A Metapolicy Framework for Enhancing Domain Expressiveness on the Internet
This addresses the issue of policy management for domain owners on the Internet, but it is incremental as it builds on existing DNS and trust infrastructures.
The paper tackles the problem of dispersed, insecure, and hard-to-manage security policies for DNS domains on the Internet by proposing a metapolicy framework that allows domain owners to specify and publish domain-level policies using existing infrastructure, with initial measurements showing benefits for a fraction of the Internet and quantified deployment overheads.
Domain Name System (DNS) domains became Internet-level identifiers for entities (like companies, organizations, or individuals) hosting services and sharing resources over the Internet. Domains can specify a set of security policies (such as, email and trust security policies) that should be followed by clients while accessing the resources or services represented by them. Unfortunately, in the current Internet, the policy specification and enforcement are dispersed, non-comprehensive, insecure, and difficult to manage. In this paper, we present a comprehensive and secure metapolicy framework for enhancing the domain expressiveness on the Internet. The proposed framework allows the domain owners to specify, manage, and publish their domain-level security policies over the existing DNS infrastructure. The framework also utilizes the existing trust infrastructures (i.e., TLS and DNSSEC) for providing security. By reusing the existing infrastructures, our framework requires minimal changes and requirements for adoption. We also discuss the initial results of the measurements performed to evaluate what fraction of the current Internet can get benefits from deploying our framework. Moreover, overheads of deploying the proposed framework have been quantified and discussed.