We present the Internet Key Service (IKS), a distributed architecture for authenticated distribution of public keys, layered on Secure DNS (DNSSEC). Clients use DNSSEC to securely discover the identities of the relevant IKS servers, and send key lookup or management requests directly to these servers using a special-purpose protocol. Clients authenticate keys retrieved from IKS servers using key commitments published in DNSSEC. IKS derives its authentication authority from the authority DNS domains have over Internet names. The IKS architecture is loosely coupled with DNS to minimize overhead on DNS servers. We also present RIKS, a prototype IKS implementation.
John P. Jones, Daniel F. Berger, Chinya V. Ravisha