11 August 2020
UTC timezone
Doors open at 12:45 UTC. Session starts at 13:00 UTC

The Current State of DNS Resolvers and RPKI Protection.

11 Aug 2020, 13:05
Standard Presentation Online Workshop


Willem Toorop (NLnet Labs)


The Border Gateway Protocol (BGP) is responsible for routing on the Internet. BGP has no security measures, which makes it prone to IP prefix hijacking and route leaks. To defend against these threats, Resource Public Key Infrastructure (RPKI) has been developed by the IETF. RPKI secures the Internet's routing infrastructure by signing and validating prefix origin data.

However, there are still situations in which one may indirectly fall victim to prefix hijacks even if one's own AS is RPKI-protected. A good example of this is the Amazon Route 53 BGP hijack. In this example, the prefixes of the Amazon authoritative DNS servers were hijacked. Any AS with a DNS resolver not protected by RPKI would receive a valid but malicious response from the hijacked authoritative DNS server, even if the AS from which the query originated was RPKI-protected. For end users to be fully protected, their DNS resolvers, in addition to the network in which they reside, also need to be in RPKI-protected networks.

In this talk we will present research on the state of RPKI protection of DNS resolvers. We used RIPE Atlas to send queries through the DNS resolvers configured on the RIPE Atlas probes. Resolution of these queries went through a CNAME referencing a domain served on an invalid prefix. This enabled us to determine whether a probe's DNS resolver was RPKI-protected or not. Measurements have been done for all DNS resolvers on all RIPE Atlas probes, hourly since the 23rd of January.
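
An added example, not code from the talk or its authors: route origin validation as defined in RFC 6811, which is what makes a prefix "invalid", followed by the inference the abstract describes for a probe's resolver. The ROAs, ASNs, probe labels and the control lookup are assumptions constructed for illustration.

```python
import ipaddress

# Constructed ROAs (documentation prefixes, private-use ASNs):
# (prefix, max_length, authorised origin ASN)
ROAS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64501),
]

def rov_state(prefix, origin_asn, roas=ROAS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        if route.version != roa_prefix.version or not route.subnet_of(roa_prefix):
            continue
        covered = True  # some ROA covers this route
        if route.prefixlen <= max_len and roa_asn == origin_asn:
            return "valid"
    # Covered but never matched: wrong origin or too specific a prefix.
    return "invalid" if covered else "not-found"

def classify_resolver(control_ok, test_ok):
    """Infer RPKI protection from two lookups sent via one probe's resolver.

    control_ok: a name served on a valid prefix resolved (assumed baseline,
                not described in the abstract).
    test_ok:    the CNAME target served on the invalid prefix resolved.
    """
    if not control_ok:
        return "inconclusive"  # resolver broken or unreachable, no signal
    return "unprotected" if test_ok else "protected"

def summarise(results):
    """Count classifications over {resolver_label: (control_ok, test_ok)}."""
    counts = {"protected": 0, "unprotected": 0, "inconclusive": 0}
    for control_ok, test_ok in results.values():
        counts[classify_resolver(control_ok, test_ok)] += 1
    return counts

# Constructed measurement results for three probe resolvers.
SAMPLE = {
    "probe-A": (True, False),
    "probe-B": (True, True),
    "probe-C": (False, False),
}

if __name__ == "__main__":
    print(rov_state("192.0.2.0/25", 64500), summarise(SAMPLE))
```

A resolver that still reaches the name on the invalid prefix sits in a network that does not drop invalid routes, so it would also follow a hijacked route to an authoritative server.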

Talk Duration 20 minutes

Primary author

Willem Toorop (NLnet Labs)


Marius Brouwer (University of Amsterdam (master student))

Erik Dekker (University of Amsterdam (master student))
