Trustworthy TCB for DNS Servers
A simple atomic relay function is proposed as a minimal Trusted Computing Base (TCB) for a Domain Name System (DNS) server. This TCB, composed of a fixed sequence of logical and cryptographic hash operations, can be amplified to ensure that a DNS server cannot violate rules. The paper also outlines elements of a TCB-DNS protocol that amplifies the simple TCB to secure the domain name sys-tem. The paper includes an extensive comparison of the proposed approach with DNSSEC, the current standard for securing DNS. The proposed approach is shown to overcome many issues associated with DNSSEC. Specifically, TCB-DNS demands substantially lower overhead for DNS servers and resolvers, eliminates the issue of zone enumeration, and is less susceptible to replay attacks.