Implementing DNSSEC soft delegation for microservices

Andres Marin-Lopez; Patricia Arias-Cabarcos; Thorsten Strufe; Gabriel Barceló-Soteras; Florina Almenares-Mendoza; Daniel Díaz-Sánchez

doi:10.14279/tuj.eceasst.80.1165

Authors

Andres Marin-Lopez Chair of IT Security https://ps.tm.kit.edu/ Karlsruhe Institute of Technology Telematics Engineering Department School of Engineering University Carlos III of Madrid
Patricia Arias-Cabarcos Chair of IT Security https://ps.tm.kit.edu/ Karlsruhe Institute of Technology
Thorsten Strufe Chair of IT Security https://ps.tm.kit.edu/ Karlsruhe Institute of Technology
Gabriel Barceló-Soteras
Florina Almenares-Mendoza Telematics Engineering Department School of Engineering University Carlos III of Madrid
Daniel Díaz-Sánchez Telematics Engineering Department School of Engineering University Carlos III of Madrid

DOI:

https://doi.org/10.14279/tuj.eceasst.80.1165

Abstract

Securing DNS in Edge- and Fog computing, or other scenarios where microservices are offloaded, requires the provision of zone signing keys to the third parties who control the computing infrastructure. This fundamentally allows the infrastructure provider to create novel signatures at their discretion and even arbitrarily extend the certificate chain.
Based on our proposal on soft delegation for DNSSEC, which curtails this vulnerability, we report on our proof-of-concept: a C-implementation of chameleon hashes in OpenSSL, a server side implementation of the mechanism in the ldns server, and an offline client that validates the signed records, in this paper. We also discuss different approaches for generating DNSSEC RRSIG records, and the behavior of a resolver to verify the credentials and securely connect to an end point using TLS with SNI and DANE.

Implementing DNSSEC soft delegation for microservices

Authors

DOI:

Abstract

Downloads

Published

How to Cite

Issue

Section

License

Information

Usage Statistics Information