[dns-operations] Can Root DNS server modify the response?

Terry Manderson terry.manderson at icann.org
Tue Mar 26 14:11:49 UTC 2019


To expand on Joe’s email – here is a gentle pointer to some of the analysis that has been done.

https://www.icann.org/en/system/files/files/rssac-028-03aug17-en.pdf

Cheers
Terry

From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of Joe Abley <jabley at hopcount.ca>
Date: Wednesday, 27 March 2019 at 00:00
To: Florian Weimer <fw at deneb.enyo.de>
Cc: Ondřej Surý <ondrej at sury.org>, "dns-operations at lists.dns-oarc.net" <dns-operations at lists.dns-oarc.net>
Subject: Re: [dns-operations] Can Root DNS server modify the response?

On 25 Mar 2019, at 18:52, Florian Weimer <fw at deneb.enyo.de> wrote:

* Florian Weimer:

* Ondřej Surý:

Matt, there’s no difference between NXDOMAIN and SERVFAIL from the
client perspective.

Right.  In theory, the recursive resolver could switch to a different
root server that returns good data, but the malicious root server
could return bad unsigned glue as part of the attack.  It is very
difficult to recover from that in the recursive resolver.

Actually, it's impossible here because ROOT-SERVERS.NET is not signed.
Oops.

If ROOT-SERVERS.NET was signed it would have the effect of increasing the size of responses to priming queries sent with EDNS0/DO=1. An unscientific quick peek over the fence at DNS-OARC's DITL-2018 root zone data suggests that there's a lot of that traffic. Whether or not this has the potential to cause a problem depends on how big the increase might be. Different algorithms might have different impact due to differences in signature size, dual-sign rollovers would cause more bloating, etc, etc.

In the past it has been suggested (e.g. by me) that signatures in the ROOT-SERVERS.NET zone don't have much immediate benefit, since the records we're most interested in securing are the ones that affect end-users directly, which are much further down the tree. If rogue data in a priming response take you on a trip down dark shady alleyways, at least DNSSEC lets you know that you're there.

Anyway, I thought it was worth pushing back gently on any inference that the lack of DNSSEC in ROOT-SERVERS.NET was a simple oversight. It has definitely been considered.


Joe
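To put rough numbers on the response-size concern Joe raises, here is an added back-of-the-envelope estimate (my own construction, not code from the thread and not DNS-OARC's DITL data): it counts the bytes in a DO=1 priming response with today's unsigned glue, and again with RRSIGs over every glue RRset for a few signature sizes, including a dual-sign case. Record counts, wire-format name lengths and per-algorithm signature lengths are assumptions stated in the comments.

```python
# Added illustration (not from the thread): estimate how much a DO=1 priming
# response would grow if the glue for root-servers.net carried RRSIGs.
# Assumptions: 13 NS / 13 A / 13 AAAA as in the public root configuration,
# typical signature lengths per algorithm, EDNS0 OPT present, no other data.

HEADER = 12
QUESTION = 1 + 2 + 2            # owner "." (1 byte) + QTYPE + QCLASS
OPT = 11                        # EDNS0 OPT record with empty RDATA
RR_FIXED = 2 + 2 + 4 + 2        # TYPE, CLASS, TTL, RDLENGTH (owner counted separately)
POINTER = 2                     # compressed name reference
RSNET = 18                      # "root-servers.net." in uncompressed wire form
RRSIG_FIXED = 2 + 1 + 1 + 4 + 4 + 4 + 2   # type covered .. key tag
SIG_LEN = {"RSASHA256-2048": 256, "ECDSAP256SHA256": 64, "ED25519": 64}  # assumed, bytes

def rrsig_len(owner_len, signer_len, sig_len):
    # RFC 4034: the signer name inside RRSIG RDATA must not be compressed.
    return owner_len + RR_FIXED + RRSIG_FIXED + signer_len + sig_len

def priming_response_size(glue_algs=(), ns_alg="RSASHA256-2048",
                          num_ns=13, num_a=13, num_aaaa=13):
    """Bytes in a ./NS priming response with DO=1. glue_algs lists the algorithms
    signing root-servers.net; two entries model a dual-sign rollover."""
    size = HEADER + QUESTION + OPT
    # NS RRset at ".": first RDATA is the full "a.root-servers.net." (20 bytes),
    # later ones are one label plus a pointer to "root-servers.net." (4 bytes).
    size += 1 + RR_FIXED + 20
    size += (num_ns - 1) * (1 + RR_FIXED + 4)
    # The root NS RRset is already signed by the root zone (signer ".", 1 byte).
    size += rrsig_len(1, 1, SIG_LEN[ns_alg])
    # Glue: owner name is a pointer, RDATA is 4 (A) or 16 (AAAA) bytes.
    size += num_a * (POINTER + RR_FIXED + 4)
    size += num_aaaa * (POINTER + RR_FIXED + 16)
    # Each glue name is its own RRset, so each carries one RRSIG per algorithm.
    for alg in glue_algs:
        size += (num_a + num_aaaa) * rrsig_len(POINTER, RSNET, SIG_LEN[alg])
    return size

def fits(size, udp_payload):
    """True if the response fits the advertised EDNS UDP payload size."""
    return size <= udp_payload

if __name__ == "__main__":
    cases = [("unsigned glue (today)", ()), ("ECDSA P-256", ("ECDSAP256SHA256",)),
             ("RSA-2048", ("RSASHA256-2048",)),
             ("dual-sign RSA+ECDSA", ("RSASHA256-2048", "ECDSAP256SHA256"))]
    for label, algs in cases:
        n = priming_response_size(algs)
        print(f"{label:22s} {n:5d} bytes  <=1232: {fits(n, 1232)}  <=4096: {fits(n, 4096)}")
```

Under these assumptions even the smallest signatures push the response past the 1232-byte payload size many resolvers advertise, and RSA glue signatures exceed 4096 bytes, which is the kind of bloat the message is pointing at.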