nanog mailing list archives
Re: DNSSEC and ISPs faking DNS responses
From: Alejandro Acosta <alejandroacostaalamo () gmail com>
Date: Fri, 13 Nov 2015 00:33:10 -0430
Hello, El 11/13/2015 a las 12:20 AM, John Levine escribió:
In article <56455885.8090409 () vaxination ca> you write:The Québec government is wanting to pass a law that will force ISPs to block and/or redirect certain sites it doesn't like. (namely sites that offer on-line gambling that compete against its own Loto Québec).Blocking is prettty easy, just don't return the result, or fake an NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL instead, but they still won't get a result. Redirecting is much harder -- as others have explained there is a chain of signatures from the root to the desired record, and if the chain isn't intact, it's SERVERFAIL again. Inserting a replacement record with a fake signature into the original chain is intended to be impossible. (If you figure out how, CSIS would really like to talk to you.) It is possible to configure an ISP's DNS caches to trust specific signatures for specific parts of the tree, but that is kludgy and fragile and is likely to break DNS for everyone.
I'm not a DNSSEC expert but I wonder what would be the behavior if the ISP adds a specific trust anchor for the domain they wish to block?
And anyway, it's pointless. What they're saying is to take the gambling sites out of the phone book, but this is the Internet and there are a million other phone books available, outside of Quebec, such as Google's 8.8.8.8 located in the US, that people can configure their computers to use with a few mouse clicks. Or you can run your own cache on your home network like I do, just run NSD or BIND on a linux laptop. They could insist that ISPs block the actual web traffic to the sites, by blocking IP ranges, but that is also a losing battle since it's trivial to circumvent with widely available free VPN software. If they want to outlaw VPNs, they're outlawing telework, since VPNs is how remote workers connect to their employers' systems, and the software is identical. R's, John
Thanks, Alejandro,
Current thread:
- Re: DNSSEC and ISPs faking DNS responses, (continued)
- Re: DNSSEC and ISPs faking DNS responses Alarig Le Lay (Nov 13)
- Re: DNSSEC and ISPs faking DNS responses Stephane Bortzmeyer (Nov 13)
- Re: DNSSEC and ISPs faking DNS responses Jean-Francois Mezei (Nov 13)
- Re: DNSSEC and ISPs faking DNS responses Roland Dobbins (Nov 14)
- Re: DNSSEC and ISPs faking DNS responses Owen DeLong (Nov 14)
- Re: DNSSEC and ISPs faking DNS responses Roland Dobbins (Nov 14)
- Re: DNSSEC and ISPs faking DNS responses Stephane Bortzmeyer (Nov 14)
- Re: DNSSEC and ISPs faking DNS responses Baldur Norddahl (Nov 14)
- Re: DNSSEC and ISPs faking DNS responses John Levine (Nov 14)
- Re: DNSSEC and ISPs faking DNS responses Alejandro Acosta (Nov 12)
- Re: DNSSEC and ISPs faking DNS responses Owen DeLong (Nov 12)
- Re: DNSSEC and ISPs faking DNS responses John Levine (Nov 12)
- Re: DNSSEC and ISPs faking DNS responses Owen DeLong (Nov 13)
- Re: DNSSEC and ISPs faking DNS responses John R. Levine (Nov 13)
- RE: DNSSEC and ISPs faking DNS responses eric-list (Nov 13)
- RE: DNSSEC and ISPs faking DNS responses Tony Finch (Nov 16)