Publication
LSAD 2007
Conference paper

Zone state revocation for DNSSEC

Abstract

DNS Security Extensions (DNSSEC) are designed to add cryptographic protection to the Internet's name resolution service. However, the current design lacks a key revocation mechanism. In this paper we present Zone State Revocation (ZSR), a lightweight and backward compatible enhancement to DNSSEC. ZSR enables zones to explicitly revoke keys using self-certifying certificates, and enables DNS name-servers to opportunistically inform distributed caching resolvers of key revocations via lightweight control messages. Further, ZSR allows resolvers to distinguish between legitimate key changes and potential attacks when authentication chains are broken. ZSR is designed to work well with global-scale DNS operations, where millions of caches may need to be informed of a revocation, and where time is critical. Copyright 2007 ACM.
