pith. machine review for the scientific record.

arxiv: 2605.06880 · v1 · submitted 2026-05-07 · 💻 cs.CR · cs.NI

Zombies in Alternate Realities: The Afterlife of Domain Names in DNS Integrations

Pith reviewed 2026-05-11 01:12 UTC · model grok-4.3

classification 💻 cs.CR cs.NI
keywords: DNS integrations, zombie linkages, domain name ownership, TLS certificates, ENS, Maven Central, naming system security, stale mappings

The pith

Stale domain name mappings persist as zombies in DNS-linked systems at rates from 3% to 24%, depending on how each system handles ownership changes.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that when domain names are linked to other ecosystems like certificates, blockchains, or software repositories, changes in DNS ownership can leave behind zombie linkages that no longer reflect current control. These zombies enable attacks where attackers exploit old mappings after taking over a domain. Measurements across Web PKI, ENS, and Maven Central reveal zombies in all three but at very different rates, showing that design choices like one-time validation versus ongoing checks determine how long the problem lasts. A sympathetic reader would care because many modern systems rely on these linkages for security and identification, so unaddressed zombies create real exploitable gaps.

Core claim

We show that zombie linkages, where DNS ownership has expired or changed but the mapping to a linked resource persists, exist in every examined ecosystem at fractions of roughly 3% for TLS certificates on new domains, 24% for ENS on-chain imports, and 15% for Maven Central namespaces. Integration designs that validate only once accumulate long-lasting zombies, those with built-in expiration limit the damage, and those validating on every use remain free of zombies by design. Specific attacks leveraging these zombies are actively available in Web PKI and Maven Central.

What carries the argument

Zombie linkages, the persistent mappings from a domain name to another resource after the domain's ownership has changed.

If this is right

  • Validate-once integrations like ENS on-chain and Maven Central build up long-lasting zombies over time.
  • Linkages that include expiration mechanisms, such as in Web PKI, limit how long zombies can persist.
  • Integrations that validate ownership on every use, like ENS gasless, prevent zombies entirely by design.
  • Attacks exploiting zombie linkages are possible and actively available in Web PKI and Maven Central.
  • Steps can be taken in integration design to reduce the occurrence of zombies.
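
The three design behaviours listed above can be made concrete with a small model. The Python code below is an added example, not code from the paper or from Pith: it classifies linkages as zombies under validate-once, expiring and validate-on-use policies. The policy labels, class and function names, `.example` names and all dates are constructed assumptions, and ownership history is assumed to be known exactly.

```python
# Added example (not the paper's measurement code): a simplified model of
# zombie linkages under three integration designs. All data is constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

POLICIES = {"validate_once", "expiring", "validate_on_use"}  # hypothetical labels


@dataclass(frozen=True)
class Registration:
    """One continuous ownership period of a DNS name."""
    start: date
    end: Optional[date]  # None: still held by this registrant


@dataclass(frozen=True)
class Linkage:
    name: str
    created: date
    policy: str
    expires: Optional[date] = None  # required only for "expiring" linkages


def owning_period(history: List[Registration], when: date) -> Optional[Registration]:
    """Return the registration covering `when`, or None if the name was unregistered."""
    for reg in history:
        if reg.start <= when and (reg.end is None or when < reg.end):
            return reg
    return None


def zombie_window(link: Linkage, history: List[Registration],
                  today: date) -> Optional[Tuple[date, date]]:
    """Interval (up to `today`) in which the linkage outlived its creator's ownership."""
    if link.policy not in POLICIES:
        raise ValueError(f"unknown policy: {link.policy}")
    if link.policy == "expiring" and link.expires is None:
        raise ValueError(f"{link.name}: expiring linkage needs an expiry date")
    reg = owning_period(history, link.created)
    if reg is None:
        raise ValueError(f"{link.name}: linkage created while name was unregistered")
    if link.policy == "validate_on_use":
        return None  # ownership is re-checked on every use, so no stale mapping is honoured
    if reg.end is None or reg.end >= today:
        return None  # the creator still holds the name
    # validate_once mappings never lapse; expiring ones stop at their expiry date
    stop = today if link.policy == "validate_once" else min(link.expires, today)
    return (reg.end, stop) if stop > reg.end else None


def reregistered_in(window: Tuple[date, date], history: List[Registration]) -> bool:
    """True if a new registration of the name began while the linkage was a zombie."""
    start, stop = window
    return any(start <= reg.start < stop for reg in history)


def zombie_fraction(links: List[Linkage], histories: Dict[str, List[Registration]],
                    today: date) -> Dict[str, float]:
    """Per policy, the share of linkages that were zombies at some point up to `today`."""
    totals: Dict[str, int] = {}
    zombies: Dict[str, int] = {}
    for link in links:
        totals[link.policy] = totals.get(link.policy, 0) + 1
        if zombie_window(link, histories[link.name], today) is not None:
            zombies[link.policy] = zombies.get(link.policy, 0) + 1
    return {policy: zombies.get(policy, 0) / n for policy, n in totals.items()}


# Constructed sample data: three names and six linkages.
TODAY = date(2026, 5, 1)
HISTORIES = {
    "alpha.example": [Registration(date(2020, 1, 10), date(2023, 1, 10)),
                      Registration(date(2023, 2, 15), None)],   # dropped, then re-registered
    "beta.example": [Registration(date(2021, 6, 1), None)],     # same owner throughout
    "gamma.example": [Registration(date(2022, 2, 1), date(2025, 2, 1))],  # expired, unclaimed
}
LINKS = [
    Linkage("alpha.example", date(2021, 5, 1), "validate_once"),
    Linkage("beta.example", date(2022, 1, 1), "validate_once"),
    Linkage("alpha.example", date(2022, 12, 1), "expiring", date(2023, 3, 1)),
    Linkage("gamma.example", date(2022, 3, 1), "expiring", date(2022, 5, 30)),
    Linkage("gamma.example", date(2023, 1, 1), "validate_on_use"),
    Linkage("gamma.example", date(2022, 6, 1), "validate_once"),
]

if __name__ == "__main__":
    for link in LINKS:
        window = zombie_window(link, HISTORIES[link.name], TODAY)
        taken = window is not None and reregistered_in(window, HISTORIES[link.name])
        print(link.name, link.policy, window, "re-registered" if taken else "")
    print(zombie_fraction(LINKS, HISTORIES, TODAY))
```

In this model a validate-once linkage stays a zombie until `today`, an expiring linkage is a zombie only between the end of ownership and its expiry date, and a validate-on-use linkage never is.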

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Other naming systems that link to DNS without ongoing validation may face similar zombie problems at scales depending on their validation frequency.
  • Adopting validate-on-use or expiration-linked designs could prevent zombie accumulation across more ecosystems than currently examined.
  • Monitoring for ownership changes in real time might allow proactive cleanup of existing zombies in validate-once systems.

Load-bearing premise

The sampled domains and namespaces accurately represent the full populations of each integration, and the methods for detecting ownership changes reliably identify true zombies without false positives or bias.

What would settle it

A complete census of all TLS certificates, ENS imports, or Maven namespaces showing zombie rates significantly different from 3%, 24%, or 15%, or an inability to find any exploitable attacks in those systems.

Figures

Figures reproduced from arXiv: 2605.06880 by John Heidemann, Mattijs Jonker, Raffaele Sommese, Sulyab Thottungal Valapu.

Figure 1: Timing during name integration via linkage.
Figure 2: Different attacks on naming integration.
Figure 3: Zombie fraction over time across integrations. Each
Figure 4: Active ENS Gasless linkages over time. full Web PKI population would require pairing CT log data with registration histories across all TLDs. ENS (On-chain). Since ENS On-chain linkages are valid indefinitely (until overwritten), we expect the number of zombies to grow. Figure 3b confirms this hypothesis. The number of zombies grows steadily over our 7 years of data. The fraction of zombies varies from 7 t…
Figure 5: Distribution of DNS name lifespans across integra
Figure 6: Distribution of zombie duration for expired Web
Figure 7: Duration Web PKI zombie certificates are served
Figure 8: Time from DNS name registration to linkage creation for ENS On-chain (left) and Maven Central (right). The top
Figure 9: Duration Web PKI zombie certificates are served after their DNS names are re-registered.

Original abstract

DNS integrations leverage the discovery, trust, and uniqueness of the global Domain Name System with a linkage to another naming ecosystem, so the DNS name can help identify resources such as a cryptocurrency wallet or software component. While DNS ownership is verified at linkage creation, many ecosystems do not track subsequent DNS changes. The result is zombie linkages, where the DNS ownership has expired or changed, but the mapping to the linked resource persists. We define a threat model for DNS integrations, identifying five classes of attacks that leverage or exploit zombie linkages. We measure zombie occurrence across three DNS integrations -- Web PKI; ENS, a blockchain naming system; and Maven Central, a Java software repository. We show that zombies exist in every ecosystem, but at very different fractions -- zombies make up roughly 3% of TLS certificates for new domains, 24% of ENS on-chain imports, and 15% of Maven Central namespaces. We evaluate how integration design choices affect outcomes, with validate-once integrations (ENS on-chain, Maven Central) accumulating long-lasting zombies, linkages with expiration (Web PKI) limiting damage, while integrations that validate on every use (ENS gasless) are zombie-free by design. We look for specific attacks, finding attacks actively available for exploitation in both Web PKI and Maven Central. Finally, we recommend steps to reduce zombie occurrence.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper defines zombie linkages in DNS integrations, where a domain's ownership expires or transfers but the mapping to a linked resource (TLS cert, ENS name, Maven namespace) persists because the integration does not re-validate. It reports measured zombie fractions of roughly 3% for new-domain TLS certificates, 24% for ENS on-chain imports, and 15% for Maven Central namespaces. It claims that validate-once designs accumulate long-lived zombies while validate-on-use or expiration-linked designs limit them, identifies five attack classes, finds exploitable instances in Web PKI and Maven, and offers design recommendations.

Significance. If the measurements and classification are reliable, the work quantifies a previously unmeasured cross-ecosystem risk and supplies concrete evidence that integration architecture directly affects zombie lifetime and attack surface. The comparative results across three distinct systems and the identification of live attack vectors could inform standards and tooling for naming integrations in PKI, blockchain, and software repositories.

major comments (3)
  1. [Methods] Methods (zombie detection): the heuristics for identifying ownership changes after linkage creation are described but receive no ground-truth validation, no reported false-positive rate, and no sensitivity analysis to missing WHOIS history or multi-transfer names. Because the central quantitative claims (3 %, 24 %, 15 %) and the design-choice conclusions rest entirely on correct classification of linkages as zombies, the absence of an independent validation set or audit directly undermines the reported fractions.
  2. [Measurement methodology] Sampling and representativeness: the paper states percentages for 'new domains,' 'ENS on-chain imports,' and 'Maven Central namespaces' but supplies no explicit sampling frame, inclusion criteria, or discussion of coverage gaps (e.g., privacy-protected WHOIS, expired but still-linked names). Without these details it is impossible to assess whether the observed fractions generalize to the full populations of each ecosystem.
  3. [Attack evaluation] Attack availability claims: the assertion that 'attacks actively available for exploitation' exist in Web PKI and Maven Central is load-bearing for the threat-model contribution, yet the manuscript provides no concrete examples, exploit traces, or quantification of how many zombie linkages are reachable by the five attack classes.
minor comments (2)
  1. [Threat model] The abstract lists 'five classes of attacks' but the main text should include an explicit enumeration or table mapping each class to the three measured ecosystems for easier cross-reference.
  2. [Introduction] Notation for 'zombie linkage' is introduced without a formal definition or diagram showing the timeline of linkage creation versus ownership change; a small figure would improve clarity.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. We address each major comment below with clarifications and commitments to revisions that will strengthen the manuscript's methodological transparency and evidence.

point-by-point responses
  1. Referee: [Methods] Methods (zombie detection): the heuristics for identifying ownership changes after linkage creation are described but receive no ground-truth validation, no reported false-positive rate, and no sensitivity analysis to missing WHOIS history or multi-transfer names. Because the central quantitative claims (3 %, 24 %, 15 %) and the design-choice conclusions rest entirely on correct classification of linkages as zombies, the absence of an independent validation set or audit directly undermines the reported fractions.

    Authors: We agree that explicit validation of the ownership-change heuristics is necessary to support the reported fractions. The current manuscript describes the heuristics (WHOIS history lookup combined with expiration checks) but does not include a validation set or false-positive estimates. In the revised version we will add a dedicated validation subsection: a manually audited random sample of 200 linkages (approximately 70 per ecosystem) will serve as ground truth, false-positive rates will be reported, and sensitivity analysis will be performed for incomplete WHOIS records and multi-transfer cases. These additions will appear in the Methods section and will be used to qualify the 3 %, 24 %, and 15 % figures.
    revision: yes

  2. Referee: [Measurement methodology] Sampling and representativeness: the paper states percentages for 'new domains,' 'ENS on-chain imports,' and 'Maven Central namespaces' but supplies no explicit sampling frame, inclusion criteria, or discussion of coverage gaps (e.g., privacy-protected WHOIS, expired but still-linked names). Without these details it is impossible to assess whether the observed fractions generalize to the full populations of each ecosystem.

    Authors: We acknowledge that the sampling procedures require more explicit documentation. The measurements drew from complete public datasets available at collection time (Certificate Transparency logs filtered for newly observed domains, the full ENS on-chain import history, and the Maven Central namespace index). In the revision we will add a dedicated Sampling subsection that states the exact inclusion criteria (e.g., domains first seen after 2022-01-01 for the 'new domains' cohort), the temporal window, and explicit discussion of coverage limitations including privacy-protected WHOIS entries and names that expired after linkage but before measurement. This will allow readers to evaluate generalizability.
    revision: yes

  3. Referee: [Attack evaluation] Attack availability claims: the assertion that 'attacks actively available for exploitation' exist in Web PKI and Maven Central is load-bearing for the threat-model contribution, yet the manuscript provides no concrete examples, exploit traces, or quantification of how many zombie linkages are reachable by the five attack classes.

    Authors: We agree that concrete evidence is needed to substantiate the claim of active exploitability. While the manuscript identifies five attack classes and states that exploitable instances were located, it does not present specific examples or counts. In the revised manuscript we will add an 'Attack Instances' subsection containing anonymized but reproducible examples (one per ecosystem) together with the number of zombie linkages that match each attack class. Ethical constraints prevent full disclosure of live targets, but the added material will demonstrate reachability without revealing actionable details.
    revision: yes

Circularity Check

0 steps flagged

No circularity: central claims are direct empirical measurements

The paper defines zombies and a threat model, then reports measured fractions (3% Web PKI, 24% ENS on-chain, 15% Maven) obtained from historical DNS/ownership records across three independent ecosystems. Design-choice conclusions follow from comparing observed zombie persistence under different validation policies. No equations, fitted parameters, predictions, or self-citations are used to derive the quantitative results; all load-bearing numbers are produced by applying the stated heuristics to external data sources rather than reducing to prior inputs or internal definitions by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The central claims rest on the empirical ability to detect domain ownership changes independently of each integration and on the assumption that the three chosen systems are representative.

axioms (1)
  • [domain assumption] Domain ownership changes can be detected independently through public DNS or expiration records.
    Required to classify a linkage as a zombie.
invented entities (1)
  • zombie linkage (no independent evidence)
    purpose: Persistent mapping from a domain to a resource after ownership has changed or expired.
    New term introduced to name the phenomenon under study.

pith-pipeline@v0.9.0 · 5554 in / 1355 out tokens · 63291 ms · 2026-05-11T01:12:38.338351+00:00 · methodology
