[dns-operations] Can Root DNS server modify the response?
jared at puck.nether.net
Thu Mar 28 16:14:44 UTC 2019
On Tue, Mar 26, 2019 at 08:46:59AM +0100, Matthew Pounsett wrote:
> On Mon, Mar 25, 2019 at 15:57 Ondřej Surý <ondrej at sury.org> wrote:
> > Matt, there’s no difference between NXDOMAIN and SERVFAIL from the client
> > perspective.
> Except that, as has been pointed out, we're Not talking about the
> perspective of a single client getting a failure. If a riot operator went
> rogue DNSSEC would make that very obvious.
I similarly suspect it would be.
> That said.. I do still hold out hope that eventually we’ll have richer
> signalling between a validating stub and applications, and that this will
> also cover the single client context.
I would be interested in some more generalized transparency reporting
capabilities in the DNS. It's easy to see who gave out certificates for
*.nether.net in certificate transparency logs, it's not easy to find out who
gave out puck.nether.net as something other than 2001:418:3f4::5 or 184.108.40.206
I can find some of this in various passive dns databases but they're
generally not as public :-)
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
More information about the dns-operations