[dns-operations] Can Root DNS server modify the response?
jeroen at massar.ch
Tue Mar 26 14:37:42 UTC 2019
On 2019-03-26 14:53, Joe Abley wrote:
> On 25 Mar 2019, at 18:52, Florian Weimer <fw at deneb.enyo.de> wrote:
>> * Florian Weimer:
>>> * Ondřej Surý:
>>>> Matt, there’s no difference between NXDOMAIN and SERVFAIL from the
>>>> client perspective.
>>> Right. In theory, the recursive resolver could switch to a different
>>> root server that returns good data, but the malicious root server
>>> could return bad unsigned glue as part of the attack. It is very
>>> difficult to recover from that in the recursive resolver.
>> Actually, it's impossible here because ROOT-SERVERS.NET is not signed.
> If ROOT-SERVERS.NET was signed it would have the effect of increasing the size of responses to priming queries sent with EDNS0/DO=1. An unscientific quick peek over the fence at DNS-OARC's DITL-2018 root zone data suggests that there's a lot of that traffic. Whether or not this has the potential to cause a problem depends on how big the increase might be. Different algorithms might have different impact due to differences in signature size, dual-sign rollovers would cause more bloating, etc, etc.
> In the past it has been suggested (e.g. by me) that signatures in the ROOT-SERVERS.NET zone don't have much immediate benefit, since the records we're most interested in securing are the ones that affect end-users directly, which are much further down the tree. If rogue data in a priming response take you on a trip down dark shady alleyways, at least DNSSEC lets you know that you're there.
> Anyway, I thought it was worth pushing back gently on any inference that the lack of DNSSEC in ROOT-SERVERS.NET was a simple oversight. It has definitely been considered.
Thanks Joe for the insight.
Would it be an idea to document it somewhere? (Otherwise one keeps on searching and google does not do tech-searches so well as it used to anymore)
Of course, should also include a section for possible future DNS-purists who only accept valid DNSSEC-signed traffic ;)
likely due to a combination of second-guessing the user, trying to typo-fix, ignoring "quotes" and +/- options in queries...
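Joe's size argument above, as an added example that is not part of the thread: a back-of-envelope model of how many bytes signed glue would add to an EDNS0/DO=1 priming response, per signing algorithm and with dual-signing during a rollover. It assumes an uncompressed wire encoding (so the figures are upper bounds), a 2048-bit RSA key, and the 13 root server names.

```python
"""Estimate how a root priming response grows if ROOT-SERVERS.NET were
DNSSEC-signed (added example). Sizes use a minimal *uncompressed* wire
encoder, so absolute numbers and deltas are upper bounds: name compression
would shrink owner/signer names but not the signatures themselves. The
root's own RRSIG over the '.' NS RRset is present either way and omitted."""

# Signature sizes in bytes (assumption: RSA with a 2048-bit key; P-256 and
# Ed25519 signatures are fixed at 64 bytes).
SIG_BYTES = {"RSASHA256-2048": 256, "ECDSAP256SHA256": 64, "ED25519": 64}

ROOT_SERVERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
SIGNER = "root-servers.net."

def encode_name(name):
    """Uncompressed wire length: one length byte per label plus a zero terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1

def rr_size(owner, rdata_len):
    """Owner NAME + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA."""
    return encode_name(owner) + 10 + rdata_len

def rrsig_size(owner, signer, alg):
    """RRSIG RDATA: 18 fixed bytes, the signer's name, then the signature."""
    return rr_size(owner, 18 + encode_name(signer) + SIG_BYTES[alg])

def priming_response_size(glue_alg=None, dual=False):
    """Header + '. IN NS' question + 13 NS + 13 A + 13 AAAA glue + OPT.
    With glue_alg set, every A and AAAA RRset also carries one RRSIG (two
    when dual-signed), as it would if root-servers.net were signed and
    served authoritatively by the root servers."""
    size = 12 + (encode_name(".") + 4)                                  # header + question
    size += sum(rr_size(".", encode_name(n)) for n in ROOT_SERVERS)     # NS RRset
    size += sum(rr_size(n, 4) + rr_size(n, 16) for n in ROOT_SERVERS)  # A + AAAA glue
    size += 11                                                          # OPT pseudo-RR
    if glue_alg:
        sigs_per_rrset = 2 if dual else 1
        size += sum(2 * sigs_per_rrset * rrsig_size(n, SIGNER, glue_alg)
                    for n in ROOT_SERVERS)
    return size

def growth(alg, dual=False):
    """Extra bytes signed glue adds over today's unsigned priming response."""
    return priming_response_size(alg, dual) - priming_response_size()

if __name__ == "__main__":
    print(f"unsigned glue: {priming_response_size()} bytes")
    for alg in SIG_BYTES:
        for dual in (False, True):
            print(f"{alg:16s} dual={dual!s:5s} {priming_response_size(alg, dual):5d}"
                  f" bytes (+{growth(alg, dual)})")
```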