<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:595.0pt 842.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">To expand on Joe’s email – here is a gentle pointer to some of the analysis that has been done.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><a href="https://www.icann.org/en/system/files/files/rssac-028-03aug17-en.pdf">https://www.icann.org/en/system/files/files/rssac-028-03aug17-en.pdf</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Cheers<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Terry<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">dns-operations <dns-operations-bounces@dns-oarc.net> on behalf of Joe Abley <jabley@hopcount.ca><br>
<b>Date: </b>Wednesday, 27 March 2019 at 00:00<br>
<b>To: </b>Florian Weimer <fw@deneb.enyo.de><br>
<b>Cc: </b>Ondřej Surý <ondrej@sury.org>, "dns-operations@lists.dns-oarc.net" <dns-operations@lists.dns-oarc.net><br>
<b>Subject: </b>Re: [dns-operations] Can Root DNS server modify the response?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">On 25 Mar 2019, at 18:52, Florian Weimer <<a href="mailto:fw@deneb.enyo.de">fw@deneb.enyo.de</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">* Florian Weimer:<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">* Ondřej Surý:<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Matt, there’s no difference between NXDOMAIN and SERVFAIL from the<br>
client perspective.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Right. In theory, the recursive resolver could switch to a different<br>
root server that returns good data, but the malicious root server<br>
could return bad unsigned glue as part of the attack. It is very<br>
difficult to recover from that in the recursive resolver.<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
Actually, it's impossible here because <a href="http://ROOT-SERVERS.NET">ROOT-SERVERS.NET</a> is not signed.<br>
Oops.<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal">If <a href="http://ROOT-SERVERS.NET">ROOT-SERVERS.NET</a> was signed it would have the effect of increasing the size of responses to priming queries sent with EDNS0/DO=1. An unscientific quick peek over the fence at DNS-OARC's DITL-2018
root zone data suggests that there's a lot of that traffic. Whether or not this has the potential to cause a problem depends on how big the increase might be. Different algorithms might have different impact due to differences in signature size, dual-sign
rollovers would cause more bloating, etc, etc. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In the past it has been suggested (e.g. by me) that signatures in the
<a href="http://ROOT-SERVERS.NET">ROOT-SERVERS.NET</a> zone don't have much immediate benefit, since the records we're most interested in securing are the ones that affect end-users directly, which are much further down the tree. If rogue data in a priming
response take you on a trip down dark shady alleyways, at least DNSSEC lets you know that you're there.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Anyway, I thought it was worth pushing back gently on any inference that the lack of DNSSEC in
<a href="http://ROOT-SERVERS.NET">ROOT-SERVERS.NET</a> was a simple oversight. t has definitely been considered.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Joe<o:p></o:p></p>
</div>
</div>
</body>
</html>