DNSSEC and ISPs faking DNS responses

Mark Andrews marka at isc.org
Sat Nov 14 00:18:52 UTC 2015


In message <9692ECC6-34AD-49C0-B310-10B8EF8C112C at virtualized.org>, David Conrad writes:
>
> On Nov 13, 2015, at 10:24 AM, Mark Milhollan <mlm at pixelgate.net> wrote:
> > On Thu, 13 Nov 2015, John Levine wrote:
> >
> >> At this point very few client resolvers check DNSSEC, so something
> >> that stripped off all the DNSSEC stuff and inserted lies where
> >> required would "work" for most clients.  At least until they realized
> >> they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
> >
> > Except that the ISP can intercept those queries and respond as it likes.
>
> Thank you. I was wondering if anyone would mention this.
>
> DNSSEC only protects the validator's cache. My assumption (which may be
> wrong) is that for the vast majority of folks, that means the cache that
> is run by the ISP.
>
> How many of the ISPs in Quebec enable DNSSEC?
>
> Even if they do, I doubt the government would care: I would presume it
> would be up to the ISP to implement the law and respond back as the law
> dictates.  How many of the ISPs would continue to enable DNSSEC if the
> cops show up at their door and turning off DNSSEC is the only way the ISP
> has to implement the law's requirements?

Why would the ISPs turn off DNSSEC?  It doesn't prevent them sending back
NXDOMAIN.  The clients will validate or not.  If they validate they will
get a validation failure.  If they don't then the NXDOMAIN will be accepted.

> How many applications request DNSSEC related information and validate?
>
> The only way DNSSEC matters in this context is if you validate locally.
> My guess is that the number of folk who do this is so low as to not be of
> interest to the Quebec government. This may be an argument for folks to
> run their own validating resolvers, but I'm not sure how you'd do that on
> your iPhone, iPad, or SmartTV.

Apple just adds a validator to their stub resolver and installs a root
trust anchor.  This really isn't conceptually different to how they manage
CAs.

> Regards,
> -drc

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
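Added example, not part of the thread above and not ISC or Apple code: a simplified validating stub in Python that shows the difference Mark describes between a client that validates and one that does not. It checks whether an NXDOMAIN for a name in a signed zone is actually proven by a signed NSEC record that covers the name (RFC 4034 canonical ordering, RFC 4035 denial of existence). Everything in it is constructed: the zone "example.", its NSEC chain, and the "RRSIG", which is an HMAC stand-in for a real signature so the script runs offline. The wildcard non-existence proof a full validator also requires is left out.

```python
import hashlib
import hmac

ZONE = "example."                       # constructed signed zone (assumption)
ZONE_KEY = b"constructed-zone-key"      # stand-in for the zone's DNSKEY, not real DNSSEC key material


def canonical(name):
    """Canonical form for RFC 4034 s6.1 ordering: labels reversed and lowercased,
    compared as octet strings. Python tuple comparison then yields the DNSSEC
    order, e.g. 'example.' < 'alpha.example.' < 'mail.example.' < 'zeta.example.'."""
    name = name.rstrip(".")
    if not name:
        return ()
    return tuple(lbl.lower().encode() for lbl in reversed(name.split(".")))


def in_zone(name, zone):
    z = canonical(zone)
    return canonical(name)[:len(z)] == z


def nsec_covers(owner, nxt, qname, zone):
    """True if the NSEC span owner -> next proves that qname does not exist."""
    o, n, q, z = canonical(owner), canonical(nxt), canonical(qname), canonical(zone)
    if not in_zone(qname, zone) or q == o:   # outside the zone, or the owner itself exists
        return False
    if n == z:                               # last NSEC in the chain wraps to the apex
        return q > o
    return o < q < n


def sign_nsec(owner, nxt, key):
    """Stand-in for an RRSIG over the NSEC RR: HMAC over the canonical rdata (constructed)."""
    msg = b"NSEC|" + b".".join(canonical(owner)) + b"|" + b".".join(canonical(nxt))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_nsec(owner, nxt, sig, key):
    return hmac.compare_digest(sign_nsec(owner, nxt, key), sig)


def nsec_rr(owner, nxt, key=ZONE_KEY):
    """A signed NSEC record as the authoritative server would return it."""
    return {"type": "NSEC", "owner": owner, "next": nxt, "rrsig": sign_nsec(owner, nxt, key)}


def stub_no_validation(response):
    """A non-validating stub: whatever rcode the resolver sends is believed."""
    return response["rcode"]


def stub_validating(qname, response, zone=ZONE, key=ZONE_KEY):
    """A validating stub: NXDOMAIN is accepted only with a verified NSEC covering qname.
    Anything else is BOGUS, which the application sees as a lookup failure."""
    if response["rcode"] != "NXDOMAIN":
        return response["rcode"]   # positive answers would need RRSIG checks too; omitted here
    for rr in response.get("authority", []):
        if rr.get("type") != "NSEC":
            continue
        if not verify_nsec(rr["owner"], rr["next"], rr.get("rrsig", ""), key):
            continue               # unsigned or forged NSEC carries no proof
        if nsec_covers(rr["owner"], rr["next"], qname, zone):
            return "NXDOMAIN"
    return "BOGUS"


# Constructed responses for a query that the resolver wants to block.
QNAME = "pokerstars.example."
GENUINE = {"rcode": "NXDOMAIN", "authority": [nsec_rr("mail.example.", "zeta.example.")]}
STRIPPED = {"rcode": "NXDOMAIN", "authority": []}        # ISP answers NXDOMAIN, DNSSEC data dropped
FORGED_NSEC = {"rcode": "NXDOMAIN", "authority": [
    {"type": "NSEC", "owner": "mail.example.", "next": "zeta.example.", "rrsig": "not-a-real-signature"}]}
REPLAYED = {"rcode": "NXDOMAIN", "authority": [nsec_rr("alpha.example.", "mail.example.")]}  # real, wrong span

if __name__ == "__main__":
    for label, resp in [("genuine", GENUINE), ("stripped", STRIPPED),
                        ("forged NSEC", FORGED_NSEC), ("replayed NSEC", REPLAYED)]:
        print(f"{label:14s} non-validating: {stub_no_validation(resp):9s} "
              f"validating: {stub_validating(QNAME, resp)}")
```

The non-validating stub returns NXDOMAIN for all four responses, which is the "it works for most clients" case; the validating stub accepts only the genuine one and returns BOGUS for the stripped, forged and replayed answers, including the replayed record, because a correctly signed NSEC that does not cover the queried name proves nothing about it.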