When Parents and Children Disagree: Diving into DNS Delegation Inconsistency

  • Conference paper
Passive and Active Measurement (PAM 2020)

Abstract

The Domain Name System (DNS) is a hierarchical, decentralized, and distributed database. A key mechanism that enables the DNS to be hierarchical and distributed is delegation [7] of responsibility from parent to child zones—typically managed by different entities. RFC1034 [12] states that authoritative nameserver (NS) records at both parent and child should be “consistent and remain so”, but we find inconsistencies for over 13M second-level domains. We classify the type of inconsistencies we observe, and the behavior of resolvers in the face of such inconsistencies, using RIPE Atlas to probe our experimental domain configured for different scenarios. Our results underline the risk such inconsistencies pose to the availability of misconfigured domains.

Notes

  1. This covers 96% of names with disjoint NSSets; the remaining 4% are indeterminate due to unresolvable names in the NSSets.

References

  1. Almond, C.: CNAME at the apex of a zone. https://www.isc.org/blogs/cname-at-the-apex-of-a-zone/

  2. CZ.NIC: Knot Resolver. https://www.knot-resolver.cz

  3. DENIC AG: Statistics of .de domains, 22 October 2019. https://www.denic.de/en/know-how/statistics/l

  4. DNS OARC: Root zone archive. https://www.dns-oarc.net/oarc/data/zfr/root (Jan 2020)

  5. Elz, R., Bush, R.: Clarifications to the DNS specification. RFC 2181, IETF, July 1997. http://tools.ietf.org/rfc/rfc2181.txt

  6. Hardaker, W.: Child-to-parent synchronization in DNS. RFC 7477, IETF, March 2015. http://tools.ietf.org/rfc/rfc7477.txt

  7. Hoffman, P., Sullivan, A., Fujiwara, K.: DNS terminology. RFC 8499, IETF, November 2018. http://tools.ietf.org/rfc/rfc8499.txt

  8. Hubert, A., Mook, R.: Measures for making DNS more resilient against forged answers. RFC 5452, IETF, January 2009. http://tools.ietf.org/rfc/rfc5452.txt

  9. Internet Systems Consortium: BIND: Berkeley Internet Name Domain. https://www.isc.org/bind/

  10. Kristoff, J.: DNS inconsistency (2018). https://blog.apnic.net/2018/08/29/dns-inconsistency/

  11. Liu, D., Hao, S., Wang, H.: All your DNS records point to us: understanding the security threats of dangling DNS records. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1414–1425. ACM, New York (2016). https://doi.org/10.1145/2976749.2978387

  12. Mockapetris, P.: Domain names - concepts and facilities. RFC 1034, IETF, November 1987. http://tools.ietf.org/rfc/rfc1034.txt

  13. Moura, G.C.M., Heidemann, J., Müller, M., de Schmidt, R.O., Davids, M.: When the dike breaks: dissecting DNS defenses during DDoS. In: Proceedings of the ACM Internet Measurement Conference, October 2018. https://doi.org/10.1145/3278532.3278534

  14. Moura, G.C.M., Heidemann, J., de Schmidt, R.O., Hardaker, W.: Cache me if you can: effects of DNS time-to-live (extended). In: Proceedings of the ACM Internet Measurement Conference. ACM, Amsterdam, October 2019. https://doi.org/10.1145/3355369.3355568. p. to appear

  15. Müller, M., Moura, G.C.M., de Schmidt, R.O., Heidemann, J.: Recursives in the wild: engineering authoritative DNS servers. In: Proceedings of the ACM Internet Measurement Conference, London, UK, pp. 489–495 (2017). https://doi.org/10.1145/3131365.3131366

  16. NLnet Labs: Unbound, March 2019. https://unbound.net/

  17. Pappas, V., Wessels, D., Massey, D., Lu, S., Terzis, A., Zhang, L.: Impact of configuration errors on DNS robustness. IEEE J. Sel. Areas Commun. 27(3), 275–290 (2009)

  18. PowerDNS: PowerDNS Recursor. https://www.powerdns.com/recursor.html

  19. van Rijswijk-Deij, R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks: a comprehensive measurement study. In: Proceedings of the 2014 ACM Conference on Internet Measurement Conference, IMC, pp. 449–460. ACM, November 2014

  20. RIPE NCC Staff: RIPE Atlas: a global internet measurement network. Internet Protocol J. (IPJ) 18(3), 2–26 (2015)

  21. RIPE Network Coordination Centre: RIPE Atlas (2015). https://atlas.ripe.net

  22. Root Zone file: Root, February 2019. http://www.internic.net/domain/root.zone

  23. van Rijswijk-Deij, R., Jonker, M., Sperotto, A., Pras, A.: A high-performance, scalable infrastructure for large-scale active DNS measurements. IEEE J. Sel. Areas Commun. 34(6), 1877–1888 (2016). https://doi.org/10.1109/JSAC.2016.2558918

Acknowledgments

We thank John Heidemann, Ólafur Guðmundsson and Ülrich Wisser for feedback provided in the early stages of this research. We also thank the PAM2020 anonymous reviewers, our shepherd, Steve Uhlig, and Philip Homburg, from RIPE NCC. This work uses measurements from RIPE Atlas (https://atlas.ripe.net), an open measurements platform operated by RIPE NCC.

This work is partially funded by the NWO-DHS MADDVIPR project (Grant Agreement 628.001.031/FA8750-19-2-0004), the PANDA project (NSF OAC-1724853) and the EU CONCORDIA project (Grant Agreement 830927). This material is based on research sponsored by Air Force Research Laboratory under agreement number FA8750-18-2-0049. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions in this paper are those of the authors and do not necessarily reflect the opinions of a sponsor, Air Force Research Laboratory or the U.S. Government.

Corresponding author

Correspondence to Raffaele Sommese.

A Longitudinal View on Inconsistency

A.1 NS Inconsistency over Time

The results presented in Table 1 show NS inconsistency for a single day. However, it is also interesting to understand how this misconfiguration evolves over time. We analyzed NS inconsistency for the case \(P \ne C\) over the two-and-a-half-year period preceding the date of the analysis presented in Table 1. Figure 7 shows the results of this analysis. The figure clearly demonstrates that the fraction of domains affected by this misconfiguration remains similar over time. This result suggests that NS inconsistency is a long-term misconfiguration in the DNS ecosystem.

Fig. 7. NS inconsistency (\(P \ne C\)) from 2017-04-01 until 2019-10-01
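As an added illustration (not code from the paper or its authors), the following sketch shows how an operator could check one zone for the \(P \ne C\) condition by comparing the NS set in the parent's referral (P) with the NS set the child's own servers return (C). The relation labels, the function names and the `example.test` records are assumptions of this example, and the comparison is by name only: it does not resolve the nameserver names to addresses.

```python
def normalize(name):
    """Lower-case a DNS name and make it fully qualified (names are case-insensitive)."""
    return name.strip().lower().rstrip(".") + "."

def parse_ns(text, zone):
    """Collect NS targets owned by `zone` from 'owner [ttl] [class] NS target' lines."""
    zone, targets = normalize(zone), set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments and blank lines
        if len(fields) >= 3 and fields[-2].upper() == "NS" and normalize(fields[0]) == zone:
            targets.add(normalize(fields[-1]))
    return targets

def classify(p, c):
    """Relation between parent set P and child set C (labels are this example's own)."""
    if not p or not c:
        return "no data"
    if p == c:
        return "P = C"
    if p.isdisjoint(c):
        return "disjoint"
    if p < c:
        return "P subset of C"
    if p > c:
        return "P superset of C"
    return "partial overlap"

def compare(parent_text, child_text, zone):
    """Classify one zone and list the names that appear on only one side."""
    p, c = parse_ns(parent_text, zone), parse_ns(child_text, zone)
    return {"relation": classify(p, c),
            "parent_only": sorted(p - c),   # delegated to, but not listed by the child
            "child_only": sorted(c - p)}    # listed by the child, missing at the parent

# Constructed sample records (not measurement data from the paper).
PARENT_REFERRAL = """
example.test. 172800 IN NS ns1.example.test.
example.test. 172800 IN NS NS2.Example.TEST.
"""
CHILD_ANSWER = """
example.test. 3600 IN NS ns2.example.test.   ; same server, different case
example.test. 3600 IN NS ns3.example.test.
example.test. 3600 IN A  192.0.2.1
"""

if __name__ == "__main__":
    print(compare(PARENT_REFERRAL, CHILD_ANSWER, "example.test"))
```
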

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Sommese, R. et al. (2020). When Parents and Children Disagree: Diving into DNS Delegation Inconsistency. In: Sperotto, A., Dainotti, A., Stiller, B. (eds) Passive and Active Measurement. PAM 2020. Lecture Notes in Computer Science, vol 12048. Springer, Cham. https://doi.org/10.1007/978-3-030-44081-7_11

  • DOI: https://doi.org/10.1007/978-3-030-44081-7_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-44080-0

  • Online ISBN: 978-3-030-44081-7

  • eBook Packages: Computer Science (R0)
