[185802] in North American Network Operators' Group


RE: DNSSEC and ISPs faking DNS responses

daemon@ATHENA.MIT.EDU (eric-list@truenet.com)
Fri Nov 13 13:12:33 2015

X-Original-To: nanog@nanog.org
From: <eric-list@truenet.com>
To: "'nanog list'" <nanog@nanog.org>
In-Reply-To: <alpine.OSX.2.11.1511131230540.20809@ary.lan>
Date: Fri, 13 Nov 2015 13:12:24 -0500
Errors-To: nanog-bounces@nanog.org

Actually, how are other places implementing these lists?  I would have
thought to use RPZ, but as far as I know if the blocked DNS domain is
using DNSSEC it wouldn't work.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222


-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of John R. Levine
Sent: Friday, November 13, 2015 12:33 PM
To: Owen DeLong
Cc: nanog@nanog.org
Subject: Re: DNSSEC and ISPs faking DNS responses

I doubt the ISPs in Québec would have much sympathy for this proposed law.
It makes their life harder and provides them no benefit.  Should it pass
(remember, it's just proposed), I expect they'd just adjust their DNS
caches to block responses for the list of domains that the government
mails them and claim they're in full compliance.

R's,
John


