ICANN DNS Symposium (IDS) 2021 recap summary

The ICANN DNS Symposium concluded today. It was about 3 hours of talks on each of the past 3 days, four talks each day. For me it started at 5:00 am and I didn’t always make it on time and I left early a couple of times. This is a very brief summary since I didn’t take very detailed notes and the presentations are not yet online to review. Materials should appear on the IDS page in due time.

Day 1

DNS-STATS traffic capture and visualization development
Jim Hague
Showcase of the DNS-STATS tool. All you really need to know is here.

Measuring recursive resolver centrality
Joao Damas, Geoff Huston
They try to provide some insight into the consolidation and centralization of resolution services on the Internet using APNIC Labs’ Google-ads-driven name server measurement infrastructure. Methodology and observations were discussed. Some statistics here.

pktvisor; summarizing traffic for observability and DDoS mitigation
Shannon Weyrick
Another DNS statistics tool, this one currently based on pcap data to provide a dashboard-like view. Other inputs, including sFlow/NetFlow support, are planned. All you need to know here.

DSFI-TSG Panel
Merike Kaeo, Robert Schishka, John L Crain, Tim April, Gavin Brown, and Duane Wessels
The ICANN-sponsored DNS Security Facility Initiative Technical Study Group. I didn’t stick around for this one. Best I can tell they are coming up with some big picture guidance to provide to the ICANN board on security issues involving the DNS. You can find more information about the group here.

Day 2

COMAR: classification of compromised versus maliciously registered domains
Maciej Korczynski, Christian Hesselman, Benoit Ampeau
I missed this one, but the title is pretty self-explanatory. Probably everything you need to know here.

Canadian Shield - A year of experience operating a secure national DNS infrastructure for Canada
Marc Gaudet
A project run by CIRA.ca to essentially help limit “leakage” of DNS data and limit exposure to malicious domain names for Canadians. Basically a government-sponsored open resolver service. Currently serves ~700 million queries/day. More detail here.

The DNS practice on security and stability in Alibaba Cloud DNS
Yong Ma
An overview of how Alibaba operates its DNS resolution infrastructure. Compared with the project above, Alibaba serves about 1 trillion queries/day.

DNS security threats outreach platform KINDNS
Adiel Akplogan, Michael Hausing, Leslie Daigle, Andrew Campling
I did not stick around for this one. This is a relatively new effort sponsored by ICANN. KINDNS stands for Knowledge-sharing and Instantiating Norms for DNS and Naming Security. More detail here.

Day 3

DNS cache poisoning revived with network side channels (SAD DNS)
Zhiyun Qian
I missed this one, but I believe it was essentially presenting this research here.

Poison over troubled forwarders: A cache poisoning attack targeting DNS forwarding devices
Xiang Li
More cache poisoning research. Involves IP ID prediction. Uses CNAME RRs to force fragmentation, which helps facilitate the attack. Originally published here.

rm -rf SHA-1: DNSSEC algorithm roll en masse
Howard Eland
Case study on Donuts’ (formerly Afilias) efforts to change DNSSEC parameters across their TLDs. Lots of manpower to accomplish; no major problems reported.

Message digest for DNS Zones
Duane Wessels
Discussing the introduction of a new RR called ZONEMD, which is intended initially for the root zone and is computed over the canonically ordered zone data (as DNSSEC does), with the exception of the ZONEMD record itself. Ideally this record would be protected by DNSSEC. Other TLDs are looking at deploying this as well. Recently achieved RFC status here.
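To make the scheme concrete, here is an added Python model of how a zone digest of this kind is built and checked. It is my own illustration, not code from the talk or from any ZONEMD implementation, and it is deliberately simplified: records are serialized in presentation text rather than DNSSEC wire format, RDATA is ordered by text rather than by wire form, and the RR type table is a small assumed subset. So it will not interoperate with real tooling, but the structural rules it shows are the ones that matter: canonical owner-name ordering, ordering by numeric RR type, duplicate suppression, exclusion of the apex ZONEMD record from its own digest, SHA-384 as the hash, and the SOA serial binding the digest to one zone version. The zone, names and addresses are constructed sample data from reserved documentation ranges.

```python
"""Simplified model of the ZONEMD zone-digest scheme (added illustration, not project code).

Assumed simplifications: presentation-text serialization instead of wire format, text
ordering of RDATA, a small RR type table. Scheme 1 / hash algorithm 1 = SHA-384 as in RFC 8976.
"""
import hashlib
import hmac
from typing import List, Tuple

Record = Tuple[str, int, str, str, str]  # owner, ttl, class, type, rdata (presentation form)

# Numeric RR type codes for the "order by type" step (assumed subset, enough for the sample).
TYPE_CODE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "ZONEMD": 63}

ZONEMD_SCHEME_SIMPLE = 1  # scheme 1: one digest over the whole zone
ZONEMD_HASH_SHA384 = 1    # hash algorithm 1: SHA-384

# Constructed sample zone (not real data).
SAMPLE_ZONE: List[Record] = [
    ("example.test.", 3600, "IN", "SOA",
     "ns1.example.test. hostmaster.example.test. 2021051801 7200 3600 1209600 3600"),
    ("example.test.", 3600, "IN", "NS", "ns1.example.test."),
    ("example.test.", 3600, "IN", "NS", "ns2.example.test."),
    ("ns1.example.test.", 3600, "IN", "A", "192.0.2.1"),
    ("ns2.example.test.", 3600, "IN", "AAAA", "2001:db8::2"),
    ("www.example.test.", 300, "IN", "A", "192.0.2.10"),
    ("Mail.example.test.", 300, "IN", "A", "192.0.2.25"),  # mixed-case owner: must fold to lower case
]


def canonical_name_key(owner: str) -> Tuple[str, ...]:
    """DNSSEC canonical name order: compare labels from the root rightwards, case-insensitively."""
    return tuple(reversed(owner.rstrip(".").lower().split(".")))


def canonical_order(records: List[Record]) -> List[Record]:
    """Sort by owner name, then numeric RR type, then RDATA (text here; wire form in the real scheme)."""
    return sorted(records, key=lambda r: (canonical_name_key(r[0]), TYPE_CODE[r[3]], r[4]))


def digest_input(records: List[Record], apex: str) -> bytes:
    """Serialize the zone as the digest sees it: canonical order, duplicate RRs counted once,
    and the apex ZONEMD record left out (it is the one record the digest cannot cover)."""
    apex_key = canonical_name_key(apex)
    seen = set()
    lines = []
    for owner, ttl, cls, rtype, rdata in canonical_order(records):
        if rtype == "ZONEMD" and canonical_name_key(owner) == apex_key:
            continue
        key = (owner.lower(), cls, rtype, rdata)
        if key in seen:
            continue
        seen.add(key)
        lines.append(f"{owner.lower()} {ttl} {cls} {rtype} {rdata}\n")
    return "".join(lines).encode()


def compute_zonemd_digest(records: List[Record], apex: str) -> str:
    """SHA-384 over the digest input, hex-encoded."""
    return hashlib.sha384(digest_input(records, apex)).hexdigest()


def soa_serial(records: List[Record], apex: str) -> int:
    apex_key = canonical_name_key(apex)
    for owner, _ttl, _cls, rtype, rdata in records:
        if rtype == "SOA" and canonical_name_key(owner) == apex_key:
            return int(rdata.split()[2])  # SOA RDATA: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
    raise ValueError("no apex SOA record")


def make_zonemd_record(records: List[Record], apex: str, ttl: int = 3600) -> Record:
    """Publisher side: build the apex ZONEMD RR as 'serial scheme hash-algorithm digest'."""
    digest = compute_zonemd_digest(records, apex)
    rdata = f"{soa_serial(records, apex)} {ZONEMD_SCHEME_SIMPLE} {ZONEMD_HASH_SHA384} {digest}"
    return (apex, ttl, "IN", "ZONEMD", rdata)


def verify_zonemd(records: List[Record], apex: str) -> bool:
    """Verifier side: accept the zone if some apex ZONEMD matches the SOA serial, uses a
    supported scheme/hash, and its digest equals the one recomputed over the rest of the zone."""
    apex_key = canonical_name_key(apex)
    zonemds = [r for r in records if r[3] == "ZONEMD" and canonical_name_key(r[0]) == apex_key]
    if not zonemds:
        return False  # nothing to verify against
    try:
        serial = soa_serial(records, apex)
    except ValueError:
        return False
    expected = compute_zonemd_digest(records, apex)
    for _owner, _ttl, _cls, _type, rdata in zonemds:
        fields = rdata.split()
        if len(fields) != 4 or int(fields[0]) != serial:
            continue  # stale ZONEMD: digest belongs to another zone version
        if int(fields[1]) != ZONEMD_SCHEME_SIMPLE or int(fields[2]) != ZONEMD_HASH_SHA384:
            continue  # unsupported scheme/hash: cannot be checked here
        if hmac.compare_digest(fields[3].lower(), expected):
            return True
    return False


if __name__ == "__main__":
    apex = "example.test."
    zonemd = make_zonemd_record(SAMPLE_ZONE, apex)
    published = SAMPLE_ZONE + [zonemd]
    print("ZONEMD RDATA:", zonemd[4])
    print("published zone verifies:", verify_zonemd(published, apex))
    # Alter one answer in transit and the digest no longer matches.
    tampered = [("www.example.test.", 300, "IN", "A", "203.0.113.66") if r[0] == "www.example.test." else r
                for r in published]
    print("tampered zone verifies:", verify_zonemd(tampered, apex))
```

Two properties worth noticing when running it: the digest is the same whatever order the records arrive in (that is what the canonical ordering buys), and the ZONEMD record contributes nothing to its own digest, which is why the talk stresses that it should itself be covered by DNSSEC; without a signature, anyone who can rewrite the zone data can simply recompute the digest.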