DNSSEC and ISPs faking DNS responses

Jean-Francois Mezei jfmezei_nanog at vaxination.ca
Fri Nov 13 09:27:36 UTC 2015

On 2015-11-12 23:07, Mark Andrews wrote:

> They make the same queries and verify the answers the same way.

> It asks for the DNSKEY records and RRSIGs.  Verifies them against the DS
> records which it asks for.  Repeat all the way to the root.

Is it correct to state that clients, instead of issuing a single request
to the ISP's DNS server and letting it do the recursion, will request (if
not already cached) records from the root, the TLD and the domain's
authoritative server to get the DNSSEC records for each, in order to be
able to "walk" the path and verify each signature?

So this would result in a significant increase in the number of
transactions between clients and ISP DNS servers, correct?

If the above is correct, then it provides me with the missing link to my

BTW, the proposed law, being done by lawyers, will have the list of
sites to be banned distributed to ISPs via REGISTERED MAIL.  (There are
two means of having "legal" documents served in Québec: registered mail
and bailiffs.)  (There are to be financial penalties for ISPs that do not
comply, so the government needs proof of delivery.)

I'll have to research how other countries tried to implement similar
schemes (I believe the UK has, with some of the popular torrent sites).

I know the Australian attempt to filter porn failed miserably.
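Added example, not part of the thread and not the code of any resolver it mentions: a stdlib-only Python model of the chain walk Mark describes (DNSKEY, its RRSIG, the DS in the parent, repeat to the root), written to show what the extra queries are, how caching limits them, and what an ISP's substituted answer looks like to a validating client. The zones (., com., example.com., other.com.), the addresses, the IspResolver and Stub classes, and the toy textbook-RSA signatures over hard-coded primes are all constructed for this example; real DNSSEC uses RSA/ECDSA keys and DNS wire format, and a stub that sets the DO bit gets the RRSIGs in the same response as the answer, which the model reflects by returning (rdata, rrsig) pairs. The extra traffic is one DNSKEY and one DS fetch per zone on the path, and both are cached, so only the first lookup under a zone pays for the whole walk:

```python
import hashlib
# Toy textbook RSA over hard-coded well-known primes (e = 65537) stands in for the
# RSA/ECDSA RRSIG algorithms of real DNSSEC, so that only a zone's owner can sign
# its records.  Constructed for this example, not for real use; needs Python 3.8+.
E = 65537
PRIMES = {".": (2**127 - 1, 2**107 - 1), "com.": (2**89 - 1, 2**61 - 1),
          "example.com.": (2**31 - 1, 4294967291), "other.com.": (1000000007, 998244353)}
PARENT = {"com.": ".", "example.com.": "com.", "other.com.": "com."}
def keypair(p, q): return (p * q, E), pow(E, -1, (p - 1) * (q - 1))  # ((n, e), d)
def _h(data, n): return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(d, pub, data): return pow(_h(data, pub[0]), d, pub[0])
def verify(pub, data, sig): return pow(sig, pub[1], pub[0]) == _h(data, pub[0])
def wire(name, rtype, rdata): return f"{name}|{rtype}|{rdata}".encode()  # bytes an RRSIG covers
def ds_digest(child, pub):  # DS = digest over owner name + DNSKEY, as the parent publishes it
    return hashlib.sha256(f"{child}|{pub[0]}|{pub[1]}".encode()).hexdigest()
def zone_of(name):  # closest enclosing zone in the toy tree
    while name not in PRIMES: name = name.split(".", 1)[1] or "."
    return name

def build_zones():
    """Constructed authoritative data: each zone self-signs its DNSKEY and its records,
    each parent publishes a signed DS for its child.  Returns (rrs, root trust anchor)."""
    keys, rrs = {z: keypair(*pq) for z, pq in PRIMES.items()}, {}  # rrs: (name, type) -> (rdata, rrsig)
    def publish(zone, name, rtype, rdata):
        pub, d = keys[zone]
        rrs[(name, rtype)] = (rdata, sign(d, pub, wire(name, rtype, rdata)))
    for zone, (pub, _) in keys.items():
        publish(zone, zone, "DNSKEY", f"{pub[0]},{pub[1]}")
        if zone in PARENT:
            publish(PARENT[zone], zone, "DS", ds_digest(zone, pub))
    publish("example.com.", "www.example.com.", "A", "192.0.2.10")
    publish("example.com.", "mail.example.com.", "A", "192.0.2.25")
    publish("other.com.", "www.other.com.", "A", "198.51.100.7")
    return rrs, keys["."][0]

class IspResolver:
    """ISP recursive resolver.  `forged` maps a name to the A record substituted for it
    (the blocking order); lacking the zone's key, the ISP signs it, and that zone's
    DNSKEY, with its own key."""
    def __init__(self, rrs, forged=None):
        self.rrs, self.forged, self.queries = rrs, forged or {}, 0
        self.pub, self.d = keypair(1000000009, 999999937)
    def query(self, name, rtype):
        self.queries += 1
        fake = lambda rdata: (rdata, sign(self.d, self.pub, wire(name, rtype, rdata)))
        if rtype == "A" and name in self.forged:
            return fake(self.forged[name])
        if rtype == "DNSKEY" and any(zone_of(f) == name for f in self.forged):
            return fake(f"{self.pub[0]},{self.pub[1]}")
        return self.rrs[(name, rtype)]

class Stub:
    """Client.  With validate=True it walks DNSKEY/DS/RRSIG from the answer's zone up
    to the root trust anchor, caching the DNSKEY and DS it has fetched per zone."""
    def __init__(self, isp, anchor, validate=True):
        self.isp, self.anchor, self.validate, self.cache = isp, anchor, validate, {}
    def _get(self, name, rtype):
        if (name, rtype) not in self.cache: self.cache[(name, rtype)] = self.isp.query(name, rtype)
        return self.cache[(name, rtype)]
    def _zone_key(self, zone):
        rdata, sig = self._get(zone, "DNSKEY")
        pub = tuple(int(x) for x in rdata.split(","))
        if not verify(pub, wire(zone, "DNSKEY", rdata), sig):
            raise ValueError(f"DNSKEY RRSIG for {zone} does not verify")
        if zone == ".":                             # reached the configured anchor
            if pub != self.anchor: raise ValueError("root DNSKEY != trust anchor")
            return pub
        ds, ds_sig = self._get(zone, "DS")          # published by the parent zone
        parent_pub = self._zone_key(PARENT[zone])   # recurse toward the root
        if not verify(parent_pub, wire(zone, "DS", ds), ds_sig):
            raise ValueError(f"DS RRSIG for {zone} does not verify")
        if ds != ds_digest(zone, pub):
            raise ValueError(f"DS in {PARENT[zone]} does not match DNSKEY of {zone}")
        return pub
    def lookup(self, name):
        rdata, sig = self.isp.query(name, "A")      # the one query a plain stub sends
        if self.validate and not verify(self._zone_key(zone_of(name)), wire(name, "A", rdata), sig):
            raise ValueError(f"RRSIG for {name} A does not verify")
        return rdata

def query_counts():
    """Queries the ISP resolver sees per lookup from one client, plain vs validating."""
    rrs, anchor = build_zones()
    counts = {}
    for validating in (False, True):
        stub = Stub(IspResolver(rrs), anchor, validate=validating)
        for name in ("www.example.com.", "mail.example.com.", "www.other.com."):
            before = stub.isp.queries
            stub.lookup(name)
            counts[(name, validating)] = stub.isp.queries - before
    return counts

def forged_lookup():
    """ISP substitutes 10.0.0.1 for www.example.com.: what a plain client accepts,
    and why a validating one rejects it."""
    rrs, anchor = build_zones()
    isp = IspResolver(rrs, forged={"www.example.com.": "10.0.0.1"})
    accepted = Stub(isp, anchor, validate=False).lookup("www.example.com.")
    try: Stub(isp, anchor).lookup("www.example.com.")
    except ValueError as err: return accepted, str(err)
    return accepted, None
```

query_counts() returns 1 query per lookup for the non-validating client and 6, 1 and 3 for www.example.com., mail.example.com. and www.other.com. with validation on: the second name shares its whole chain with the first, the third shares only com. and the root. forged_lookup() returns the substituted 10.0.0.1 for the plain client and, for the validating one, "DS in com. does not match DNSKEY of example.com.". The ISP can sign whatever it likes with its own key, but it cannot make com. publish a DS for that key, so the chain breaks at the parent and the client treats the answer as bogus rather than as the blocking page.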
