Implementing DNSSEC soft delegation for microservices

Andres Marin-Lopez, Patricia Arias-Cabarcos, Thorsten Strufe, Gabriel Barceló-Soteras, Florina Almenares-Mendoza, Daniel Díaz-Sánchez


Securing DNS in Edge and Fog computing, or in other scenarios where microservices are offloaded, requires handing zone signing keys to the third parties who control the computing infrastructure. This fundamentally allows the infrastructure provider to create new signatures at its discretion and even to extend the certificate chain arbitrarily.
In this paper, building on our proposal for soft delegation in DNSSEC, which curtails this vulnerability, we report on our proof-of-concept: a C implementation of chameleon hashes in OpenSSL, a server-side implementation of the mechanism in the ldns server, and an offline client that validates the signed records. We also discuss different approaches for generating DNSSEC RRSIG records, and the behavior of a resolver that verifies the credentials and securely connects to an endpoint using TLS with SNI and DANE.
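The abstract names chameleon hashes as the primitive behind soft delegation. As an added illustration (not the paper's OpenSSL code, whose exact construction is not described on this page), the Python below sketches a Krawczyk-Rabin style discrete-log chameleon hash: the zone owner's RRSIG is assumed to cover the chameleon digest of a record, and the delegated party holding the trapdoor can rewrite that record's data while keeping the digest, and hence the signature, valid. The group parameters, record bytes and key values are constructed toy values.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT secure): p = 2q + 1 with q prime, and g = 4
# generates the subgroup of order q in Z_p^*.  Real use needs >= 2048-bit p.
P, Q, G = 1019, 509, 4


def keygen():
    """Trapdoor x (held by the delegated edge provider) and public key y = g^x."""
    x = secrets.randbelow(Q - 1) + 1      # 1 <= x < q, so x is invertible mod q
    return x, pow(G, x, P)


def record_to_int(rdata: bytes) -> int:
    """Map the record's wire-format RDATA to an exponent in Z_q."""
    return int.from_bytes(hashlib.sha256(rdata).digest(), "big") % Q


def chameleon_hash(y: int, rdata: bytes, r: int) -> int:
    """CH(m, r) = g^m * y^r mod p.  Anyone can compute it from the public key y."""
    m = record_to_int(rdata)
    return (pow(G, m, P) * pow(y, r, P)) % P


def forge_collision(x: int, rdata: bytes, r: int, new_rdata: bytes) -> int:
    """With the trapdoor x, find r' such that CH(new, r') == CH(old, r).

    CH(m, r) = g^(m + x*r), so we need m' + x*r' = m + x*r (mod q),
    i.e. r' = r + (m - m') * x^-1 (mod q).  Without x this is a discrete-log
    problem, so the delegate can only rewrite records whose trapdoor it holds;
    it never obtains the zone signing key and cannot sign arbitrary new records.
    """
    m, m_new = record_to_int(rdata), record_to_int(new_rdata)
    return (r + (m - m_new) * pow(x, -1, Q)) % Q


def demo() -> bool:
    """Zone owner signs the digest once; the edge provider later moves the service."""
    x, y = keygen()
    old = b"edge.example. A 192.0.2.1"          # constructed RDATA placeholder
    r = secrets.randbelow(Q)
    digest = chameleon_hash(y, old, r)           # RRSIG is assumed to cover this value

    new = b"edge.example. A 192.0.2.2"          # service relocated by the provider
    r_new = forge_collision(x, old, r, new)      # publish new RDATA together with r'
    return chameleon_hash(y, new, r_new) == digest   # original RRSIG still verifies
```

A resolver that recomputes the chameleon digest from the published RDATA and r' will find it unchanged, which is exactly what lets the original RRSIG stay valid without the provider ever holding the zone signing key.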


Hosted By Universitätsbibliothek TU Berlin.