Bytes from IETF 120 – DNS Topics

DELEG This is a newly formed Working Group to look at the mechanisms for delegation in the DNS, intending to define a delegation with a richer set of functions than what we have with the NS delegation record. There are a number of shortcomings with the current form of delegation…


Privacy and DNS Client Subnet

There has been a fundamental change in the architecture of service and content delivery over the Internet over the past decade. Instead of using the network to bring the remote user to a server that delivers the content or service, the content (or service) is loaded into one or more…


Revisiting DNS and UDP Truncation

The choice of UDP as the default transport for the DNS was not a completely unqualified success. On the positive side, the stateless query/response model of UDP has been a good fit to the stateless query/response model of DNS transactions between a client and a server. The use of a…


DNS Evolution

The DNS is a crucial part of today’s Internet. With the fracturing of the network’s address space as a byproduct of IPv4 address run down and the protracted IPv6 transition the Internet’s name space is now the defining attribute of the Internet that makes it one network. However, the DNS…


DNS Topics at RIPE 88

RIPE 88 was held in May 2024 at Krakow, Poland. Here’s as summary of some of the the DNS topics that were presented at that meeting that I found to be of interest. DNSSEC Bootstrapping How can you start up a DNSSEC relationship between the parent zone and the delegated…


Calling Time on DNSSEC?

There have been quite a few Internet technologies which have not been enthusiastically adopted from the outset. In many cases the technology has been quietly discarded in favour of the next innovation, but in some cases the technology just refuses to go away and sits in a protracted state of…


DNSSEC and .nz

I had the opportunity to participate in the New Zealand Network Operators Group meeting (NZNOG) in Nelson earlier this month. This article was prompted by a presentation from Josh Simpson on an .nz service outage incident in May 2023. I guess we’ve become used to reading evasive and vague outage…


DNS Topics at IETF 119

The Internet has changed quite radically in recent years. The proliferation of service and content delivery platforms at the edge of the network, fed by privately operated feeder networks has reamed out the transit core of the Internet. Most of the traffic and the overwhelming of value within the Internet…


Adding IPv6-only to DNS and Truncation in UDP

In February I looked at the behaviour of the DNS when processing responses in UDP which set the Truncated flag in the DNS response. In particular, I was looking for the incidence of DNS resolvers which used the Answer section in truncated responses (despite the admonition in DNS standards not…


KeyTrap!

The National Research Center for Applied Cybersecurity ATHENE has uncovered a critical flaw in the design of DNSSEC, the Security Extensions of DNS (Domain Name System). DNS is one of the fundamental building blocks of the Internet. The design flaw has devastating consequences for essentially all DNSSEC-validating DNS implementations and…