[dns-operations] Can Root DNS server modify the response?
fw at deneb.enyo.de
Mon Mar 25 17:52:25 UTC 2019
* Florian Weimer:
> * Ondřej Surý:
>> Matt, there’s no difference between NXDOMAIN and SERVFAIL from the
>> client perspective.
> Right. In theory, the recursive resolver could switch to a different
> root server that returns good data, but the malicious root server
> could return bad unsigned glue as part of the attack. It is very
> difficult to recover from that in the recursive resolver.
Actually, it's impossible here because ROOT-SERVERS.NET is not signed.
More information about the dns-operations