Improving Response Deliverability in DNS(SEC)

Gijs van den Broek, Roland van Rijswijk, Roland M. van Rijswijk, Aiko Pras, Anna Sperotto

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review


    The Domain Name System provides a critical service on the Internet, where it allows host names to be translated to IP addresses. However, it does not provide any guarantees about authenticity and origin integrity of resolution data. DNSSEC attempts to solve this through the application of cryptographic signatures to DNS records. These signatures generally result in larger responses compared to plain DNS responses. Some of these larger responses experience fragmentation, and the fragments might in turn be partially blocked by some firewalls. In those cases, zones may appear to be unresolvable. Analysis of DNS traffic suggests that at least one per cent of all resolvers experience this problem with our signed zones. However, we suspect this number to be much larger. In our presentation we will elaborate on the potential extent of this problem and propose to test two solutions. We intend to test both solutions in our production environment.
    Original language: English
    Title of host publication: TERENA Networking Conference 2012
    Place of Publication: Amsterdam, The Netherlands
    Publisher: Trans-European Research and Education Networking Association
    Number of pages: 1
    Publication status: Published - May 2012
    Event: TERENA Networking Conference 2012 - Reykjavik, Iceland
    Duration: 21 May 2012 to 24 May 2012

    Publication series

    Publisher: Trans-European Research and Education Networking Association


    Conference: TERENA Networking Conference 2012
    Other: 21-24 May 2012


    • IR-81272
    • EWI-22169
    • DNSSEC
    • METIS-287973

