[Podcast] RISKY BIZ-ness

Published on 23 Jan 2025

Category: Tech matters


A tightrope walker
Adapted from Kevin T's original image at Flickr.

Welcome back to PING for the first episode of 2025. In this episode, Gautam Akiwate (now with Apple, but with Stanford University at the time of recording) discusses the 2021 Advanced Network Research Prize-winning paper titled ‘Risky BIZness: Risks Derived from Registrar Name Management’, co-authored with Stefan Savage, Geoffrey Voelker, and KC Claffy.

The paper examines an issue in the supply chain of DNS name delegation, specifically around the IETF protocol known as the Extensible Provisioning Protocol (EPP). EPP, which operates over XML using the SOAP mechanism, carries communication between registries and registrars on behalf of domain name holders (delegates). Among other things, this communication specifies the DNS nameservers authorized to publish the delegated zone.

The problem is not rooted in the DNS itself but in certain operational practices adopted by some registrars to eliminate dangling dependencies when domain names are deregistered. To do this, they used an EPP feature to rename those dependencies so that the domain name could be sold to a new owner.

The issue is that this feature generated valid names, which anyone could then purchase. For certain DNS consumers, these newly valid nameservers would be recognized as authorized to serve the domain, which opened the door to attacks on the integrity of the DNS and the web.
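The defender-side check implied by the paragraphs above is an audit of a zone's delegations: does any NS record point at a hostname whose registrable parent domain is unregistered and therefore available for someone else to buy? The example below is added here and is not code from the paper, the podcast, or APNIC. It assumes a simplified rule that the registrable domain is the last two labels (a real audit would use the Public Suffix List) and takes registration status from a caller-supplied set rather than live RDAP/WHOIS lookups; the zone names and the "renamed-placeholder" nameserver are constructed sample data, since the page does not give the actual rename pattern registrars used.

```python
"""
Dangling-nameserver audit (added example, not from the paper or podcast).

For each zone, flag NS hostnames whose registrable parent domain is not
registered. Such a nameserver is a dangling dependency: whoever registers
that parent domain can run an authoritative server that some resolvers
will accept for the delegated zone.

Assumptions (not from the page):
  - registrable domain == last two labels of the hostname
  - registration status comes from a caller-supplied set of names
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    zone: str
    nameserver: str
    parent_domain: str


def normalise(name: str) -> str:
    """Strip the trailing root dot and lower-case, so comparisons are stable."""
    return name.rstrip(".").lower()


def registrable_domain(hostname: str) -> str:
    """Simplified registrable-domain extraction (assumption: last two labels)."""
    labels = normalise(hostname).split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully-qualified hostname: {hostname!r}")
    return ".".join(labels[-2:])


def find_dangling_nameservers(delegations, registered):
    """
    delegations: {zone: [ns hostname, ...]}
    registered:  iterable of registrable domains known to be registered
    Returns a list of Finding for every NS whose parent domain is unregistered.
    """
    registered_set = {normalise(d) for d in registered}
    findings = []
    for zone, nameservers in delegations.items():
        for ns in nameservers:
            parent = registrable_domain(ns)
            # In-bailiwick nameservers (ns under the zone itself) are covered
            # automatically: the zone's own registrable domain is in the set.
            if parent not in registered_set:
                findings.append(Finding(normalise(zone), normalise(ns), parent))
    return findings


# Constructed sample data: two zones, one of which still delegates to a
# hostname under a parent domain that nobody currently holds.
SAMPLE_DELEGATIONS = {
    "shop.example.": ["ns1.shop.example.", "ns2.dns-provider.example."],
    "bank.example.": ["ns1.renamed-placeholder.example.", "ns2.bank.example."],
}
SAMPLE_REGISTERED = {"shop.example", "dns-provider.example", "bank.example"}


if __name__ == "__main__":
    for f in find_dangling_nameservers(SAMPLE_DELEGATIONS, SAMPLE_REGISTERED):
        print(f"{f.zone}: NS {f.nameserver} depends on unregistered {f.parent_domain}")
```

Running it reports only `bank.example`, whose first nameserver lives under a parent domain absent from the registered set; that is exactly the kind of name the paper describes as purchasable. Swapping the sample set for real registration lookups turns this into a periodic check a zone owner can run against their own delegations.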

Gautam and his co-authors explored a very interesting quirk of the back-end systems and, in the process, helped improve the security of the DNS and identified weaknesses in a long-standing ‘daily dump’ process used to provide audit and historical data.

Read more about RISKY BIZness and the supply chain attack on the web:

Subscribe and share your story

You can stream and subscribe to PING via the following channels:

If you’re interested in sharing your insights or research, please get in touch — we’re always looking for great stories from the community. Please let us know what you think of the podcast and the APNIC Blog so we can keep improving.


The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
