DNS - Side Room (Thu, 11:00)
Welcome and announcement of the new co-chair
How many DNS queries does it take to resolve a single domain name? The answer might really surprise you and perhaps even alarm you. Depending on the specific delegation, the CNAME chains that CDNs love so much, and cross-domain dependencies, a single cold-cache lookup can trigger hundreds of outgoing queries from a recursive resolver, creating latency for end users and amplifying load on both the resolver and the authoritative DNS servers.
This talk will deep dive into different DNS delegation types…
AS112 is an anycast DNS deployment that responds to junk queries, i.e. leaked queries from internal networks, which should have been handled locally. This includes reverse DNS queries for RFC1918 and link local addresses, and queries for home.arpa and service.arpa.
Unlike other anycast deployments, AS112 is volunteer-run and uncoordinated. Anyone can contribute to AS112 by setting up a DNS server, announcing the AS112 anycast prefixes, and responding to queries.
AS112 helps protect important pa…
Administrators of DNS resolvers with large internet service providers often have multiple inputs for managing the response policy, ranging from legal filters to commercial recommendations from various sources. The open source DNS TAPIR Policy Processor (POP) is a new tool for managing this – both with static inputs and with dynamic rulesets which can be updated over an MQTT message bus. These features are used in the DNS TAPIR platform, but POP can be used as a stand-alone service to simplify a…
An NSEC3 configuration with too many iterations leads to excessive work on authoritative servers and resolvers, can be used for DoS attacks, and even opens a downgrade attack path which is not well documented.
In this brief talk we want to alert operators to this danger and evangelize Best Current Practice RFC 9276 which shows how to use NSEC3 in a safe (or less harmful) way.