[dns-operations] Can Root DNS server modify the response?

Joe Abley jabley at hopcount.ca
Tue Mar 26 13:53:26 UTC 2019

On 25 Mar 2019, at 18:52, Florian Weimer <fw at deneb.enyo.de> wrote:

> * Florian Weimer:
>> * Ondřej Surý:
>>> Matt, there’s no difference between NXDOMAIN and SERVFAIL from the
>>> client perspective.
>> Right.  In theory, the recursive resolver could switch to a different
>> root server that returns good data, but the malicious root server
>> could return bad unsigned glue as part of the attack.  It is very
>> difficult to recover from that in the recursive resolver.
> Actually, it's impossible here because ROOT-SERVERS.NET is not signed.
> Oops.

If ROOT-SERVERS.NET was signed it would have the effect of increasing the size of responses to priming queries sent with EDNS0/DO=1. An unscientific quick peek over the fence at DNS-OARC's DITL-2018 root zone data suggests that there's a lot of that traffic. Whether or not this has the potential to cause a problem depends on how big the increase might be. Different algorithms might have different impact due to differences in signature size, dual-sign rollovers would cause more bloating, etc, etc.

In the past it has been suggested (e.g. by me) that signatures in the ROOT-SERVERS.NET zone don't have much immediate benefit, since the records we're most interested in securing are the ones that affect end-users directly, which are much further down the tree. If rogue data in a priming response take you on a trip down dark shady alleyways, at least DNSSEC lets you know that you're there.

Anyway, I thought it was worth pushing back gently on any inference that the lack of DNSSEC in ROOT-SERVERS.NET was a simple oversight. It has definitely been considered.
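
Editorial example, added to this archive page and not part of the message above or of any root server operator's tooling: the Python code below builds a priming response (`. IN NS`) in wire format, with name compression, to estimate how its size would change if ROOT-SERVERS.NET were signed. It assumes a 2048-bit RSA signature over the root NS RRset, an RRSIG for every A and AAAA RRset in the additional section (an upper bound, since a server may leave records out to fit), and zero-filled placeholder field values; all function and class names are hypothetical.

```python
import struct

# Signature length in octets (RSA: modulus size; ECDSA P-256 and Ed25519: 64).
SIG_BYTES = {"RSA-1024": 128, "RSA-2048": 256, "ECDSAP256SHA256": 64, "ED25519": 64}
NS, A, AAAA, OPT, RRSIG = 2, 1, 28, 41, 46

class Message:
    def __init__(self):
        self.buf = bytearray(12)   # fixed DNS header; its field values do not affect size
        self.offsets = {}          # name suffix -> offset, for RFC 1035 compression
    def name(self, fqdn, compress=True):
        labels = [l for l in fqdn.lower().split(".") if l]
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:])
            if compress and suffix in self.offsets:
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            self.offsets.setdefault(suffix, len(self.buf))
            self.buf += bytes([len(label)]) + label.encode()
        self.buf.append(0)         # root label ends a name that was not compressed
    def rr(self, owner, rtype, write_rdata):
        self.name(owner)
        self.buf += struct.pack("!HHIH", rtype, 1, 0, 0)  # type, class, TTL, RDLENGTH slot
        start = len(self.buf)
        write_rdata()
        struct.pack_into("!H", self.buf, start - 2, len(self.buf) - start)
    def rrsig(self, owner, covered, signer, sig_len):
        def rdata():
            self.buf += struct.pack("!HBBIIIH", covered, 0, 0, 0, 0, 0, 0)  # 18 fixed octets
            self.name(signer, compress=False)  # RFC 4034: signer name is sent uncompressed
            self.buf += bytes(sig_len)         # zero-filled stand-in for the signature
        self.rr(owner, RRSIG, rdata)

def priming_response_size(do_bit=True, zone_alg=None, sigs_per_rrset=1):
    """Octets in a priming response; zone_alg=None models today's unsigned zone."""
    m = Message()
    m.name(".")                                    # question: . IN NS
    m.buf += struct.pack("!HH", NS, 1)
    hosts = [f"{c}.root-servers.net" for c in "abcdefghijklm"]
    for h in hosts:
        m.rr(".", NS, lambda h=h: m.name(h))
    if do_bit:
        m.rrsig(".", NS, ".", SIG_BYTES["RSA-2048"])   # assumed root zone signature size
    for h in hosts:
        for rtype, addr_len in ((A, 4), (AAAA, 16)):
            m.rr(h, rtype, lambda n=addr_len: m.buf.extend(bytes(n)))
            for _ in range(sigs_per_rrset if (do_bit and zone_alg) else 0):
                m.rrsig(h, rtype, "root-servers.net", SIG_BYTES[zone_alg])
    m.rr(".", OPT, lambda: None)                   # EDNS0 OPT pseudo-RR, empty RDATA
    return len(m.buf)
```

Calling `priming_response_size(zone_alg="ECDSAP256SHA256", sigs_per_rrset=2)` models a dual-signed rollover; the results can be compared against the EDNS0 buffer size a resolver advertises.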
