DNSSEC+: An Enhanced DNS Scheme Motivated by Benefits and Pitfalls of DNSSEC

Abstract

The absence of security and privacy measures between DNS recursive resolvers and authoritative nameservers has been exploited by both on-path and off-path attackers. While many security proposals have been made in practice and in previous literature, they typically face deployability barriers and/or lack a compelling set of security and privacy properties, resulting in limited adoption. We introduce DNSSEC+, a novel DNS scheme designed to mitigate the security and privacy vulnerabilities of the DNS resolution process between resolvers and nameservers, while preserving the efficiency of the resolution process by maintaining a single round-trip. DNSSEC+ takes advantage of a hierarchical trust model that does not rely on entities external to DNS zones, but instead delegates nameserver replicas within a zone to serve zone data securely for short but renewable time intervals. This provides real-time security properties for DNS messages without duplicating long-term private keys on such replicas (which would expose those keys to risk). We implement a proof of concept of DNSSEC+ for evaluation and show that for server-side processing latency, resolution time, and CPU usage, DNSSEC+ is comparable to less-secure schemes but significantly outperforms DNS-over-TLS.
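The delegation idea in the abstract, as an added illustration that is not the paper's code or wire format: the zone's long-term key signs only a short-lived authorization for a replica key, the replica signs responses with that key, and the resolver checks the zone signature, the validity window, and the replica signature. Ed25519, the `key || notBefore || notAfter` byte layout, and the sample answer are all assumptions made here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)
// Delegation is the zone's short-lived authorization of one replica key; the long-term zone key signs only this record and never sits on a replica.
type Delegation struct {
	ReplicaPub ed25519.PublicKey
	NotBefore  time.Time
	NotAfter   time.Time
	ZoneSig    []byte // by the zone's long-term key over delegationBytes
}
// delegationBytes is the signed string (assumed layout): key || notBefore || notAfter.
func delegationBytes(pub ed25519.PublicKey, nb, na time.Time) []byte {
	b := make([]byte, len(pub)+16)
	copy(b, pub)
	binary.BigEndian.PutUint64(b[len(pub):], uint64(nb.Unix()))
	binary.BigEndian.PutUint64(b[len(pub)+8:], uint64(na.Unix()))
	return b
}
// Delegate runs at the zone operator: authorize replicaPub for [nb, na).
func Delegate(zonePriv ed25519.PrivateKey, replicaPub ed25519.PublicKey, nb, na time.Time) Delegation {
	return Delegation{replicaPub, nb, na, ed25519.Sign(zonePriv, delegationBytes(replicaPub, nb, na))}
}
// VerifyResponse runs at the resolver: zone signature, then validity window, then replica signature.
func VerifyResponse(zonePub ed25519.PublicKey, d Delegation, resp, sig []byte, now time.Time) error {
	if !ed25519.Verify(zonePub, delegationBytes(d.ReplicaPub, d.NotBefore, d.NotAfter), d.ZoneSig) {
		return errors.New("delegation not signed by zone key")
	}
	if now.Before(d.NotBefore) || !now.Before(d.NotAfter) {
		return errors.New("delegation outside its validity window")
	}
	if !ed25519.Verify(d.ReplicaPub, resp, sig) {
		return errors.New("response not signed by delegated replica key")
	}
	return nil
}
func main() {
	zonePub, zonePriv, _ := ed25519.GenerateKey(rand.Reader)
	repPub, repPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	d := Delegate(zonePriv, repPub, now, now.Add(10*time.Minute)) // short, renewable window
	resp := []byte("example.com. 300 IN A 192.0.2.1")             // constructed sample answer
	sig := ed25519.Sign(repPriv, resp)
	fmt.Println("fresh:", VerifyResponse(zonePub, d, resp, sig, now), "| stale:", VerifyResponse(zonePub, d, resp, sig, now.Add(time.Hour)))
}
```

Renewal is just a new Delegate call for the next window; a compromised replica key is useful to an attacker only until its NotAfter passes.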

@article{jahromi2025_2408.00968,
  title={DNSSEC+: An Enhanced DNS Scheme Motivated by Benefits and Pitfalls of DNSSEC},
  author={Ali Sadeghi Jahromi and AbdelRahman Abdou and Paul C. van Oorschot},
  journal={arXiv preprint arXiv:2408.00968},
  year={2025}
}