.80.1165

Abstract

Securing DNS in Edge and Fog computing, or in other scenarios where microservices are offloaded, requires handing zone signing keys to the third parties who control the computing infrastructure. This fundamentally allows the infrastructure provider to create new signatures at its discretion and even to arbitrarily extend the certificate chain.
Building on our proposal of soft delegation for DNSSEC, which curtails this vulnerability, in this paper we report on our proof of concept: a C implementation of chameleon hashes in OpenSSL, a server-side implementation of the mechanism in the ldns server, and an offline client that validates the signed records. We also discuss different approaches to generating DNSSEC RRSIG records, and the behavior of a resolver that verifies the credentials and securely connects to an endpoint using TLS with SNI and DANE.

Published

2021-09-08