nanog mailing list archives

Re: DNSSEC and ISPs faking DNS responses

From: Mark Andrews <marka () isc org>
Date: Sat, 14 Nov 2015 11:18:52 +1100


In message <9692ECC6-34AD-49C0-B310-10B8EF8C112C () virtualized org>, David Conrad writes:


On Nov 13, 2015, at 10:24 AM, Mark Milhollan <mlm () pixelgate net> wrote:

On Thu, 13 Nov 2015, John Levine wrote:

At this point very few client resolvers check DNSSEC, so something
that stripped off all the DNSSEC stuff and inserted lies where
required would "work" for most clients.  At least until they realized
they couldn't get to PokerStars and switched their DNS to 8.8.8.8.


Except that the ISP can intercept those queries and respond as it likes.


Thank you. I was wondering if anyone would mention this.

DNSSEC only protects the validator's cache. My assumption (which may be
wrong) is that for the vast majority of folks, that means the cache that
is run by the ISP.

How many of the ISPs in Quebec enable DNSSEC?

Even if they do, I doubt the government would care: I would presume it
would be up to the ISP to implement the law and respond back as the law
dictates.  How many of the ISPs would continue to enable DNSSEC if the
cops show up at their door and turning off DNSSEC is the only way the ISP
has to implement the law's requirements?


Why would the ISP's turn off DNSSEC?  It doesn't prevent them sending back
NXDOMAIN.  The clients will validate or not.  If they validate they will
get a validation failure.  If they don't them the NXDOMAIN will be accepted.

How many applications request DNSSEC related information and validate?

The only way DNSSEC matters in this context is if you validate locally.
My guess is that the number of folk who do this is so low as to not be of
interest to the Quebec government. This may be an argument for folks to
run their own validating resolvers, but I'm not sure how you'd do that on
your iPhone, iPad, or SmartTV.


Apple just adds a validator to their stub resolver and installs a root
trust anchor.  This really isn't conceptually different to how they manage
CA's.

Regards,
-drc


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org

Current thread:

Re: DNSSEC and ISPs faking DNS responses, (continued)
- - - Re: DNSSEC and ISPs faking DNS responses Valdis . Kletnieks (Nov 17)
    - Re: DNSSEC and ISPs faking DNS responses Roland Dobbins (Nov 17)
    - Re: DNSSEC and ISPs faking DNS responses Christopher Morrow (Nov 17)
    - Re: DNSSEC and ISPs faking DNS responses Jaap Akkerhuis (Nov 17)
    - Re: DNSSEC and ISPs faking DNS responses Niels Bakker (Nov 14)
    - Re: DNSSEC and ISPs faking DNS responses Roland Dobbins (Nov 14)
    - Re: DNSSEC and ISPs faking DNS responses John Levine (Nov 14)
    - Re: DNSSEC and ISPs faking DNS responses Stephane Bortzmeyer (Nov 13)
    - Re: DNSSEC and ISPs faking DNS responses David Conrad (Nov 13)
    - Re: DNSSEC and ISPs faking DNS responses Valdis . Kletnieks (Nov 13)
    - Re: DNSSEC and ISPs faking DNS responses Mark Andrews (Nov 13)
    - Re: DNSSEC and ISPs faking DNS responses David Conrad (Nov 13)
    - Re: DNSSEC and ISPs faking DNS responses Roland Dobbins (Nov 13)
    - Re: DNSSEC and ISPs faking DNS responses Roland Dobbins (Nov 13)
    - Re: DNSSEC and ISPs faking DNS responses Mark Andrews (Nov 12)
- Re: DNSSEC and ISPs faking DNS responses Bjørn Mork (Nov 13)
  - Re: DNSSEC and ISPs faking DNS responses Matt Palmer (Nov 13)
    - Re: DNSSEC and ISPs faking DNS responses Mark Andrews (Nov 13)
    - Re: DNSSEC and ISPs faking DNS responses Matt Palmer (Nov 14)