Which authoritative DNS server a user's resolver chooses to query largely determines the user's experience when accessing the Internet.
Earlier studies have examined the behaviour of a set of resolver implementations, describing how they select authoritative servers and how they re-evaluate their choices over time [1].
Other studies have leveraged the RIPE...
This talk presents a real DNS hijacking incident from last year and how my team traced the issue. We discovered that certain queries to root/.com servers were receiving random, forged responses. To address this, we developed “DNS Traceroute,” a tool that traces the path of DNS queries to identify the source of hijacking, inspired by how Traceroute functions.
This talk was first delivered at...
Using the multi-signer model can be challenging and can add complexity to your handling of zone maintenance and distribution.
The work shared in this presentation attempts to show examples or alternatives for improving DNSSEC monitoring and anticipating problems before users are affected.
This is a perspective from a ccTLD that has been adopting the multi-signer model for a long time.
This presentation deals with the fundamental design and evaluation of DNS anycast stacks for high-performance, portable nameserver locations placed in cloud, on-premises or mixed infrastructure.
Given the challenges of our time, with innovations in AI and cloud technology, new geopolitical crises, marketing considerations and a growing shortage of DNS expertise, this proposal...
Zone update performance in large-scale DNS installations can be an important metric to pay attention to. Zone transfer performance measurements get less attention than query performance because they are less operationally acute and harder to measure, as has been discussed in previous presentations. Benchmarking zone transfer performance is the first and most important step,...
This talk will look into what the ECH uptake is both from a domain as well as from a client requestor perspective based on DNS data from authoritative and recursive name servers.
The HTTPS DNS resource record (RR), defined in RFC 9460, is a new DNS record designed for the delivery of configuration information and parameters required to initiate connections to HTTPS network services. It can coexist with other record types (unlike the CNAME record) and thus allows name redirection at zone apexes and at any location in a zone where CNAME cannot be used. It can also...
The presentation will include a brief explanation of the proposed Encrypted Client Hello (ECH) extension to TLS 1.3. The main focus will be on explaining why network operators need to be aware of the potential implications of ECH so that they are able to mitigate any negative impacts.
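The three abstracts above all turn on what an HTTPS record carries on the wire: SvcPriority, TargetName and the SvcParams defined in RFC 9460, of which the `ech` key (5) is the one that advertises an ECHConfigList and so marks a domain as ECH-capable. The parser below is an added example, not code from any of the presenters; it decodes HTTPS RDATA, enforces the ordering and AliasMode rules of RFC 9460 Section 2.2, and tallies ECH uptake over a set of records. The three RDATA byte strings are constructed for the example, and the `ech` value is a dummy placeholder rather than a real ECHConfigList.

```python
import struct
import ipaddress

# SvcParamKeys registered by RFC 9460, Section 14.3.
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def _read_name(buf: bytes, off: int):
    """Decode an uncompressed wire-format name; SVCB TargetName must not use compression."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in SVCB TargetName")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) + "." if labels else "."), off


def _decode_param(key: int, value: bytes):
    """Decode the SvcParamValue for the keys RFC 9460 defines; unknown keys and ech stay opaque."""
    if key == 0:  # mandatory: list of 2-byte keys
        keys = struct.unpack(f"!{len(value) // 2}H", value)
        return [SVCPARAM_KEYS.get(k, f"key{k}") for k in keys]
    if key == 1:  # alpn: sequence of 1-byte-length-prefixed ALPN ids
        ids, off = [], 0
        while off < len(value):
            n = value[off]
            off += 1
            ids.append(value[off:off + n].decode("ascii"))
            off += n
        return ids
    if key == 3:  # port
        return struct.unpack("!H", value)[0]
    if key == 4:  # ipv4hint: packed IPv4 addresses
        return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]
    if key == 6:  # ipv6hint: packed IPv6 addresses
        return [str(ipaddress.IPv6Address(value[i:i + 16])) for i in range(0, len(value), 16)]
    return value  # ech (ECHConfigList) is opaque to the DNS; so is anything unregistered here


def parse_https_rdata(rdata: bytes) -> dict:
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        value = rdata[off:off + length]
        off += length
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        if key <= last_key:  # RFC 9460 s2.2: keys strictly increasing, no repeats
            raise ValueError("SvcParamKeys out of order or repeated")
        last_key = key
        params[SVCPARAM_KEYS.get(key, f"key{key}")] = _decode_param(key, value)
    if priority == 0 and params:  # AliasMode (priority 0) carries no SvcParams
        raise ValueError("AliasMode record must not carry SvcParams")
    return {"priority": priority, "target": target, "params": params}


def has_ech(record: dict) -> bool:
    """A domain advertises ECH only via a ServiceMode record with a non-empty ech SvcParam."""
    return record["priority"] != 0 and len(record["params"].get("ech", b"")) > 0


def ech_uptake(rdatas):
    """Return (records advertising ECH, ServiceMode records seen) over a batch of HTTPS RDATA."""
    recs = [parse_https_rdata(r) for r in rdatas]
    service = [r for r in recs if r["priority"] != 0]
    return sum(has_ech(r) for r in service), len(service)


# Constructed sample RDATA (not captured from any real zone):
#   1 . alpn=h2,h3 ipv4hint=192.0.2.1 ech=<dummy 6-byte placeholder>
SAMPLE_ECH = (b"\x00\x01" + b"\x00"
              + b"\x00\x01\x00\x06" + b"\x02h2\x02h3"
              + b"\x00\x04\x00\x04" + b"\xc0\x00\x02\x01"
              + b"\x00\x05\x00\x06" + b"\x00\x04\xfe\x0d\x00\x00")
#   1 svc.example.net. alpn=h2   (ServiceMode, no ECH)
SAMPLE_NO_ECH = b"\x00\x01" + b"\x03svc\x07example\x03net\x00" + b"\x00\x01\x00\x03\x02h2"
#   0 svc.example.net.           (AliasMode)
SAMPLE_ALIAS = b"\x00\x00" + b"\x03svc\x07example\x03net\x00"

if __name__ == "__main__":
    print(parse_https_rdata(SAMPLE_ECH))
    print("ECH uptake (with ech / ServiceMode):", ech_uptake([SAMPLE_ECH, SAMPLE_NO_ECH, SAMPLE_ALIAS]))
```

Fed with RDATA pulled from a zone file or from the answer section of logged HTTPS queries, `ech_uptake` gives the domain-side number the first abstract talks about; the client-side view would instead count HTTPS queries per requestor. AliasMode records are excluded from the denominator because they cannot carry an `ech` parameter at all.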
RFC 8767 "Serving Stale Data to Improve DNS Resiliency" defines a method (serve-stale) for recursive resolvers to use stale DNS data to avoid outages when authoritative nameservers cannot be reached to refresh expired data.
Should you enable this feature on your resolvers? If you do enable it, what are the advantages and disadvantages? Which serve-stale options are available on the most...
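The decision the abstract asks about is easier to reason about with the RFC 8767 state machine in front of you. The model below is an added example, not the speaker's material or any resolver's actual code: a cache that answers from fresh data while the TTL runs, tries the authoritative side once the TTL has expired, and falls back to stale data only when that attempt gets no response, never over a real answer such as NXDOMAIN. The 30-second stale TTL and the 3-day maximum stale timer are the values RFC 8767 Section 5 recommends; the `FakeUpstream` class and the `www.example.com.` data are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

STALE_ANSWER_TTL = 30        # RFC 8767, Section 5: RECOMMENDED TTL on a stale answer
MAX_STALE = 3 * 24 * 3600    # RFC 8767, Section 5: max stale timer RECOMMENDED between 1 and 3 days


@dataclass
class CacheEntry:
    rdata: str
    expires: float           # absolute time at which the original TTL runs out


class StaleAwareCache:
    """Minimal serve-stale cache.

    fetch(name) models the authoritative lookup: it returns (rdata, ttl), returns None for an
    authoritative NXDOMAIN, and raises TimeoutError/ConnectionError when no server answers.
    """

    def __init__(self, fetch: Callable[[str], Optional[Tuple[str, int]]], max_stale: int = MAX_STALE):
        self.fetch = fetch
        self.max_stale = max_stale
        self.cache = {}

    def resolve(self, name: str, now: float):
        entry = self.cache.get(name)
        if entry is not None and now < entry.expires:
            return ("fresh", entry.rdata, int(entry.expires - now))   # ordinary cache hit
        try:
            answer = self.fetch(name)
        except (TimeoutError, ConnectionError):
            # Resolution failed: this is the only case in which RFC 8767 permits stale data,
            # and only while the record is within the max-stale window.
            if entry is not None and now < entry.expires + self.max_stale:
                return ("stale", entry.rdata, STALE_ANSWER_TTL)
            self.cache.pop(name, None)
            return ("servfail", None, 0)
        if answer is None:
            self.cache.pop(name, None)         # an authoritative NXDOMAIN replaces the old data
            return ("nxdomain", None, 0)
        rdata, ttl = answer
        self.cache[name] = CacheEntry(rdata, now + ttl)
        return ("fresh", rdata, ttl)


class FakeUpstream:
    """Constructed stand-in for the authoritative servers; the caller flips `mode`."""

    def __init__(self):
        self.mode = "ok"

    def __call__(self, name):
        if self.mode == "down":
            raise TimeoutError("no response from authoritative servers")
        if self.mode == "nxdomain":
            return None
        return ("192.0.2.10", 300)


def demo():
    """Walk one name through the fresh / stale / SERVFAIL / NXDOMAIN transitions."""
    up = FakeUpstream()
    cache = StaleAwareCache(up)
    name = "www.example.com."
    trace = []
    trace.append(cache.resolve(name, now=0))                       # fresh, fetched, TTL 300
    trace.append(cache.resolve(name, now=100))                     # fresh from cache, 200 s left
    up.mode = "down"
    trace.append(cache.resolve(name, now=400))                     # expired + outage -> stale, TTL 30
    trace.append(cache.resolve(name, now=300 + MAX_STALE + 1))     # past max-stale -> SERVFAIL
    up.mode = "ok"
    t = MAX_STALE + 1000
    trace.append(cache.resolve(name, now=t))                       # fresh again once servers are back
    up.mode = "nxdomain"
    trace.append(cache.resolve(name, now=t + 400))                 # real NXDOMAIN, not masked by stale data
    up.mode = "down"
    trace.append(cache.resolve(name, now=t + 500))                 # nothing cached any more -> SERVFAIL
    return trace


if __name__ == "__main__":
    for status, rdata, ttl in demo():
        print(f"{status:9} rdata={rdata} ttl={ttl}")
```

The model resolves synchronously; production resolvers instead answer with stale data after a short client timer (RFC 8767 recommends 1.8 seconds) and refresh in the background, which is the behaviour the per-implementation options in the abstract tune. The advantage and the disadvantage are both visible in the trace: the outage at `now=400` is masked, but a record that has genuinely changed or been removed keeps being served, with a 30-second TTL, until the authoritative side is reachable again.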
Applying the DNS Flag Day 2020 limits on EDNS UDP payload size at the IBM NS1 Connect servers resulted in resolvers increasing their query load when faced with large apex TXT records.
Is this a no-win scenario?
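The mechanism behind the abstract's observation is plain DNS arithmetic: a UDP response must fit within the smaller of the client's advertised EDNS buffer and the server's own cap (1232 bytes under the Flag Day 2020 recommendation), otherwise the server sets TC=1 and the resolver repeats the query over TCP, doubling the transaction count and adding a handshake. The calculation below is an added example, not NS1's code or the speaker's data; it computes the wire size of a TXT RRset response and models the truncation decision. The six-string apex TXT RRset is constructed for the example.

```python
FLAG_DAY_2020_MAX_UDP = 1232   # EDNS UDP payload size recommended by DNS Flag Day 2020
NO_EDNS_MAX_UDP = 512          # RFC 1035 limit for a client that sends no OPT record


def _name_wire_len(name: str) -> int:
    """Wire length of an uncompressed name: one length byte per label plus the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1


def _txt_rdata_len(text: str) -> int:
    """TXT RDATA is one or more <character-string>s of at most 255 bytes, each with a length byte."""
    raw = text.encode("utf-8")
    chunks = max(1, (len(raw) + 254) // 255)
    return len(raw) + chunks


def txt_response_size(owner: str, strings, edns: bool = True) -> int:
    """Bytes in a minimal response carrying the whole TXT RRset for `owner`."""
    header = 12
    question = _name_wire_len(owner) + 4                       # QNAME + QTYPE + QCLASS
    # Each answer RR: 2-byte compression pointer to QNAME, TYPE, CLASS, TTL, RDLENGTH, RDATA.
    answers = sum(2 + 2 + 2 + 4 + 2 + _txt_rdata_len(s) for s in strings)
    opt = 11 if edns else 0                                    # OPT pseudo-RR with empty RDATA
    return header + question + answers + opt


def serve_over_udp(response_size: int, client_bufsize: int, server_max_udp: int) -> dict:
    """Model the authoritative side's decision for one UDP query."""
    limit = min(client_bufsize, server_max_udp)
    truncated = response_size > limit
    # TC=1 makes the resolver ask again over TCP: two transactions instead of one, and the
    # second one costs a TCP handshake and a connection slot on the server.
    return {"limit": limit, "tc": truncated, "transactions": 2 if truncated else 1}


# Constructed apex TXT RRset: six verification-style strings of the kind that accumulate at an apex.
APEX_TXT = [f"verification-token-{i}=" + "x" * 170 for i in range(6)]


def compare_limits(owner: str = "example.com.", strings=APEX_TXT) -> dict:
    """Same RRset, three server/client buffer combinations."""
    size = txt_response_size(owner, strings)
    return {
        "response_size": size,
        "flag_day_1232": serve_over_udp(size, 4096, FLAG_DAY_2020_MAX_UDP),  # capped server
        "server_4096": serve_over_udp(size, 4096, 4096),                      # pre-Flag-Day cap
        "no_edns_512": serve_over_udp(size, NO_EDNS_MAX_UDP, 4096),           # client without EDNS
    }


if __name__ == "__main__":
    for label, result in compare_limits().items():
        print(label, result)
```

For this RRset the response is 1264 bytes: it clears the 1232-byte cap by only 32 bytes, yet every resolver honouring the cap pays a second, TCP, transaction, while a 4096-byte cap would deliver it in one UDP packet. That is the trade-off behind the abstract's question: the 1232-byte limit exists to avoid IP fragmentation, so the two costs being weighed are fragment loss on one side and TCP fallback load on the other.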