Domain registries manage the entire lifecycle of domain names within TLDs and interact with domain registrars through the Extensible Provisioning Protocol (EPP) specification. Although they adhere to standard policies, EPP implementations and operational practices can vary between registries. Even minor operational flaws at registries can expose their managed resources to abuse. However, the...
Hardware memory may suffer bit flips. Previous research has shown that if a bit flip happens in the right place, host names may be contorted, enabling MITM attacks. This study looks at the consequences of bit flips occurring for root-servers.net, such as hijacking resolver priming queries. After introducing the experimental setup, selected instances of observed resolution cascades will be...
Since RFC 1034, DNS specifications have mandated that recursive resolvers must "bound the amount of work" performed per query. However, the definition of "work" has remained ambiguous, leading to a class of intrinsic risks that differ fundamentally from traditional volumetric reflection attacks. In practice, the resolution process involves complex interactions among delegations, aliases,...
Different DNS resolver implementations handle delegation from parent to child zones in different ways: some resolvers are strictly parent-centric, while others use whatever information is currently available in the local DNS cache, or offer a child-centric mode that always fetches authoritative NS records. In theory, this difference should not affect the ability to resolve domains, since the...
Synchronizing globe-wide Authoritative DNS Anycast with traditional DNS Zone Transfers might not be optimal. Can a versatile database backend be used in a narrow use case just for transferring the zone contents over long distances, and is it faster? Multiple diverse setups, measurements, results and takeaways.
DNS is a globally distributed system where even a minor configuration mistake can cause immediate and widespread disruption. Yet most of the existing tools rely on static validation of planned DNS changes.
In this presentation, I’ll introduce the concept of CheckMate, an AI-powered assistant that performs real-time pre-validation of proposed DNS zone updates to prevent costly mistakes....
Gonemaster is a Go implementation of Zonemaster that began life as a near 1:1 port of the original software—and then evolved into something that is purpose-built for modern, large-scale DNS measurement work.
At its core, Gonemaster provides robust tests of DNS delegation quality, helping operators and researchers identify misconfigurations and edge cases that impact resolution,...
We have recently built an open dashboard called Rootviz, which visualizes in real time measurement data produced by all RIPE Atlas probes.
It allows users to visualize real-time reachability between the probes and each Root Server, for both IPv4 and IPv6.
It complements DNSMON...
An update on the status of the development and release planning for our new DNSSEC hidden signer "Cascade", first introduced at OARC 45. Highlights include the new incremental signing and IXFR-out functionality and how they relate to one another, performance/resource usage improvements, TSIG support, Prometheus metrics, ods2cascade migration tooling, re-designed memory and state models and more.
Eight years ago at IMC'17, Verfploeter was introduced by De Vries et al.
This technique allowed anycast operators to perform active catchment mappings at large scale (using millions of ping-responsive hosts on the Internet).
In this talk we introduce MAnycastR, an open-source tool that improves upon Verfploeter, allowing for IPv6 mappings, increased coverage using transport-layer probing,...
The DITL dataset serves as an invaluable resource for DNS research. The author gratefully acknowledges the data providers and DNS-OARC for permitting access to the Root DITL dataset. Because data collection methodologies vary significantly—with each Root Server Operator (RSO) capturing traffic to the best of their respective capabilities—it is essential to characterize the attributes of each...
We'll present a draft specification (from PowerDNS) for transmitting tracing IDs inside DNS queries using a new EDNS OPT record called TRACEPARENT. Alongside, we'll demonstrate (draft) implementations of tracing in a proprietary resolver/authoritative DNS implementation as well as in the (open source) DNS loadbalancer dnsdist. We hope to raise awareness and enthusiasm for the improved...
DNS resolver operators are increasingly being pulled into enforcement and policy fights that were never really designed with them in mind. Blocking orders that once targeted local ISPs now increasingly cover resolvers, VPN providers, and multiple jurisdictions at the same time. The operational and compliance burden falls hardest on smaller operators.
At the same time, resolver operators...
Typically, ns1.example.net and ns2.example.org have two different IP addresses mapped 1:1. It's conceivable to provision A/AAAA records with both IP addresses for both hostnames (2:2 mapping, or even n-to-n), allowing resolvers to obtain all nameserver IP addresses even when a hostname isn't resolvable during an incident. This talk is about:
- What do current specs say about...
Security researchers equipped with LLMs are finding security issues in various software components at an unprecedented pace, and open-source projects are scrambling to fix them all. The old “enterprise” model of carefully deciding whether to upgrade or delay each software release is becoming problematic.
On 5 May 2026, DENIC experienced an incident with the DE zone caused by a significant number of invalidatable DNSSEC signatures in the zone. The lightning talk will share details about the components involved, the mitigation of the incident and some early learnings.
"I never set out to be a DNS practitioner, but working with it has been a rewarding if unavoidable theme of my 40-year career."
From a 1980s student seminar on the fresh RFC882/883, through an early stub resolver implementation, becoming the DNS sysadmin at an SME and early ISP, then co-founder of a ccTLD registry, this talk traces the author's experience of working with the DNS....