DNSSEC as a service – A prototype implementation

Abstract

Domain Name System (DNS) plays a massive role in today’s technological era. While initially designed to facilitate communications over the Internet and over networks, the DNS in itself is not secure enough considering the type and criticality of information being shared today. Considering its worldwide acceptance and popularity, securing the DNS without breaking its operation has become vital. DNSSEC is seen as a viable option to protect the integrity of the data and prevent on the fly modifications. However, its adoption rate is not encouraging. Research shows that complexity associated with currently proposed solutions were major turn off for organizations. This paper proposes the creation of a DNSSEC signing service whereby customers register themselves with the service provider and the latter deploys a signing environment for them which includes a DNSSEC signer, a database and web services for access purposes. Customers will only have to use the web services to create and manage their zones and the zone signing can be done automatically or with a simple click of a button. Signed zones are sent back to customer authoritative DNS servers securely using Transaction SIGnature (TSIG) and incoming DNS requests are signed. This solution involves open-source tools and service providers make use of Linux containers for customer environment and space for resource efficiency. All the complexity and additional maintenance involving the system are taken off the customer’s shoulders and managed by the provider while also facilitating their tasks through GUI operations.