[185786] in North American Network Operators' Group


Re: DNSSEC and ISPs faking DNS responses

daemon@ATHENA.MIT.EDU (John Levine)
Fri Nov 13 00:30:11 2015

X-Original-To: nanog@nanog.org
Date: 13 Nov 2015 05:29:46 -0000
From: "John Levine" <johnl@iecc.com>
To: nanog@nanog.org
In-Reply-To: <5CA68A46-2F63-466A-B418-30DA71B2BAC5@delong.com>
Errors-To: nanog-bounces@nanog.org

>> Redirecting is much harder -- ...

>If you know that the client is using ONLY your resolver(s), couldn’t you
>simply fake the entire chain and sign everything yourself?

I suppose, although doing that at scale in a large provider like Videotron
(1.5M subscribers) would be quite a challenge.

>Or, alternatively, couldn’t you just fake the answers to all the “is this
>signed?” requests and say “Nope!” regardless of the state of the authoritative
>zone in question?

No, those responses are signed too.

>Sure, if the client has any sort of independent visibility it can verify that
>you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
>much mean it can’t tell that you’re lying to it?

At this point very few client resolvers check DNSSEC, so something
that stripped off all the DNSSEC stuff and inserted lies where
required would "work" for most clients.  At least until they realized
they couldn't get to PokerStars and switched their DNS to 8.8.8.8.

R's,
John

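The scenario debated above as an added toy model, not part of the original post or of any real resolver: a validating resolver walks DS -> DNSKEY from a configured trust anchor, so a resolver that lacks the zone keys can neither answer "not signed" nor re-sign the chain itself, while a non-validating stub accepts whatever it is handed. HMAC stands in for the asymmetric RRSIG, and the zone names, keys and addresses are all constructed.

```python
import hashlib
import hmac
import os

# HMAC stands in for the asymmetric RRSIG; as in real DNSSEC, the on-path resolver
# modelled here does not hold any zone's signing key. Keys are constructed at random.
SIGNING_KEYS = {z: os.urandom(32) for z in (".", "com.", "example.com.")}
TRUST_ANCHOR = SIGNING_KEYS["."]              # the validator's configured root key
DELEGATIONS = ((".", "com."), ("com.", "example.com."))

def sig(key, record):
    return hmac.new(key, record.encode(), hashlib.sha256).hexdigest()

def build_chain(keys):
    """At each zone cut: a DS (hash of the child DNSKEY) signed by the parent."""
    chain = {}
    for parent, child in DELEGATIONS:
        ds = f"{child} DS {hashlib.sha256(keys[child]).hexdigest()}"
        chain[child] = {"dnskey": keys[child], "ds": ds, "ds_sig": sig(keys[parent], ds)}
    return chain

def response(keys, ip):
    """An A answer plus its chain, everything signed with `keys` (real or rogue)."""
    a = f"example.com. A {ip}"
    return {"chain": build_chain(keys), "answer": a,
            "answer_sig": sig(keys["example.com."], a)}

def tampered_response(ip, strip=False):
    """Without the zone keys a resolver can only strip the DNSSEC material or re-sign with its own keys."""
    if strip:
        return {"chain": {}, "answer": f"example.com. A {ip}", "answer_sig": ""}
    return response({z: os.urandom(32) for z in SIGNING_KEYS}, ip)

def stub_answer(resp):  # a non-validating stub accepts whatever its resolver says
    return resp["answer"]

def validate(resp, trust_anchor=TRUST_ANCHOR):
    """Walk DS -> DNSKEY from the trust anchor down; None if any link fails."""
    parent_key = trust_anchor
    for _, child in DELEGATIONS:
        link = resp["chain"].get(child)
        if link is None:   # even "no DS here" must arrive as a parent-signed proof
            return None
        if not hmac.compare_digest(sig(parent_key, link["ds"]), link["ds_sig"]):
            return None    # DS not signed by the parent already trusted
        if link["ds"].split()[-1] != hashlib.sha256(link["dnskey"]).hexdigest():
            return None    # DNSKEY does not match the signed DS
        parent_key = link["dnskey"]
    ok = hmac.compare_digest(sig(parent_key, resp["answer"]), resp["answer_sig"])
    return resp["answer"] if ok else None
```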