DNS CERT as Foundation of Trust for Zero Trust Deployments
Muralidharan Palanisamy
Chief Solutions Officer @ AppViewX | Extensive Leadership, Solution Designing
Secure Trust Anchor Management using DNS
The Domain Name System (DNS) is essential for the proper functioning of the internet, serving as the foundational pillar of trust for every digital transaction. Each web page visited, email sent, and digital communication relies on DNS to translate human-friendly names into destination addresses.
To enhance authentication and validation of DNS responses, the Internet Engineering Task Force (IETF) introduced DNS Security Extensions (DNSSEC). DNSSEC uses digital signatures based on public key cryptography to sign responses by the domain owner. It serves two primary functions:
Data Origin Authentication: This allows resolvers/clients to cryptographically verify that the responses actually originate from the owner of the DNS name.
Data Integrity Protection: This enables resolvers/clients to verify that the data has not been altered during transit.
Certificates are another form of trust used to validate and verify endpoints like websites and servers, leveraging Public Key Cryptography or Public Key Infrastructure (PKI). Public keys or Certificate Authorities (CAs) are embedded in device trust stores or browsers to verify endpoint certificates deployed on servers or websites. The root CA certificate is used to authenticate and validate the certificates it issues, much like trusting a country’s passport if you trust the country’s government to securely issue passports to its citizens.
Currently, browsers include over 160 CAs in their trust stores. Consequently, any website with a certificate signed by any of these CAs will be trusted by the browser. However, the internet is inherently insecure and open, and relying on over 160 CAs does not instill confidence in its security, especially when some of these CAs are owned by nation states.
Using DNS as the foundation of trust
Using DNS as the foundation of trust, explicit trust (Zero Trust) becomes possible: the DNS domain owner publishes the public certificate of the CA that signed their website or server certificate. With DNSSEC and DNS CERT records, the owner can authoritatively publish that CA-issued public certificate with integrity and verifiable legitimacy. This ties the DNS domain to the actual server: application-level verification of the server certificate uses trust material obtained directly from the DNS name owner, which ensures that each DNS name is bound to the correct CA.
Trust Anchor Management
TLS clients can look up the domain's CERT DNS record (RFC 4398) to retrieve the trust anchor. The record can be published with a short Time-to-Live (TTL) value, which enables support for short-lived certificate authorities. The complete list of trusted certificates can be published as multiple CERT records, scoped per application or per enterprise top-level domain.
Publishing certificate authority public keys enables explicit trust with the agility to switch CAs and to shorten CA and certificate validity, reducing exposure to future quantum computing threats and enabling Zero Trust.
What are DNS CERT Records?
DNS CERT records are DNS resource records used to associate certificates with domain names. They provide a way to distribute certificates or public keys via DNS, leveraging DNSSEC to ensure authenticity and integrity. When a DNS query is made for a CERT record, the DNS server returns the associated certificate or public key. DNSSEC ensures that the response is signed and verifiable, providing an additional layer of security. This record can be used in a traditional hierarchical PKI to publish the CA certificate against which trust is validated.
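To make the record format concrete, the following is an added example (not code from the article or from AppViewX) that parses CERT RDATA in zone-file presentation format, converts it to and from the RFC 4398 wire format (16-bit type, 16-bit key tag, 8-bit algorithm, then the certificate bytes), and applies the sanity checks a client would run before trusting the payload: field widths, the reserved type 0, and, for type 1 (PKIX, the value RFC 4398 assigns to X.509 certificates), that the payload is a DER SEQUENCE. The sample record is constructed: its certificate bytes are a minimal DER placeholder, not a real CA certificate.

```python
import base64
import struct

# CERT type values from RFC 4398 section 2.1 (type 0 is reserved).
CERT_TYPES = {
    "PKIX": 1, "SPKI": 2, "PGP": 3, "IPKIX": 4, "ISPKI": 5,
    "IPGP": 6, "ACPKIX": 7, "IACPKIX": 8, "URI": 253, "OID": 254,
}
CERT_TYPE_NAMES = {v: k for k, v in CERT_TYPES.items()}

# Constructed sample: type PKIX, key tag 0, algorithm 0, and a placeholder
# DER SEQUENCE { INTEGER 1 } standing in for a real CA certificate.
PLACEHOLDER_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_RDATA = "PKIX 0 0 ( " + base64.b64encode(PLACEHOLDER_DER).decode() + " )"


def _type_value(field: str) -> int:
    """Accept either the mnemonic (PKIX) or the numeric type (1)."""
    if field.isdigit():
        return int(field)
    try:
        return CERT_TYPES[field.upper()]
    except KeyError:
        raise ValueError(f"unknown CERT type {field!r}") from None


def _check(rec: dict) -> None:
    """Reject records a validator should never act on."""
    if not 1 <= rec["type"] <= 0xFFFF:
        raise ValueError("CERT type must be 1..65535 (0 is reserved)")
    if not 0 <= rec["key_tag"] <= 0xFFFF:
        raise ValueError("key tag must fit in 16 bits")
    if not 0 <= rec["algorithm"] <= 0xFF:
        raise ValueError("algorithm must fit in 8 bits")
    if not rec["certificate"]:
        raise ValueError("empty certificate payload")
    # An X.509 certificate is a DER SEQUENCE, so a PKIX payload must start with 0x30.
    if rec["type"] == CERT_TYPES["PKIX"] and rec["certificate"][0] != 0x30:
        raise ValueError("PKIX payload is not a DER SEQUENCE")


def parse_cert_rdata(text: str) -> dict:
    """Parse '<type> <key tag> <algorithm> <base64 certificate>'; zone-file
    parentheses and line breaks inside the base64 are tolerated."""
    fields = text.replace("(", " ").replace(")", " ").split()
    if len(fields) < 4:
        raise ValueError("CERT RDATA needs type, key tag, algorithm and certificate")
    type_field, key_tag, algorithm, *b64_parts = fields
    rec = {
        "type": _type_value(type_field),
        "key_tag": int(key_tag),
        "algorithm": int(algorithm),
        "certificate": base64.b64decode("".join(b64_parts), validate=True),
    }
    _check(rec)
    return rec


def to_wire(rec: dict) -> bytes:
    """RFC 4398 wire format: type(16) | key tag(16) | algorithm(8) | certificate."""
    _check(rec)
    return struct.pack("!HHB", rec["type"], rec["key_tag"], rec["algorithm"]) + rec["certificate"]


def from_wire(data: bytes) -> dict:
    """Inverse of to_wire, with the same checks applied to what came off the wire."""
    if len(data) < 5:
        raise ValueError("CERT RDATA shorter than its fixed 5-byte header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", data[:5])
    rec = {"type": cert_type, "key_tag": key_tag, "algorithm": algorithm, "certificate": data[5:]}
    _check(rec)
    return rec


def to_presentation(rec: dict) -> str:
    """Render a record back into zone-file form, using the mnemonic where one exists."""
    name = CERT_TYPE_NAMES.get(rec["type"], str(rec["type"]))
    return f"{name} {rec['key_tag']} {rec['algorithm']} " + base64.b64encode(rec["certificate"]).decode()


if __name__ == "__main__":
    record = parse_cert_rdata(SAMPLE_RDATA)
    print(to_wire(record).hex())
    print(to_presentation(from_wire(to_wire(record))))
```

In a real client the certificate bytes handed back by `parse_cert_rdata` or `from_wire` would be passed to the TLS library as a trust anchor only after the resolver has reported the answer as DNSSEC-validated; the parser itself proves nothing about the origin of the data.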
Comparing Traditional PKI with DNS-based Authentication of Named Entities (DANE)
Traditional PKI: Relies on a hierarchical CA model, with potential trust issues due to multiple CAs.
DANE: Uses TLSA records for certificate association, providing flexibility but requiring DNSSEC validation; it supports validating several certificate associations in parallel.
DNS CERT Records: Directly bind certificates or CAs to domain names, simplifying the trust model and enhancing security. Optionally, they can also support a hierarchical PKI trust model, or a simplified or distributed trust model per domain.
Benefits of Using DNS CERT Records
Enhanced Security
By binding certificates directly to domain names, DNS CERT records reduce the risk of certificate spoofing and man-in-the-middle attacks. Short-lived certificates reduce the window of opportunity for attackers to exploit compromised keys.
Simplified Certificate Management
Organizations can manage certificates more efficiently, reducing dependency on multiple CAs and streamlining operations.
Reduced Overhead
Automating certificate distribution and validation through DNS can reduce operational overhead and improve scalability.
Dynamic Trust Anchor Updates
Using DNS CERT records, trust anchors can be updated dynamically with short TTL values, providing flexibility and agility in certificate management. This is particularly beneficial in responding to security threats or adapting to new cryptographic standards. Frequent updates allow organizations to respond quickly to emerging threats and vulnerabilities.
Pulling vs. Pushing Trust Anchors
In the realm of IoT, devices are often distributed across various networks and locations, sometimes with intermittent connectivity. A common challenge is managing trust anchors efficiently. While the Trust Anchor Management Protocol (TAMP) works well for always-connected devices by pushing updates, a pull model using DNS CERT records is more effective for distributed devices.
Pull Model Using DNS CERT Records
Considering a smart meter deployment across a vast geographic area, where meters are installed in locations with intermittent internet connectivity, pushing trust anchor updates to each smart meter is impractical due to connectivity issues. In this case, you can use DNS CERT records to enable smart meters to pull the latest trust anchors when they connect to the internet. Smart meters are configured to perform DNS queries for CERT records during their periodic internet connectivity. This ensures that each device can independently retrieve and validate the latest trust anchors, enhancing security and reducing administrative overhead.
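The pull model above, and the dynamic trust anchor updates described earlier, come down to a small state machine on the device: pull the CERT RRset when the cached copy is near expiry, accept a new anchor set only from a DNSSEC-validated answer, and keep the last validated set across connectivity gaps. The following is an added example (not code from the article or from AppViewX) of that logic. The resolver is passed in as a callback and is hypothetical; `ca.example.test` is a placeholder name, and the certificate bytes are constructed DER placeholders, not real CA certificates.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class CertAnswer:
    """What a hypothetical DNSSEC-validating stub resolver returns for a CERT query:
    the DER certificates from the RRset, the RRset TTL, and whether the answer was
    DNSSEC-validated (local validation or the AD bit from a trusted validating resolver)."""
    certificates: List[bytes]
    ttl: int
    validated: bool


@dataclass
class TrustAnchorStore:
    name: str                                      # DNS name holding the CERT RRset
    anchors: Dict[str, bytes] = field(default_factory=dict)  # sha256 fingerprint -> DER
    expires_at: float = 0.0                        # absolute time the cached RRset expires
    refresh_margin: int = 60                       # pull early so one failed attempt does not leave us stale

    @staticmethod
    def fingerprint(der: bytes) -> str:
        return hashlib.sha256(der).hexdigest()

    def needs_refresh(self, now: float) -> bool:
        return now >= self.expires_at - self.refresh_margin

    def is_stale(self, now: float) -> bool:
        """True once the TTL has run out without a successful pull."""
        return now >= self.expires_at

    def apply(self, answer: CertAnswer, now: float) -> bool:
        """Replace the anchor set atomically; refuse anything DNSSEC did not vouch for."""
        if not answer.validated:
            return False       # unsigned or failed-validation answer: keep what we have
        if not answer.certificates:
            return False       # empty RRset is not a valid trust update
        self.anchors = {self.fingerprint(der): der for der in answer.certificates}
        self.expires_at = now + answer.ttl
        return True

    def pull(self, resolve: Callable[[str], CertAnswer], now: float) -> str:
        """One periodic attempt; returns what happened so the device can log it."""
        if not self.needs_refresh(now):
            return "fresh"
        try:
            answer = resolve(self.name)
        except OSError:
            return "offline"   # intermittent link: keep the cached set until it expires
        return "updated" if self.apply(answer, now) else "rejected"

    def trusted(self, now: float) -> List[bytes]:
        """The last validated anchor set. It is returned even when stale, because a meter
        that is offline longer than the TTL must not lock itself out of all TLS; the
        caller decides its own policy via is_stale()."""
        return list(self.anchors.values())


# Constructed sample: two placeholder DER blobs standing in for CA certificates.
ANCHOR_V1 = b"\x30\x03\x02\x01\x01"
ANCHOR_V2 = b"\x30\x03\x02\x01\x02"


def demo() -> List[str]:
    """Simulate a meter across several wake-ups: a good pull, a fresh cache, an offline
    period, then an unvalidated answer that must be rejected."""
    store = TrustAnchorStore("ca.example.test")
    good = CertAnswer([ANCHOR_V1], ttl=300, validated=True)
    spoofed = CertAnswer([ANCHOR_V2], ttl=300, validated=False)

    def offline(_name: str) -> CertAnswer:
        raise OSError("no uplink")

    return [
        store.pull(lambda _n: good, now=1000),
        store.pull(lambda _n: good, now=1100),
        store.pull(offline, now=1250),
        store.pull(lambda _n: spoofed, now=1310),
    ]


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the asymmetry in `apply`: an unvalidated answer never replaces the anchors, but a validated one replaces them wholesale, which is what lets a short TTL double as a revocation mechanism.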
Addressing Post-Quantum Threats
Quantum computing poses a significant threat to current cryptographic standards. IoT deployments, in particular, need to adapt by adopting shorter-lived trust anchors that can be updated frequently. Regular updates ensure that trust anchors can be adapted to post-quantum cryptographic algorithms as they become available.
Sample DNS CERT record with DNSSEC validation
ca.appviewx.com. 296 IN CERT 0 0 0 (
MIIB8zCCAZmgAwIBAgITQMvCiTnXkcxee5eiUrzKJIna
8TAKBggqhkjOPQQDAjA+MREwDwYDVQQKEwhBcHB2aWV3
eDELMAkGA1UECxMCSVQxHDAaBgNVBAMTE0lULUFWWC1S
b290LUdDQVMtRUMwHhcNMjMwNTExMDc1MDIyWhcNMzMw
NTA4MDc1MDIxWjA+MREwDwYDVQQKEwhBcHB2aWV3eDEL
MAkGA1UECxMCSVQxHDAaBgNVBAMTE0lULUFWWC1Sb290
LUdDQVMtRUMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
AATkccapehNjCA3Hwgjj+XLxFQayMtDUUHi3BxP+fO5O
gGa36llwn6QPWKhXxNNK+xGs+Y3QrDWPq0IK8j0jopoB
o3YwdDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUNPcUdSNHNjLULpkUME4J4sUj
btIwHwYDVR0jBBgwFoAUNPcUdSNHNjLULpkUME4J4sUj
btIwEQYDVR0gBAowCDAGBgRVHSAAMAoGCCqGSM49BAMC
A0gAMEUCIQCZ6ZgBMr+ir2Fzu192hYH+RFMuLqV973Ka
iDvSOVuf2gIgXkcYJB79bIqBvzJFssuAanoEBLhGF+O9
grlxPNNeLdU= )
ca.appviewx.com. 296 IN RRSIG CERT 13 3 300 (
20240522233005 20240520213005 34505 appviewx.com.
ZttZh6XV3HbFYWyztXOQrznMlphJzlmuFmObE1JqXCBE
mh14MC69bxxsjsE5fX6kGkmTn4gaNR01kLg+z1Jl7A== )
Real-World Examples and Case Studies
Enterprise Deployments
Enterprises can implement DNS CERT records to secure their services, using their internal DNS service to issue and distribute trust securely instead of relying on a centralized trust anchor and hierarchical PKI for the whole enterprise.
Scenario: A multinational enterprise with multiple subsidiaries and remote offices needs to implement a Zero Trust security model across its IT infrastructure.
Challenge: Traditional hierarchical PKI systems rely on a central CA, which can be a single point of failure and a bottleneck for certificate distribution.
Solution: Deploy DNS CERT records to distribute trust across the enterprise.
Implementation: Each subsidiary publishes its own DNS CERT records, enabling local control and validation of certificates.
Benefits: Decentralizes trust management, reduces dependency on a central CA, and enhances security through localized certificate validation.
Outcome: The enterprise achieves a Zero Trust model with efficient and secure certificate management across its global infrastructure.
IoT Deployments
Smart Meter Deployments
Challenge: Managing trust anchors for thousands of smart meters with limited or intermittent connectivity.
Solution: Use DNS CERT records to allow meters to pull trust anchors as needed.
Outcome: Improved security and efficiency in managing trust anchors across a distributed network of devices.
IIoT Deployments
Challenge: Ensuring the security of IIoT sensors deployed in remote locations and air-gapped environments with limited connectivity.
Solution: Configure IIoT sensors to pull dynamic trust anchors via DNS CERT records, ensuring up-to-date security.
Outcome: Enhanced security for critical infrastructure and reduced risk of compromise.
Conclusion
DNS CERT records offer a promising solution for enhancing certificate management and security in both enterprise and IoT environments. By leveraging DNS and DNSSEC, organizations can achieve a more streamlined and secure certificate infrastructure. As the digital landscape evolves, adopting DNS CERT records can help mitigate risks and ensure robust security for all connected devices and services.
Explore the potential of DNS CERT records in your organization and consider integrating them into your security strategy. Embrace this innovative approach to enhance your certificate management and trust anchor infrastructure.
Please share your thoughts, suggestions and challenges to this approach.
Muralidharan Palanisamy (Chief Solutions Officer @ AppViewX), 5 months: Submitted it as a draft to IETF https://www.ietf.org/archive/id/draft-rfcxml-trust-anchor-management-using-dns-00.txt