DocumentCode
3219310
Title
Public key validation for the DNS security extensions
Author
Massey, Daniel ; Lewis, Ed ; Gudmundsson, Olafur ; Mundy, Russ ; Mankin, Allison
Volume
1
fYear
2001
fDate
2001
Firstpage
227
Abstract
The deployment of DNS Security (DNSSEC) can only succeed if there is an effective mechanism for DNS public key validation. This paper compares three potential approaches to DNS key validation. A tree-based approach utilizes the existing structure of the DNS tree to form highly structured key signing rules. This makes following chains of trust simple, but it allows no flexibility for individual zones and makes incremental deployment impossible. A pure web-of-trust-based approach imposes no structure whatsoever on the key signing process. This lack of structure provides a high degree of local control, but also makes it difficult to find trusted chains or specify security policies. The third approach is a new proposal based on the concept of a fault-tolerant mesh of trust. The mesh approach utilizes some structured elements from the tree-based approach while maintaining the local flexibility found in the web of trust. Our analysis shows the hybrid mesh approach has the best chance of succeeding in the Internet.
Keywords
Internet; distributed databases; public key cryptography; telecommunication security; DNS Security; DNS security extensions; DNS tree; DNSSEC; Domain Name System; Internet; distributed database; fault-tolerant mesh; key signing rules; public key cryptography; public key validation; web of trust; Authentication; Certification; Contracts; Databases; Domain Name System; Fault tolerance; Internet; Proposals; Public key; Security;
fLanguage
English
Publisher
ieee
Conference_Titel
DARPA Information Survivability Conference & Exposition II, 2001. DISCEX '01. Proceedings
Conference_Location
Anaheim, CA
Print_ISBN
0-7695-1212-7
Type
conf
DOI
10.1109/DISCEX.2001.932218
Filename
932218