DNS TAPIR is a Swedish project that builds a national DNS query analysis platform to monitor traffic and alert on suspicious events. All software is Open Source and has undergone a thorough analysis of privacy handling. The DNS TAPIR project has a few principles that we work hard to implement, with the core one being privacy, the need to protect individual user data.
This talk will...
In 2002 the IP address for j.root-servers.net was changed in order to provide the service from multiple locations using IP anycast. Since that time Verisign has continued to respond to queries sent to J-root's old IP address, 198.41.0.10.
A few months after the address was changed, the old address received approximately 1500 queries per second. Now, nearly 23 years later, the old address...
In this study, we examine DNS resolvers used by clients in the Nordic and Baltic countries, conducting active measurements to assess the adoption of security and privacy features. We utilized the RIPE Atlas network of volunteer-run probes for our measurements in July 2025 and analyzed 1066 unique probe-resolver pairs. We reveal that 92% supported IPv6, 87% were validating DNSSEC, 70%...
Cisco's resolver fleet infrastructure commonly experiences large-scale distributed denial of service (DDoS) attacks. Under normal circumstances these attacks are dealt with by distributing the traffic over the installed resolver capacity and rarely get to cause operational issues. However, on two occasions these DDoS attacks did cause notable internal incidents: thankfully with very limited...
Historically, we built cyber security the way we built cities: over time, without a long-term plan, on top of ruins. Now that we are applying Zero Trust DNS (Microsoft ZTDNS/adam:ONE Don’t Talk to Strangers) to require every outgoing IP connection to first be resolved by DNS, what is it that breaks?
In this presentation we offer insight into client-side behaviour and the general readiness of...
Although DS provisioning automation (RFCs 7344, 8078, 9615) is well-defined on the wire, actual deployment faces various degrees of freedom, leading to non-uniform behavior across parents. For example, the presence of registration locks may (or may not) affect DS automation, and there are different ways to perform CDS/CDNSKEY input validation, report errors, or to handle priority of updates...
We would like to discuss challenges and opportunities with PQC DNSSEC by walking through a variety of measurement studies that the community has conducted to date.
I have two proposals for OARC45. This is the first.
There are presently two “mainline” paths towards deployment of DoT / DoQ for authoritative DNS service between auth server and resolver. The first is RFC 9539 (“blind probing”) and the second is “wait for DELEG”.
Both have problems.
In the RFC 9539 case it is about creating enough incentive for auth server and resolver operators to...
This presentation will showcase Verisign’s Transitive Trust tool, which maps DNS resolution dependencies based on delegation and name server host relationships. We use this tool to analyze all TLD delegations at the DNS root and construct a directed graph of resolution dependencies. The resulting structure reveals distinct subgraphs and dependency clusters associated with common operators or...
DNSSEC was introduced in 1999 to prevent DNS spoofing and on-path tampering attacks. However, due to the complexity of DNSSEC deployment and management, its popularity remains modest to this day. In this work, we take a deep dive into the post-deployment complexities of DNSSEC, leveraging 1.4 million historical diagnostic snapshots for 319K SLDs and their subdomains obtained from the DNSViz...
The zone signing pipeline is the heart of large-scale authoritative operations. After the zone is signed, an automatic validator should continuously check for and block potential errors. Introduction and overview of available methods and tools, with some examples.
OpenDNSSEC has served the DNS community for over 20 years now, and we at NLnet Labs are proud of its accomplishments. But DNS and DNSSEC have evolved significantly over the last decades, and ODS no longer aligns with their requirements. Cascade is a new DNSSEC signer that learns from ODS and adapts to the modern needs of DNS / DNSSEC. We discuss the design requirements and architecture for...