nanog mailing list archives
Re: DNSSEC and ISPs faking DNS responses
From: David Conrad <drc () virtualized org>
Date: Fri, 13 Nov 2015 14:22:15 -0800
On Nov 13, 2015, at 10:24 AM, Mark Milhollan <mlm () pixelgate net> wrote:
> On Thu, 13 Nov 2015, John Levine wrote:
>
>> At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
>
> Except that the ISP can intercept those queries and respond as it likes.
Thank you. I was wondering if anyone would mention this.

DNSSEC only protects the validator's cache. My assumption (which may be wrong) is that for the vast majority of folks, that means the cache that is run by the ISP. How many of the ISPs in Quebec enable DNSSEC? Even if they do, I doubt the government would care: I would presume it would be up to the ISP to implement the law and respond back as the law dictates. How many of the ISPs would continue to enable DNSSEC if the cops show up at their door and turning off DNSSEC is the only way the ISP has to implement the law's requirements?

How many applications request DNSSEC related information and validate? The only way DNSSEC matters in this context is if you validate locally. My guess is that the number of folk who do this is so low as to not be of interest to the Quebec government.

This may be an argument for folks to run their own validating resolvers, but I'm not sure how you'd do that on your iPhone, iPad, or SmartTV.

Regards,
-drc
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
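The point made above, that DNSSEC only protects the validator's own cache and that a stub which merely trusts its ISP resolver learns nothing when "all the DNSSEC stuff" is stripped, can be made concrete with a small stub-side check. The following is an added example, not code from this thread or from any of its posters. It builds a query with the EDNS0 DO bit, parses a response far enough to see the AD flag and the record types returned, and classifies what an unvalidating client can actually conclude. The two sample responses are constructed inline (the RRSIG RDATA is a placeholder, not a real signature), and no cryptographic validation is performed; the example only shows why the AD bit alone is not evidence of anything when the path to the resolver is not authenticated.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000   # DO bit: high bit of the OPT record's TTL field (RFC 3225)
FLAG_AD = 0x0020   # Authenticated Data bit in the DNS header flags


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, do=True):
    """Recursive query with an OPT record; DO=1 asks the resolver to return RRSIGs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return header + question + opt


def decode_name(data, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            off += 1
            break
        labels.append(data[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(data):
    """Extract the header flags and the RR types present; enough for a stub-side sanity check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4                                       # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        _, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        records.append((rtype, ttl, data[off:off + rdlen]))
        off += rdlen
    return {
        "txid": txid,
        "ad": bool(flags & FLAG_AD),
        "types": [r[0] for r in records],
        "do": any(r[0] == TYPE_OPT and r[1] & EDNS_DO for r in records),
    }


def assess(parsed, zone_known_signed):
    """What a client that did not validate the answer itself can conclude from it."""
    if TYPE_RRSIG in parsed["types"]:
        return "signed-data-present"    # the stub has material it could validate locally
    if zone_known_signed:
        return "dnssec-stripped"        # zone is signed but no RRSIGs came back, AD bit or not
    return "ad-only" if parsed["ad"] else "unsigned"   # AD alone is just a bit the resolver set


def build_response(txid, ad, rrsets, do, name="example.com."):
    """Constructed response: QR|RD|RA (+AD), one question, answers via a 0xC00C name pointer."""
    flags = 0x8180 | (FLAG_AD if ad else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(rrsets), 0, 1 if do else 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in rrsets:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    if do:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


# Constructed samples: a validating resolver's honest answer (A + placeholder RRSIG, AD=1),
# and the same query as an on-path device would rewrite it (different A, no RRSIG, no OPT).
HONEST = build_response(0x1234, True, [(TYPE_A, b"\xc0\x00\x02\x01"),
                                       (TYPE_RRSIG, b"placeholder-rrsig-rdata")], do=True)
STRIPPED = build_response(0x1234, False, [(TYPE_A, b"\xc0\x00\x02\x63")], do=False)

if __name__ == "__main__":
    for label, msg in (("honest", HONEST), ("stripped", STRIPPED)):
        p = parse_response(msg)
        print(label, "AD=%s types=%s verdict=%s" % (p["ad"], p["types"], assess(p, True)))
```

The verdict `dnssec-stripped` is only reachable because the client brings its own knowledge that the zone is signed (from a trust anchor and DS chain it validated itself); a stub that relies on the resolver for that fact too is back to trusting whatever the path hands it, which is the situation the message above describes.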