A Metapolicy Framework for Enhancing Domain Expressiveness on the Internet
Gaurav Varshney, Pawel Szalachowski

TL;DR
This paper proposes a secure, comprehensive metapolicy framework that enables domain owners to specify and manage security policies within DNS, leveraging existing trust infrastructures for enhanced domain expressiveness and security.
Contribution
It introduces a novel metapolicy framework that integrates with DNS, TLS, and DNSSEC, requiring minimal changes and improving policy management and security on the Internet.
Findings
The framework can be deployed with minimal infrastructure changes.
Initial measurements show significant potential benefits for the current Internet.
Deployment overheads are manageable and quantified.
Abstract
Domain Name System (DNS) domains became Internet-level identifiers for entities (like companies, organizations, or individuals) hosting services and sharing resources over the Internet. Domains can specify a set of security policies (such as email and trust security policies) that should be followed by clients while accessing the resources or services represented by them. Unfortunately, in the current Internet, the policy specification and enforcement are dispersed, non-comprehensive, insecure, and difficult to manage. In this paper, we present a comprehensive and secure metapolicy framework for enhancing the domain expressiveness on the Internet. The proposed framework allows the domain owners to specify, manage, and publish their domain-level security policies over the existing DNS infrastructure. The framework also utilizes the existing trust infrastructures (i.e., TLS and DNSSEC)…
