[dns-operations] Can Root DNS server modify the response?

Jeroen Massar jeroen at massar.ch
Tue Mar 26 16:27:33 UTC 2019

On 2019-03-26 16:45, Ondřej Surý wrote:
>> On 26 Mar 2019, at 08:46, Matthew Pounsett <matt at conundrum.com> wrote:
>> On Mon, Mar 25, 2019 at 15:57 Ondřej Surý <ondrej at sury.org> wrote:
>> Matt, there’s no difference between NXDOMAIN and SERVFAIL from the client perspective.
>> Except that, as has been pointed out, we're Not talking about the perspective of a single client getting a failure.
> Now, were we? :)  The original message was just an accusation of “censorship” without any proofs.
>> If a riot operator went rogue DNSSEC would make that very obvious. 
> That would be true for world-wide censor ship.  A targeted attack at the resolver-at-the-edge would be less obvious to the genpop.
> But this is all hypothetical, I think nobody here really thinks that any of the rootops is doing any censorship for the root zone.

Just for the sake of clarity: I do not think so either :)

It would be foolish to do so, as it can be detected in some forms (though "proof" would be hard, as it likely would be one-offs).


More information about the dns-operations mailing list