think about signed root-servers.net.
This is a note from a hallway discussion so we do not forget:
Here is the theory: signing the root-servers.net. domain might raise the bar for attackers who want to track clients. An unsigned zone allows an attacker to poison a cache with the IP addresses of man-in-the-middle root servers. Such attacker-controlled servers cannot modify answers (the root zone data itself is signed), but they can observe the traffic for a potentially long time and track the poisoned recursor as it moves between networks.
So ... what happens when root-servers.net. is signed? How do we handle RFC 8109 priming in that case?
For validation we need the . DNSKEY. To get the . DNSKEY we need to contact the root servers. To contact the root servers, we need their IP addresses, which are signed by the . DNSKEY ... and we are back at the beginning.
One option is to use the hints from disk for the first priming refresh and replace those hints only if the answer validated; this would probably defend against the attack described above.
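The hint-replacement rule above as an added example, not code from any resolver: the priming query is sent to the disk hints because nothing else exists on a cold start, and the in-memory hints are swapped only when the returned glue validates. DNSSEC validation is replaced by a constructed HMAC stand-in (`TRUST_ANCHOR`), and all names and addresses are constructed (RFC 5737 documentation ranges, not real root servers).

```python
import hashlib
import hmac
import json

# Constructed stand-in for the DNSSEC chain of trust (trust anchor -> . DNSKEY
# -> root-servers.net glue). Real validation checks RRSIG/DNSKEY/DS records;
# only the control flow around the check is modelled here.
TRUST_ANCHOR = b"constructed-trust-anchor-key"

# Constructed disk hints; RFC 5737 documentation addresses, not real root servers.
DISK_HINTS = {"a.root-servers.net.": "192.0.2.1", "b.root-servers.net.": "192.0.2.2"}


def canonical(addresses):
    # Canonical form of the glue RRset so signer and validator hash identical bytes.
    return json.dumps(sorted(addresses.items())).encode()


def sign_glue(addresses, key):
    return hmac.new(key, canonical(addresses), hashlib.sha256).hexdigest()


def glue_validates(addresses, sig, key):
    return hmac.compare_digest(sign_glue(addresses, key), sig)


class PrimingResolver:
    def __init__(self, disk_hints):
        self.disk_hints = dict(disk_hints)  # bootstrap set, kept as the fallback
        self.hints = dict(disk_hints)       # what outgoing queries actually use
        self.hints_validated = False

    def priming_targets(self):
        # On a cold start the first priming query can only go to the disk hints.
        return list(self.hints.values())

    def apply_priming_response(self, addresses, sig):
        # Replace in-memory hints only when the glue validates; an unvalidated
        # (possibly poisoned) answer leaves the disk hints in place.
        if glue_validates(addresses, sig, TRUST_ANCHOR):
            self.hints = dict(addresses)
            self.hints_validated = True
            return "hints replaced (validated)"
        self.hints = dict(self.disk_hints)
        self.hints_validated = False
        return "answer rejected, disk hints kept"


def demo():
    r = PrimingResolver(DISK_HINTS)
    genuine = {"a.root-servers.net.": "192.0.2.10", "b.root-servers.net.": "192.0.2.20"}
    poisoned = {"a.root-servers.net.": "203.0.113.66", "b.root-servers.net.": "203.0.113.67"}
    rejected = r.apply_priming_response(poisoned, sign_glue(poisoned, b"not-the-anchor"))
    accepted = r.apply_priming_response(genuine, sign_glue(genuine, TRUST_ANCHOR))
    return rejected, accepted, r.hints
```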
Related to: #220 (closed)