Compact DNSSEC

Background DNSSEC has low adoption rate on SLD . The operation burden of fullzone DNSSEC deployment is heavy. DNS random subdomain attacks and amplification attacks are commonly used distributed denial-of-service (DDoS) attacks. The DDoS amplification power of the authoritative server of SLD will be larger after deploying DNSSEC .

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in . Basic terms used in this specification are defined in the documents , , . Authoritative Server: Described in . Recursive Resolver: Described in .

Compact DNSSEC Scheme To encourge the DNSSEC deployment on resource-limited SLD, it is resonable to give it a compact DNSSEC deployment scheme.

The Resource-limited SLD Publishes Compact DNSSEC Records Resource-limited SLD should publish these DNSSEC records: the delegation signer (DS) record on TLD. the DNSKEY records. the RRSIGs for NS/A/AAAA/CNAME/TLSA records associated with NS. Resource-limited SLD doesn't publish other DNSSEC records on other subdomains. Resource-limited SLD doesn't deploy NSEC/NSEC3. For example:

Therefore, the zone file size of the compact DNSSEC scheme is approximate with plain-text DNS, with few RRSIGs.

The Authoritative Server of Resource-limited SLD Deploys Secure Service and defined the encrypted DoT/DoQ service for client-to-recursive. discussed the extended deployment of encrypted recursive-to-authoritative DNS. The authoritative server of resource-limited SLD deploys the DoQ/DoT service with self-signed PKI cerificate with TLS connection. The NS records of the resource-limited SLD should be written into the subjectAltName extension field of the self-signed PKI certificate. The public key information of the self-signed PKI cerificate is published on associated TLSA records of the NS. The associated TLSA records are DNSSEC-signed. An alternative secure channel solution is , embeded the raw public key into the NS records.

The Recursive Resolver Validates The Compact DNSSEC Records The recursive resolver validates the DNSSEC trust chain (Root -> TLD -> SLD), and gains the trustworthy A/AAAA records of the NS records of the SLD. The trustworthy A/AAAA records are the IP addresses of the authoritative server of the resource-limited SLD.

Setup Secure Channel for Recursive-to-Authoritative The Recursive Resolver setup secure DoQ/DoT channel with the authoritative server of the resource-limited SLD: The recursive resolver connects to the trustworthy IP addresses of the authoritative server of the resource-limited SLD. The recursive resolver receives the self-signed certificate from the authoritative server, and extract the public key from the self-signed PKI certificate. The recursive resolver validates the TLSA RRSIGs of the NS records of the SLD with the DNSSEC trust chain. The recursive resolver validates the digest of extracted public key match the TLSA record. The recursive resolver setup secure DoQ/DoT channel with the authoritative server of the resource-limited SLD successfully. The recursive resolver make DNS query with the authoritative server of the resource-limited SLD on the secure DoQ/DoT channel.

Security Considerations The compact DNSSEC scheme does not cover the entire zone and does not deploy NSEC/NSEC3.