Revocation of X.509 Certificates

APNIC Blog, Apr 24, 2026

Key Takeaways

  • DNSSEC‑signed TXT records store only revoked serial numbers
  • 99.8% of revocation checks served from cache, reducing CA load
  • 612 M Let’s Encrypt certs fit in a 345 MB DNS zone
  • Five CDNs handle ~70% of global OCSP traffic
  • Centralized OCSP undermines the original decentralized security model

Pulse Analysis

The public‑key infrastructure (PKI) that underpins HTTPS has long wrestled with revocation scalability. Traditional Online Certificate Status Protocol (OCSP) queries require real‑time contact with certificate authorities, creating latency spikes and exposing a single point of failure. As the number of X.509 certificates balloons—Let’s Encrypt alone issued over 600 million active certs—operators seek mechanisms that can verify revocation status without overwhelming CAs or degrading user experience.

A novel approach outlined in a recent SIGCOMM ’25 paper reimagines revocation distribution through DNSSEC. By publishing only revoked serial numbers as signed TXT records and relying on NSEC‑based negative caching, resolvers can answer the vast majority of checks locally. The study reports a 99.8% cache‑hit rate, meaning almost every validation avoids a network round‑trip. Moreover, the entire revocation dataset for Let’s Encrypt compresses into a 345 MB signed zone, a size easily handled by modern authoritative DNS servers. This DNS‑centric model not only slashes latency but also distributes trust across the DNS hierarchy, aligning revocation with the same security guarantees that protect TLSA records.
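The lookup model described above, as an added example that is not the paper's or APNIC's code: a small Python model of a zone that holds one TXT record per revoked serial plus an NSEC chain, and a resolver that caches both positive TXT answers and NSEC spans so that later checks for other serials in an already-proven-empty span are answered locally. The naming convention (`<serial-hex>.<issuer-label>.revoked.example.`), the issuer label and the revoked serials are constructed assumptions; RRSIG validation and TTL expiry are deliberately left out.

```python
"""Model of DNS-based certificate revocation with NSEC negative caching.

Added example, not code from the SIGCOMM '25 paper or APNIC.  Assumed
(hypothetical) naming convention:
    <serial as 32 zero-padded hex chars>.<issuer-label>.revoked.example.
A revoked serial is a TXT record.  A non-revoked serial is proven absent by
the NSEC record whose owner/next span covers the queried name (RFC 4034), and
a validating resolver may reuse that cached NSEC for every other name in the
same span (aggressive negative caching, RFC 8198).  RRSIG validation and TTL
expiry are out of scope and omitted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ZONE_APEX = "revoked.example."
ISSUER_LABEL = "r10"   # constructed issuer label, one per CA issuing key

# Constructed sample data: three revoked serials with their revocation reasons.
REVOKED_SERIALS = {0x10: "keyCompromise", 0x3000: "superseded", 0xABCDEF: "cessationOfOperation"}


def serial_name(serial: int) -> str:
    """Map a certificate serial number to its query name in the zone."""
    return f"{serial:032x}.{ISSUER_LABEL}.{ZONE_APEX}"


def canonical_key(name: str) -> Tuple[str, ...]:
    """RFC 4034 s6.1 canonical ordering: labels compared right to left,
    case-insensitively (ASCII code-point order equals byte order)."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if qname falls strictly inside the NSEC span owner -> nxt."""
    ko, kn, kq = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if kn <= ko:              # the last NSEC wraps around to the zone apex
        return kq > ko
    return ko < kq < kn


class Zone:
    """Authoritative zone: one TXT per revoked serial plus an NSEC chain."""

    def __init__(self, revoked: Dict[int, str]) -> None:
        self.txt: Dict[str, str] = {
            serial_name(s): f"revoked;reason={reason}" for s, reason in revoked.items()
        }
        names = sorted([ZONE_APEX, *self.txt], key=canonical_key)
        # Each name points at the next in canonical order; the last points back to the apex.
        self.nsec: List[Tuple[str, str]] = [
            (names[i], names[(i + 1) % len(names)]) for i in range(len(names))
        ]
        self.queries = 0   # authoritative queries actually received

    def query(self, qname: str) -> Tuple[Optional[str], Optional[Tuple[str, str]]]:
        """Return (TXT, None) for a revoked serial, else (None, covering NSEC)."""
        self.queries += 1
        if qname in self.txt:
            return self.txt[qname], None
        for owner, nxt in self.nsec:
            if nsec_covers(owner, nxt, qname):
                return None, (owner, nxt)
        raise ValueError(f"{qname} is outside {ZONE_APEX}")


@dataclass
class Resolver:
    """Validating resolver that caches positive TXT answers and NSEC spans."""
    zone: Zone
    txt_cache: Dict[str, str] = field(default_factory=dict)
    nsec_cache: List[Tuple[str, str]] = field(default_factory=list)
    cache_hits: int = 0

    def is_revoked(self, serial: int) -> bool:
        qname = serial_name(serial)
        if qname in self.txt_cache:
            self.cache_hits += 1
            return True
        if any(nsec_covers(o, n, qname) for o, n in self.nsec_cache):
            self.cache_hits += 1       # absence proof synthesized from a cached NSEC
            return False
        txt, nsec = self.zone.query(qname)
        if txt is not None:
            self.txt_cache[qname] = txt
            return True
        self.nsec_cache.append(nsec)
        return False


def simulate(checks: List[int]) -> Tuple[int, int]:
    """Run a stream of checks; return (cache hits, authoritative queries)."""
    zone = Zone(REVOKED_SERIALS)
    resolver = Resolver(zone)
    for s in checks:
        resolver.is_revoked(s)
    return resolver.cache_hits, zone.queries


if __name__ == "__main__":
    # Constructed check stream: mostly unrevoked serials clustered in a few NSEC spans.
    stream = [0x20, 0x25, 0x2F, 0x10, 0x4000, 0x4001, 0x5, 0xFFFFFF, 0x10, 0x20]
    hits, auth = simulate(stream)
    print(f"{hits} cache hits, {auth} authoritative queries for {len(stream)} checks")
```

The zero-padded hex label makes canonical DNS order coincide with numeric serial order, so each NSEC span covers a contiguous serial range; in the simulated stream, only the first check that lands in a span reaches the authoritative server, and every later check in that span is answered from the cached proof of absence, which is the mechanism behind the high cache-hit rate the study reports.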

In contrast to this technical innovation, operational data shows that OCSP has quietly become centralized. A handful of content‑delivery networks now serve roughly 70% of all OCSP responses, funneling revocation data through a few edge points. While this concentration improves performance, it reintroduces a single‑point‑of‑failure risk and diminishes the decentralized ethos of the original PKI design. Stakeholders must weigh the efficiency gains against potential outages or targeted attacks on these CDN nodes. The emerging DNSSEC‑based revocation scheme offers a path to restore decentralization while preserving speed, suggesting a future where certificate status checks are both resilient and performant.
