DNSSEC trust chain breaks create “security islands,” preventing subordinate domains from being validated by their parent authorities and undermining cross-level trust. To address this, we propose DnTLS—a decentralized authentication mechanism that integrates TLS protocol semantics with IP-address-based certificates, introducing IP-based PKI identity verification for end-to-end inter-level DNS authentication for the first time. Unlike conventional approaches, DnTLS does not require full DNSSEC deployment nor mandatory involvement of certificate authorities, thereby circumventing traditional hierarchical trust constraints. Experimental evaluation demonstrates that DnTLS effectively bridges security islands, significantly improving cross-domain validation coverage and deployment flexibility while reducing infrastructure dependencies. The scheme enhances the security, resilience, and scalability of the DNS ecosystem without compromising compatibility or operational simplicity.

The Domain Name System (DNS) serves as the backbone of the Internet, primarily translating domain names to IP addresses. Over time, various enhancements have been introduced to strengthen the integrity of DNS. Among these, DNSSEC stands out as a leading cryptographic solution. It protects against attacks (such as DNS spoofing) by establishing a chain of trust throughout the DNS nameserver hierarchy. However, DNSSEC's effectiveness is compromised when there is a break in this chain, resulting in "Islands of Security", where domains can authenticate locally but not across hierarchical levels, leading to a loss of trust and validation between them. Leading approaches to addressing these issues were centralized, with a single authority maintaining some kind of bulletin board. This approach requires significantly more infrastructure and places excessive trust in the entity responsible for managing it properly. In this paper, we propose a decentralized approach to addressing gaps in DNSSEC's chain of trust, commonly referred to as "Islands of Security". We leverage TLS and IP-based certificates to enable end-to-end authentication between hierarchical levels, eliminating the need for uniform DNSSEC deployment across every level of the DNS hierarchy. This approach enhances the overall integrity of DNSSEC, while reducing dependence on registrars for maintaining signature records to verify the child nameserver's authenticity. By offering a more flexible and efficient solution, our method strengthens DNS security and streamlines deployment across diverse environments.