DNS, Transitive Trust and How Many is Many

Speaker: Ondřej Surý, ISC
Room: Side Room
Session: DNS
Duration: 19 min
Type: Talk

Abstract

How many DNS queries does it take to resolve a single domain name? The answer might really surprise you and perhaps even alarm you. Depending on the specific delegation, the CNAME chains that CDNs love so much, and cross-domain dependencies, a single cold-cache lookup can trigger hundreds of outgoing queries from a recursive resolver, creating latency for end users and amplifying load on both the resolver and the authoritative DNS servers.

This talk will take a deep dive into the different DNS delegation types - in-domain, in-bailiwick, out-of-bailiwick - and explain how each type of delegation affects the resolver query chain when the cache is cold. I will show how combining delegations across different TLDs and different domains increases the strain on the DNS ecosystem, and how combining this with CNAME chains leads to an explosion of transitive trust dependencies that resolvers must chase before returning a single answer.
