The internet infrastructure community gathered in Bucharest, Romania from 20 through 24 October, 2025 for RIPE 91. Over 500 on-site attendees and 300 virtual participants got together for a week of technical discussions, presentations and collaborative problem-solving.

What is RIPE?
RIPE (Réseaux IP Européens) is an open forum for anyone interested in the coordination and technical development of the Internet across Europe, the Middle East and parts of Central Asia. RIPE meetings, held twice annually, are open, collaborative events where the global internet operations community comes together to advance best practices and policies, share research and resources, and debate the future of the internet’s infrastructure.
Our own IBM NS1 Connect Engineer, Shane Kerr, attended RIPE 91, contributing to discussions and sharing some of our latest research and insights.
DNS was a prominent theme throughout RIPE 91, with significant attention in both the plenary sessions and dedicated work group discussions. Six plenary presentations directly touched on DNS operations, performance or future-looking research:
- Towards Operational and Security Best Practices for DNS in the Internet of Things
- IPv4 vs. IPv6 for Authoritative DNS
- An Update on IBDNS, the Intentionally Broken DNS Server
- Transparent DNS Forwarders: On the misuse potential in DNS amplification attacks
While ‘What’s new at the IETF?’ covered a broad sweep of protocol development activity, one standout moment was the discussion about putting the internet in space – including IP communication paths for the Moon, Mars and low-Earth orbit systems. It is a powerful reminder that the future of networking extends far beyond terrestrial infrastructure.
The Problem of IoT Security
An insightful security-focused talk covered the ongoing risks of poor DNS and networking practices in IoT devices and highlighted the systemic security issues often found in them. The research covered whole categories of problems and underscored the need for better mitigation strategies by anyone operating these devices.
IBM NS1 Connect Research: IPv4 vs. IPv6 for Authoritative DNS
A lightning talk based on research of the IBM NS1 Connect anycast edge provided compelling insights into the IPv4 vs. IPv6 landscape. The research demonstrated that IPv4 and IPv6 are equally well supported for domains on NS1 Connect when measured from end users’ perspectives.
Perhaps more intriguingly, the data showed that an IPv6-only DNS domain was just as reachable from end users as an IPv4-only DNS domain. This raises an important question – could the migration to IPv6 be considered ‘done’ for authoritative DNS? These findings suggest that IPv6 deployment in authoritative DNS may be further along than widely assumed.
DNS Working Group Deep Dives
The DNS working group packed five presentations into a 90-minute session, covering topics from emerging best practices to operational research.
- TLD Resilience in the Light of Signature Validity Constraints
A BCP on Hyperlocal Root – Documenting Best Practices
The ‘Hyperlocal Root’ presentation brought awareness to efforts documenting best practices around this technique. Since the DNS root zone is secured with DNSSEC, one can download the zone and answer questions that would normally go to a root name server, without ever having to send a query to any of the root name servers. This technique is not new, but there have been developments around it in the past few years, and the idea is to document the best current practice and encourage wider adoption.
DNS TTL Upper Limits in Practice
Another presentation featured research conducted by the IBM NS1 Connect team, examining how DNS resolvers handle time-to-live (TTL) values in practice. Many DNS resolvers implement caps on the caching duration of DNS records, independent of the TTL of the records themselves. This presentation covers a survey of resolvers used by end user networks to see what these limits are in the real world and makes recommendations based on the results. The most important takeaway is that if you are picking a TTL for your own zone data, going past 1 day is not useful.
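As an added illustration of that recommendation (not code from the talk or from IBM NS1 Connect), the Python sketch below scans a zone file for records whose TTL exceeds one day. The zone content is constructed, and the parser assumes one record per line, with no parenthesized multi-line records and no semicolons inside quoted strings.

```python
import re

MAX_USEFUL_TTL = 86400  # 1 day: the limit the talk recommends for zone data
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone (documentation names and addresses only).
SAMPLE_ZONE = """\
$TTL 1h
example.test.  IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 300
www            IN A 192.0.2.10
static  2d     IN A 192.0.2.20
        IN 1w  AAAA 2001:db8::20
mail    86400  IN MX 10 mx.example.test.
"""

def parse_ttl(token):
    """Return seconds for '3600' or BIND-style '1d12h'; None if not a TTL."""
    token = token.lower()
    if token.isdigit():
        return int(token)
    if not re.fullmatch(r"(\d+[smhdw])+", token):
        return None
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", token))

def find_long_ttls(zone_text, limit=MAX_USEFUL_TTL):
    """Return (owner, type, ttl_seconds) for records whose TTL exceeds limit."""
    default_ttl, owner, findings = None, None, []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        if fields[0].startswith("$"):             # $ORIGIN, $INCLUDE, ...
            continue
        if not raw[0].isspace():                  # indented line reuses the last owner
            owner = fields.pop(0)
        ttl = default_ttl
        # TTL and class are optional and may appear in either order before the type.
        while fields and (fields[0].upper() in _CLASSES or parse_ttl(fields[0]) is not None):
            if fields[0].upper() not in _CLASSES:
                ttl = parse_ttl(fields[0])
            fields.pop(0)
        if fields and ttl is not None and ttl > limit:
            findings.append((owner, fields[0].upper(), ttl))
    return findings

if __name__ == "__main__":
    for owner, rtype, ttl in find_long_ttls(SAMPLE_ZONE):
        print(f"{owner} {rtype}: TTL {ttl}s exceeds {MAX_USEFUL_TTL}s")
```

A record at exactly 86400 seconds is not flagged; only TTLs past one day are reported.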
ADoT/ADoQ: Deployment Collaboration BoF
Birds of a Feather (BoF) sessions provide informal evening forums for focused discussions. The ADoT/ADoQ BoF, organized by Sara Dickinson of Sinodun IT and Babak Farrokhi of Quad9, tackled Authoritative DNS over TLS (ADoT) and Authoritative DNS over QUIC (ADoQ).
The panel featured industry experts including:
Historically, DNS has been unencrypted, devices and many operating systems. However, the connection between recursive resolvers and authoritative servers (ADoT and ADoQ) is rarely encrypted. This BoF was a great discussion around the issues with ADoT/ADoQ.
Image courtesy of the RIPE NCC, photographed at RIPE 91
RIPE 91 showcased the depth and diversity of ongoing DNS and network engineering work. From authoritative IPv6 readiness to resolver caching behaviour, and from hyperlocal root approaches to encrypted DNS communication, the week underscored both the momentum and the ongoing challenges shaping modern DNS infrastructure. IBM NS1 Connect is proud to contribute data, research and operational insights that help move the industry forward.