DNSSEC and ISPs faking DNS responses

Bob Evans bob at FiberInternetCenter.com
Fri Nov 13 03:36:08 UTC 2015

This will only create a new private (non-public) DNS service in China or
Romania for Canadians to use. Imagine that someone in China starts a
business to help people get around censorship in countries other than

You nailed it - "clueless politicians".

Bob Evans

> The Québec government is wanting to pass a law that will force ISPs to
> block and/or redirect certain sites it doesn't like.  (namely sites that
> offer on-line gambling that compete against its own Loto Québec).
> In order to make a good submission to government, one has to boil it
> down to simple enough arguments that clueless politicians can
> understand. And for me to do that, I want to make sure I understand this
> correctly.
> I have tried to research DNSSEC and while I understand how a proper DNS
> server can validate the chain from the
>  - root server
>  - TLD server
>  - authoritative DNS server for that domain
> I remain in the dark with regards to clients, namely clients who cannot
> trust the DNS server supplied as part of DHCP/IPCP/PPPoE responses.
> Say a consumer wants to connect to lottery.com, which, from the world
> outside the ISP, would result in a signed, verifiable response.
> Can't the ISP's DNS server just pretend it is authoritative for
> lottery.com and return to client a non-DNSSEC response that points to a
> fake IP address ?
> If the client gets an unsigned response for lottery.com from its ISP's
> DNS server, how can it know it is a fake response, how can it know that
> lottery.com should have generated a signed DNSSEC response ?
> It seems to me that unless each client goes to the tld servers (they
> already have root signatures), get signature of the tld server and
> signed response of where "lottery.com" can be found, they have no way to
> know whether lottery.com should be signed or not, and whether the answer
> they got from their ISP is good or not.
> Is that a proper understanding ?
> So far, I have seen good explanations of what happens between DNS
> servers and the servers that are authoritative for domain, TLD and root.
> But I have seen nothing about clients who only have a resolver that
> talks to a DNS server.
> And while I am at it: when a client gets a legit response from ISP's DNS
> server with RRSIG records, how does the client obtain the public key
> against which to run the record to ensure its calculated signature
> matches that provided in RRSIG ?
> or do DNS servers return the full chain of records so that a request for
> lottery.com returns not only record for lottery.com but also .com's
> reply on where lottery.com is and root's reply of where .com is ?
> Hopefully, I am only missing a small bit that would explain everything
> that happens at the client side. But as long as I am told that the
> client only talks to the ISP's DNS server, I am at a loss.
> Any help appreciated. (I just watched an hour long youtube on subject
> which didn't deal with client much).
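The quoted question asks how a client that only talks to its ISP's resolver can tell that lottery.com should have produced a signed answer. The following Go program is an added example, not part of this thread and not code from any real resolver; it models the chain the question describes (root, TLD, authoritative zone) with real Ed25519 signatures (DNSSEC algorithm 15) and DS digests (SHA-256), but uses a toy canonical record format, a single key per zone instead of a KSK/ZSK pair, a made-up "NODS" record standing in for the NSEC/NSEC3 proof of an unsigned delegation, and constructed addresses from documentation ranges. The validator holds only the root key digest as its trust anchor and fetches every DNSKEY and DS record through whatever server it is handed; the point it demonstrates is that the signed DS record in the parent zone is what tells the client "this child is signed", so an unsigned or re-signed answer from a rogue resolver is rejected as bogus even though the client never contacted the root or TLD servers directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Answer is one RRset as the validator sees it: the data plus its RRSIG (nil when unsigned).
type Answer struct {
	Data string
	Sig  []byte
}

// Zone is a toy signed zone with one Ed25519 key (DNSSEC algorithm 15); KSK/ZSK split omitted.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	rrs  map[string]Answer // "TYPE owner" -> signed RRset
}

func rrKey(rrtype, owner string) string { return rrtype + " " + owner }

// Put stores an RRset together with a signature over its (toy) canonical form.
func (z *Zone) Put(rrtype, owner, data string) {
	k := rrKey(rrtype, owner)
	z.rrs[k] = Answer{Data: data, Sig: ed25519.Sign(z.priv, []byte(k+" "+data))}
}

// NewZone generates the zone key and publishes the self-signed DNSKEY RRset.
func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	z := &Zone{Name: name, Pub: pub, priv: priv, rrs: map[string]Answer{}}
	z.Put("DNSKEY", name, hex.EncodeToString(pub))
	return z
}

// Digest is the DS digest (type 2, SHA-256) of a public key.
func Digest(pub []byte) string { d := sha256.Sum256(pub); return hex.EncodeToString(d[:]) }

// Delegate publishes either a signed DS for child or a signed "NODS" marker,
// which stands in here for the NSEC/NSEC3 proof that the delegation is unsigned.
func Delegate(parent, child *Zone, signed bool) {
	if signed {
		parent.Put("DS", child.Name, Digest(child.Pub))
	} else {
		parent.Put("NODS", child.Name, "insecure delegation")
	}
}

// Lookup models whatever server the stub resolver was handed by DHCP/PPPoE.
type Lookup func(rrtype, owner string) (Answer, bool)

// Honest answers straight from the authoritative zones.
func Honest(zones ...*Zone) Lookup {
	return func(rrtype, owner string) (Answer, bool) {
		for _, z := range zones {
			if a, ok := z.rrs[rrKey(rrtype, owner)]; ok {
				return a, true
			}
		}
		return Answer{}, false
	}
}

func verify(pub ed25519.PublicKey, rrtype, owner string, a Answer) bool {
	return a.Sig != nil && ed25519.Verify(pub, []byte(rrKey(rrtype, owner)+" "+a.Data), a.Sig)
}

// Validate resolves name with only the root key digest as trust anchor, walking
// root -> TLD -> zone. Status is "secure" or "insecure"; a non-nil error means BOGUS.
func Validate(anchor string, look Lookup, name string) (addr, status string, err error) {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	chain := []string{"."} // for "lottery.com." this becomes [".", "com.", "lottery.com."]
	for i := len(labels) - 1; i >= 0; i-- {
		chain = append(chain, strings.Join(labels[i:], ".")+".")
	}
	expected := anchor
	var key ed25519.PublicKey
	for i, zone := range chain {
		ka, ok := look("DNSKEY", zone)
		pub, _ := hex.DecodeString(ka.Data)
		if !ok || Digest(pub) != expected || !verify(pub, "DNSKEY", zone, ka) {
			return "", "", fmt.Errorf("%s: DNSKEY does not match the signed DS / anchor", zone)
		}
		key = pub
		if i == len(chain)-1 {
			break
		}
		child := chain[i+1]
		if ds, ok := look("DS", child); ok && verify(key, "DS", child, ds) {
			expected = ds.Data // the child's key must hash to this value
			continue
		}
		// No DS: only a signed denial from the parent makes "unsigned" acceptable.
		if nods, ok := look("NODS", child); ok && verify(key, "NODS", child, nods) {
			a, ok := look("A", name)
			if !ok {
				return "", "", fmt.Errorf("%s: no answer", name)
			}
			return a.Data, "insecure", nil
		}
		return "", "", fmt.Errorf("%s: DS absent without signed denial", child)
	}
	a, ok := look("A", name)
	if !ok || !verify(key, "A", name, a) {
		return "", "", fmt.Errorf("%s: answer unsigned or signature invalid", name)
	}
	return a.Data, "secure", nil
}

func main() {
	root, com, lot := NewZone("."), NewZone("com."), NewZone("lottery.com.")
	Delegate(root, com, true)
	Delegate(com, lot, true)
	lot.Put("A", "lottery.com.", "203.0.113.10") // constructed address
	honest := Honest(root, com, lot)
	fmt.Println(Validate(Digest(root.Pub), honest, "lottery.com."))
	// Rogue resolver: hands back an unsigned, rewritten A record.
	rogue := func(t, o string) (Answer, bool) {
		if t == "A" && o == "lottery.com." {
			return Answer{Data: "198.51.100.1"}, true
		}
		return honest(t, o)
	}
	fmt.Println(Validate(Digest(root.Pub), rogue, "lottery.com."))
}
```

Run as written, the first line prints the real address with status "secure" and the second prints an error, because the parent's signed DS record proves lottery.com must be signed and the rogue answer carries no valid RRSIG. A resolver that swaps in its own key for lottery.com fares no better, since that key does not hash to the DS digest the .com zone signed. Note that none of this helps a stub resolver that does not validate at all; the question's client only gets this protection if it runs the validation itself or reaches a validating resolver over a channel the ISP cannot rewrite.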

More information about the NANOG mailing list