DNSSEC and ISPs faking DNS responses

John Levine johnl at iecc.com
Fri Nov 13 05:29:46 UTC 2015

>> Redirecting is much harder -- ...

>If you know that the client is using ONLY your resolver(s), couldn’t you
>simply fake the entire chain and sign everything yourself?

I suppose, although doing that at scale in a large provider like Videotron
(1.5M subscribers) would be quite a challenge.

>Or, alternatively, couldn’t you just fake the answers to all the “is this
>signed?” requests and say “Nope!” regardless of the state of the authoritative
>zone in question?

No, those responses are signed too.

>Sure, if the client has any sort of independent visibility it can verify that
>you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
>much mean it can’t tell that you’re lying to it?

At this point very few client resolvers check DNSSEC, so something
that stripped off all the DNSSEC stuff and inserted lies where
required would "work" for most clients.  At least until they realized
they couldn't get to PokerStars and switched their DNS to


More information about the NANOG mailing list