[dns-operations] Can Root DNS server modify the response?

Jeroen Massar jeroen at massar.ch
Tue Mar 26 14:37:42 UTC 2019

On 2019-03-26 14:53, Joe Abley wrote:
> On 25 Mar 2019, at 18:52, Florian Weimer <fw at deneb.enyo.de> wrote:
>> * Florian Weimer:
>>> * Ondřej Surý:
>>>> Matt, there’s no difference between NXDOMAIN and SERVFAIL from the
>>>> client perspective.
>>> Right.  In theory, the recursive resolver could switch to a different
>>> root server that returns good data, but the malicious root server
>>> could return bad unsigned glue as part of the attack.  It is very
>>> difficult to recover from that in the recursive resolver.
>> Actually, it's impossible here because ROOT-SERVERS.NET is not signed.
>> Oops.
> If ROOT-SERVERS.NET was signed it would have the effect of increasing the size of responses to priming queries sent with EDNS0/DO=1. An unscientific quick peek over the fence at DNS-OARC's DITL-2018 root zone data suggests that there's a lot of that traffic. Whether or not this has the potential to cause a problem depends on how big the increase might be. Different algorithms might have different impact due to differences in signature size, dual-sign rollovers would cause more bloating, etc, etc.
> In the past it has been suggested (e.g. by me) that signatures in the ROOT-SERVERS.NET zone don't have much immediate benefit, since the records we're most interested in securing are the ones that affect end-users directly, which are much further down the tree. If rogue data in a priming response take you on a trip down dark shady alleyways, at least DNSSEC lets you know that you're there.
> Anyway, I thought it was worth pushing back gently on any inference that the lack of DNSSEC in ROOT-SERVERS.NET was a simple oversight. It has definitely been considered.

Thanks Joe for the insight.

Would it be an idea to document it somewhere? (Otherwise one keeps on searching, and Google does not do tech searches as well as it used to anymore[1])

Of course, should also include a section for possible future DNS-purists who only accept valid DNSSEC-signed traffic ;)


[1] likely due to a combination of second-guessing the user, trying to typo-fix, ignoring "quotes" and +/- options in queries...
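The response-size argument in Joe's quoted paragraph, worked through as an added example (this is not code from the thread, from DNS-OARC or from any root operator): a wire-size model of a priming response with DO=1, today versus a hypothetical signed ROOT-SERVERS.NET, for a few signature algorithms and for a dual-sign rollover. Everything below is an assumption of the model rather than a measurement: 13 servers with one A and one AAAA glue record each, an RSASHA256 root ZSK of 2048 bits signing the NS RRset, the listed signature lengths, RFC 1035 name compression (a name suffix already present in the message costs a 2-byte pointer), and an RRSIG signer name that is never compressed (RFC 4034, section 3.1.7). TTLs, key tags and the actual addresses do not affect the byte count, so the model omits them.

```python
"""Wire-size model of a root priming response (DO=1), with and without
RRSIGs over the ROOT-SERVERS.NET glue. Added example; assumptions are
labelled in the comments, and nothing here is measured data."""

# Assumed signature lengths in bytes; the RSA key sizes are assumptions.
SIG_BYTES = {
    "RSASHA256-1024": 128,
    "RSASHA256-2048": 256,
    "ECDSAP256SHA256": 64,
    "ED25519": 64,
}

ROOT_SERVERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
GLUE_SIGNER = "root-servers.net."   # zone that would sign the glue

HEADER = 12        # DNS message header
RR_FIXED = 10      # TYPE, CLASS, TTL, RDLENGTH
RRSIG_FIXED = 18   # type covered .. key tag, before signer name and signature
OPT_RR = 11        # root owner, TYPE, UDP size, ext. RCODE/flags, RDLENGTH, no options
EDNS_BUFFERS = (1232, 1280, 4096)   # common EDNS buffer sizes to compare against


def uncompressed_len(name):
    """Wire length of a name with no compression (RRSIG signer names)."""
    labels = [l for l in name.split(".") if l]
    return sum(1 + len(l) for l in labels) + 1   # +1 for the root label


class WireSizer:
    """Counts message bytes, applying RFC 1035 4.1.4 compression to names:
    a suffix that has already appeared anywhere in the message costs a
    2-byte pointer instead of its labels."""

    def __init__(self):
        self.size = 0
        self.seen = set()

    def name(self, name):
        labels = [l for l in name.split(".") if l]
        n = 0
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:])
            if suffix in self.seen:
                return n + 2              # pointer to the earlier copy
            self.seen.add(suffix)
            n += 1 + len(label)
        return n + 1                      # terminating root label

    def rr(self, owner, rdata_len):
        """Generic RR with fixed-length, non-compressible RDATA (A, AAAA)."""
        self.size += self.name(owner) + RR_FIXED + rdata_len

    def ns(self, owner, target):
        """NS RR; the target name in RDATA may be compressed."""
        owner_len = self.name(owner)
        self.size += owner_len + RR_FIXED + self.name(target)

    def rrsig(self, owner, signer, alg):
        """RRSIG RR; the signer name MUST NOT be compressed (RFC 4034 3.1.7)."""
        self.size += (self.name(owner) + RR_FIXED + RRSIG_FIXED
                      + uncompressed_len(signer) + SIG_BYTES[alg])


def priming_response_size(glue_algs=(), root_alg="RSASHA256-2048"):
    """Bytes in a priming response. glue_algs lists the algorithms that
    sign the ROOT-SERVERS.NET glue: empty today, one entry for a signed
    zone, two entries during a dual-sign algorithm rollover."""
    w = WireSizer()
    w.size += HEADER
    w.size += w.name(".") + 4             # question: . IN NS
    for server in ROOT_SERVERS:           # answer: 13 NS records for the root
        w.ns(".", server)
    w.rrsig(".", ".", root_alg)           # already present today with DO=1
    for server in ROOT_SERVERS:           # additional: A and AAAA glue
        w.rr(server, 4)
        w.rr(server, 16)
        for alg in glue_algs:
            w.rrsig(server, GLUE_SIGNER, alg)   # would cover the A RRset
            w.rrsig(server, GLUE_SIGNER, alg)   # would cover the AAAA RRset
    w.size += OPT_RR
    return w.size


def scenarios():
    """Response size per scenario, as a dict keyed by a short label."""
    return {
        "unsigned glue (today)": priming_response_size(),
        "ECDSAP256SHA256": priming_response_size(("ECDSAP256SHA256",)),
        "ED25519": priming_response_size(("ED25519",)),
        "RSASHA256-1024": priming_response_size(("RSASHA256-1024",)),
        "RSASHA256-2048": priming_response_size(("RSASHA256-2048",)),
        "dual-sign RSA-2048 + ECDSA P-256":
            priming_response_size(("RSASHA256-2048", "ECDSAP256SHA256")),
    }


if __name__ == "__main__":
    print(f"{'scenario':36} {'bytes':>6}  " + "  ".join(f"<={b}" for b in EDNS_BUFFERS))
    for label, size in scenarios().items():
        fits = "  ".join(("yes" if size <= b else "no ").rjust(len(f"<={b}")) for b in EDNS_BUFFERS)
        print(f"{label:36} {size:6}  {fits}")
```

The interesting output is not the absolute numbers, which depend on the assumed key sizes and on how aggressively a particular server compresses, but the ratio: with 26 glue RRsets each carrying its own RRSIG, even 64-byte ECDSA signatures add over 2.5 KB, and a dual-signed RSA rollover pushes the response past a 4096-byte EDNS buffer, so priming would fall back to TCP or truncation for a lot of the DO=1 traffic Joe mentions. To sanity-check the model against reality, compare `priming_response_size()` with the MSG SIZE line of `dig . NS +dnssec @a.root-servers.net`.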
