[dns-operations] Can Root DNS server modify the response?

Ondřej Surý ondrej at sury.org
Mon Mar 25 14:56:57 UTC 2019

Matt, there’s no difference between NXDOMAIN and SERVFAIL from the client perspective.

Ondřej Surý <ondrej at sury.org>

> On 25 Mar 2019, at 15:19, Matthew Pounsett <matt at conundrum.com> wrote:
>> On Mon, 25 Mar 2019 at 15:08, Florian Weimer <fw at deneb.enyo.de> wrote:
>> >
>> > that's great, but it doesn't matter, since CF doesn't have the signing 
>> > key. any modifications that any operator makes, even RFC 7706 operators, 
>> > try to make will fail loudly and embarrassingly.
>> >
>> > let's call this question absurd and move on.
>> Yes, but let's not pretend that DNSSEC stops an authoritative server
>> from suppressing data.  It does not.  So if the concern is censorship
>> by the authoritative server operator (not sure if that's the case
>> here), then DNSSEC is completely irrelevant.
> No, that's wrong.  DNSSEC provides authenticated denial of existence.  If a root authoritative operator tried to suppress data, the NSEC records wouldn't match and the response wouldn't validate.  It'd be the same as if they tried to change any other data in the zone.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190325/37f8c9af/attachment.html>

More information about the dns-operations mailing list