[185812] in North American Network Operators' Group
Re: DNSSEC and ISPs faking DNS responses
daemon@ATHENA.MIT.EDU (David Conrad)
Fri Nov 13 17:24:04 2015
X-Original-To: nanog@nanog.org
From: David Conrad <drc@virtualized.org>
In-Reply-To: <Pine.LNX.4.64.1511130909490.9313@gw-admin.pixelgate.net>
Date: Fri, 13 Nov 2015 14:22:15 -0800
To: Mark Milhollan <mlm@pixelgate.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Nov 13, 2015, at 10:24 AM, Mark Milhollan <mlm@pixelgate.net> wrote:
> On Thu, 13 Nov 2015, John Levine wrote:
>
>> At this point very few client resolvers check DNSSEC, so something
>> that stripped off all the DNSSEC stuff and inserted lies where
>> required would "work" for most clients. At least until they realized
>> they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
>
> Except that the ISP can intercept those queries and respond as it likes.
Thank you. I was wondering if anyone would mention this.
DNSSEC only protects the validator's cache. My assumption (which may be wrong) is that for the vast majority of folks, that means the cache that is run by the ISP.
How many of the ISPs in Quebec enable DNSSEC?
Even if they do, I doubt the government would care: I would presume it would be up to the ISP to implement the law and respond back as the law dictates. How many of the ISPs would continue to enable DNSSEC if the cops show up at their door and turning off DNSSEC is the only way the ISP has to implement the law's requirements?
How many applications request DNSSEC related information and validate?
The only way DNSSEC matters in this context is if you validate locally. My guess is that the number of folk who do this is so low as to not be of interest to the Quebec government. This may be an argument for folks to run their own validating resolvers, but I'm not sure how you'd do that on your iPhone, iPad, or SmartTV.
Regards,
-drc
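The point above is that a stub client which does not validate can only see an AD bit set by whatever cache answered it, and that bit is just a flag in the header. The following is an added example (not from the thread or any poster) that builds constructed DNS wire-format responses and classifies what a stub can actually do with them: the message layout is standard RFC 1035/4035 wire format, but the function names and the sample records are this example's own assumptions, and it assumes the stub sent its query with DO=1 so that a signing resolver would have returned RRSIGs.

```python
import struct

# DNS type codes (RFC 1035 / RFC 4034).
TYPE_A = 1
TYPE_RRSIG = 46
FLAG_AD = 0x0020  # Authenticated Data bit in the header flags word

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return out + b"\x00"

def build_response(qname, answers, ad=False):
    """Constructed response: QR=1 RD=1 RA=1, optional AD; answers is [(rtype, rdata)]."""
    flags = 0x8180 | (FLAG_AD if ad else 0)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    body = b""
    for rtype, rdata in answers:
        body += encode_name(qname) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + question + body

def skip_name(msg, off):
    """Return the offset just past a name (handles compression pointers)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def classify(msg):
    """What a non-validating stub can conclude from a response it received."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    if TYPE_RRSIG in types:
        return "local-validation-possible"   # signatures present: validate them yourself
    if flags & FLAG_AD:
        return "upstream-trust-only"         # AD set, but only the cache's word for it
    return "no-dnssec"                       # unsigned zone, or signatures stripped in transit

if __name__ == "__main__":
    ip = b"\x5d\xb8\xd8\x22"  # constructed A rdata (93.184.216.34)
    print(classify(build_response("example.com", [(TYPE_A, ip)], ad=True)))
```

A response that arrives as "upstream-trust-only" is exactly the case the post describes: the only party that checked anything is the cache that set the bit, and the stub has no way to tell a validated answer from one that was rewritten on the path.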