[185800] in North American Network Operators' Group


Re: DNSSEC and ISPs faking DNS responses

daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Nov 13 12:46:34 2015

From: Owen DeLong <owen@delong.com>
In-Reply-To: <20151113052946.7102.qmail@ary.lan>
Date: Fri, 13 Nov 2015 09:25:18 -0800
To: John Levine <johnl@iecc.com>
Cc: nanog@nanog.org


> On Nov 12, 2015, at 21:29 , John Levine <johnl@iecc.com> wrote:
> 
>>> Redirecting is much harder -- ...
> 
>> If you know that the client is using ONLY your resolver(s), couldn’t you
>> simply fake the entire chain and sign everything yourself?
> 
> I suppose, although doing that at scale in a large provider like Videotron
> (1.5M subscribers) would be quite a challenge.
> 
>> Or, alternatively, couldn’t you just fake the answers to all the “is this
>> signed?” requests and say “Nope!” regardless of the state of the authoritative
>> zone in question?
> 
> No, those responses are signed too.

Only if you pass through the claim that the parent domain is signed.

Again, if you’re the only resolver the clients are using, you can claim that
nothing from the root down is signed without ever providing any cryptographic
anything.

Seems to me that wouldn’t be significantly harder than running a resolver
at the same scale.

> 
>> Sure, if the client has any sort of independent visibility it can verify that
>> you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
>> much mean it can’t tell that you’re lying to it?
> 
> At this point very few client resolvers check DNSSEC, so something
> that stripped off all the DNSSEC stuff and inserted lies where
> required would "work" for most clients.  At least until they realized
> they couldn't get to PokerStars and switched their DNS to 8.8.8.8.

If the ISPs don’t start blocking well-known public resolvers or even just
blocking port 53 in general (which has been known to happen).

Owen
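
The three resolver strategies debated in the exchange above (sign a fake chain yourself, strip every signature and claim nothing is signed, or relay the real root answers but deny that the child zone has a DS), run against a validating stub that holds the root key as its trust anchor. This is an added example, not code from the thread or from any resolver implementation; it is a model, not a DNS parser: keys are Ed25519 pairs generated at run time, the child's public key stands in for a DS hash, one key plays both KSK and ZSK, and the chain is collapsed to a single delegation (root -> example.) with a constructed A record, all of which are simplifications chosen here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Status string // what a validating stub reports for an answer

const (
	Secure   Status = "secure"   // every link from the trust anchor down verified
	Insecure Status = "insecure" // parent proved, with its signature, that the child is unsigned
	Bogus    Status = "bogus"    // a required signature is missing or does not verify
)

type Zone struct{ Pub ed25519.PublicKey; priv ed25519.PrivateKey } // one key stands in for KSK+ZSK

func NewZone() Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Zone{pub, priv}
}

type Record struct{ Name string; Data, Sig []byte } // an RRset and its RRSIG (Sig nil: none returned)

// Delegation: the parent's DS for a child (modelled as the child's public key, not its hash) or a denial (DS == nil), parent-signed.
type Delegation struct{ Child string; DS, Sig []byte }

// Answer is everything the stub needs for one record behind one delegation.
type Answer struct {
	RootKey, RootSig []byte // root DNSKEY and its self-signature
	Del              Delegation
	ZoneKey, ZoneSig []byte // zone DNSKEY and its self-signature
	RR               Record
}

func delegationBytes(d Delegation) []byte { return append([]byte(d.Child+"|"), d.DS...) }
func recordBytes(r Record) []byte         { return append([]byte(r.Name+"|"), r.Data...) }
func verify(pub, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && sig != nil && ed25519.Verify(pub, msg, sig)
}

// Validate walks the chain: only the anchor comes from the client, every other key
// is trusted only because the link above it vouches for it.
func Validate(anchor ed25519.PublicKey, a Answer) Status {
	if !bytes.Equal(a.RootKey, anchor) || !verify(a.RootKey, a.RootKey, a.RootSig) {
		return Bogus // root key is not the anchor, or the root DNSKEY is unsigned
	}
	if !verify(a.RootKey, delegationBytes(a.Del), a.Del.Sig) {
		return Bogus // the DS, or the claim that there is none, is not root-signed
	}
	if a.Del.DS == nil {
		return Insecure // provably unsigned child: data accepted, not validated
	}
	if !bytes.Equal(a.Del.DS, a.ZoneKey) || !verify(a.ZoneKey, a.ZoneKey, a.ZoneSig) ||
		!verify(a.ZoneKey, recordBytes(a.RR), a.RR.Sig) {
		return Bogus // zone key is not the one the DS names, or data not signed by it
	}
	return Secure
}

// HonestAnswer relays the real signed zones (root -> example.). Called with two
// freshly generated zones it models "fake the entire chain and sign it yourself".
func HonestAnswer(root, zone Zone, name string, data []byte) Answer {
	rr := Record{Name: name, Data: data}
	rr.Sig = ed25519.Sign(zone.priv, recordBytes(rr))
	del := Delegation{Child: "example.", DS: zone.Pub}
	del.Sig = ed25519.Sign(root.priv, delegationBytes(del))
	return Answer{root.Pub, ed25519.Sign(root.priv, root.Pub), del, zone.Pub, ed25519.Sign(zone.priv, zone.Pub), rr}
}

// StripAnswer: "nothing from the root down is signed", no cryptography at all.
func StripAnswer(real Answer, data []byte) Answer {
	return Answer{RootKey: real.RootKey, Del: Delegation{Child: real.Del.Child}, RR: Record{Name: real.RR.Name, Data: data}}
}

// DenialAnswer keeps the real root DNSKEY but claims example. has no DS; the denial is
// signed by signer: the root itself (genuinely unsigned child) or a key the resolver made up.
func DenialAnswer(real Answer, signer Zone, data []byte) Answer {
	a := real
	a.Del = Delegation{Child: real.Del.Child}
	a.Del.Sig = ed25519.Sign(signer.priv, delegationBytes(a.Del))
	a.RR = Record{Name: real.RR.Name, Data: data}
	return a
}

func main() {
	root, example := NewZone(), NewZone()
	ip, lie := []byte{192, 0, 2, 10}, []byte{10, 0, 0, 1} // constructed sample addresses
	real := HonestAnswer(root, example, "www.example.", ip)
	fmt.Println("honest chain:      ", Validate(root.Pub, real))
	fmt.Println("root-signed denial:", Validate(root.Pub, DenialAnswer(real, root, ip)))
	fmt.Println("strip everything:  ", Validate(root.Pub, StripAnswer(real, lie)))
	fmt.Println("forge whole chain: ", Validate(root.Pub, HonestAnswer(NewZone(), NewZone(), "www.example.", lie)))
	fmt.Println("forged denial:     ", Validate(root.Pub, DenialAnswer(real, NewZone(), lie)))
}
```

The distinction the model makes visible is between an insecure answer (the parent signs the statement that the child has no DS, which a validator accepts as unvalidated data) and a bogus one (a signature the chain requires is absent or made with the wrong key). A resolver that is the client's only path to the DNS can still produce the forged chain or the stripped answer, and a non-validating stub will swallow either; what decides the outcome for a validating stub is the one key it did not get from the resolver, the trust anchor.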

