[185815] in North American Network Operators' Group
Re: DNSSEC and ISPs faking DNS responses
daemon@ATHENA.MIT.EDU (David Conrad)
Fri Nov 13 19:49:48 2015
X-Original-To: nanog@nanog.org
From: David Conrad <drc@virtualized.org>
In-Reply-To: <20151114001852.EB8423CA23EA@rock.dv.isc.org>
Date: Fri, 13 Nov 2015 16:49:44 -0800
To: Mark Andrews <marka@isc.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Mark,
> On Nov 13, 2015, at 4:18 PM, Mark Andrews <marka@isc.org> wrote:
>> How many of the ISPs would continue to enable DNSSEC if the
>> cops show up at their door and turning off DNSSEC is the only way the ISP
>> has to implement the law's requirements?
>
> Why would the ISP's turn off DNSSEC? It doesn't prevent them sending back
> NXDOMAIN. The clients will validate or not. If they validate they will
> get a validation failure. If they don't then the NXDOMAIN will be accepted.
My point was that folks at ISPs tend to prefer not to be thrown in jail.
> Apple just adds a validator to their stub resolver and installs a root
> trust anchor.
Love that plan. Let me know when you've convinced Apple to "just" add a validator to IOS (I'm assuming IOS doesn't currently have that capability).
> This really isn't conceptually different to how they manage
> CA's.
My point was that the vast majority of those affected by this would likely not be in a position to install a validating resolver on their device.
Regards,
-drc