{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T00:07:11Z","timestamp":1755907631414,"version":"3.44.0"},"publisher-location":"New York, NY, USA","reference-count":76,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,11,4]],"date-time":"2024-11-04T00:00:00Z","timestamp":1730678400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,11,4]]},"DOI":"10.1145\/3646547.3689017","type":"proceedings-article","created":{"date-parts":[[2024,11,1]],"date-time":"2024-11-01T09:40:26Z","timestamp":1730454026000},"page":"415-422","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Zeros Are Heroes: NSEC3 Parameter Settings in the Wild"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-1887-6777","authenticated-orcid":false,"given":"Cordian Alexander","family":"Daniluk","sequence":"first","affiliation":[{"name":"Hasso Plattner Institute, University of Potsdam, Potsdam, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-1094-7519","authenticated-orcid":false,"given":"Yevheniya","family":"Nosyk","sequence":"additional","affiliation":[{"name":"Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG, Grenoble, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6950-6574","authenticated-orcid":false,"given":"Andrzej","family":"Duda","sequence":"additional","affiliation":[{"name":"Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG, Grenoble, France"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4334-3260","authenticated-orcid":false,"given":"Maciej","family":"Korczynski","sequence":"additional","affiliation":[{"name":"Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG, Grenoble, France"}]}],"member":"320","published-online":{"date-parts":[[2024,11,4]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities. In 29th USENIX Security Symposium (USENIX Security 20)","author":"Afek Yehuda","year":"2020","unstructured":"Yehuda Afek, Anat Bremler-Barr, and Lior Shafir. 2020. NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 631--648."},{"key":"e_1_3_2_1_2_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Afek Yehuda","year":"2023","unstructured":"Yehuda Afek, Anat Bremler-Barr, and Shani Stajnrod. 2023. NRDelegationAttack: Complexity DDoS attack on DNS Recursive Resolvers. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA, 3187--3204."},{"key":"e_1_3_2_1_3_1","unstructured":"Cathy Almond. 2024. CVE-2023--50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources. https:\/\/kb.isc.org\/docs\/cve-2023--50868."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"crossref","unstructured":"Roy Arends Geoffrey Sisson David Blacka and Ben Laurie. 2008. DNS Security (DNSSEC) Hashed Authenticated Denial of Existence. RFC 5155.","DOI":"10.17487\/rfc4956"},{"key":"e_1_3_2_1_5_1","volume-title":"Using the Domain Name System for System Break-ins. In 5th USENIX UNIX Security Symposium (USENIX Security 95)","author":"Bellovin Steven M.","year":"1995","unstructured":"Steven M. Bellovin. 1995. Using the Domain Name System for System Break-ins. In 5th USENIX UNIX Security Symposium (USENIX Security 95). USENIX Association, Salt Lake City, UT, 1--10."},{"volume-title":"Research in Attacks, Intrusions, and Defenses","author":"Bushart Jonas","key":"e_1_3_2_1_6_1","unstructured":"Jonas Bushart and Christian Rossow. 2018. DNS Unchained: Amplified Application-Layer DoS Attacks Against DNS Authoritatives. In Research in Attacks, Intrusions, and Defenses. Springer International Publishing, Cham, 139--160."},{"key":"e_1_3_2_1_7_1","unstructured":"Cali Dog Security. 2022. Certstream. https:\/\/calidog.io."},{"key":"e_1_3_2_1_8_1","unstructured":"Christopher Wood Anbang Wen. 2022. Announcing experimental DDR in 1.1.1.1. https:\/\/blog.cloudflare.com\/announcing-ddr-support."},{"key":"e_1_3_2_1_9_1","volume-title":"End-to-End View of the DNSSEC Ecosystem. In 26th USENIX Security Symposium (USENIX Security 17)","author":"Chung Taejoong","year":"2017","unstructured":"Taejoong Chung, Roland van Rijswijk-Deij, Balakrishnan Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, and Christo Wilson. 2017. A Longitudinal, End-to-End View of the DNSSEC Ecosystem. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 1307--1322."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3131365.3131373"},{"key":"e_1_3_2_1_11_1","unstructured":"Cloudflare. 2023. Cloudflare 1.1.1.1. https:\/\/developers.cloudflare.com\/1.1.1.1\/."},{"key":"e_1_3_2_1_12_1","unstructured":"Cloudflare. 2024. Cloudflare Website and Online Services Terms of Use. https:\/\/www.cloudflare.com\/website-terms\/."},{"key":"e_1_3_2_1_13_1","unstructured":"CZ.NIC labs. 2021. Release Notes. https:\/\/knot-resolver.readthedocs.io\/en\/v5.3.1\/NEWS.html."},{"key":"e_1_3_2_1_14_1","unstructured":"CZ.NIC labs. 2024. Migration. https:\/\/www.knot-dns.cz\/docs\/3.2\/html\/migration.html."},{"key":"e_1_3_2_1_15_1","unstructured":"CZ.NIC labs. 2024. Release Notes. https:\/\/knot-resolver.readthedocs.io\/en\/stable\/NEWS.html."},{"key":"e_1_3_2_1_16_1","unstructured":"David Dittrich and Erin Kenneally. 2012. The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research. Technical Report. U.S. Department of Homeland Security. https:\/\/catalog.caida.org\/paper\/2012_menlo_report_actual_formatted."},{"key":"e_1_3_2_1_17_1","unstructured":"Domainnameshop. 2024. Domainnameshop. https:\/\/domainname.shop\/."},{"volume-title":"ZMap: Fast Internet-wide Scanning and Its Security Applications. In 22nd USENIX Security Symposium (USENIX Security 13)","author":"Durumeric Zakir","key":"e_1_3_2_1_18_1","unstructured":"Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. 2013. ZMap: Fast Internet-wide Scanning and Its Security Applications. In 22nd USENIX Security Symposium (USENIX Security 13). USENIX Association, Washington, D.C., 605--620."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFCOM.2013.6566739"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3278532.3278564"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"crossref","unstructured":"Sharon Goldberg Leonid Reyzin Dimitrios Papadopoulos and Jan V?el\u00e1k. 2023. Verifiable Random Functions (VRFs). RFC 9381.","DOI":"10.17487\/RFC9381"},{"key":"e_1_3_2_1_22_1","unstructured":"Google Domains. 2024. Google Domains | Official Site. https:\/\/domains.google\/."},{"key":"e_1_3_2_1_23_1","unstructured":"Google Domains. 2024. Use advanced DNSSEC. https:\/\/cloud.google.com\/dns\/docs\/dnssec-advanced."},{"key":"e_1_3_2_1_24_1","volume-title":"18th USENIX WOOT Conference on Offensive Technologies (WOOT 24)","author":"Gruza Olivia","year":"2024","unstructured":"Olivia Gruza, Elias Heftrig, Oliver Jacobsen, Haya Schulmann, Niklas Vogel, and Michael Waidner. 2024. Attacking with Something That Does Not Exist: textquoterightProof of Non-Existencetextquoteright Can Exhaust DNS Resolver CPU. In 18th USENIX WOOT Conference on Offensive Technologies (WOOT 24). USENIX Association, Philadelphia, PA, 45--57. https:\/\/www.usenix.org\/conference\/woot24\/presentation\/gruza"},{"key":"e_1_3_2_1_25_1","volume-title":"Observing DNSSEC Validation in the Wild. Securing and Trusting Internet Names (SATIN)","author":"Gu\u00f0mundsson \u00d3lafur","year":"2011","unstructured":"\u00d3lafur Gu\u00f0mundsson and Stephen D Crocker. 2011. Observing DNSSEC Validation in the Wild. Securing and Trusting Internet Names (SATIN) (2011)."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"crossref","unstructured":"Wes Hardaker and Viktor Dukhovni. 2022. Guidance for NSEC3 Parameter Settings. RFC 9276.","DOI":"10.17487\/RFC9276"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670389"},{"key":"e_1_3_2_1_28_1","volume-title":"Measuring Chinatextquoterights DNS Censorship. In 30th USENIX Security Symposium (USENIX Security 21)","author":"Hoang Nguyen Phong","year":"2021","unstructured":"Nguyen Phong Hoang, Arian Akhavan Niaki, Jakub Dalek, Jeffrey Knockel, Pellaeon Lin, Bill Marczak, Masashi Crete-Nishihata, Phillipa Gill, and Michalis Polychronakis. 2021. How Great is the Great Firewall? Measuring Chinatextquoterights DNS Censorship. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 3381--3398. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/hoang"},{"key":"e_1_3_2_1_29_1","unstructured":"hostnet. 2024. Have a website made. https:\/\/www.hostnet.nl."},{"key":"e_1_3_2_1_30_1","unstructured":"Hotspoint. 2024. .swiss Domain. https:\/\/www.hostpoint.ch\/."},{"key":"e_1_3_2_1_31_1","unstructured":"IANA. 2024. Root Zone Database. https:\/\/www.iana.org\/domains\/root\/db."},{"key":"e_1_3_2_1_32_1","unstructured":"ICANN. 2022. Centralized Zone Data Service. https:\/\/czds.icann.org."},{"key":"e_1_3_2_1_33_1","unstructured":"Internet Systems Consortium. 2021. Release Notes. https:\/\/bind9.readthedocs.io\/en\/v9.16.16\/notes.html."},{"key":"e_1_3_2_1_34_1","unstructured":"Internet Systems Consortium. 2022. Notes for BIND 9.18.0. https:\/\/bind9.readthedocs.io\/en\/v9.18.0\/notes.html."},{"key":"e_1_3_2_1_35_1","unstructured":"Internet Systems Consortium. 2023. Release Notes. https:\/\/bind9.readthedocs.io\/en\/v9.19.19\/notes.html."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3517745.3561434"},{"key":"e_1_3_2_1_37_1","unstructured":"Dan Kaminsky. 2008. It's the End of the Cache as We Know It. https:\/\/www.slideshare.net\/dakami\/dmk-bo2-k8."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2815675.2815683"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/NOMS.2018.8406223"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23386"},{"key":"e_1_3_2_1_41_1","volume-title":"Measuring the Practical Impact of DNSSEC Deployment. In 22nd USENIX Security Symposium (USENIX Security 13)","author":"Lian Wilson","year":"2013","unstructured":"Wilson Lian, Eric Rescorla, Hovav Shacham, and Stefan Savage. 2013. Measuring the Practical Impact of DNSSEC Deployment. In 22nd USENIX Security Symposium (USENIX Security 13). USENIX Association, Washington, D.C., 573--588."},{"key":"e_1_3_2_1_42_1","unstructured":"Loopia. 2024. Your own space online for just 9 SEK. https:\/\/www.loopia.se\/."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"crossref","unstructured":"Paul Mockapetris. 1987 a. Domain names - concepts and facilities. RFC 1034.","DOI":"10.17487\/rfc1034"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"crossref","unstructured":"Paul Mockapetris. 1987 b. Domain names - implementation and specification. RFC 1035.","DOI":"10.17487\/rfc1035"},{"key":"e_1_3_2_1_45_1","unstructured":"NLNet Labs. 2024. Unbound 1.13.2 released. https:\/\/www.nlnetlabs.nl\/news\/2021\/Aug\/12\/unbound-1.13.2-released\/."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3618257.3624835"},{"key":"e_1_3_2_1_47_1","volume-title":"Emile Aben, Giovane C. M. Moura, Samaneh Tajalizadehkhoob, Andrzej Duda, and Maciej Korczy'nski.","author":"Nosyk Yevheniya","year":"2023","unstructured":"Yevheniya Nosyk, Qasim Lone, Yury Zhauniarovich, Carlos H. Ga n\u00e1n, Emile Aben, Giovane C. M. Moura, Samaneh Tajalizadehkhoob, Andrzej Duda, and Maciej Korczy'nski. 2023. Intercept and Inject: DNS Response Manipulation in the Wild. In Passive and Active Measurement. Springer Nature Switzerland, Cham, 461--478."},{"key":"e_1_3_2_1_48_1","unstructured":"University of Oregon. 2024. Route Views Project. http:\/\/www.routeviews.org\/routeviews\/."},{"key":"e_1_3_2_1_49_1","unstructured":"one.com. 2024. Start your website with one.com. https:\/\/www.one.com\/en\/."},{"key":"e_1_3_2_1_50_1","unstructured":"OVHcloud. 2024. Cloud Computing & Web Hosting | OVHcloud Worldwide. https:\/\/www.ovhcloud.com\/."},{"key":"e_1_3_2_1_51_1","unstructured":"Dimitrios Papadopoulos Duane Wessels Shumon Huque Moni Naor Jan V?el\u00e1k Leonid Reyzin and Sharon Goldberg. 2017. Making NSEC5 Practical for DNSSEC. Cryptology ePrint Archive Paper 2017\/099."},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2896816"},{"key":"e_1_3_2_1_53_1","volume-title":"Global Measurement of DNS Manipulation. In 26th USENIX Security Symposium (USENIX Security 17)","author":"Pearce Paul","year":"2017","unstructured":"Paul Pearce, Ben Jones, Frank Li, Roya Ensafi, Nick Feamster, Nick Weaver, and Vern Paxson. 2017. Global Measurement of DNS Manipulation. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 307--323. https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/pearce"},{"key":"e_1_3_2_1_54_1","unstructured":"PowerDNS.COM BV. 2022. Changelogs for 4.5.X. https:\/\/doc.powerdns.com\/recursor\/changelog\/4.5.html."},{"key":"e_1_3_2_1_55_1","unstructured":"PowerDNS.COM BV. 2024. Changelogs for 5.0.X. https:\/\/doc.powerdns.com\/recursor\/changelog\/5.0.html."},{"key":"e_1_3_2_1_56_1","unstructured":"PowerDNS.COM BV. 2024. Upgrade Notes. https:\/\/doc.powerdns.com\/authoritative\/upgrading.html."},{"key":"e_1_3_2_1_57_1","unstructured":"RIPE Atlas. 2020. RIPE Atlas Service Terms and Conditions. https:\/\/www.ripe.net\/about-us\/legal\/ripe-atlas-service-terms-and-conditions."},{"key":"e_1_3_2_1_58_1","unstructured":"RIPE NCC. 2024. RIPE Atlas. https:\/\/atlas.ripe.net\/."},{"key":"e_1_3_2_1_59_1","unstructured":"Scott Rose Matt Larson Dan Massey Rob Austein and Roy Arends. 2005 a. DNS Security Introduction and Requirements. RFC 4033."},{"key":"e_1_3_2_1_60_1","unstructured":"Scott Rose Matt Larson Dan Massey Rob Austein and Roy Arends. 2005 b. Protocol Modifications for the DNS Security Extensions. RFC 4035."},{"key":"e_1_3_2_1_61_1","unstructured":"Scott Rose Matt Larson Dan Massey Rob Austein and Roy Arends. 2005 c. Resource Records for the DNS Security Extensions. RFC 4034."},{"key":"e_1_3_2_1_62_1","unstructured":"SIE Europe. 2022. Passive DNS Data Sharing. https:\/\/www.sie-europe.net."},{"key":"e_1_3_2_1_63_1","unstructured":"Technitium. 2024. Technitium DNS Server. https:\/\/technitium.com\/dns\/."},{"key":"e_1_3_2_1_64_1","unstructured":"TimeWeb. 2024. Timeweb - Hosting provider and accredited registrar of domains in RU\/RF zones. https:\/\/timeweb.com\/ru\/."},{"key":"e_1_3_2_1_65_1","unstructured":"TransIP. 2024. High Performance Servers to Power your Infrastructure. https:\/\/www.transip.eu\/."},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1186\/s13388-015-0023-y"},{"key":"e_1_3_2_1_67_1","unstructured":"Viktor Dukhovni. 2021. https:\/\/twitter.com\/VDukhovni\/status\/1445242037113085956."},{"key":"e_1_3_2_1_68_1","unstructured":"Viktor Dukhovni. 2021. NSEC3 parameter selection (BCP: 1 0 0 -). https:\/\/lists.dns-oarc.net\/pipermail\/dns-operations\/2021-January\/020838.html."},{"key":"e_1_3_2_1_69_1","unstructured":"Jan V?el\u00e1k Sharon Goldberg Dimitrios Papadopoulos Shumon Huque and David C Lawrence. 2018. NSEC5 DNSSEC Authenticated Denial of Existence. Internet-Draft draft-vcelak-nsec5-08. Internet Engineering Task Force. Work in Progress."},{"key":"e_1_3_2_1_70_1","volume-title":"Measurement Survey of Server-Side DNSSEC Adoption. In 2017 Network Traffic Measurement and Analysis Conference (TMA). IEEE, 1--9.","author":"Wander Matth\u00e4us","year":"2017","unstructured":"Matth\u00e4us Wander. 2017. Measurement Survey of Server-Side DNSSEC Adoption. In 2017 Network Traffic Measurement and Analysis Conference (TMA). IEEE, 1--9."},{"key":"e_1_3_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1109\/NCA.2014.27"},{"volume-title":"Passive and Active Measurement","author":"Wander Matth\u00e4us","key":"e_1_3_2_1_72_1","unstructured":"Matth\u00e4us Wander and Torben Weis. 2013. Measuring Occurrence of DNSSEC Validation. In Passive and Active Measurement. Springer Berlin Heidelberg, Berlin, Heidelberg, 125--134."},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.2495\/MIIT130591"},{"key":"e_1_3_2_1_74_1","unstructured":"Wix.com. 2024. Create a website without limits. https:\/\/www.wix.com\/."},{"key":"e_1_3_2_1_75_1","unstructured":"Suzanne Woolf. 2020. Upcoming DNSSEC changes to PIR delegated Top Level Domains. https:\/\/lists.dns-oarc.net\/pipermail\/org-algorithm-roll\/2020-September\/000001.html."},{"key":"e_1_3_2_1_76_1","volume-title":"Check-Repeat: A New Method of Measuring DNSSEC Validating Resolvers. In 2013 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). IEEE, 381--386","author":"Yu Yingdi","year":"2013","unstructured":"Yingdi Yu, Duane Wessels, Matt Larson, and Lixia Zhang. 2013. Check-Repeat: A New Method of Measuring DNSSEC Validating Resolvers. In 2013 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). IEEE, 381--386."}],"event":{"name":"IMC '24: ACM Internet Measurement Conference","sponsor":["SIGMETRICS ACM Special Interest Group on Measurement and Evaluation","SIGCOMM ACM Special Interest Group on Data Communication"],"location":"Madrid Spain","acronym":"IMC '24"},"container-title":["Proceedings of the 2024 ACM on Internet Measurement Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3646547.3689017","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3646547.3689017","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T11:49:03Z","timestamp":1755863343000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3646547.3689017"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,11,4]]},"references-count":76,"alternative-id":["10.1145\/3646547.3689017","10.1145\/3646547"],"URL":"https:\/\/doi.org\/10.1145\/3646547.3689017","relation":{},"subject":[],"published":{"date-parts":[[2024,11,4]]},"assertion":[{"value":"2024-11-04","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}