DNSSEC has been standardized over a couple of decades to ensure the integrity of DNS messages. However, over those two decades, DNSSEC has been deployed at only around 4% of second-level domains in .com, .net, and .org. Moreover, the process of uploading DNSSEC-related records to parent zones has turned out to be difficult in practice, which results in pervasive mismanagement.
To provide the integrity...
Since version 4.5, PowerDNS Recursor has implemented an aggressive NSEC/NSEC3 cache, as described in RFC 8198. Other recursive resolvers also have aggressive NSEC/NSEC3 cache implementations.
We will discuss the effectiveness of an aggressive cache for both NSEC and NSEC3 zones. It turns out that especially the NSEC3 results need extra study.
The security extensions of the DNS (DNSSEC) are the only effective measure to protect the integrity of the naming system of the Internet. More than 17 years after the publication of the current DNSSEC standards, deployment at domain names and recursive resolvers still leaves room for improvement. Some report that only 30% of the Internet's population rely on validating resolvers. The reasons...
The Domain Name System (DNS) provides a scalable name resolution service. It uses extensive caching to improve its resiliency and performance; every DNS record contains a time-to-live (TTL) value, which specifies how long a DNS record can be cached before being discarded. Since the TTL can play an important role in both DNS security (e.g., determining a DNSSEC-signed response’s caching period)...
ICANN recently launched the RFC Annotations project to help DNS developers, protocol developers, and security researchers see annotated versions of the DNS-related RFCs. The annotations include in-line descriptions of how RFCs have been updated and where there has been errata, but they also allow people in the DNS community to add comments to the RFCs for others to see. Such comments could...
Drink is an authoritative name server intended for dynamic content, such as returning the IP address of its client. It is experimental but features many things, such as cookies, NSID, the ability to fetch answers from REST services, etc. It is robust and has reasonable performance. Of course, it is not a replacement for NSD or Knot, but it can be used to deploy fun services.
This talk will...
DNS exfiltration and tunneling tools exploit DNS to evade surveillance and masquerade online behavior. Identifying these events in real time proves challenging because efficient techniques are required to crack an encrypted message without impacting the performance of a resolver, which must also resolve non-malicious query volumes at a magnitude of up to millions of queries per second. In this...
Operators expect DNS servers to respond within microseconds if all the data needed to answer a given query is locally available. Some BIND operators have reported suspicions that their production servers sometimes pause query responses.
When we attempted to reproduce this in a lab environment, we found that standard benchmarking tools like dnsperf, resperf, and flamethrower do not provide...
In August 2017 the ICANN Root Server System Advisory Committee (RSSAC) published, as RSSAC028, a “Technical Analysis of the Naming Scheme Used For Individual Root Servers”, looking into different naming schemes for the root servers (including DNSSEC signing of the set) and doing a risk analysis of them.
The first recommendation in the report: “Stick with the current scheme”. The report also...
Shorter DS TTLs => shorter Mean Time to Recovery
DS RRsets need to be rolled back or updated promptly
No 24-hour or more downtime after emergency DS updates
Note: Cached validated child RRsets keep their existing TTLs!
No expected impact on child zone query volume
We’re studying expected effect on parent (eTLD) zone query volumes
A quick look at measurements providing insight into the level of centralisation of DNS service at resolvers and authoritative servers. The resolver view is presented on the APNIC Labs website, whereas the authority view is an initial snapshot of upcoming results.