[185801] in North American Network Operators' Group
Re: DNSSEC and ISPs faking DNS responses
daemon@ATHENA.MIT.EDU (John R. Levine)
Fri Nov 13 12:46:34 2015
X-Original-To: nanog@nanog.org
Date: 13 Nov 2015 12:33:12 -0500
From: "John R. Levine" <johnl@iecc.com>
To: "Owen DeLong" <owen@delong.com>
In-Reply-To: <9A14E989-8633-4937-BE46-7D27F5747235@delong.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
>> At this point very few client resolvers check DNSSEC, so something
>> that stripped off all the DNSSEC stuff and inserted lies where
>> required would "work" for most clients. At least until they realized
>> they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
>
> If the ISPs don’t start blocking well-known public resolvers or even just
> blocking port 53 in general (which has been known to happen).
I doubt the ISPs in Québec would have much sympathy for this proposed law.
It makes their life harder and provides them no benefit. Should it pass
(remember, it's just proposed), I expect they'd just adjust their DNS
caches to block responses for the list of domains that the government
mails them and claim they're in full compliance.
R's,
John
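The quoted remark that a resolver which strips off the DNSSEC records and inserts its own answers would "work" for non-validating clients is something a client can check for itself: send a query with the EDNS0 DO bit set and look at whether RRSIG records and the AD flag come back. The script below is an added example, not code from this thread or from NANOG. The wire response it analyses offline is constructed (example.net, 192.0.2.1, a zero-filled placeholder signature); the live probe() path, its resolver address and query name are assumed arguments. Caveat a practitioner should keep in mind: a missing RRSIG only proves stripping when the name queried is known to be in a signed zone.

```python
"""Check whether a recursive resolver hands DNSSEC data back intact.

Sends a query with the EDNS0 DO bit and reports RRSIG count, AD flag and
whether DO was echoed.  Offline it runs on a constructed sample response.
Standard library only; added example, not the thread's own code.
"""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
CLASS_IN = 1
FLAG_AD = 0x0020   # header flag: resolver validated the data
EDNS_DO = 0x8000   # OPT ttl field bit: "DNSSEC OK"


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_query(qname: str, qtype: int = TYPE_A, txid: int = 0x1234,
                dnssec_ok: bool = True) -> bytes:
    """Recursive query (RD=1) plus an OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096,
                                EDNS_DO if dnssec_ok else 0, 0)
    return header + question + opt


def analyze_response(msg: bytes) -> dict:
    """Walk every section; count RRSIGs, read AD, see if DO was echoed."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                              # qtype + qclass
    answers = rrsigs = 0
    do_echoed = False
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            _, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_RRSIG:
                rrsigs += 1
            elif rtype == TYPE_OPT:
                do_echoed = bool(ttl & EDNS_DO)
            elif section == "answer":
                answers += 1
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "answers": answers, "rrsigs": rrsigs, "do_echoed": do_echoed}


def classify(info: dict) -> str:
    """Interpret a DO=1 response for a name known to be signed."""
    if info["rcode"] == 2:
        return "servfail"              # validating resolver rejecting bogus data
    if info["rrsigs"] == 0:
        return "stripped"              # no RRSIGs on a signed name
    if info["ad"]:
        return "validated"             # RRSIGs passed through and AD set
    return "signed-not-validated"      # RRSIGs present, resolver did not validate


def build_sample_response(txid: int = 0x1234, strip_dnssec: bool = False) -> bytes:
    """Constructed reply for example.net A (not real data): A + RRSIG, AD set."""
    name = encode_name("example.net")
    flags = 0x8180 if strip_dnssec else 0x8180 | FLAG_AD   # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if strip_dnssec else 2, 0, 1)
    question = name + struct.pack("!HH", TYPE_A, CLASS_IN)
    a_rr = name + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    # RRSIG rdata: covered type, alg, labels, orig ttl, expiry, inception, keytag, signer, sig
    rdata = struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0x5FFFFFFF, 0x5FF00000, 12345)
    rdata += name + b"\x00" * 64          # placeholder signature bytes (constructed)
    rrsig = name + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0 if strip_dnssec else EDNS_DO, 0)
    return header + question + a_rr + (b"" if strip_dnssec else rrsig) + opt


def probe(resolver: str, qname: str, timeout: float = 3.0) -> dict:
    """Live check (network): send the DO=1 query over UDP and analyze the reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    return analyze_response(reply)


if __name__ == "__main__":
    import sys
    for strip in (False, True):                      # offline demonstration
        info = analyze_response(build_sample_response(strip_dnssec=strip))
        print("stripped" if strip else "intact", info, classify(info))
    if len(sys.argv) == 3:                           # usage: RESOLVER_IP SIGNED_NAME
        info = probe(sys.argv[1], sys.argv[2])
        print(info, classify(info))
```

Run it with no arguments to see both constructed cases; with a resolver address and a name from a zone you know to be signed, probe() reports what that resolver actually returns. Compare the result against a second resolver you trust before concluding anything: a "stripped" verdict on an unsigned name means nothing.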