When Parents and Children Disagree: Diving into DNS Delegation Inconsistency

  • Raffaele SommeseEmail author
  • Giovane C. M. Moura
  • Mattijs Jonker
  • Roland van Rijswijk-Deij
  • Alberto Dainotti
  • K. C. Claffy
  • Anna Sperotto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12048)


The Domain Name System (DNS) is a hierarchical, decentralized, and distributed database. A key mechanism that enables the DNS to be hierarchical and distributed is delegation [7] of responsibility from parent to child zones—typically managed by different entities. RFC1034 [12] states that authoritative nameserver (NS) records at both parent and child should be “consistent and remain so”, but we find inconsistencies for over 13M second-level domains. We classify the type of inconsistencies we observe, and the behavior of resolvers in the face of such inconsistencies, using RIPE Atlas to probe our experimental domain configured for different scenarios. Our results underline the risk such inconsistencies pose to the availability of misconfigured domains.



We thank John Heidemann, Ólafur Guðmundsson and Ülrich Wisser for feedback provided in the early stages of this research. We also thank the PAM2020 anonymous reviewers, our shepherd, Steve Uhlig, and Philip Homburg, from RIPE NCC. This work uses measurements from RIPE Atlas (, an open measurements platform operated by RIPE NCC.

This work is partially funded by the NWO-DHS MADDVIPR project (Grant Agreement 628.001.031/FA8750-19-2-0004), the PANDA project (NSF OAC-1724853) and the EU CONCORDIA project (Grant Agreement 830927). This material is based on research sponsored by Air Force Research Laboratory under agreement number FA8750-18-2-0049. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions in this paper are those of the authors and do not necessarily reflect the opinions of a sponsor, Air Force Research Laboratory or the U.S. Government.

Supplementary material


  1. 1.
    Almond, C.: CNAME at the apex of a zone.
  2. 2.
    CZ.NIC: Knot Resolver.
  3. 3.
    DENIC AG: Statistics of .de domains, 22 October 2019.
  4. 4.
    DNS OARC: Root zone archive. (Jan 2020)
  5. 5.
    Elz, R., Bush, R.: Clarifications to the DNS specification. RFC 2181, IETF, July 1997.
  6. 6.
    Hardaker, W.: Child-to-parent synchronization in DNS. RFC 7477, IETF, March 2015.
  7. 7.
    Hoffman, P., Sullivan, A., Fujiwara, K.: DNS terminology. RFC 8499, IETF, November 2018.
  8. 8.
    Hubert, A., Mook, R.: Measures for making DNS more resilient against forged answers. RFC 5452, IETF, January 2009.
  9. 9.
    Internet Systems Consortium: BIND: Berkeley Internet Name Domain.
  10. 10.
    Kristoff, J.: DNS inconsistency (2018).
  11. 11.
    Liu, D., Hao, S., Wang, H.: All your DNS records point to us: understanding the security threats of dangling DNS records. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1414–1425. ACM, New York (2016).
  12. 12.
    Mockapetris, P.: Domain names - concepts and facilities. RFC 1034, IETF, November 1987.
  13. 13.
    Moura, G.C.M., Heidemann, J., Müller, M., de Schmidt, R.O., Davids, M.: When the dike breaks: dissecting DNS defenses during DDoS. In: Proceedings of the ACM Internet Measurement Conference, October 2018.
  14. 14.
    Moura, G.C.M., Heidemann, J., de Schmidt, R.O., Hardaker, W.: Cache me if you can: effects of DNS time-to-live (extended). In: Proceedings of the ACM Internet Measurement Conference. ACM, Amsterdam, October 2019. p. to appear
  15. 15.
    Müller, M., Moura, G.C.M., de Schmidt, R.O., Heidemann, J.: Recursives in the wild: engineering authoritative DNS servers. In: Proceedings of the ACM Internet Measurement Conference, London, UK, pp. 489–495 (2017).
  16. 16.
    NLnet Labs: Unbound, March 2019.
  17. 17.
    Pappas, V., Wessels, D., Massey, D., Lu, S., Terzis, A., Zhang, L.: Impact of configuration errors on DNS robustness. IEEE J. Sel. Areas Commun. 27(3), 275–290 (2009)CrossRefGoogle Scholar
  18. 18.
    PowerDNS: PowerDNS Recursor.
  19. 19.
    van Rijswijk-Deij, R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks: a comprehensive measurement study. In: Proceedings of the 2014 ACM Conference on Internet Measurement Conference, IMC, pp. 449–460. ACM, November 2014Google Scholar
  20. 20.
    RIPE Ncc Staff: RIPE Atlas: a global internet measurement network. Internet Protocol J. (IPJ) 18(3), 2–26 (2015)Google Scholar
  21. 21.
    RIPE Network Coordination Centre: RIPE Atlas (2015).
  22. 22.
    Root Zone file: Root, February 2019.
  23. 23.
    van Rijswijk-Deij, R., Jonker, M., Sperotto, A., Pras, A.: A high-performance, scalable infrastructure for large-scale active DNS measurements. IEEE J. Sel. Areas Commun. 34(6), 1877–1888 (2016). Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Raffaele Sommese
    • 1
    Email author
  • Giovane C. M. Moura
    • 2
  • Mattijs Jonker
    • 1
  • Roland van Rijswijk-Deij
    • 1
    • 3
  • Alberto Dainotti
    • 4
  • K. C. Claffy
    • 4
  • Anna Sperotto
    • 1
  1. 1.University of TwenteEnschedeThe Netherlands
  2. 2.SIDN LabsArnhemThe Netherlands
  3. 3.NLnet LabsAmsterdamThe Netherlands
  4. 4.CAIDASan DiegoUSA

Personalised recommendations