Domain registries manage the entire lifecycle of domain names within TLDs and interact with domain registrars through the Extensible Provisioning Protocol (EPP) specification. Although they adhere to standard policies, EPP implementations and operational practices can vary between registries. Even minor operational flaws at registries can expose their managed resources to abuse. However, the...
Hardware memory may suffer bit flips. Previous research has shown that if a bit flip happens in the right place, host names may be contorted, enabling MITM attacks. This study looks at consequences of bit flips occurring for root-servers.net, such as hijacking resolver priming queries. After introducing the experimental setup, selected instances of observed resolution cascades will be...
Since RFC 1034, DNS specifications have mandated that recursive resolvers must "bound the amount of work" performed per query. However, the definition of "work" has remained ambiguous, leading to a class of intrinsic risks that differ fundamentally from traditional volumetric reflection attacks. In practice, the resolution process involves complex interactions among delegations, aliases,...
Different DNS resolver implementations handle delegation from parent to child zones in different ways: some resolvers are strictly parent-centric, while others use whatever information is currently available in the local DNS cache, or offer a child-centric mode that always fetches authoritative NS records. In theory, this difference should not affect the ability to resolve domains, since the...
Synchronizing globe-wide Authoritative DNS Anycast with traditional DNS Zone Transfers might not be optimal. Can a versatile database backend be used in a narrow use case just for transferring the zone contents over long distances, and is it faster? Multiple diverse setups, measurements, results and takeaways.
DNS is a globally distributed system where even a minor configuration mistake can cause immediate and widespread disruption. Yet most of the existing tools rely on static validation of planned DNS changes.
In this presentation, I’ll introduce the concept of CheckMate, an AI-powered assistant that performs real-time pre-validation of proposed DNS zone updates to prevent costly mistakes....
Gonemaster is a Go implementation of Zonemaster that began life as a near 1:1 port of the original software—and then evolved into something that is purpose-built for modern, large-scale DNS measurement work.
At its core, Gonemaster provides robust tests of DNS delegation quality, helping operators and researchers identify misconfigurations and edge cases that impact resolution,...
We have recently built an open dashboard called Rootviz, which visualizes, in real time, measurement data produced by all RIPE Atlas probes.
It allows users to visualize real-time reachability between the probes and each Root Server, for both IPv4 and IPv6.
It complements DNSMON...
An update on the status of the development and release planning for our new DNSSEC hidden signer "Cascade", first introduced at OARC 45. Highlights include the new incremental signing and IXFR-out functionality and how they relate to one another, performance/resource usage improvements, TSIG support, Prometheus metrics, ods2cascade migration tooling, re-designed memory and state models and more.
Eight years ago at IMC'17, Verfploeter was introduced by De Vries et al.
This technique allowed anycast operators to perform active catchment mappings at large scale (using millions of ping-responsive hosts on the Internet).
In this talk we introduce MAnycastR, an open-source tool that improves upon Verfploeter, allowing for IPv6 mappings, increased coverage using transport-layer probing,...
The DITL dataset serves as an invaluable resource for DNS research. The author gratefully acknowledges the data providers and DNS-OARC for permitting access to the Root DITL dataset. Because data collection methodologies vary significantly—with each Root Server Operator (RSO) capturing traffic to the best of their respective capabilities—it is essential to characterize the attributes of each...
Placeholder for lightning talks.
We will accept up to five 5-minute lightning presentations from in-person presenters for Day 2, Session 4. The call for abstracts will be open from 09:00 to 16:00 UTC (10:00–17:00 local time) on Saturday, May 16.
"I never set out to be a DNS practitioner, but working with it has been a rewarding if unavoidable theme of my 40-year career."
From a 1980s student seminar on the fresh RFC882/883, through an early stub resolver implementation, becoming the DNS sysadmin at an SME and early ISP, then co-founder of a ccTLD registry, this talk traces the author's experience of working with the DNS....