Oct 22 – 23, 2022 Workshop
Golden Tulip Zira
Europe/Belgrade timezone

Fourteen Years in the Life: A Root Server’s Perspective on DNS Resolver Security

Oct 22, 2022, 4:40 PM
Mykonos / Rodos (Golden Tulip Zira)

Standard Presentation Main Session OARC 39 - D1


Casey Deccio (Brigham Young University)


We consider how the DNS security and privacy landscape has evolved over time, using data collected annually at A-root between 2008 and 2021. We consider issues such as deployment of security and privacy mechanisms, including source port randomization, TXID randomization, DNSSEC, and QNAME minimization. We find that achieving general adoption of new security practices is a slow, ongoing process. Of particular note, we find a significant number of resolvers lacking nearly all of the security mechanisms we considered, even as late as 2021. Specifically, in 2021, over 4% of the resolvers analyzed were not protected by any of source port randomization, DNSSEC validation, DNS cookies, or 0x20 encoding. Encouragingly, we find that the volume of traffic from resolvers with secure practices is significantly higher than that of other resolvers.

Primary author

Alden Hilton (Sandia National Laboratories)


Casey Deccio (Brigham Young University)
Jacob Davis (Sandia National Laboratories)

