DNSSEC+: An Enhanced DNS Scheme Motivated by Benefits and Pitfalls of DNSSEC

📅 2024-08-02
🏛️ arXiv.org
🤖 AI Summary
Longstanding DNS infrastructure lacks a mechanism that simultaneously ensures security, privacy, and practical deployability between recursive resolvers and authoritative servers; existing solutions either suffer from deployment barriers or insufficient security and privacy guarantees. This paper proposes DNSSEC+, an enhanced DNS protocol achieving single-round-trip latency. Its core innovation is the “in-zone delegation replica” hierarchical trust model, enabling short-term renewable key delegation—eliminating the need for long-term private key distribution. DNSSEC+ integrates time-bound digital signatures, lightweight cryptographic verification, and standardized DNS protocol extensions. Experimental evaluation demonstrates that its server-side latency, resolution time, and CPU overhead are comparable to conventional DNS, while significantly outperforming DNS-over-TLS. For the first time, DNSSEC+ achieves strong authentication, forward secrecy, and query privacy in concert—without compromising efficiency.

📝 Abstract
The absence of security and privacy measures between DNS recursive resolvers and authoritative nameservers has been exploited by both on-path and off-path attackers. While many security proposals have been made in practice and in previous literature, they typically face deployability barriers and/or lack a compelling set of security and privacy properties, resulting in limited adoption. We introduce DNSSEC+, a novel DNS scheme designed to mitigate the security and privacy vulnerabilities of the DNS resolution process between resolvers and nameservers, while preserving the efficiency of the resolution process by maintaining a single round trip. DNSSEC+ takes advantage of a hierarchical trust model that does not rely on entities external to DNS zones, but delegates nameserver replicas within a zone to serve zone data securely for short but renewable time intervals, facilitating real-time security properties for DNS messages without requiring long-term private keys to be duplicated (and thus exposed to risk) on such replicas. We implement a proof of concept of DNSSEC+ for evaluation and show that for server-side processing latency, resolution time, and CPU usage, DNSSEC+ is comparable to less-secure schemes but significantly outperforms DNS-over-TLS.
Problem

Enhances DNS security between resolvers and nameservers
Reduces deployability barriers while improving privacy
Maintains efficiency with single round-trip resolution
Innovation

Hierarchical trust model without external entities
Delegates nameserver replicas within a zone to serve zone data securely for short, renewable intervals
Single round-trip maintains resolution efficiency
Authors
Ali Sadeghi Jahromi, Carleton University, Ottawa, Canada
A. Abdou, Carleton University, Ottawa, Canada
P. van Oorschot, Carleton University, Ottawa, Canada