[dns-operations] Can Root DNS server modify the response?

Florian Weimer fw at deneb.enyo.de
Mon Mar 25 14:03:47 UTC 2019

* Paul Vixie:

> Ray Bellis wrote on 2019-03-23 13:59:
>> On 23/03/2019 19:20, David Conrad wrote:
>>> However, I believe all the root server operators have committed to
>>> abide by RSSAC01  which includes expectation E.3.2-B which states
>>> "Individual Root Servers will serve accurate and current revisions of
>>> the root zone.”  I’m sure both NASA and ISC require the folks who
>>> operate their instances to abide by RSSAC01.
>> That's correct - Cloudflare are required through our agreement with them
>> to serve the root zone data correctly and completely.   There is no
>> "censorship" of root zone answers from them.
> that's great, but it doesn't matter, since CF doesn't have the signing 
> key. any modifications that any operator makes, even RFC 7706 operators, 
> try to make will fail loudly and embarrassingly.
> let's call this question absurd and move on.

Yes, but let's not pretend that DNSSEC stops an authoritative server
from suppressing data.  It does not.  So if the concern is censorship
by the authoritative server operator (not sure if that's the case
here), then DNSSEC is completely irrelevant.

More information about the dns-operations mailing list