root hints operation

Grant Taylor gtaylor at
Wed Nov 18 02:49:43 UTC 2015

On 11/17/2015 03:22 PM, Mark Andrews wrote:
> Given the root zone is signed and most of the TLDs are also signed
> there is little a rogue operator can do besides causing a DoS if
> you validate the returned answers.

This quote from Twitter seems appropriate:  DNSSEC only protects you
from getting bad answers.  If someone wants you to get no answers at all 
then DNSSEC cannot help.

I think it would be possible for a rogue operator to completely hide 
DNSSEC related records (NODATA) and revert to pre-DNSSEC DNS.  Thus it 
would then be possible to do some nefarious things.

I think the only thing that would help thwart this type of behavior is 
for clients to do DNSSEC validation themselves.  (It's my understanding 
that most do not.)

Grant. . . .
unix || die
