[dns-operations] Can Root DNS server modify the response?
Jared Mauch
jared at puck.nether.net
Thu Mar 28 16:14:44 UTC 2019
On Tue, Mar 26, 2019 at 08:46:59AM +0100, Matthew Pounsett wrote:
> On Mon, Mar 25, 2019 at 15:57 Ondřej Surý <ondrej at sury.org> wrote:
>
> > Matt, there’s no difference between NXDOMAIN and SERVFAIL from the client
> > perspective.
> >
>
> Except that, as has been pointed out, we're not talking about the
> perspective of a single client getting a failure. If a root operator went
> rogue DNSSEC would make that very obvious.
I similarly suspect it would be.
> That said.. I do still hold out hope that eventually we’ll have richer
> signalling between a validating stub and applications, and that this will
> also cover the single client context.
I would be interested in some more generalized transparency reporting
capabilities in the DNS. It's easy to see who gave out certificates for
*.nether.net in certificate transparency logs, it's not easy to find out who
gave out puck.nether.net as something other than 2001:418:3f4::5 or 204.42.254.5
for example.
I can find some of this in various passive dns databases but they're
generally not as public :-)
- Jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.