[dns-operations] Can Root DNS server modify the response?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 25 20:38:39 UTC 2019

> On Mar 25, 2019, at 1:52 PM, Florian Weimer <fw at deneb.enyo.de> wrote:
> Actually, it's impossible here because ROOT-SERVERS.NET is not signed.
> Oops.

It probably would not help to sign it, because glue is not signed.  And
so the A/AAAA records in the additional section of "priming" "NS" answers
for "." from root servers (honest or malicious) are send and accepted unsigned.

Returning RRSIGs for the 26 RRsets in the additional section would
exceed any reasonable packet size limits.

Perhaps the root-servers.net is deliberately unsigned to avoid
accidental bloat?

A resolver that can't reach any working root servers could revert
to its pre-configured "hints", and try to find a working server
from those.


More information about the dns-operations mailing list