[dns-operations] Can Root DNS server modify the response?

Paul Vixie paul at redbarn.org
Mon Mar 25 16:27:07 UTC 2019

What I meant up that is that no authority operator can modify the root name space quietly. Anyone doing it will be outed here and possibly also in the press. Dnssec does not have to be seen by a stub in order to function as a canary. 

There was and remains no reason to think cloud flare would publish modified data. But if that somehow happened, there would be near instant awareness, and near global blowback. 

This may be the greatest value Dnssec yet provided to the world: assurance. 


⁣Get BlueMail for Android ​

On 25 Mar 2019, 17:46, at 17:46, "Ondřej Surý" <ondrej at sury.org> wrote:
>That doesn’t really matter in most common deployments (the servfail is
>from your recursor) - the end user will end up with a blank (error)
>Ondřej Surý <ondrej at sury.org>
>> On 25 Mar 2019, at 16:12, Tony Finch <dot at dotat.at> wrote:
>> Ondřej Surý <ondrej at sury.org> wrote:
>>> Matt, there’s no difference between NXDOMAIN and SERVFAIL from the
>>> client perspective.
>> One triggers a retry and the other doesn't.
>> Tony.
>> -- 
>> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
>> German Bight, Humber: Northwest 6 or 7, occasionally gale 8 at first,
>> decreasing 4 or 5. Rough or very rough, becoming moderate later.
>> Good.
>dns-operations mailing list
>dns-operations at lists.dns-oarc.net
>dns-operations mailing list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190325/7595a036/attachment.html>

More information about the dns-operations mailing list