Support for public-key infrastructures in DNS

TL;DR

This paper proposes leveraging the DNS infrastructure to improve public key distribution, addressing the limitations of traditional certificate repositories which are not interconnected and lack automatic discovery mechanisms.

Contribution

It introduces a novel approach that integrates public key infrastructure support into DNS, enabling automatic discovery and retrieval of certificates across the Internet.

Findings

DNS-based certificate discovery is feasible.

Improved scalability and accessibility for PKI.

Potential for enhanced security in public key distribution.

Abstract

Traditionally, publicly available repositories of certificates offer the usual response to the problem of public key distribution. After issuing a public-key certificate a certification authority (CA) - in the frame of a particular public-key infrastructure (PKI) - will store and publish that certificate in a repository so that, at a later moment, end-users can search, find and retrieve public-key certificates. A known and still persisting drawback of this approach is that these repositories are not interconnected between each other on an Internet scale, therefore the search and retrieving of certificates on a wider scale turns out to be very difficult. In this scenario, end-users are supposed to know the Internet location of the repository before actually starting the procedure of search and retrieval. Currently, there are no means to perform automatic discovery of authoritative repositories for a particular certificate using as a search-key some information identifying an Internet entity. In this paper, we try to describe a different approach for solving the key distribution problem. This solution takes into account an already existing Internet-wide infrastructure: the domain name system (DNS).