[dns-operations] K-root in CN leaking outside of CN

Phillip Hallam-Baker phill at hallambaker.com
Sat Nov 6 16:35:00 UTC 2021

On Sat, Nov 6, 2021 at 12:22 AM Manu Bretelle <chantr4 at gmail.com> wrote:

> Hi all,
> Based on https://root-servers.org/, there are a few root servers operated
> from Mainland China.
> How do we ensure that those are not advertised outside of China so DNS
> answers are not poisoned by the GFW?

You can't.

All you can do is to authenticate the data and reject invalid responses.

I am getting heartily sick of all this fearmongering about China. One of
the chief fearmongers who was largely responsible for coining the phrase
'yellow peril' was Kaiser Wilhelm II who after telling Europe how China was
going to invade Europe for decades went and invaded Europe himself starting

If the DNS protocol were sane the root zone would be published as a
notarized, chained append only log. Every DNS resolver would obtain a list
of updates to that log either directly or indirectly. There would be no
root server to poison or DDoS.

But the DNS protocol is not sane and is not going to be changed. Not least
because the organizations that run root servers are rather pleased about
the prestige it brings to them.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20211106/7a79f53d/attachment.html>

More information about the dns-operations mailing list