[dns-operations] Can Root DNS server modify the response?

David Conrad drc at virtualized.org
Sat Mar 23 18:20:07 UTC 2019


On Mar 22, 2019, at 7:09 PM, solvepuzzle at secmail.pro wrote:
> Now the E root and F root are Cloudflare's server, should I
> change my DNS software to lookup other alphabet root server?

Based on your question, I’m unsure how well you understand how the DNS works.

Just to be sure: all the root servers are anycast. NASA and ISC are using Cloudflare for (some of) their instances. When your resolver starts up, it issues a priming query to the addresses in your root hints configuration to obtain the root server addresses. If you modify your resolver configuration to remove E and F, you would also need to modify your resolver’s code to drop E and F from the priming query (and any subsequent root NS queries) response. Seems like a lot of work. Alternatively, you could null route the IP addresses for E and F. Presumably your resolver would then treat them as down and choose other root servers to query (when necessary).

However, I believe all the root server operators have committed to abide by RSSAC01 (https://www.icann.org/en/system/files/files/rssac-001-root-service-expectations-04dec15-en.pdf <https://www.icann.org/en/system/files/files/rssac-001-root-service-expectations-04dec15-en.pdf>), which includes expectation E.3.2-B which states "Individual Root Servers will serve accurate and current revisions of the root zone.”  I’m sure both NASA and ISC require the folks who operate their instances to abide by RSSAC01.

If you are concerned about root zone data integrity, turn on DNSSEC validation (if you haven’t already). You might also want to look at RFC 7706.

> Cloudflare's DNS service is censoring so using it as a root DNS
> is really bad news.

Why do you think Cloudflare is censoring their DNS service? Perhaps you’re thinking of resolution service and confusing them with Quad9 that provides a resolution service that is scrubbed for names that appear to be security threats?

Since the root is signed, modifying root zone responses to censor the DNS would be fairly pointless.

Or perhaps I misunderstand your question.

Regards,
-drc

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190323/42de2a05/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190323/42de2a05/attachment.sig>


More information about the dns-operations mailing list