Mr Jerry Lundström (DNS-OARC), Mr Keith Mitchell (DNS-OARC)
Mr Keith Mitchell (DNS-OARC)
Mr Pavel Odintsov (Cloudflare)
Cloudflare hosts managed DNS infrastructure for over 5 million zones. In 2016 we began work on re-building a core part of our DNS Nameserver (rrDNS) and data provisioning software to better handle the scale as well as to improve reliability and performance, and pave the way for new features. DNS operations and systems are not immune from scaling bumps; things that work great for 100K domains...
Mr Ondrej Sury (CZ.NIC)
I would like to study and present the effect of parent (TLD) zone TTL changes based on the behaviour of different DNS resolver implementations and how they handle the delegation NS TTLs. The presentation will include different scenarios where the TTL matters, might matter, might not matter, or doesn't matter at all, depending on the DNS resolver implementation.
Mr Geoff Huston (APNIC)
There are 12 different root server anycast constellations, and they all serve the same root zone data. But do they all serve this data the same way? In particular, when the response size is large do all these root server systems respond in the same manner? This is a report on the different forms of responses that were observed when the root servers were coerced into offering a larger than...
Jan Včelák (NS1)
The vast majority of DNS traffic happens over UDP. We can pretty much predict how the resolvers will spread the load, deal with timeouts and server failures. But what will happen if we force the clients to use TCP? Is TCP a first-class citizen in modern resolvers, or is it only a fallback mechanism? And can the resolvers use established TCP connections effectively? In this talk, I will try...
Santiago Ruano Rincón (IMT Atlantique)
In this presentation we show our ongoing work to develop a testbed --based on software and commodity hardware-- to research flooding attacks against DNS infrastructure. We have currently developed two prototype components: a flooding DNS query generator, able to saturate 10GbE links with 11Mrps, and an online detector of overabundantly queried domains at reception. Relying on DPDK and...
Mr Bert Hubert (PowerDNS)
Using techniques inspired by the HyperLogLog counting algorithm, it has proven possible to rapidly measure the number of DNSSEC-signed delegations worldwide for both NSEC and NSEC3 zones, using around 4096 queries per zone. In this presentation, I will briefly describe HyperLogLog & then how this maps to NSEC names and NSEC3 hashes. I will also discuss how reliable results from measuring...
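As an added example (not the presenter's code), the simulation below shows the idea the abstract builds on: NSEC3 hashes are close to uniformly distributed, so the gaps between neighbouring hashes reveal how many signed names exist, and a few thousand queries for random names are enough to estimate a zone's size. HyperLogLog estimates cardinality from the longest run of leading zero bits seen across hashes; the estimator used here is a simpler size-biased gap estimator on the same uniformity assumption, chosen so the example stays short, and is my choice, not the method of the talk. The zone (synthetic names, empty salt, zero iterations) and the authoritative server's "which NSEC3 covers this hash?" answer are simulated in-process, so it runs offline; NSEC (unhashed) chains are not covered because owner names are not uniform.

```python
"""Estimate how many names an NSEC3-signed zone holds from the hash gaps
returned for queries for random (non-existent) names.

Added example, not code from the talk. Zone contents, probe names and
the size-biased estimator are assumptions made for this example.
"""
import hashlib
from bisect import bisect_right

HASH_SPACE = 1 << 160  # SHA-1 output range; NSEC3 hashes live on this circle


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> int:
    """NSEC3-style hash: SHA-1 over the lower-cased wire-format owner name
    plus salt, re-hashed `iterations` extra times (RFC 5155 section 5).
    Returned as an integer so gaps can be measured arithmetically."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return int.from_bytes(digest, "big")


class SimulatedNsec3Zone:
    """Stands in for the authoritative server: holds the sorted NSEC3 chain
    and answers a query by returning the (prev, next) hashes whose NSEC3
    record covers the queried hash, exactly as an NXDOMAIN proof would."""

    def __init__(self, names, salt: bytes = b"", iterations: int = 0):
        self.chain = sorted(nsec3_hash(n, salt, iterations) for n in names)

    def covering_gap(self, qhash: int):
        i = bisect_right(self.chain, qhash)
        if i == 0 or i == len(self.chain):
            # Below the first or above the last hash: the chain wraps around.
            return self.chain[-1], self.chain[0]
        return self.chain[i - 1], self.chain[i]


def gap_length(prev: int, nxt: int) -> int:
    """Distance from prev to nxt going forward on the hash circle."""
    return (nxt - prev) % HASH_SPACE


def estimate_zone_size(zone, probe_names, salt: bytes = b"", iterations: int = 0) -> float:
    """A point dropped uniformly on the circle lands in a gap with
    probability proportional to the gap's length, so the observed gaps are
    size-biased: mean 2/(N+1) instead of 1/N. With K probes this gives
    N ~= 2K / sum(gap fractions)."""
    total = 0
    for name in probe_names:
        prev, nxt = zone.covering_gap(nsec3_hash(name, salt, iterations))
        total += gap_length(prev, nxt)
    k = len(probe_names)
    return 2 * k * HASH_SPACE / total


def demo_estimate(zone_size: int = 50000, probes: int = 4096):
    """Build a synthetic zone of `zone_size` names, probe it `probes` times
    (the ~4096 the abstract mentions) and return (true size, estimate)."""
    zone = SimulatedNsec3Zone(f"host{i}.example." for i in range(zone_size))
    names = [f"probe{j}.example." for j in range(probes)]
    return zone_size, estimate_zone_size(zone, names)


if __name__ == "__main__":
    true_n, est = demo_estimate()
    print(f"true: {true_n}  estimated: {est:.0f}  error: {abs(est - true_n) / true_n:.1%}")
```

With 4096 probes the relative error of this estimator is on the order of 1/sqrt(2K), about 1%. Against a real server the hashes would come from the NSEC3 records in NXDOMAIN responses, and the salt and iteration count from the zone's NSEC3PARAM record. Zones that synthesise minimally covering NSEC/NSEC3 records on the fly (online signing) defeat the measurement entirely, since the gaps then say nothing about the zone's contents.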
Mr Ondrej Sury (CZ.NIC)
The DNS Violations effort was kicked off a few days ago. In this presentation, I am going to cover the most common types of DNS protocol violations with real-world examples, recommendations and workarounds. I would also like to initiate a discussion about possible ways to move forward and whether we need and want to take a stand.
Mr Ray Bellis (Internet Systems Consortium, Inc.)
I will describe (and hopefully demonstrate) ISC's Performance Lab System, which we intend to release as Open Source by the time of the workshop. This system performs continuous builds and tests of multiple configurations of BIND9 and other DNS software for the purpose of tracking long term trends, identifying performance regressions, and for testing the effects on performance of...
Evan Thompson (CIRA)
While metrics comparing the query performance of various DNS software are readily available, similar metrics comparing provisioning performance are not as easily found. Over the last year CIRA’s secondary managed DNS platform, D-Zone, experienced large growth with the potential for even more expansion in the next year. Accordingly, we are required to reexamine our current DNS implementation...
Mr Petr Špaček (CZ.NIC)
All DNS resolver vendors face the same question: Is the new version going to upset users? This is a very hard question to answer because DNS resolvers have many use-cases and have to deal with variations in DNS protocol implementations. Opinions on best practices in software testing vary... but from the functional perspective the most important criterion is whether users are able to resolve...
Matt Larson (ICANN)
ICANN would like to provide another update on the progress of the root zone KSK rollover. Since the rollover is scheduled for October 11, 2017, this DNS-OARC workshop could be the last one before the rollover takes place in the fall, so we would appreciate one more chance to reach the important segment of the DNS operational community that attends DNS-OARC workshops. Recent developments to...
Mr Geoff Huston (APNIC)
The forthcoming roll of the Root Zone KSK has prompted some studies of the behaviour of resolvers that ask questions of the root. Some of these studies use direct experimentation, where a large number of end users are given a DNS name to resolve in order to understand the behaviour of the DNS recursive resolvers that they use. The DNS responses they are given are intended to mimic the...
David Lawrence (Akamai Technologies), Jan Včelák (NS1), Shumon Huque (Salesforce)
NSEC5 is a proposed enhancement to DNSSEC that provably prevents zone enumeration. It does this by replacing the hashes used in NSEC3 with hashes computed by a verifiable random function (VRF), and requiring authoritative servers to perform a small amount of online cryptography for negative responses. This talk will give an overview of the latest NSEC5 protocol specification, and describe the...
Paul Hoffman (ICANN)
There is a lot of talk about the need for post-quantum cryptography (PQC) due to the possibility that quantum computers will be able to break the current cryptography in coming decades. If it becomes possible to build massive quantum computers, all cryptographic protocols will probably move to using PQC algorithms. It is expected that PQC algorithms for signatures use keys and/or signatures...
Shane Kerr (Oracle / Dyn)
EDNS Key Tag promises to provide much-needed information about the DNSSEC configuration of recursive resolvers. Sadly, this technology is not yet standardized or implemented. Luckily, we can fake it in a useful way. This presentation very briefly covers the EDNS Key Tag as well as a hack built to provide EDNS Key Tag functionality for systems that do not support it. Also, we learn that awk...
Mr Ólafur Guðmundsson (CloudFlare)
Cloudflare operates multiple DNS services in over 100 data centers around the globe, which makes troubleshooting with unstructured logs or packet captures impractical due to its storage and computational costs. In the first part of this talk we’ll go over our current data analytics architecture and how we got there, after a few false starts. This will cover logging infrastructure, that...
Merike Kaeo (Farsight Security)
This talk will provide updates on dnstap, including the latest code developments and operational use cases. It will detail the results of tests that compare performance characteristics of a dnstap enabled pDNS sensor versus those of a BPF pDNS sensor.
Mr Alexander Mayrhofer (nic.at GmbH)
Many DNS operators, particularly those of high volume authoritative servers (such as TLD operators) perform operational monitoring of incoming (and outgoing) DNS query load. Often, this entails capturing (and subsequently storing and analyzing) the query/response stream. With DNS query rates (and hence traffic) increasing year by year, operators face the challenge that capture, transport...
Matthew Pounsett (Rightside)
Dr Maciej Korczynski (Delft University of Technology)
Domain names are a critical resource for legitimate users, but also for criminals. This has led to a variety of attacks on the underlying technology, the Domain Name System (DNS) infrastructure. Registrars have been hacked, attackers have set up malicious domain name resolution services and DNS caches have been poisoned. What most attacks share in common is that they compromise the resolution...
Dr Giovane Moura (SIDN Labs)
Please see the paper at , and the blog post at . But in short, this is a concise survey paper on the forms of DNS abuse and their relation to TLD operators. We show how we can use the datasets we have in hand to detect these sorts of abuse, and how each of them has a different business model that leaves distinct traces in our datasets. IMHO, I think other TLD operators may benefit from that....
Mr Jaeson Schultz (Cisco Systems)
1. **Data exfiltration using the DNS**
   A. Multigrain malware, and other examples of the use of DNS for data exfiltration
      1. Detecting subdomain-type data exfiltration through statistical analysis of subdomain lengths
   B. Use of DNS 0x20 / XQID / IDN as a covert channel
      1. Cisco Talos stats on malware's use of mixed-case, XQID, and other queries
   C. ...
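Item A.1 above, detecting subdomain-type exfiltration from the statistics of subdomain lengths, is the kind of check that can be run straight over a query log. The script below is an added example, not Cisco Talos code: it groups queries by registered domain, computes the mean and maximum subdomain length per domain (with per-character entropy as a second signal, since exfiltrated data is usually encoded), and flags domains that exceed the thresholds over enough queries. The log format, the thresholds and the two-label cut-off for "registered domain" are assumptions for the example; the sample log lines are constructed. Mixed-case names are counted but deliberately not used to flag anything, because resolvers that implement 0x20 case randomisation produce them legitimately.

```python
"""Flag registered domains whose subdomain labels look like an
exfiltration channel (long, high-entropy labels across many queries).

Added example, not Cisco Talos code. Log format, thresholds and the
two-label registered-domain rule are assumptions for this example.
"""
import math
from collections import defaultdict
from statistics import mean

# Constructed sample log: "<unix time> <client> <qname> <qtype>" per line.
# The bad-exfil.net queries carry base32-looking chunks in their labels.
SAMPLE_LOG = """\
1496232001 10.0.0.5 www.example.com. A
1496232002 10.0.0.5 mAiL.eXaMpLe.CoM. MX
1496232003 10.0.0.7 cdn-a12.static.example.org. AAAA
1496232004 10.0.0.7 api.example.org. A
1496232005 10.0.0.9 xk7p2ve3qfzmjr4gcdyna5lbtwoh6su2.q4a7vdmc3hfr6nkz.0001.bad-exfil.net. TXT
1496232006 10.0.0.9 h3tv5rqz2mwpf7ynlakd4cjsb6gxe2uo.zs2md7kx4avbq6lh.0002.bad-exfil.net. TXT
1496232007 10.0.0.9 c6mzb3udqr2txh7fpjn5vekawl4ys2go.tq7xlc2nhs5kdfr6.0003.bad-exfil.net. TXT
1496232008 10.0.0.9 v2gkxq7mze4srwbh3tdpl5cnfj6uya2o.mf4qz7dvks3wlc2h.0004.bad-exfil.net. TXT
1496232009 10.0.0.5 www.example.com. A
"""


def parse_log(text):
    """Return a list of (client, qname, qtype) from the constructed format."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        records.append((client, qname, qtype))
    return records


def split_name(qname):
    """Return (subdomain, registered_domain). The registered domain is taken
    as the last two labels, lower-cased; a real tool would consult the
    Public Suffix List so that names under e.g. co.uk group correctly."""
    labels = qname.rstrip(".").split(".")
    registered = ".".join(labels[-2:]).lower()
    subdomain = ".".join(labels[:-2])
    return subdomain, registered


def shannon_entropy(s):
    """Bits per character of s, case-folded, dots ignored; 0.0 for empty."""
    s = s.replace(".", "").lower()
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_mixed_case(label):
    return any(ch.isupper() for ch in label) and any(ch.islower() for ch in label)


def domain_stats(records):
    """Per registered domain: query count, mean and max subdomain length,
    mean entropy of the subdomain part, and how many names mixed case."""
    buckets = defaultdict(list)
    for _client, qname, _qtype in records:
        sub, reg = split_name(qname)
        buckets[reg].append(sub)
    stats = {}
    for reg, subs in buckets.items():
        lengths = [len(s) for s in subs]
        stats[reg] = {
            "queries": len(subs),
            "mean_len": mean(lengths),
            "max_len": max(lengths),
            "mean_entropy": mean(shannon_entropy(s) for s in subs),
            "mixed_case": sum(is_mixed_case(s) for s in subs),
        }
    return stats


def suspicious_domains(text, min_queries=3, len_threshold=30.0, entropy_threshold=3.0):
    """Registered domains whose subdomains are, on average, both long and
    high-entropy across at least min_queries queries. Thresholds are
    example values; baseline them against your own resolver's traffic."""
    flagged = []
    for reg, st in domain_stats(parse_log(text)).items():
        if (st["queries"] >= min_queries
                and st["mean_len"] >= len_threshold
                and st["mean_entropy"] >= entropy_threshold):
            flagged.append(reg)
    return sorted(flagged)


if __name__ == "__main__":
    for reg, st in sorted(domain_stats(parse_log(SAMPLE_LOG)).items()):
        print(f"{reg:16} n={st['queries']} mean_len={st['mean_len']:.1f} "
              f"entropy={st['mean_entropy']:.2f} mixed_case={st['mixed_case']}")
    print("suspicious:", suspicious_domains(SAMPLE_LOG))
```

Length alone is a weak signal on its own: CDNs, anti-spam services and DNSBLs also generate long, encoded-looking labels, which is why the check combines length with entropy and a minimum query count, and why a production version would whitelist known services and compare each domain against a learned baseline rather than fixed thresholds.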
Dr Sara Dickinson (Sinodun IT)
The DPRIVE Working Group has recently produced several standards relating to DNS-over-TLS as a method for encrypting stub-to-recursive communications. Whilst there are several implementations available, deployment is still in the early stages. Several experimental DNS-over-TLS servers have been running since 2016, and the dnsprivacy.net project is aiming to:
- Increase DNS-over-TLS...
Mr Willem Toorop (NLnet Labs)
Many transactions that need to be trustworthy, and possibly encrypted, start with a DNS query. If we consider security from the ground up, we need to include end users' DNS transactions with resolvers in the security realm. The minimal step is DNSSEC, where the received data can be verified and validated to be correct and authentic. But if we want to take security and privacy a step further,...
Paul Hoffman (ICANN)
Dr Sara Dickinson (Sinodun IT)
Ralph Dolmans (NLnet Labs)
Mr Peter van Dijk (PowerDNS)