ABSTRACT
The Internet's naming system (DNS) is a hierarchically structured database, with hundreds of millions of domains in a radically distributed management architecture. The distributed nature of the DNS is the primary factor that allowed it to scale to its current size, but it also brings security and stability risks. The Internet standards community (IETF) has published several operational best practices to improve DNS resilience, but operators must make their own decisions that trade off security, cost, and complexity. Since these decisions can impact the security of billions of Internet users, ICANN has recently proposed an initiative to codify best practices into a set of global norms to improve security: the Knowledge-Sharing and Instantiating Norms for DNS and Naming Security (KINDNS) [4]. A similar effort for routing security, the Mutually Agreed Norms for Routing Security (MANRS), provided inspiration for this effort. The MANRS program encourages operators to voluntarily commit to a set of practices that will improve collective routing security, a challenge when the incentives to conform with these practices do not generate a clear return on investment for operators. One challenge for both initiatives is independent verification of conformance with the practices. The KINDNS conversation has just started, and stakeholders are still debating what should be in the set of practices. At this early stage, we analyze possible best practices in terms of their measurability by third parties, including a review of DNS measurement studies and available data sets (Table 1).
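To make "measurability by third parties" concrete, the following added example (not code from the poster or from ICANN) applies three externally observable hygiene checks that the cited measurement studies describe, namely parent/child NS-set agreement, lame delegation, and nameserver prefix diversity, to constructed delegation records. Zone names, addresses, and the authoritative-answer flags are constructed sample data, standing in for what a probe of the parent and child nameservers would return.

```python
# Added example: third-party observable DNS hygiene checks on constructed data.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Delegation:
    """What an external observer can collect about one zone (constructed fields)."""
    zone: str
    parent_ns: frozenset      # NS names in the parent's referral
    child_ns: frozenset       # NS names in the child's apex NS RRset
    ns_addr: dict             # NS name -> IPv4 address from a glue/A lookup
    authoritative: dict       # NS name -> True if it answered with AA set for the zone


def check_delegation(d: Delegation) -> list:
    """Return the hygiene findings for one delegation (empty list means clean)."""
    findings = []
    # Parent and child NS sets should agree (delegation inconsistency otherwise).
    if d.parent_ns != d.child_ns:
        findings.append("inconsistent NS sets")
    # Every delegated nameserver should answer authoritatively (lame otherwise).
    lame = sorted(ns for ns in d.parent_ns if not d.authoritative.get(ns, False))
    if lame:
        findings.append("lame delegation: " + ", ".join(lame))
    # Redundancy: at least two nameservers spread over at least two /24 prefixes.
    prefixes = {ip_network(f"{d.ns_addr[ns]}/24", strict=False)
                for ns in d.parent_ns if ns in d.ns_addr}
    if len(d.parent_ns) < 2:
        findings.append("single nameserver")
    elif len(prefixes) < 2:
        findings.append("all nameservers in one /24")
    return findings


# Constructed sample delegations; addresses come from documentation ranges.
SAMPLE = [
    Delegation("good.example", frozenset({"ns1.good.example", "ns2.good.example"}),
               frozenset({"ns1.good.example", "ns2.good.example"}),
               {"ns1.good.example": "192.0.2.10", "ns2.good.example": "198.51.100.10"},
               {"ns1.good.example": True, "ns2.good.example": True}),
    Delegation("weak.example", frozenset({"ns1.weak.example", "ns2.weak.example"}),
               frozenset({"ns1.weak.example"}),
               {"ns1.weak.example": "203.0.113.5", "ns2.weak.example": "203.0.113.6"},
               {"ns1.weak.example": True, "ns2.weak.example": False}),
]


def report(delegations=SAMPLE) -> dict:
    """Map each zone name to its list of findings."""
    return {d.zone: check_delegation(d) for d in delegations}


if __name__ == "__main__":
    for zone, findings in report().items():
        print(zone, findings or ["clean"])
```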
REFERENCES
- [1] G. Akiwate et al. 2020. Unresolved Issues: Prevalence, Persistence, and Perils of Lame Delegations (IMC '20).
- [2] M. Allman. 2018. Comments on DNS Robustness (IMC '18).
- [3] W.B. de Vries et al. 2019. A First Look at QNAME Minimization in the Domain Name System (PAM '19).
- [4] ICANN. 2022. KINDNS. https://kindns.org/
- [5] G.C.M. Moura et al. 2016. Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event (IMC '16).
- [6] G.C.M. Moura et al. 2018. When the Dike Breaks: Dissecting DNS Defenses During DDoS (IMC '18).
- [7] G.C.M. Moura et al. 2019. Cache Me If You Can: Effects of DNS Time-to-Live (IMC '19).
- [8] M. Müller et al. 2020. The Reality of Algorithm Agility: Studying the DNSSEC Algorithm Life-Cycle (IMC '20).
- [9] R. Sommese et al. 2020. When Parents and Children Disagree: Diving into DNS Delegation Inconsistency (IMC '20).
- [10] R. Sommese et al. 2021. Characterization of Anycast Adoption in the DNS Authoritative Infrastructure (TMA '21).
- [11] R. Yazdani et al. 2022. A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers (PAM '22).
Index Terms
- Observable KINDNS: validating DNS hygiene