September 2017

Relevant DNSSEC Concepts and Basic Building Blocks

The trust infrastructure developed by the LIGHTest project makes use of the existing global Domain Name Service (DNS) for discovering information relevant for validation of trust. As a distributed database both in terms of organization of data as well as responsibility for operation and management, the DNS is very suitable for an infrastructure that aims to support integration and interoperation of various trust schemes

The original design of the DNS did not consider a number of attacks allowing miscreants to alter information retrieved via the DNS . The Domain Name Service Security Extensions (DNSSEC) have been developed to mitigate this problem. They allow users of the DNS to verify that the data they received is indeed the data intended. This ability for verification is vital for use of DNS in the context of a trust infrastructure.

 

Within the infrastructure, the DNS can be used for two specific tasks: verification of identity and retrieval of trust related data.

When communicating with a network resource or retrieving remote documents, certificates are used to prove the identity of the resource or authenticity of the document. The DANE protocol associates these identities with domain names and stores information under this domain name that can be used to limit the certificates allowed to be used with the identity. The concepts from DANE can be used in the LIGHTest architecture to limit the certificates in use by a trust scheme both as issuer certificates as well as for signing trust related information such a s trust lists. Some new procedures need to be developed to apply the concepts to these specific use cases.

In order to verify trust, however, additional information needs to be queried, such as rules describing

trust association, trust translation, and trust delegation. As such rule sets can become rather large, the DNS isn’t suited for storing them. Instead, pointers should be stored that direct interested parties to retrieve this information using other, more appropriate protocols such as HTTP. These protocols will also allow limiting access based on authentication, whereas DNS’s data is available publicly.

Such pointers are best provided in the form of URIs. Two DNS extensions are currently defined for storing URIs for a given domain name: the Dynamic Delegation Discovery System (DDDS), an extensive system for translating application-defined strings into URIs using the DNS as a database, and a much simpler concept that simply stores URIs for a given domain name. Use of either would require the definition of some usage rules as part of the LIGHTest project. 

When implementing the resulting architecture as part of the project’s pilots, various software may be necessary. There are three categories: DNS server software that operates as part of the global DNS

system, DNS provisioning libraries and tools that can be used to manage the data to be stored as part of the LIGHTest project, and DNS libraries for querying the DNS as part of trust verification.

The full public deliverable can be accessed here