Automating trusted key rollover in DNSSEC

Article type: Research Article

Authors: Guette, Gilles

Affiliations: IRISA/Université de Rennes 1, Campus de Beaulieu, 35042 Rennes Cedex, France. E-mail: gilles.guette@irisa.fr

Abstract: The Domain Name System (DNS) is a distributed tree-based database largely used to translate a human readable machine name into an IP address. The DNS security extensions (DNSSEC) has been designed to protect the DNS protocol using public key cryptography and digital signatures. Every secure DNS zone owns at least a key pair (public/private) to provide two security services: data integrity and authentication. To trust some DNS data, a DNS client has to verify the signature of this data with the right zone key. This verification is based on the establishment of a chain of trust. To build this chain of trust, a DNSSEC client needs a secure entry point: a zone key configured as trusted in the client. In this paper, we study the management problem of this kind of key also call the trusted key rollover problem. We propose a new resource record (RR) to automate this rollover and avoid the inconsistency problem between the resolver key set and the name server key set. Without our new record and solution, this problem needs an administrator action to be solved.

Keywords: DNSSEC, network security, key management, key rollover

DOI: 10.3233/JCS-2009-0343

Journal: Journal of Computer Security, vol. 17, no. 6, pp. 839-854, 2009