root hints operation

Mark Andrews marka at
Wed Nov 18 04:02:14 UTC 2015

In message <564BE747.40002 at>, Grant Taylor writes:
> On 11/17/2015 03:22 PM, Mark Andrews wrote:
> > Given the root zone is signed and most of the TLD's are also signed
> > there is little a rogue operator can do besides causing a DoS if
> > you validate the returned answers.
> This quite from Twitter seems appropriate:  DNSSEC only protects you 
> from getting bad answers.  If someone wants you to get no answers at all 
> then DNSSEC cannot help.

As I said.  It doesn't protect you from a Denial of Service.
> I think it would be possible for a rogue operator to completely hide 
> DNSSEC related records (NODATA) and revert to pre-DNSSEC DNS.  Thus it 
> would then be possible to do some nefarious things.
> I think the only thing that would help thwart this type of behavior is 
> for clients to do DNSSEC validation themselves.  (It's my understanding 
> that most do not.)

If your recursive server is validating then you are protected from a
rogue root server.

If your application is validating then you are protected from a 
rogue root server and a rogue recursive server.


> -- 
> Grant. . . .
> unix || die
> _______________________________________________
> Please visit to unsubscribe
>  from this list
> bind-users mailing list
> bind-users at
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the bind-users mailing list