Should I Trust You? Rethinking the Principle of Zone-Based Isolation DNS Bailiwick Checking
Yuxiao Wu
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Cache & Microarch Security
The **bailiwick checking** principle has served as a cornerstone of DNS security for over 20 years, preventing resolvers from accepting out-of-zone records in DNS responses. This talk presents a comprehensive re-examination of this fundamental mechanism, revealing that the 20-year-old bailiwick principle has failed to keep pace with the modern DNS ecosystem. The researchers analyzed **eight popular DNS software implementations** and found that **seven contain security risks**, with two vulnerable to all three newly identified attack methods. The work also assessed real-world impact, finding that approximately **half of 600,000 open resolvers** and **70% of public DNS providers** are vulnerable to the proposed attacks.
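As an added illustration of the principle the abstract describes (example code written here, not code from the paper or from any of the audited DNS implementations), a minimal resolver-side bailiwick filter: given the zone the queried server is authoritative for, it keeps only records whose owner name lies at or below that zone. Names are compared label by label rather than as string suffixes, so a name such as `badexample.com` is not mistaken for being inside `example.com`; the sample response is constructed.

```python
from dataclasses import dataclass

def labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels; trailing dot and root are ignored."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (label-wise match)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

@dataclass(frozen=True)
class RR:
    """A resource record as seen in a response: owner name, type, rdata."""
    name: str
    rtype: str
    rdata: str

def filter_response(records: list[RR], zone: str) -> tuple[list[RR], list[RR]]:
    """Apply the bailiwick rule: `zone` is the zone the queried server is
    authoritative for. Returns (accepted, rejected)."""
    accepted: list[RR] = []
    rejected: list[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected

# Constructed response: resolver asked a server authoritative for "com."
# about www.example.com. The delegation and its glue are in bailiwick;
# the last record names a different TLD and must not enter the cache.
SAMPLE_RESPONSE = [
    RR("example.com.", "NS", "ns1.example.com."),
    RR("NS1.EXAMPLE.COM.", "A", "192.0.2.1"),      # glue, in bailiwick (case-insensitive)
    RR("www.victim.net.", "A", "198.51.100.7"),    # out of bailiwick of com.
]

if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_RESPONSE, "com.")
    print("accepted:", [r.name for r in kept])
    print("rejected:", [r.name for r in dropped])
```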
AI review
A thorough audit of DNS bailiwick checking implementations across eight popular DNS software packages, revealing that 20 years of assumptions about zone-based isolation are broken by modern multi-tenant DNS hosting. The work is methodical -- RFC analysis, software testing, 600K resolver measurement -- and the 7-of-8 software vulnerability rate plus 70% of public DNS providers being affected demonstrates real-world impact. Not flashy, but this is the kind of unglamorous infrastructure research that matters.