DNSSEC in China

Joel jaeggli joelja at bogus.com
Wed Oct 5 17:12:44 UTC 2011

On 10/5/11 10:05 , Michael Sinatra wrote:
> The thread on f-root reminded my of an anecdotal datum regarding DNSSEC
> in China.  I was in China back in August, staying at the Green Lake
> Hotel in Kunming, Yunnan Provence.  When connecting to the hotel in-room
> network (there was no wireless but a wired connection), I was able to
> properly validate DNSSEC for names like www.es.net and berkeley.edu,
> both of which are part of signed zones with a chain of trust from the
> root.  I was able to do the validation on my caching resolver (BIND
> 9.8.x) running on my laptop.
> If a site was blocked by authorities, I couldn't resolve it at all, but
> that was also the case even if I wasn't doing validation on my laptop
> resolver, but instead using the resolver provided by DHCP.  (FYI, I
> "stumbled" upon an expat bar later in my trip near Yunnan Provincial
> University and the folks there--Europeans and Americans--all said that
> the number of sites they can get to has expanded in recent months.  One
> Finn was accessing the Guardian to get the latest on the London riots.)
> Another anecdote from NANOG 52: At the Denver Sheraton, I was unable to
> validate or resolve any name using my local laptop resolver.  I couldn't
> even validate TLDs or dlv.isc.org, so *all* of my name resolution broke.
>  In the end, I had to disable my local resolver entirely and use those
> provided by DHCP.
> I have nothing to say about hypocrisy or the relative level of
> oppression between the Chinese government versus the Starwood Group
> (although it's humorous to think about).  What I will say is that DNSSEC
> made it very clear in the case of the Sheraton that they were messing
> with DNS because DNSSEC made the handcuffs so obviously tight.

"Nomadix developed DAT to actively monitor every packet transmitted from
each device to ensure all packets are correctly configured for the
network. If necessary, DAT will perform standard Network and Port
Address Translation and supports Application Level Gateways (ALGs) for
protocols such as FTP, H.323, PPTP, IPSec, and others. DAT also ensures
that a DNS server is always available to a user through the DNS
redirection function. This function redirects a user’s DNS requests to a
local DNS server closer to the customer’s location—improving the
response time and enabling true plug-and-play access when the
subscriber’s configured DNS server is behind a firewall or located on a
private Intranet. Transparent proxy assures that subscribers who have
proxy configured to work with their native network get broadband access
in the HotZone."


> michael

More information about the NANOG mailing list