[dns-operations] Can Root DNS server modify the response?
Florian Weimer
fw at deneb.enyo.de
Mon Mar 25 17:52:25 UTC 2019
* Florian Weimer:
> * Ondřej Surý:
>> Matt, there’s no difference between NXDOMAIN and SERVFAIL from the
>> client perspective.
>
> Right. In theory, the recursive resolver could switch to a different
> root server that returns good data, but the malicious root server
> could return bad unsigned glue as part of the attack. It is very
> difficult to recover from that in the recursive resolver.
Actually, it's impossible here because ROOT-SERVERS.NET is not signed.
Oops.