[dns-operations] Can Root DNS server modify the response?

Ondřej Surý ondrej at sury.org
Tue Mar 26 15:45:12 UTC 2019

> On 26 Mar 2019, at 08:46, Matthew Pounsett <matt at conundrum.com> wrote:
> On Mon, Mar 25, 2019 at 15:57 Ondřej Surý <ondrej at sury.org> wrote:
> Matt, there’s no difference between NXDOMAIN and SERVFAIL from the client perspective.
> Except that, as has been pointed out, we're Not talking about the perspective of a single client getting a failure.

Now, were we? :)  The original message was just an accusation of “censorship” without any proofs.

> If a riot operator went rogue DNSSEC would make that very obvious. 

That would be true for world-wide censor ship.  A targeted attack at the resolver-at-the-edge would be less obvious to the genpop.

But this is all hypothetical, I think nobody here really thinks that any of the rootops is doing any censorship for the root zone.

Ondřej Surý
ondrej at sury.org

More information about the dns-operations mailing list