We launched the first ever DNS-over-QUIC resolver about 18 months ago. In this presentation I'll talk about our experience running it and share some data on how it performs.
QUIC might become a mainstream transport for future DNS, including recursive to authoritative. The benefits are: privacy by encryption, low latency by zero-RTT handshake, no a priori response size limit, no source address spoofing.
With the previous implementation of the XDP stack in Knot DNS for UDP and TCP, the authoritative server can be resilient to many types of resource exhaustion attacks....
ExternalDNS is an open-source application to make Kubernetes resources discoverable via public DNS servers.
We have deployed ExternalDNS on AWS at a large scale: ExternalDNS updates zones of more than 8000 resource records. During the ExternalDNS development and deployment, we encountered challenges regarding AWS service limits, e.g. Route53 API frequency, Route53 resource record...
Nominet operate around 50 GTLDs, some as a registry and some as an operator on behalf of other registries. During the X years we have been operating in this space we have undertaken several projects to transition in and transition out many GTLDs. This has led us to develop a process (and some automation). This presentation will talk about the process we follow, the automation we use and further...
We discuss standard and non-standard mechanisms for protecting DNS queries against cache poisoning attacks between resolvers and name servers. The techniques covered include DNS cookies, 0x20 bit munging, nonce prefixes and DNS over TLS/QUIC. We present data from implementing these techniques in Google Public DNS and some interesting behaviors observed during the implementation.
The talk...
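One of the techniques listed above, 0x20 case randomization, shown end to end as an added example (this is not code from the talk or from Google Public DNS): the resolver flips the case of the letters in the query name at random, and then accepts a response only if the question section comes back byte for byte identical, so an off-path spoofer has to guess the case bits on top of the 16-bit message ID and the source port. The packet layout is a plain RFC 1035 header plus question plus one A record, with no EDNS; the names, IDs and addresses are constructed for the demo.

```python
"""0x20 case randomization of DNS query names, with the resolver-side check.

Added example, not code from the talk above. Packets are a bare RFC 1035
header + question + one A answer (no EDNS); all inputs are constructed.
"""
import random
import struct


def extra_entropy_bits(qname: str) -> int:
    """Number of ASCII letters in qname: each one is a case bit an off-path
    spoofer must guess in addition to the message ID and the source port."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def apply_0x20(qname: str, mask: int) -> str:
    """Bit i of mask (least significant bit first) selects upper case for the
    i-th ASCII letter of qname. 0x20 is exactly the case bit of an ASCII letter,
    hence the name of the technique."""
    out, i = [], 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (mask >> i) & 1 else ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def random_0x20(qname: str, rng: random.Random) -> str:
    """Pick a fresh random case pattern for an outgoing query."""
    n = extra_entropy_bits(qname)
    return apply_0x20(qname, rng.getrandbits(n) if n else 0)


def encode_name(name: str) -> bytes:
    """Wire-format name; the case of every label is preserved as given."""
    wire = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                    for label in name.rstrip(".").split("."))
    return wire + b"\x00"


def skip_name(msg: bytes, offset: int) -> int:
    """Offset just past an uncompressed wire-format name starting at offset."""
    while msg[offset] != 0:
        if msg[offset] & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        offset += 1 + msg[offset]
    return offset + 1


def build_query(qname: str, qid: int, qtype: int = 1) -> bytes:
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def _response(qid: int, question: bytes, rdata: bytes) -> bytes:
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1
    # one A record whose owner name is a pointer to the qname at offset 12
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + rr


def server_response(query: bytes, rdata: bytes) -> bytes:
    """A well-behaved authoritative server copies the question verbatim, case included."""
    qid = struct.unpack("!H", query[:2])[0]
    return _response(qid, query[12:skip_name(query, 12) + 4], rdata)


def spoofed_response(qid: int, guessed_qname: str, rdata: bytes) -> bytes:
    """What an off-path attacker injects: the ID it guessed and its own spelling
    of the name (it never saw the real query, so usually all lower case)."""
    return _response(qid, encode_name(guessed_qname) + struct.pack("!HH", 1, 1), rdata)


def response_accepted(query: bytes, response: bytes) -> bool:
    """Resolver-side check. The question is compared as raw bytes on purpose: an
    ordinary case-insensitive name comparison would throw the 0x20 entropy away."""
    if len(response) < 12:
        return False
    qid, flags, qdcount = struct.unpack("!HHH", response[:6])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000 or qdcount != 1:
        return False
    question_len = skip_name(query, 12) + 4 - 12
    return response[12:12 + question_len] == query[12:12 + question_len]


if __name__ == "__main__":
    qname = random_0x20("www.example.com.", random.Random())
    query = build_query(qname, 0x1234)
    print("sent:", qname, "extra bits:", extra_entropy_bits(qname))
    print("legit accepted:", response_accepted(query, server_response(query, b"\xc0\x00\x02\x01")))
    print("all-lowercase spoof accepted:",
          response_accepted(query, spoofed_response(0x1234, "www.example.com.", b"\x0a\x00\x00\x01")))
```

The check only helps if the server echoes the question unchanged; a server that lowercases the qname in its answer (some do) makes every response look spoofed, which is the kind of behaviour a deployment at scale has to detect and special-case rather than treat as an attack.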
At Salesforce, to provide better resilience and performance, we host multiple zones containing millions of DNS records across many DNS providers. However, this increases the complexity for client applications, the operations teams, and even the DNS admin managing DNS records. The client applications would need to know which provider hosts which zone and make API calls for DNS CRUD to the...
Traditionally, DNSSEC how-tos start with a variation of:
Be prepared for higher resource consumption when you enable DNSSEC validation.
Is that still true in 2022? According to our measurements - not really.
In this talk, we compare answer latency, resolver CPU usage, memory consumption, and network bandwidth between validating and non-validating configurations of a busy ISP resolver...
One of the stated goals of people asking for root server instances to be added near their resolvers is to get better round trip times. These requests are made without knowing any specific metric of what a good round trip time is, or knowing what round trip times typical resolvers are currently seeing. The research in this presentation focuses on the second question.
Many root server...
Last year the IETF published RFC 8976, titled "Message Digest for DNS Zones." It describes a protocol and new DNS record that provides a cryptographic message digest over DNS zone data. When used in combination with DNSSEC, it allows recipients to verify zone data for integrity and origin authenticity, providing assurance that received zone data matches published data, regardless of how it was...
- [nsec3-guidance][1] is going to be a BCP RFC soon
- nsec3-guidance affects both zone publishers (authoritative DNS side) and DNSSEC validator operators (full resolver side), but the timing of when they will follow nsec3-guidance may differ
- Due to this timing difference, there is serious concern about the possibility of name resolution failure for TLDs (large outages)
- Explain possibility of the large...