nanog mailing list archives
Re: DNSSEC and ISPs faking DNS responses
From: Owen DeLong <owen () delong com>
Date: Fri, 13 Nov 2015 09:25:18 -0800
On Nov 12, 2015, at 21:29 , John Levine <johnl () iecc com> wrote:Redirecting is much harder -- ...If you know that the client is using ONLY your resolver(s), couldn’t you simply fake the entire chain and sign everything yourself?I suppose, although doing that at scale in a large provider like Videotron (1.5M subscribers) would be quite a challenge.Or, alternatively, couldn’t you just fake the answers to all the “is this signed?” requests and say “Nope!” regardless of the state of the authoritative zone in question?No, those responses are signed too.
Only if you pass through the claim that the parent domain is signed. Again, if you’re the only resolver the clients are using, you can claim that nothing from the root down is signed without ever providing any cryptographic anything. Seems to me that wouldn’t be significantly harder than running a resolver at the same scale.
Sure, if the client has any sort of independent visibility it can verify that you’re lying, but if it can only talk to your resolvers, doesn’t that pretty much mean it can’t tell that you’re lying to it?At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
If the ISPs don’t start blocking well known public resolvers or even just blocking port 53 in general (which has been known to happen). Owen
Current thread:
- Re: DNSSEC and ISPs faking DNS responses, (continued)
- Re: DNSSEC and ISPs faking DNS responses Roland Dobbins (Nov 14)
- Re: DNSSEC and ISPs faking DNS responses Owen DeLong (Nov 14)
- Re: DNSSEC and ISPs faking DNS responses Roland Dobbins (Nov 14)
- Re: DNSSEC and ISPs faking DNS responses Stephane Bortzmeyer (Nov 14)
- Re: DNSSEC and ISPs faking DNS responses Baldur Norddahl (Nov 14)
- Re: DNSSEC and ISPs faking DNS responses John Levine (Nov 14)
- Re: DNSSEC and ISPs faking DNS responses Alejandro Acosta (Nov 12)
- Re: DNSSEC and ISPs faking DNS responses Owen DeLong (Nov 12)
- Re: DNSSEC and ISPs faking DNS responses John Levine (Nov 12)
- Re: DNSSEC and ISPs faking DNS responses Owen DeLong (Nov 13)
- Re: DNSSEC and ISPs faking DNS responses John R. Levine (Nov 13)
- RE: DNSSEC and ISPs faking DNS responses eric-list (Nov 13)
- RE: DNSSEC and ISPs faking DNS responses Tony Finch (Nov 16)