[dns-operations] Can Root DNS server modify the response?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 25 15:48:59 UTC 2019


On Mon, Mar 25, 2019 at 04:36:27PM +0100, Ondřej Surý wrote:

> For *censorship* purposes, there’s no difference between not getting an
> answer or not getting an answer.

As you're well aware, NXDOMAIN is an answer and SERVFAIL is a lookup
failure.

Thus, with NXDOMAIN, and SPF and DANE, denial of existence is not
a DoS.  Email delivery continues with the knowledge that no SPF
records are published, or DANE is not deployed.

Of course the censor can just SERVFAIL or serve bogus records, and
that would be a DoS, if all the authoritative servers do that.  If
it is just some, the resolver will, perhaps after some extra delay,
eventually get the right answer.

-- 
	Viktor.
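
The distinction drawn in the message above, sketched as an added example that is not part of the original post: a simplified model of a validating resolver retrying across authoritative servers, and of how a mail system treats the result for SPF (RFC 7208) and DANE TLSA (RFC 7672). All names and the sample server outcomes are constructed for illustration.

```python
# Added illustration; function names and sample outcomes are constructed.
from enum import Enum

class Outcome(Enum):
    ANSWER = "answer"        # validated records returned
    NXDOMAIN = "nxdomain"    # validated denial of existence: still an answer
    SERVFAIL = "servfail"    # lookup failure
    BOGUS = "bogus"          # records that fail DNSSEC validation

def resolve(server_outcomes):
    """Model a validating resolver trying each authoritative server in turn.

    Returns (result, servers_tried). A SERVFAIL or bogus reply from one
    server only costs a retry; the lookup fails when every server does it.
    """
    for tried, outcome in enumerate(server_outcomes, start=1):
        if outcome in (Outcome.ANSWER, Outcome.NXDOMAIN):
            return outcome, tried
    return Outcome.SERVFAIL, len(server_outcomes)

def spf_result(txt_lookup):
    """SPF check_host() outcome for the initial TXT lookup (RFC 7208)."""
    if txt_lookup is Outcome.NXDOMAIN:
        return "none"         # no SPF policy published; delivery continues
    if txt_lookup is Outcome.SERVFAIL:
        return "temperror"    # transient failure; the check cannot complete
    return "evaluate"         # records exist; evaluate the policy

def dane_action(tlsa_lookup):
    """Sending MTA's handling of the TLSA lookup (RFC 7672)."""
    if tlsa_lookup is Outcome.NXDOMAIN:
        return "deliver-without-dane"   # DANE not deployed; delivery continues
    if tlsa_lookup is Outcome.SERVFAIL:
        return "defer"                  # cannot rule out a downgrade; retry later
    return "deliver-with-dane"

if __name__ == "__main__":
    some_bad = [Outcome.SERVFAIL, Outcome.BOGUS, Outcome.NXDOMAIN]
    all_bad = [Outcome.SERVFAIL, Outcome.BOGUS]
    for servers in (some_bad, all_bad):
        result, tried = resolve(servers)
        print(result.value, tried, spf_result(result), dane_action(result))
```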


