DNS/DANE Collision-Based Distributed and Dynamic Authentication for Microservices in IoT

1 University Carlos III de Madrid, 28911 Leganés, Spain
2 University of Mannheim, 68161 Mannheim, Germany
* Author to whom correspondence should be addressed.
This manuscript is an extended version of the conference paper: Sánchez, D.; López, A.; Mendoza, F.; Cabarcos, P.A. DNS-Based Dynamic Authentication for Microservices in IoT. In Proceedings of the 12th International Conference on Ubiquitous Computing and Ambient Intelligence (UCAmI 2018), Punta Cana, Dominican Republic, 4–7 December 2018.
Current address: Av de la Universidad, 28911 Leganés, Spain.
Sensors 2019, 19(15), 3292; https://doi.org/10.3390/s19153292
Received: 31 May 2019 / Revised: 22 July 2019 / Accepted: 23 July 2019 / Published: 26 July 2019
IoT devices provide real-time data to a rich ecosystem of services and applications. The volume of data and the associated subscribe/notify signaling will likely also become a challenge for access and core networks. To relieve the load on the core of the network, other technologies like fog computing can be used. On the security side, designers of low-cost IoT devices and applications often reuse old versions of development frameworks and software components that contain vulnerabilities. Many server applications today are designed using microservice architectures where components are easier to update. Thus, IoT can benefit from deploying microservices in the fog as it offers the required flexibility for the main players of ubiquitous computing: nomadic users. In such deployments, IoT devices need the dynamic instantiation of microservices. IoT microservices require certificates so they can be accessed securely. Thus, every microservice instance may require a newly-created domain name and a certificate. The DNS-based Authentication of Named Entities (DANE) extension to Domain Name System Security Extensions (DNSSEC) allows linking a certificate to a given domain name. Thus, the combination of DNSSEC and DANE provides microservices’ clients with secure information regarding the domain name, IP address, and server certificate of a given microservice. However, IoT microservices may be short-lived since devices can move from one local fog to another, forcing DNSSEC servers to sign zones whenever new changes occur. Considering that DNSSEC and DANE were designed to cope with static services, handling dynamic IoT microservice instantiation can throttle scalability in the fog. To overcome this limitation, this article proposes a solution that modifies the DNSSEC/DANE signature mechanism using chameleon signatures and defining a new soft delegation scheme.
Chameleon signatures are signatures computed over a chameleon hash, which has a special property: a secret trapdoor can be used to compute collisions for the hash. Since the hash value is maintained, the signature does not have to be computed again. In the soft delegation scheme, DNS servers obtain a trapdoor that allows performing changes in a constrained zone without affecting normal DNS operation. In this way, a server can receive this soft delegation and modify the DNS zone to cope with frequent changes such as microservice dynamic instantiation. Changes in the soft delegated zone are much faster and do not require the intervention of the DNS primary servers of the zone.
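
The collision property described in the abstract, as an added example that is not code from the paper. It assumes a Krawczyk-Rabin style discrete-log chameleon hash over a toy group; the parameters, function names and record strings are constructed for illustration and are not the paper's encoding.

```python
# Added example: Krawczyk-Rabin style discrete-log chameleon hash (assumed scheme).
# Toy group, constructed and NOT secure: safe prime P = 2*Q + 1, G has order Q.
import hashlib
import secrets

P, Q, G = 2039, 1019, 4

def keygen():
    """Return (trapdoor x, public key y = G^x mod P)."""
    x = secrets.randbelow(Q - 1) + 1           # x in [1, Q-1], invertible mod Q
    return x, pow(G, x, P)

def digest(record: bytes) -> int:
    """Map a record to an exponent in Z_Q with an ordinary hash."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % Q

def chameleon_hash(y: int, record: bytes, r: int) -> int:
    """CH(m, r) = G^m * y^r mod P; computable by anyone from the public key."""
    return (pow(G, digest(record), P) * pow(y, r, P)) % P

def collide(x: int, old: bytes, r_old: int, new: bytes) -> int:
    """Trapdoor holder solves m + x*r = m' + x*r' (mod Q) for r'."""
    return (r_old + (digest(old) - digest(new)) * pow(x, -1, Q)) % Q

def demo():
    """Replace a record while keeping the chameleon hash value fixed."""
    x, y = keygen()
    # Constructed TLSA-like records for a hypothetical microservice name.
    old = b"_443._tcp.svc1.fog.example. TLSA 3 1 1 aaaa"
    new = b"_443._tcp.svc1.fog.example. TLSA 3 1 1 bbbb"
    r_old = secrets.randbelow(Q)
    signed = chameleon_hash(y, old, r_old)     # value a zone signature would cover
    r_new = collide(x, old, r_old, new)        # only possible with the trapdoor x
    return signed, chameleon_hash(y, new, r_new)

if __name__ == "__main__":
    signed, updated = demo()
    print("hash covered by signature:", signed)
    print("hash after record update: ", updated)
```

A verifier needs the record together with its current r value to recompute the hash, so r has to be published alongside the updated record.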
Keywords: IoT; microservices; DNSSEC; DANE; chameleon signatures
MDPI and ACS Style

Díaz-Sánchez, D.; Marín-Lopez, A.; Almenárez Mendoza, F.; Arias Cabarcos, P. DNS/DANE Collision-Based Distributed and Dynamic Authentication for Microservices in IoT. Sensors 2019, 19, 3292.
