Blockchain Backed DNSSEC

  • Scarlett Gourley
  • Hitesh Tewari
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 339)


The traditional Domain Name System (DNS) does not include any security details, making it vulnerable to a variety of attacks which were discovered in 1990. The Domain Name System Security Extensions (DNSSEC) attempted to address these concerns and extended the DNS protocol to add origin authentication and message integrity whilst remaining backwards compatible. Yet despite the fact that issues with DNS have been well known since the late 90s, there has been very little adoption of DNSSEC. This paper proposes a new system using blockchain technology. Our system aims to provide the same security benefits as DNSSEC whilst addressing the concerns that led to its slow adoption.


Keywords: Blockchain, DNS, DNSSEC, Fragmentation, Amplification attack, X509



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Trinity College Dublin, Dublin, Ireland
