Adding IPv6-only to DNS and Truncation in UDP

In February I looked at the behaviour of the DNS when processing responses in UDP which set the Truncated flag in the DNS response. In particular, I was looking for the incidence of DNS resolvers which used the Answer section in truncated responses (despite the admonition in DNS standards not…


KeyTrap!

The National Research Center for Applied Cybersecurity ATHENE has uncovered a critical flaw in the design of DNSSEC, the Security Extensions of DNS (Domain Name System). DNS is one of the fundamental building blocks of the Internet. The design flaw has devastating consequences for essentially all DNSSEC-validating DNS implementations and…


DNS and Truncation in UDP

I’ll press on here with another item within an overall theme of some current work in DNS behaviours with a report of a recent measurement on the level of compliance of DNS resolvers with one aspect of standard-defined DNS behaviour: truncation of DNS over UDP responses. The DNS leverages the…


DNS OARC 42

–> The DNS Operations, Analysis, and Research Center (DNS-OARC) brings together DNS service operators, DNS software implementors, and researchers together to share concerns, information and learn together about the operation and evolution of the DNS. They meet between two to three times a year in a workshops format. The most…


DNS and the DELEG Proposal

The Internet’s Domain Name System (DNS) is implemented as a distributed database. The structure of the database mimics the structure of the name space itself, namely a hierarchy where each “node” (or “zone”) in the distributed database has a single “parent” node and some number of “child” or descendant nodes…


DNS at IETF 118

The IETF met in Prague in the first week of November 2023, and, as usual there was a flurry of activity in the DNS-related Working groups. Here’s a roundup of those DNS topics I found to be of interest at that meeting. Re-thinking the DNS Prior to IETF meetings there…


IPv6, the DNS and Happy Eyeballs

There was a draft that caught my attention during DNSOPS Working Group session at the recent IETF 118 meeting on the topic of “DNS IPv6 Transport Operational Guidelines”. This draft proposes to update an earlier guideline document with some new guidelines. The original document, RFC3901, titled “DNS IPv6 Transport Guidelines””,…


How We Measure: DNSSEC Validation

At APNIC Labs we publish a number of measurements of the deployment of various technologies that are being adopted on the Internet. Here we will look at how we measure the adoption of DNSSEC validation. DNSSEC Security for the DNS has been a vexed topic for many years. The days…


Notes from OARC 41

OARC held a 2-day meeting in September in Danang, Vietnam, with a set of presentations on various DNS topics. Here’s some observations that I picked up from the presentations that were made that meeting. Deploying ZONEMD in the Root Zone As a distributed database, the DNS works through the piecemeal…


DNS is the new BGP

AUSNOG’23 was held in September. As usual, the meeting had a diverse collection of presentations on network technology, operational practices, engineering, and experiences. One of these presentations, by Cloudflare’s Tom Peseka, was on the subject of service routing, highlighting the ways in which today’s service platform attempt to optimise the…