DNSSEC in China
michael at rancid.berkeley.edu
Wed Oct 5 12:05:07 CDT 2011
The thread on f-root reminded my of an anecdotal datum regarding DNSSEC
in China. I was in China back in August, staying at the Green Lake
Hotel in Kunming, Yunnan Provence. When connecting to the hotel in-room
network (there was no wireless but a wired connection), I was able to
properly validate DNSSEC for names like www.es.net and berkeley.edu,
both of which are part of signed zones with a chain of trust from the
root. I was able to do the validation on my caching resolver (BIND
9.8.x) running on my laptop.
If a site was blocked by authorities, I couldn't resolve it at all, but
that was also the case even if I wasn't doing validation on my laptop
resolver, but instead using the resolver provided by DHCP. (FYI, I
"stumbled" upon an expat bar later in my trip near Yunnan Provincial
University and the folks there--Europeans and Americans--all said that
the number of sites they can get to has expanded in recent months. One
Finn was accessing the Guardian to get the latest on the London riots.)
Another anecdote from NANOG 52: At the Denver Sheraton, I was unable to
validate or resolve any name using my local laptop resolver. I couldn't
even validate TLDs or dlv.isc.org, so *all* of my name resolution broke.
In the end, I had to disable my local resolver entirely and use those
provided by DHCP.
I have nothing to say about hypocrisy or the relative level of
oppression between the Chinese government versus the Starwood Group
(although it's humorous to think about). What I will say is that DNSSEC
made it very clear in the case of the Sheraton that they were messing
with DNS because DNSSEC made the handcuffs so obviously tight.
More information about the NANOG