Abstract
This disclosure addresses subdomain takeover vulnerabilities, which can occur when a cloud resource is deprovisioned but its corresponding domain name system (DNS) record is not, leaving a dangling pointer. The described system uses a cryptographic tombstone record: upon resource deletion, a new, digitally signed tombstone record is published to the DNS. This tombstone acts as a persistent and verifiable signal of intentional absence, an alternative to relying on removal of the DNS record to signal de-authorization. Participating service providers honor this signal, through a verification protocol, before permitting a new binding to the name. This approach leaves the name in a more secure state after resource deletion, mitigating the risk of takeover by design, and may offer a basis for a cross-platform standard.
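As an added example (not code from the disclosure), the following Go sketch shows both halves of the scheme: the owner publishing a signed tombstone at the deleted name, and a provider verifying it before accepting a new binding. The TXT encoding, the canonical signed string, and the assumption that the provider already holds the owner's Ed25519 public key (for instance via a key record at the zone apex) are assumptions of this example, not details the disclosure specifies.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// canonical is what the owner signs: the lower-cased name bound to the
// deletion time, so a tombstone cannot be replayed against another name.
func canonical(name string, deleted int64) []byte {
	return []byte(fmt.Sprintf("tombstone|%s|%d", strings.ToLower(name), deleted))
}

// PublishTombstone builds the TXT value the owner publishes at the name on
// deletion (hypothetical encoding: "v=tombstone1 <name> <unix-time> <sig>").
func PublishTombstone(priv ed25519.PrivateKey, name string, deleted int64) string {
	sig := ed25519.Sign(priv, canonical(name, deleted))
	return fmt.Sprintf("v=tombstone1 %s %d %s", name, deleted,
		base64.StdEncoding.EncodeToString(sig))
}

// tombstoneValid reports whether txt is a tombstone for name whose
// signature verifies under the owner's public key (assumed already known).
func tombstoneValid(pub ed25519.PublicKey, name, txt string) bool {
	f := strings.Fields(txt)
	if len(f) != 4 || f[0] != "v=tombstone1" || !strings.EqualFold(f[1], name) {
		return false
	}
	deleted, err1 := strconv.ParseInt(f[2], 10, 64)
	sig, err2 := base64.StdEncoding.DecodeString(f[3])
	if err1 != nil || err2 != nil {
		return false
	}
	return ed25519.Verify(pub, canonical(f[1], deleted), sig)
}

// AllowBinding is the provider-side check before accepting a new binding:
// a valid tombstone for the name signals intentional absence, so refuse.
func AllowBinding(pub ed25519.PublicKey, name string, txtRecords []string) bool {
	for _, txt := range txtRecords {
		if tombstoneValid(pub, name, txt) {
			return false
		}
	}
	return true
}
```

A forged or mis-keyed tombstone, or one for a different name, is ignored, so the absence of any valid tombstone still lets a legitimate new binding proceed.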
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Recommended Citation
Liu, Mei Yue, "The Cryptographic DNS Tombstones for Subdomain Takeover Prevention", Technical Disclosure Commons, ()
https://www.tdcommons.org/dpubs_series/10121