资料：OARC 2016 Spring Workshop

Recent DDoS attacks against RIPE NCC’s DNS servers

8w qps， 1G口，量不大

How we are developing a next generation DNS API for applications

https://getdnsapi.net

基础库工具，支持 stub / recursive 模式

异步

支持 dnssec/dane 验证，支持 dns over tls

Real-Time Analytics of DNS packets

redis

AAAA Deep Dive: DNS Resolution Anomalies and Performance across a Huge Data Set

配置ipv6/ipv4各种单独、混杂环境的递归，

测试1亿多域名权威是否能正常返回应答

纯v6的servfail比例较大，可以理解

ENTRADA: The Impact of a TTL Change at the TLD-level

nl顶级域，500w~600w 的二级域名量

zone update interval 2 hour -> 1 hour

NS TTL 7200 -> 3600

SOA NXDOMAIN TTL 900 -> 600

主要影响：峰值domain query double，nxdomain 略升

Continuous Data-driven Analysis of Root Server System Stability

里面的根区指标图挺不错……

RSSAC002 写的那一堆可以复习一下

Testing Most Authoritative Servers for Conformance

gTLD nameservers: a few very quick observations

all gtld zonefiles …

约 300w NS

约70w not glue records ( a name in .com whose NS records are in .net )

glue 跟 not glue 的 timeout 表现不一

如何reduce ?

其实吧，hot up cold down

State of the “DNS privacy” project: running code

dns over tls, port 853

https://dnscrypt.org/

QNAME minimisation in Unbound

unbound 已支持

draft-vixie-dnsext-resimprove

draft-ietf-dnsop-nxdomain-cut

Knot DNS Resolver

https://www.knot-resolver.cz

缓存server平台，有些acl啥的增强接口

Threshold-Cryptography Distributed HSM

libpcks

Multi-vantage point DNS Diagnostics and Measurement

dnsviz , 调试工具吧

其实跟域名体检差不多

Review and analysis of attack traffic against A-root and J-root on November 30 and December 1, 2015

895 million src ip ，伪造ip查询

4739 ip send 100+ query

top 200 ip => 68% traffic

主要打 336901.com/916yy.com，动机未明

rrl + filter

The Quest for the Missing Keytags

就是hash要不要搞长点

Increasing the Root Zone ZSK Size

response size, bandwidth cost 的差别

Deckard – Integration Testing of DNS Servers

又一个体检

DNS Secondary service for customers, evolution and “meta-slave”

多个备选server也还好吧

ECDSA - Reviewed

ECDSA 比 RSS 好点，不过支持比例低些

Zombies

只查一次，ttl=1s，随机数模板，

其实跟临时域名也满像的~

dns-stats

dns-stats.org

EDNS Compliance

edns的支持测试以及返回码，可以仔细看看

https://ednscomp.isc.org/compliance/summary.html

https://ednscomp.isc.org/compliance/tld-report.html

Rolling the Root Key

几年轮一次的……

Algorithm roll-over experiences

……

Panel: DNSSEC algorithm flexibility

……

Published

06 April 2016

Share On

twitter

weibo

本作品采用知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议进行许可。

DNS-OARC: 2016.04 阿根廷会议

Recent DDoS attacks against RIPE NCC’s DNS servers

How we are developing a next generation DNS API for applications

Real-Time Analytics of DNS packets

AAAA Deep Dive: DNS Resolution Anomalies and Performance across a Huge Data Set

ENTRADA: The Impact of a TTL Change at the TLD-level

Continuous Data-driven Analysis of Root Server System Stability

Testing Most Authoritative Servers for Conformance

State of the “DNS privacy” project: running code

QNAME minimisation in Unbound

Knot DNS Resolver

Threshold-Cryptography Distributed HSM

Multi-vantage point DNS Diagnostics and Measurement

Review and analysis of attack traffic against A-root and J-root on November 30 and December 1, 2015

The Quest for the Missing Keytags

Increasing the Root Zone ZSK Size

Deckard – Integration Testing of DNS Servers

DNS Secondary service for customers, evolution and “meta-slave”

ECDSA - Reviewed

Zombies

dns-stats

EDNS Compliance

Rolling the Root Key

Algorithm roll-over experiences

Panel: DNSSEC algorithm flexibility

Published

Tags

Share On

DNS-OARC: 2016.04 阿根廷 会议

Recent DDoS attacks against RIPE NCC’s DNS servers

How we are developing a next generation DNS API for applications

Real-Time Analytics of DNS packets

AAAA Deep Dive: DNS Resolution Anomalies and Performance across a Huge Data Set

ENTRADA: The Impact of a TTL Change at the TLD-level

Continuous Data-driven Analysis of Root Server System Stability

Testing Most Authoritative Servers for Conformance

State of the “DNS privacy” project: running code

QNAME minimisation in Unbound

Knot DNS Resolver

Threshold-Cryptography Distributed HSM

Multi-vantage point DNS Diagnostics and Measurement

Review and analysis of attack traffic against A-root and J-root on November 30 and December 1, 2015

The Quest for the Missing Keytags

Increasing the Root Zone ZSK Size

Deckard – Integration Testing of DNS Servers

DNS Secondary service for customers, evolution and “meta-slave”

ECDSA - Reviewed

Zombies

dns-stats

EDNS Compliance

Rolling the Root Key

Algorithm roll-over experiences

Panel: DNSSEC algorithm flexibility

Published

Tags

Share On

DNS-OARC: 2016.04 阿根廷会议