Reliable and Decentralized Certificate Revocation via DNS: The Case for RevDNS

Date

2025

Publisher

ACM

Abstract

The Online Certificate Status Protocol’s long slide—after 25 years of soft-fail rules, privacy leakage, and shaky infrastructure—exposes a deeper failure in web-PKI revocation. Certificate Authorities increasingly route OCSP traffic through CDNs for speed, yet this recentralizes trust: our measurements show Akamai serves 62 percent of all revocation responses, creating single points of failure and betraying PKI’s decentralized ideals.

We present RevDNS, a DNS-based revocation scheme that drops CDN dependence while preserving real-time guarantees. Revoked serial numbers live in DNSSEC-signed TXT records; NSEC proofs of nonexistence allow aggressive negative caching (RFC 8198), so recursive resolvers answer 99.8 percent of checks without contacting a CA's authoritative servers. From 1.1 billion certificates and 5 million revocations, we find that a large CA such as Let’s Encrypt can publish data for 612 million certificates in a 345 MB zone, with resolvers shouldering nearly every lookup.

Because answers piggyback on ordinary DNS lookups, RevDNS adds no latency and discloses no more about users than standard DNS traffic. By keeping revocation authority with CAs and avoiding fragile hacks like short-lived certificates, RevDNS delivers a durable, decentralized path for TLS revocation—one that finally aligns operational practicality with the web’s security ambitions.
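As an added illustration (not code from the paper or from any RevDNS implementation), the following Python models the mechanism the abstract describes: a per-CA zone holding one TXT record per revoked serial, an NSEC chain over those owner names, and a recursive resolver that uses cached NSEC records to answer "not revoked" without contacting the authoritative server. The zone name revoked.ca.example, the serial-to-name mapping, the TXT payload and the constructed serial numbers are assumptions, not the paper's design; RRSIG generation and validation are omitted so the example runs offline.

```python
"""Toy model of RevDNS-style revocation lookups with NSEC negative caching.

Added illustration, not the paper's code. Our assumptions: the lookup name is
the certificate serial as lowercase hex under a hypothetical per-CA zone, a
TXT record exists only for revoked serials, and absence is proven by the NSEC
chain. RRSIG validation is not modelled, only the NSEC coverage logic that lets
a resolver answer "not revoked" from cache (RFC 8198 aggressive caching).
"""
from dataclasses import dataclass

ZONE = "revoked.ca.example."  # hypothetical per-CA revocation zone apex
WILDCARD = "*." + ZONE        # wildcard at the closest encloser (always the apex here)

def canonical_key(name: str) -> tuple:
    """RFC 4034 s6.1 ordering: labels compared right to left, case-folded."""
    return tuple(reversed([l.lower().encode() for l in name.rstrip(".").split(".") if l]))

def revdns_name(serial: int) -> str:
    """Assumed mapping from certificate serial number to owner name."""
    return f"{serial:x}.{ZONE}"

@dataclass(frozen=True)
class Nsec:
    owner: str
    next_name: str  # next owner in canonical order; the last NSEC wraps to the apex

    def covers(self, name: str) -> bool:
        """True if this NSEC proves `name` does not exist in the zone."""
        o, n, q = (canonical_key(x) for x in (self.owner, self.next_name, name))
        return o < q < n if o < n else (q > o or q < n)

def build_zone(revoked: list[int]) -> tuple[dict[str, str], list[Nsec]]:
    """TXT records for revoked serials plus the NSEC chain over all owner names."""
    txt = {revdns_name(s): f'"{s:x}"' for s in revoked}  # TXT payload is assumed
    names = sorted([ZONE, *txt], key=canonical_key)
    return txt, [Nsec(names[i], names[(i + 1) % len(names)]) for i in range(len(names))]

def zone_lines(revoked: list[int]) -> list[str]:
    """Render the zone in presentation format (RRSIGs omitted)."""
    txt, chain = build_zone(revoked)
    out = []
    for rr in chain:
        if rr.owner in txt:
            out.append(f"{rr.owner} IN TXT {txt[rr.owner]}")
        types = "TXT RRSIG NSEC" if rr.owner in txt else "SOA NS DNSKEY RRSIG NSEC"
        out.append(f"{rr.owner} IN NSEC {rr.next_name} {types}")
    return out

class Authoritative:
    """The CA's name server; counts how often the resolver has to ask it."""
    def __init__(self, revoked: list[int]):
        self.txt, self.chain = build_zone(revoked)
        self.queries = 0

    def query(self, name: str):
        self.queries += 1
        if name in self.txt:
            return "TXT", self.txt[name], None
        # NXDOMAIN proof: NSEC covering the name plus NSEC covering the wildcard.
        cover = next(rr for rr in self.chain if rr.covers(name))
        wild = next(rr for rr in self.chain if rr.covers(WILDCARD))
        return "NXDOMAIN", cover, wild

class Resolver:
    """Validating recursive resolver with a positive cache and an NSEC cache."""
    def __init__(self, upstream: Authoritative):
        self.up, self.positive, self.nsecs = upstream, {}, []  # TTLs ignored

    def _proven_absent(self, name: str) -> bool:
        # RFC 8198 s5.1: synthesise NXDOMAIN only when cached NSECs cover both
        # the name and the wildcard at its closest encloser.
        return (any(rr.covers(name) for rr in self.nsecs)
                and any(rr.covers(WILDCARD) for rr in self.nsecs))

    def is_revoked(self, serial: int) -> tuple[bool, str]:
        name = revdns_name(serial)
        if name in self.positive:
            return True, "cache"
        if self._proven_absent(name):
            return False, "nsec-cache"
        rcode, a, b = self.up.query(name)
        if rcode == "TXT":
            self.positive[name] = a
            return True, "authoritative"
        for rr in (a, b):
            if rr not in self.nsecs:
                self.nsecs.append(rr)
        return False, "authoritative"

def simulate(revoked: list[int], checks: list[int]):
    """Run `checks` through one resolver; return per-check results and upstream query count."""
    auth = Authoritative(revoked)
    res = Resolver(auth)
    return [(s, *res.is_revoked(s)) for s in checks], auth.queries

if __name__ == "__main__":
    # Constructed data: three revoked serials, ten status checks.
    revoked = [0x1111, 0x3333, 0x5555]
    checks = [0x1111, 0x2222, 0x2999, 0x4444, 0x3333, 0x4000, 0x6666, 0xFFFF, 0x1111, 0x7777]
    print("\n".join(zone_lines(revoked)))
    results, upstream = simulate(revoked, checks)
    for serial, rev, source in results:
        print(f"{serial:#06x}: {'REVOKED' if rev else 'ok'} ({source})")
    print(f"{upstream} of {len(checks)} checks reached the authoritative server")
```

Run with python3: the ten constructed checks produce five upstream queries, the rest being answered from the positive cache or from cached NSEC records, which is the effect the abstract's 99.8 percent figure describes at scale. The wildcard test in _proven_absent is what keeps aggressive caching sound: without a cached NSEC covering *.zone a resolver could synthesise NXDOMAIN for a name that a wildcard record would have matched, and a revoked certificate published that way would wrongly pass the check.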
