Beyond PKI: a DNSSEC delegation approach for scalable dynamic credential management in IoT
Diaz-Sanchez, D.
DOI: 10.1109/jiot.2025.3600371

Abstract/Summary

Internet of Things (IoT) systems that manage data across cloud, fog, and edge environments, and the devices that consume those services, face substantial challenges in confidentiality, privacy, and authentication. Traditional Public Key Infrastructure (PKI) is too rigid and costly for massive, ephemeral IoT deployments. Moreover, device authentication is often overlooked in favor of service authentication, leaving the security of the ecosystem as a whole unaddressed. DNSSEC combined with DANE introduces a new paradigm in which service authentication can be managed globally, extending trust to locally generated, type-agnostic credentials. This framework can accommodate PKI certificates, self-signed credentials, and local keys, all of which can be verified by any client, local or remote. However, DNSSEC's signature proofs grow linearly with the number of secured records, inflating communication overhead and energy consumption, an issue aggravated by the larger sizes of post-quantum signatures. Additionally, current DNSSEC delegation mechanisms lack the flexibility needed for secure load balancing and isolation. In this article, we present a collision-based DNSSEC signature-delegation mechanism designed to overcome these scalability limitations. By allowing a central DNS authority to delegate signing responsibilities to local DNS servers, our approach reduces certificate-management overhead and enables a dynamic, hierarchical trust model. It supports both service and device authentication in a unified DNS-name-based security context. Our evaluation shows that the proposed mechanism maintains a stable computational cost irrespective of credential count, a critical benefit for large-scale, resource-constrained IoT deployments.

By leveraging existing DNS infrastructure and standards, this solution enhances scalability and efficiency compared to traditional PKI and DNSSEC, while promoting interoperability and ease of deployment. It also opens the way to adopting future post-quantum trapdoor systems that are still under research and development.
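The DANE side of the framework described above, as an added illustration that is not code from the paper: a DNSSEC-signed TLSA record (RFC 6698, usage 3 "DANE-EE", selector 1 SPKI, matching type 1 SHA-256) binds a locally generated device key to a DNS name, so any resolver that validates the DNSSEC chain can check the presented key without a CA-issued certificate. The key bytes are a constructed stand-in for a DER SubjectPublicKeyInfo; only the Python standard library is used, and the RRSIG over the record (the part the paper's delegation mechanism concerns) is assumed to have been validated already.

```python
import hashlib
import hmac

# TLSA field values (RFC 6698). Usage 3 (DANE-EE) makes the record itself the
# trust anchor, which is what lets self-signed or local keys be verified.
USAGE_DANE_EE = 3
SELECTOR_SPKI = 1       # match the SubjectPublicKeyInfo, not the whole certificate
MATCHING_SHA256 = 1

# Constructed stand-in for a device's DER-encoded SubjectPublicKeyInfo (not a real key).
DEVICE_SPKI = b"\x30\x59\x30\x13" + b"\x42" * 87


def build_tlsa(spki: bytes) -> str:
    """Zone-side: presentation form of a '3 1 1' TLSA record for this key."""
    digest = hashlib.sha256(spki).hexdigest()
    return f"{USAGE_DANE_EE} {SELECTOR_SPKI} {MATCHING_SHA256} {digest}"


def tlsa_wire(record: str) -> bytes:
    """RDATA wire form: one octet each for usage/selector/matching, then the digest."""
    usage, selector, matching, data = record.split()
    return bytes([int(usage), int(selector), int(matching)]) + bytes.fromhex(data)


def verify_presented_key(record: str, presented_spki: bytes) -> bool:
    """Client-side: does the key the device presents match the signed TLSA record?"""
    usage, selector, matching, data = record.split()
    if (int(usage), int(selector), int(matching)) != (USAGE_DANE_EE, SELECTOR_SPKI, MATCHING_SHA256):
        return False  # only the DANE-EE / SPKI / SHA-256 combination is handled here
    presented = hashlib.sha256(presented_spki).hexdigest()
    return hmac.compare_digest(presented, data)  # constant-time comparison


if __name__ == "__main__":
    rec = build_tlsa(DEVICE_SPKI)
    print("_443._tcp.device1.example. IN TLSA", rec)   # example owner name, constructed
    print("wire length:", len(tlsa_wire(rec)))
    print("genuine key accepted:", verify_presented_key(rec, DEVICE_SPKI))
    print("tampered key accepted:", verify_presented_key(rec, DEVICE_SPKI[:-1] + b"\x00"))
```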