[dns-operations] Can Root DNS server modify the response?
Jeroen Massar
jeroen at massar.ch
Tue Mar 26 16:27:33 UTC 2019
On 2019-03-26 16:45, Ondřej Surý wrote:
>
>> On 26 Mar 2019, at 08:46, Matthew Pounsett <matt at conundrum.com> wrote:
>>
>> On Mon, Mar 25, 2019 at 15:57 Ondřej Surý <ondrej at sury.org> wrote:
>> Matt, there’s no difference between NXDOMAIN and SERVFAIL from the client perspective.
>>
>> Except that, as has been pointed out, we're not talking about the perspective of a single client getting a failure.
>
> Now, were we? :) The original message was just an accusation of “censorship” without any proof.
>
>> If a root operator went rogue, DNSSEC would make that very obvious.
>
> That would be true for world-wide censorship. A targeted attack at the resolver-at-the-edge would be less obvious to the genpop.
>
> But this is all hypothetical, I think nobody here really thinks that any of the rootops is doing any censorship for the root zone.
Just for the sake of clarity: I do not think so either :)

It would be foolish to do so, as it can be detected in some forms (though "proof" would be hard, as it likely would be one-offs).

Greets,
Jeroen