<div dir="ltr"><div dir="ltr">AFAIK, Root servers returning SERVFAIL to specific regions or countries are listed as a risk in the circle who have long concerns on Root governance. But return to Cloudflare case, it is not a problem. If two letters return SERVFAIL maliciously, resolvers can query other server to get the answer back. So diversity of root server operators and location are important in this case.</div><div dir="ltr"><br></div><div>Davey </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 25 Mar 2019 at 23:03, Ondřej Surý <<a href="mailto:ondrej@sury.org">ondrej@sury.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Matt, there’s no difference between NXDOMAIN and SERVFAIL from the client perspective.<div><br></div><div>Ondřej <br><div id="gmail-m_-8673918543827830735AppleMailSignature" dir="ltr">--<div>Ondřej Surý <<a href="mailto:ondrej@sury.org" target="_blank">ondrej@sury.org</a>></div></div><div dir="ltr"><br>On 25 Mar 2019, at 15:19, Matthew Pounsett <<a href="mailto:matt@conundrum.com" target="_blank">matt@conundrum.com</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 25 Mar 2019 at 15:08, Florian Weimer <<a href="mailto:fw@deneb.enyo.de" target="_blank">fw@deneb.enyo.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">><br>
> that's great, but it doesn't matter, since CF doesn't have the signing <br>
> key. any modifications that any operator makes, even RFC 7706 operators, <br>
> try to make will fail loudly and embarrassingly.<br>
><br>
> let's call this question absurd and move on.<br>
<br>
Yes, but let's not pretend that DNSSEC stops an authoritative server<br>
from suppressing data. It does not. So if the concern is censorship<br>
by the authoritative server operator (not sure if that's the case<br>
here), then DNSSEC is completely irrelevant.<br></blockquote><div><br></div><div>No, that's wrong. DNSSEC provides authenticated denial of existence. If a root authoritative operator tried to suppress data, the NSEC records wouldn't match and the response wouldn't validate. It'd be the same as if they tried to change any other data in the zone.</div></div></div>
</div></blockquote><blockquote type="cite"><div dir="ltr"><span>_______________________________________________</span><br><span>dns-operations mailing list</span><br><span><a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a></span><br><span><a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a></span><br><span>dns-operations mailing list</span><br><span><a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a></span><br></div></blockquote></div></div>_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
dns-operations mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div>