DNSSEC in China

Michael Sinatra michael at rancid.berkeley.edu
Wed Oct 5 17:05:07 UTC 2011

The thread on f-root reminded me of an anecdotal datum regarding DNSSEC
in China.  I was in China back in August, staying at the Green Lake 
Hotel in Kunming, Yunnan Province.  When connecting to the hotel in-room
network (there was no wireless but a wired connection), I was able to 
properly validate DNSSEC for names like www.es.net and berkeley.edu, 
both of which are part of signed zones with a chain of trust from the 
root.  I was able to do the validation on my caching resolver (BIND 
9.8.x) running on my laptop.

If a site was blocked by authorities, I couldn't resolve it at all, but 
that was also the case even if I wasn't doing validation on my laptop 
resolver, but instead using the resolver provided by DHCP.  (FYI, I 
"stumbled" upon an expat bar later in my trip near Yunnan Provincial 
University and the folks there--Europeans and Americans--all said that 
the number of sites they can get to has expanded in recent months.  One 
Finn was accessing the Guardian to get the latest on the London riots.)

Another anecdote from NANOG 52: At the Denver Sheraton, I was unable to 
validate or resolve any name using my local laptop resolver.  I couldn't 
even validate TLDs or dlv.isc.org, so *all* of my name resolution broke.
In the end, I had to disable my local resolver entirely and use those
provided by DHCP.

I have nothing to say about hypocrisy or the relative level of 
oppression between the Chinese government versus the Starwood Group 
(although it's humorous to think about).  What I will say is that DNSSEC 
made it very clear in the case of the Sheraton that they were messing 
with DNS because DNSSEC made the handcuffs so obviously tight.

