OARConline 35a

Brett Carr (Nominet), Jan Včelák (NS1), Keith Mitchell (DNS-OARC)

OARConline 35a will be a short format online Workshop.

DNS-OARC is a non-profit, membership organization that seeks to improve the security, stability, and understanding of the Internet's DNS infrastructure. Part of these aims are achieved through workshops.

DNS-OARC Workshops are open to OARC members and to all other parties interested in DNS operations and research.

Social Media hashtag: #OARC35a and #OARConline

Mattermost Chatroom: Workshops on chat.dns-oarc.net (sign-up here)



Sponsorship opportunities for OARConline 35a are available. Details at:




Your company name here?

Annual Workshop Patrons for 2022 - Next year - are available. Details at:




  • Abdulkareem Ali
  • Alden Hilton
  • Alexey Terentiev
  • Ali Saleh
  • Amanda Swain
  • Anand Buddhdev
  • Andreas Taudte
  • Andrey Bobyshev
  • Andy Seabolt
  • Anthony Lieuallen
  • Barbara Schleckser
  • Barbara Strom
  • Barry Greene
  • Benno Overeinder
  • Bill Snow
  • Brantly Millegan
  • Brett Carr
  • Brian Dickson
  • Brian King
  • Brian Somers
  • Bryan Hughes
  • Casey Deccio
  • Cathy Almond
  • Cedrick Adrien Mbeyet
  • Chris Cherry
  • Christian Elmerot
  • Christian Huitema
  • Christian Simmen
  • Clodagh Durkan
  • Cricket Liu
  • Damian Menscher
  • Darryl Wohlt
  • Dave Knight
  • Davey Song
  • David Clark
  • David Lawrence
  • Denesh Bhabuta
  • Dipa Thakkar
  • Dmitry Kohmanyuk
  • Duane Wessels
  • Eduardo Mercader
  • Emmanuel Bretelle
  • Erik Kline
  • Everett Fulton
  • Fatema Bannat Wala
  • Felipe Barbosa
  • Gaetan Gautier
  • Gary Lu
  • Gautam Akiwate
  • Gavin Brown
  • Geoffrey Huston
  • Gonzalo Romero
  • Greg Choules
  • Hazel Smith
  • Hiro Hotta
  • Isidro Hegouaburu
  • Ivan Laktyunkin
  • Jacob Zack
  • Jacques Latour
  • Jakob Dhondt
  • James Richards
  • Jan Horak
  • Jan Včelák
  • Jarle Fredrik Greipsland
  • Jaromír Talíř
  • Jean-Robert Hountomey
  • Jeffrey Damick
  • Jerry Lundström
  • Jessica Schumacher
  • Jessy Vetter
  • Jim Mozley
  • Jim Troutman
  • Joacim Sørheim
  • Joao Damas
  • Joe Abley
  • John Todd
  • Jonas Andersson
  • Josh Simpson
  • Karl Reuss
  • Kazunori Fujiwara
  • Kc Claffy
  • Keith Mitchell
  • Ken Renard
  • Klaus Darilion
  • Larry Campbell
  • Lars-Johan Liman
  • Lee Howard
  • Leo Liang
  • Leslie Osei
  • Maarten Bosteels
  • Maarten Wullink
  • Magnus / Mem Sandberg
  • Marc Dacier
  • Marc Groeneweg
  • Marcel Parodi
  • Marco Diaz
  • Marco Giuliani
  • Martin Mettig
  • Masa Sekimura
  • Masanori Yajima
  • Mat Ford
  • Matt Calder
  • Matthew Pounsett
  • Maung Han
  • Mauricio Vergara Ereche
  • Meir Kraushar
  • Michael Braunöder
  • Michael Daly
  • Michael De Frees
  • Miguel Alktun
  • Mike Zhang
  • Miklos Pasztor
  • Moritz Müller
  • Nicolai Leymann
  • Nils Wisiol
  • Oli Schacher
  • Omokorede Fatile
  • Ondřej Surý
  • Pallavi Aras-Mathai
  • Patrick Mevzek
  • Paul Duffy
  • Paul Ebersman
  • Paul Hoffman
  • Paul Muchene
  • Paul Radford
  • Peter Devries
  • Peter Hessler
  • Peter Janssen
  • Peter Koch
  • Peter Thomassen
  • Petr Špaček
  • Pierre Grie
  • Prashanth Suvarna
  • Priya Mohan
  • Puneet Sood
  • Ralf Weber
  • Reatrey Pich
  • Ricardo Schmidt
  • Richard Fisher
  • Richard Seabrook
  • Rick Olsen
  • Robert Story
  • Rocío De La Fuente
  • Roger Murray
  • Roland Dobbins
  • Roy Arends
  • Sam Weiler
  • Samaneh Tajalizadehkhoob
  • Shane Kerr
  • Shinta Sato
  • Shumon Huque
  • Sidan Qi
  • Sile Yang
  • Steve Dejong
  • Steve Dickinson
  • Steve Sullivan
  • Suzanne Woolf
  • Sven Van Dyck
  • Tamas Csillag
  • Tejas Karandikar
  • Terry Bernstein
  • Thibaud Duble
  • Thomas Koch
  • Tijay Chung
  • Tim April
  • Tim Wicinski
  • Traci Birckhead
  • Ulrich Wisser
  • Victor Cheburkin
  • Vincent Levigneron
  • Vittorio Bertola
  • Vladimir Cunat
  • Vladimir Suse
  • Vyto Grigaliunas
  • Warren Kumari
  • Wayne Maclaurin
  • Wes Hardaker
  • Willem Toorop
  • Yann Kerherve
  • Yaroslav Kolomiiets
  • Yohanes Santoso
  • Yong Ma
  • Yoshiro Yoneya
  • Yoshitaka Aharen
    • 2:45 PM
      Webinar room opens - while waiting, grab a drink and mingle with your peers at https://chat.dns-oarc.net
    • OARConline 35a: Session 1
      • 1
        Speaker: Mr Keith Mitchell (DNS-OARC)
      • 2
        How prevalent is the operation of DNS security mechanisms?

        The threat of attacks targeting a DNS, such as DNS cache poisoning attacks and DNS amplification attacks, continues unabated. In addition, attacks that exploit the difficulty in determining the authenticity of domain names, such as phishing sites and fraudulent emails, continue to be a significant threat.Various DNS security mechanisms have been proposed, standardized, and implemented as effective countermeasures against DNS-related attacks.However, it is not clear how widespread these security mechanisms are in the DNS ecosystem and how effectively they work in the wild.With this background, this study targets the major DNS security mechanisms deployed for the DNS name servers, DNSSEC, DNS Cookies, CAA, SPF, DMARC, MTA-STS, DANE, and TLSRPT, and a large-scale measurement analysis of their deployment is conducted.Our results quantitatively reveal that, as of 2021, the adoption rate of most DNS security mechanisms, except SPF, remains low, and the adoption rate is lower for mechanisms that are more difficult to configure.These findings suggest the importance of developing easy-to-deploy tools to promote the adoption of security mechanisms.

        Speaker: Masanori Yajima
      • 3
        More Mysterious Root Query Traffic from a Large Recursive Operator

        While performing an analysis of query names seen at the ICANN Managed Root Server (IMRS), ICANN staff discovered a significant amount of strange query traffic coming from one of the datacenters of a large, well-known recursive DNS operator. While this traffic was hitting a single IMRS instance, Verisign staff confirmed the odd traffic is observed at some of their root server instances as well. In this joint presentation, we present the findings, hoping to shed some light on its purpose, and eventually understand if it is strictly necessary.

        Speakers: Duane Wessels (Verisign), Mr Christian Huitema
      • 4
        Measurement of DNSSEC Validation with Edwards Curve Cryptography

        This is a report on a measurement conducted in May 2021 on the level of DNSSEC validation supoport for the Ed25519 Edwards Curve digital signature algorithm

        Speaker: Geoff Huston (APNIC)
    • 3:45 PM
      15 Minutes Break
    • OARConline 35a: Session 2
      • 5
        Anycast, Inflation, and Efficiency in the Root DNS

        Anycast is used to serve content including root DNS. However, prior work examining
        root DNS suggests anycast deployments incur significant inflation, with users often routed to suboptimal sites especially for larger deployments. These results are surprising, given the importance and growth of production anycast deployments. We reassess anycast performance -- using new methodology we show root DNS latency hardly matters to users because caching is so effective. We then show inflation in the root DNS is not as poor as previously thought, since recursives can preferentially query their best performing root letter. We conclude with a discussion of how deployment size relates to efficiency and latency, and present survey results from root DNS operators elucidating reasons for expansion of the root DNS.
        These results demonstrate the importance of context and coverage when measuring system performance.

        Speaker: Thomas Koch (Columbia University)
      • 6
        Authenticated Bootstrapping of DNSSEC Delegations

        We introduce and discuss an authenticated in-band method for automatic signaling of a DNS zone's delegation signer information from the zone's DNS operator. In standard (single-signer) setups, the zone's registrar or registry may subsequently use this signal for automatic DS record provisioning in the parent zone. In multi-signer scenarios (RFC 8901), the method may be used to securely distribute a new signing party's keying material to existing parties. Finally, we discuss prospects and practicality of the protocol by measuring and analyzing the prevalence of the prerequisites needed for deployment.

        Speaker: Peter Thomassen (deSEC)
      • 7
        DNS DDoS: Challenges and Mitigations

        Denial-of-Service (DoS) attacks target thousands of victims every day, often resulting in small outages. Those same attacks can also target unprotected endpoints of larger businesses, often causing out-sized impact. We review the DoS risks for DNS servers, and explore the challenges and mitigation options.

        About the speaker:
        Damian Menscher is responsible for DDoS defense at Google, where he has studied hundreds of attacks over more than a decade. He uses his experience to design automated defenses for common attacks. Damian has a Ph.D. in physics from UIUC.

        Speaker: Dr Damian Menscher (Google)
    • 5:00 PM
      Let's Chat! - BYOD OARC Social Event