A new proposal from researchers at Azure Research aims to embed confidential computing into the core of the internet’s naming system. Known as attested DNS (aDNS), the system binds domain names not just to owners, but to verifiable, hardware-protected implementations of services. By leveraging Trusted Execution Environments (TEEs), the paper suggests aDNS allows users to confirm that a service is running trusted software on secure hardware—without requiring custom applications or protocols.
Verifiing trust: The system, called attested DNS (aDNS), reimagines how trust is established online. Instead of merely verifying that a service has a valid TLS certificate—as today’s browsers do—aDNS binds a domain name directly to a TEE-verified implementation of the service. In other words, when a user connects to `service.conf`, they can be confident not just about who owns the site, but also about the software and hardware it runs on.
Attestation records: aDNS works by extending traditional DNS protocols, including DNSSEC and DANE, with attestation records that confirm a service complies with security policies defined by its domain owner. These records are stored in a transparent, append-only log and validated by aDNS servers running inside TEEs themselves—ensuring that both the service and the naming authority are secure.
To ease adoption, the system supports legacy web clients via integration with public certificate authorities and is backed by an open-source browser extension for attestation-aware browsing. The team demonstrated the feasibility of their model using services built on Intel SGX, AMD SEV-SNP, and confidential containers, all while maintaining minimal latency overhead.
Source: https://circleid.com/
