[dns-operations] Can Root DNS server modify the response?

Florian Weimer fw at deneb.enyo.de
Mon Mar 25 15:01:51 UTC 2019

* Ondřej Surý:

>> On 25 Mar 2019, at 15:19, Matthew Pounsett <matt at conundrum.com> wrote:
>>> On Mon, 25 Mar 2019 at 15:08, Florian Weimer <fw at deneb.enyo.de> wrote:
>>> >
>>> > that's great, but it doesn't matter, since CF doesn't have the signing 
>>> > key. any modifications that any operator makes, even RFC 7706 operators, 
>>> > try to make will fail loudly and embarrassingly.
>>> >
>>> > let's call this question absurd and move on.
>>> Yes, but let's not pretend that DNSSEC stops an authoritative server
>>> from suppressing data.  It does not.  So if the concern is censorship
>>> by the authoritative server operator (not sure if that's the case
>>> here), then DNSSEC is completely irrelevant.
>> No, that's wrong.  DNSSEC provides authenticated denial of
>> existence.  If a root authoritative operator tried to suppress
>> data, the NSEC records wouldn't match and the response wouldn't
>> validate.  It'd be the same as if they tried to change any other
>> data in the zone.

> Matt, there’s no difference between NXDOMAIN and SERVFAIL from the
> client perspective.

Right.  In theory, the recursive resolver could switch to a different
root server that returns good data, but the malicious root server
could return bad unsigned glue as part of the attack.  It is very
difficult to recover from that in the recursive resolver.
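Added illustration, not code from the thread or from any resolver: a small Python model of the validator side of the argument above. It implements RFC 4034 canonical name ordering and NSEC coverage, then checks an NXDOMAIN answer the way RFC 4035 section 5.4 requires (an NSEC covering the name plus one covering the wildcard at the closest encloser). The four-name "root" zone and the three server responses are constructed, and RRSIG verification is stood in for by membership in the zone's signed NSEC set, since the point being shown is that an operator cannot present a signed NSEC it does not hold. NSEC type bitmaps are left out.

```python
"""Toy DNSSEC authenticated-denial check for the suppression scenario.

Constructed example: the zone, responses and the 'signed set' that stands in
for RRSIG verification are all made up for illustration.
"""


def _labels(name):
    """Lowercase labels of an absolute name, root-most first ('.' -> [])."""
    name = name.rstrip(".").lower()
    return list(reversed(name.split("."))) if name else []


def canonical_key(name):
    """RFC 4034 s6.1 canonical ordering key: compare label by label from the
    root, each label as lowercased bytes; a proper prefix sorts first."""
    return [label.encode("ascii") for label in _labels(name)]


def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly between owner and next_name.  The last NSEC
    of a zone points back at the apex, so it covers everything after owner."""
    ko, kn, kq = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if kn <= ko:                      # wrap-around record at the end of the chain
        return kq > ko or kq < kn
    return ko < kq < kn


def closest_encloser(existing_names, qname):
    """Longest proper ancestor of qname that exists in the zone (RFC 4035 s5.4)."""
    labels = _labels(qname)
    for cut in range(len(labels) - 1, -1, -1):
        candidate = ".".join(reversed(labels[:cut])) + "."
        if candidate in existing_names:
            return candidate
    return "."


def validate_nxdomain(signed_nsecs, presented, qname):
    """Validator logic for an NXDOMAIN answer.

    signed_nsecs: (owner, next) pairs that exist in the zone with valid RRSIGs
                  (membership here stands in for signature verification).
    presented:    (owner, next) pairs the server put in the authority section.
    Returns (accepted, reason).
    """
    for rr in presented:
        if rr not in signed_nsecs:
            return False, f"NSEC {rr[0]} -> {rr[1]} has no valid signature (bogus)"
    if not any(nsec_covers(o, n, qname) for o, n in presented):
        return False, "no NSEC covers qname (bogus)"
    existing = {o for o, _ in signed_nsecs}
    ce = closest_encloser(existing, qname)
    wildcard = "*." if ce == "." else "*." + ce
    if not any(nsec_covers(o, n, wildcard) for o, n in presented):
        return False, f"no NSEC proves {wildcard} is absent (bogus)"
    return True, "authenticated NXDOMAIN"


def rcode_for_client(result):
    """What a validating resolver hands back: a bogus proof becomes SERVFAIL,
    which is the 'no difference from the client perspective' point above."""
    return "NXDOMAIN" if result[0] else "SERVFAIL"


# Constructed "root" zone: a signed NSEC chain over four names.
SIGNED_NSECS = frozenset([(".", "com."), ("com.", "example."),
                          ("example.", "net."), ("net.", ".")])


def genuine_nxdomain():
    """Honest NXDOMAIN for the non-existent TLD 'foo.' using real records."""
    return validate_nxdomain(SIGNED_NSECS,
                             [("example.", "net."), (".", "com.")], "foo.")


def suppressed_with_real_records():
    """Operator tries to hide 'example.' using only NSECs it actually holds."""
    return validate_nxdomain(SIGNED_NSECS,
                             [("com.", "example."), ("example.", "net."), (".", "com.")],
                             "example.")


def suppressed_with_forged_record():
    """Operator fabricates 'com. NSEC net.' to skip over 'example.'; no RRSIG exists."""
    return validate_nxdomain(SIGNED_NSECS,
                             [("com.", "net."), (".", "com.")], "example.")


if __name__ == "__main__":
    for fn in (genuine_nxdomain, suppressed_with_real_records, suppressed_with_forged_record):
        res = fn()
        print(f"{fn.__name__}: {res[1]} -> client sees {rcode_for_client(res)}")
```

Running it shows the honest denial validating, the attempt using genuine records failing because no existing NSEC covers a name that exists, and the forged record failing the signature check; both failures surface to the client as SERVFAIL rather than NXDOMAIN.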
