Session Date/Time: 15 Mar 2026 02:00
IEPG
IETF 119 Meeting Minutes
Session: IEPG
Chairs: Warren Kumari, Jen Linkova (Remote)
Summary
The IEPG meeting at IETF 119 focused almost exclusively on DNS operational measurements and research. Key topics included the traffic implications of deploying local root zones, resolver behaviours when encountering broken authoritative servers (specifically the `NS .` proposal), the prevalence of bitflipping in root server queries, and large-scale measurements of DNS resolution over IPv6 transport.
Key Discussion Points
1. Administrivia
- Presenter: Warren Kumari
- Slides: Administrivia
- The meeting was noted as being heavily DNS-centric, though IEPG traditionally covers broader operational topics.
2. Global Local Root
- Presenter: Willem Toorop
- Slides: Global Local Root
- Discussion:
- This research assessed the traffic impact of the local root Best Current Practice (referencing draft-ietf-dnsop-rfc8806bis).
- Baseline traffic for a resolver is approximately 1 MB per day. Early tests with Unbound showed an outlier of 105 MB/day due to aggressive HTTP fetching (48 updates/day), which has since been fixed via ETag/If-None-Match implementation.
- Knot Resolver uses roughly 2.2 MB/day by fetching once daily.
- The research explored "incremental signing" of the root zone, which could theoretically reduce daily traffic below the current baseline.
- Job Snijders recommended using gzip compression for HTTP transfers to save ~56% of bandwidth.
- Duane Wessels noted that comparing "clean" local root behaviour to "real-world" root traffic (where 90% of queries are junk) might be an unfair baseline.
- Geoff Huston argued that the root zone should be treated as a standard signed web object, moving distribution away from the DNS protocol to more efficient web delivery ecosystems.
3. Testing Resolver Behaviours With Broken Authoritative Servers
- Presenter: Wes Hardaker
- Slides: Testing Resolver Behaviours With Broken Authoritative Servers
- Discussion:
- Research explored the proposal (originally by Joe Abley, related to draft-abley-dnsop-delegation-dot) to point Name Server (NS) records to the root (`.`) for non-delegated strings like `.internal`.
- Using 5,000 RIPE Atlas probes, Hardaker tested several failure modes: non-existent parents, broken bailiwicks, and `NS .`.
- Findings: All error conditions cause increased traffic. `NS .` results in SERVFAIL, which current resolvers do not cache effectively, causing repeat queries. However, `NS .` was found to be "no worse" than existing broken infrastructure (e.g., lame delegations).
- Conclusion: An empty zone (returning NXDOMAIN) remains the best way to control negative caching TTLs, whereas `NS .` is a useful signal but currently triggers uncached SERVFAIL responses.
- Hardaker noted strange traffic remnants like A6 and CNAME queries for non-existent records.
4. Bitflipping root-servers.net
- Presenter: Peter Thomassen
- Slides: Bitflipping root-servers.net
- Discussion:
- Inspired by previous work on "bitsquatting," Thomassen registered 48 bitflip variations of `root-servers.net` to see if resolvers would latch onto them due to memory errors.
- Significant traffic was observed, particularly for r-k-o-t-servers.net.
- Data analysis revealed "resolution cascades" from specific sources, notably car navigation systems (Volvo, Ford) and older systems like G-Book. These systems appeared to have structural memory defects rather than random flips.
- Lorenzo Colitti questioned if the flips were network-induced, but the structural consistency of the flips suggested hardware/client memory issues.
- Thomassen implemented "fake root servers" (proxied to K-root) to further observe behaviour. The research concluded that while interesting, the volume is low enough that it doesn't represent a massive threat, though the names are now registered to prevent malicious exploitation.
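To make the registration-and-observation technique above concrete, here is an added example (not code from Thomassen's presentation or any IEPG material) that enumerates the single-bit-flip variants of a zone name and then flags queries in a resolver-style log that land on one of them, which is the defensive use of this data: knowing which names to register or watch. The rules for what counts as a variant are assumptions: the flipped character must stay within the hostname alphabet (a-z, 0-9, hyphen), a label may not start or end with a hyphen, and flips inside the TLD label are skipped because such names cannot be registered. Under these rules the candidate count differs from the 48 names the presentation reports; the minutes do not state the criteria used for registration. The log lines are constructed sample data.

```python
"""Enumerate single-bit-flip variants of a domain name and flag log entries hitting them.

Added example. Assumed variant rules: stay within [a-z0-9-], keep labels free
of leading/trailing hyphens, and skip the TLD label (not registrable).
Case-only flips (bit 0x20 on letters) fall out automatically because the
uppercase result is not in the allowed alphabet, and DNS is case-insensitive.
"""
import re
from typing import Iterable

HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def bitflip_variants(name: str, skip_tld: bool = True) -> list[str]:
    """Return every name that differs from `name` by exactly one flipped bit."""
    labels = name.lower().rstrip(".").split(".")
    last = len(labels) - 1 if skip_tld else len(labels)
    variants: set[str] = set()
    for li in range(last):
        label = labels[li]
        for ci, ch in enumerate(label):
            for bit in range(8):
                flipped = chr(ord(ch) ^ (1 << bit))
                if flipped not in HOST_CHARS:
                    continue
                new_label = label[:ci] + flipped + label[ci + 1:]
                if new_label.startswith("-") or new_label.endswith("-"):
                    continue
                variants.add(".".join(labels[:li] + [new_label] + labels[li + 1:]))
    return sorted(variants)


# Constructed sample log in a simple "timestamp client qname qtype" shape.
SAMPLE_LOG = """\
2026-03-15T02:00:01Z 192.0.2.10 a.root-servers.net A
2026-03-15T02:00:02Z 192.0.2.11 k.rkot-servers.net AAAA
2026-03-15T02:00:03Z 198.51.100.5 www.example.com A
2026-03-15T02:00:04Z 192.0.2.11 roo4-servers.net NS
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def hits_for_log(lines: Iterable[str], zone: str) -> list[tuple[str, str, str]]:
    """Return (client, qname, matched_variant) for each query under a bitflip variant of `zone`."""
    variants = set(bitflip_variants(zone))
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        qname = qname.lower().rstrip(".")
        parts = qname.split(".")
        # Walk up the name so k.rkot-servers.net matches the variant rkot-servers.net.
        for i in range(len(parts) - 1):
            suffix = ".".join(parts[i:])
            if suffix in variants:
                hits.append((client, qname, suffix))
                break
    return hits


if __name__ == "__main__":
    names = bitflip_variants("root-servers.net")
    print(f"{len(names)} registrable single-bit variants, e.g. {names[:5]}")
    for client, qname, variant in hits_for_log(SAMPLE_LOG.splitlines(), "root-servers.net"):
        print(f"{client} queried {qname} (variant of root-servers.net: {variant})")
```

Flips in the 'o' of the first label produce `rkot-servers.net`, and flipping bit 6 of 't' produces `roo4-servers.net`; both are caught in the sample log even when the query is for a child name. Because structural memory faults repeat the same flip, grouping hits by client and variant is the quickest way to separate a defective device population from one-off noise.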
5. Measuring DNS over IPv6
- Presenter: Geoff Huston
- Slides: Measuring DNS over IPv6
- Discussion:
- Huston used APNIC's ad-based measurement system to test the viability of IPv6-only authoritative name servers (referencing the context of RFC 3901).
- Approximately 66-67% of users can resolve a name if the authoritative server only answers over IPv6.
- The research highlighted the "glueless delegation" problem: some regions (e.g., North Africa, Algeria) effectively block resolution of names that require additional glueless lookups.
- Findings: The DNS is a "massive feedback amplification system" where ~40% of queries are "bullshit" (no user is waiting for the answer). Simple models of resolver/stub behaviour are failing to capture the complexity of modern traffic (replays, log-playing, and aggressive pre-fetching).
- Wes Hardaker and Job Snijders discussed the persistence of DNS queries and the potential for memory bitflips to actually serve as a "natural" end to infinite query loops.
Decisions and Action Items
- Willem Toorop noted that Unbound has already been patched to include ETag support for root zone fetching over HTTPS to reduce redundant traffic.
- Peter Thomassen will continue monitoring the bitflipped domains, though they are currently "parked" for security.
Next Steps
- Participants were encouraged to bring non-DNS operational topics (e.g., BGP, routing) to future IEPG meetings to balance the agenda.
- Future research on DELEG (referencing draft-ietf-dnsop-deleg) and its impact on the "path" of DNS resolution was suggested as an area for further measurement.
Related Documents
draft-abley-dnsop-delegation-dot, draft-ietf-dnsop-deleg, draft-ietf-dnsop-rfc8806bis