[185785] in North American Network Operators' Group


Re: DNSSEC and ISPs faking DNS responses

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Nov 13 00:08:13 2015

X-Original-To: nanog@nanog.org
From: Owen DeLong <owen@delong.com>
In-Reply-To: <20151113045027.6997.qmail@ary.lan>
Date: Thu, 12 Nov 2015 21:05:49 -0800
To: John Levine <johnl@iecc.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org


> On Nov 12, 2015, at 20:50 , John Levine <johnl@iecc.com> wrote:
> 
> In article <56455885.8090409@vaxination.ca> you write:
>> The Québec government is wanting to pass a law that will force ISPs to
>> block and/or redirect certain sites it doesn't like.  (namely sites that
>> offer on-line gambling that compete against its own Loto Québec).
> 
> Blocking is pretty easy, just don't return the result, or fake an
> NXDOMAIN.  For a signed domain, a DNSSEC client will see a SERVERFAIL
> instead, but they still won't get a result.
> 
> Redirecting is much harder -- as others have explained there is a
> chain of signatures from the root to the desired record, and if the
> chain isn't intact, it's SERVERFAIL again.  Inserting a replacement
> record with a fake signature into the original chain is intended to be
> impossible.  (If you figure out how, CSIS would really like to talk to
> you.)  It is possible to configure an ISP's DNS caches to trust
> specific signatures for specific parts of the tree, but that is kludgy
> and fragile and is likely to break DNS for everyone.

If you know that the client is using ONLY your resolver(s), couldn’t you
simply fake the entire chain and sign everything yourself?

Or, alternatively, couldn’t you just fake the answers to all the “is this
signed?” requests and say “Nope!” regardless of the state of the authoritative
zone in question?

Sure, if the client has any sort of independent visibility it can verify that
you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
much mean it can’t tell that you’re lying to it?

> 
> And anyway, it's pointless.  What they're saying is to take the
> gambling sites out of the phone book, but this is the Internet and
> there are a million other phone books available, outside of Quebec,
> such as Google's 8.8.8.8 located in the US, that people can configure
> their computers to use with a few mouse clicks.  Or you can run your
> own cache on your home network like I do, just run NSD or BIND on a
> linux laptop.

I believe the traditional statement is “This type of regulation is considered
damage and will be routed around.”

> 
> They could insist that ISPs block the actual web traffic to the sites,
> by blocking IP ranges, but that is also a losing battle since it's
> trivial to circumvent with widely available free VPN software.  If
> they want to outlaw VPNs, they're outlawing telework, since VPNs is
> how remote workers connect to their employers' systems, and the
> software is identical.

It’s also fairly easy for the gambling sites to become somewhat IP Agile,
creating a game of Whack-a-mole for the regulators and the ISPs they
are inflicting this pain on.

Owen
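The two ideas raised above (sign the whole chain yourself, or answer "not signed" to every DS question) and John's point that the chain of signatures runs from the root can be checked against a small model. The following is an added example, not code from this thread or from either author. It stands in toy RSA over tiny constructed primes for the real algorithms (it is not secure and only shows the asymmetry), uses constructed zone names and RFC 5737 documentation addresses, and models the parent's proof that a child is unsigned as a signed "NODS" record (real DNSSEC uses NSEC/NSEC3 for that). The one thing the validating client holds in advance is the root trust anchor; everything else comes from the resolver.

```python
"""Toy DNSSEC chain-of-trust validator (added example, not from the thread).

Textbook RSA over constructed primes stands in for real algorithms; it is NOT
secure. It only shows why a resolver that holds no zone keys cannot forge a
chain, or a "this zone is unsigned" claim, for a client that validates against
a locally configured root trust anchor. Names and addresses are constructed.
"""
import hashlib

def keygen(p, q, e=65537):
    """Toy RSA key from two constructed primes; d is the private exponent."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def pub(key):
    return {"n": key["n"], "e": key["e"]}

def digest(data, mod):
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % mod

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(pubkey, data, sig):
    return pow(sig, pubkey["e"], pubkey["n"]) == digest(data, pubkey["n"])

def ds_hash(pubkey):
    """DS record: a hash of the child's key, published and signed by the parent."""
    return hashlib.sha256(f'{pubkey["n"]}:{pubkey["e"]}'.encode()).hexdigest()

# Genuine zone keys for . -> com. -> example.com. (constructed primes just above 10^6).
ROOT, COM, EXAMPLE = keygen(1000003, 1000033), keygen(1000037, 1000039), keygen(1000081, 1000099)
TRUST_ANCHOR = pub(ROOT)                    # the only key the validating client is configured with
ZONES = [".", "com.", "example.com."]
REAL = "www.example.com. A 192.0.2.10"      # constructed genuine answer
FAKE = "www.example.com. A 198.51.100.99"   # constructed redirect target

def build_chain(root, com, example, answer, example_signed=True):
    """What a resolver hands back: each zone's DNSKEY, the parent's DS (or signed denial), the answer."""
    com_ds = ds_hash(pub(com))
    chain = {
        ".": {"dnskey": pub(root), "ds": com_ds, "ds_sig": sign(root, f"com. DS {com_ds}")},
        "com.": {"dnskey": pub(com)},
        "example.com.": {"dnskey": pub(example), "answer": answer, "answer_sig": sign(example, answer)},
    }
    if example_signed:
        ex_ds = ds_hash(pub(example))
        chain["com."].update(ds=ex_ds, ds_sig=sign(com, f"example.com. DS {ex_ds}"))
    else:  # genuinely unsigned child: the parent signs the denial (NSEC/NSEC3 in real DNSSEC)
        chain["com."].update(ds=None, ds_sig=sign(com, "example.com. NODS"))
    return chain

def validate(chain, anchor=TRUST_ANCHOR):
    """Walk the delegation top-down and return (status, answer) as a validating resolver would."""
    key = chain["."]["dnskey"]
    if key != anchor:                       # root DNSKEY is not the configured trust anchor
        return ("BOGUS", None)
    leaf = chain[ZONES[-1]]
    for parent, child in zip(ZONES, ZONES[1:]):
        rec = chain[parent]
        if rec["ds"] is None:               # "not signed" must itself carry the parent's signature
            if not verify(key, f"{child} NODS", rec["ds_sig"]):
                return ("BOGUS", None)
            return ("INSECURE", leaf["answer"])   # provably unsigned: answer accepted unverified
        if not verify(key, f"{child} DS {rec['ds']}", rec["ds_sig"]):
            return ("BOGUS", None)          # DS not signed by the parent's key
        if ds_hash(chain[child]["dnskey"]) != rec["ds"]:
            return ("BOGUS", None)          # child's DNSKEY does not match the parent's DS
        key = chain[child]["dnskey"]
    if verify(key, leaf["answer"], leaf["answer_sig"]):
        return ("SECURE", leaf["answer"])
    return ("BOGUS", None)

def honest():
    return validate(build_chain(ROOT, COM, EXAMPLE, REAL))

def fake_entire_chain():
    """'Sign everything yourself': the resolver's own keys replace all three zones."""
    r, c, e = keygen(1000003, 1000037), keygen(1000033, 1000081), keygen(1000039, 1000099)
    return validate(build_chain(r, c, e, FAKE))

def claim_unsigned():
    """'Say Nope! to is-this-signed': strip the DS and sign the denial with the resolver's own key."""
    chain = build_chain(ROOT, COM, EXAMPLE, FAKE)
    chain["com."].update(ds=None, ds_sig=sign(keygen(1000003, 1000081), "example.com. NODS"))
    chain["example.com."].update(answer_sig=0)   # resolver has no example.com. key to sign with
    return validate(chain)

def genuinely_unsigned():
    """If example.com. really is unsigned, com. signs the denial and the redirect goes undetected."""
    return validate(build_chain(ROOT, COM, EXAMPLE, FAKE, example_signed=False))

if __name__ == "__main__":
    for case in (honest, fake_entire_chain, claim_unsigned, genuinely_unsigned):
        print(f"{case.__name__:20s} -> {case()}")
```

Run stand-alone it prints SECURE for the honest chain, BOGUS for both forgeries (the first fails at the trust anchor, the second because only com.'s key can sign the denial of a DS for example.com.), and INSECURE for a zone that genuinely has no DS. That last case is the caveat: DNSSEC only protects names whose chain is actually signed, and only for clients that validate; a stub that simply trusts its resolver's answers (or its AD bit) gets none of this, which is the "client can only talk to your resolvers" situation. Real validators get the root key from their own software distribution and rollover (RFC 5011), never from the resolver being checked.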
