[dns-operations] Can Root DNS server modify the response?

Florian Weimer fw at deneb.enyo.de
Mon Mar 25 17:52:25 UTC 2019

* Florian Weimer:

> * Ondřej Surý:

>> Matt, there’s no difference between NXDOMAIN and SERVFAIL from the
>> client perspective.
> Right.  In theory, the recursive resolver could switch to a different
> root server that returns good data, but the malicious root server
> could return bad unsigned glue as part of the attack.  It is very
> difficult to recover from that in the recursive resolver.

Actually, it's impossible here because ROOT-SERVERS.NET is not signed.

More information about the dns-operations mailing list