DNSSEC and ISPs faking DNS responses
bjorn at mork.no
Fri Nov 13 09:51:52 UTC 2015
Jean-Francois Mezei <jfmezei_nanog at vaxination.ca> writes:
> The Québec government is wanting to pass a law that will force ISPs to
> block and/or redirect certain sites it doesn't like.
(yes, we could discuss the point of all this - but that is a political
discussion, and there are better fora for those. Let's keep this
techical here, please)
Now, we mostly don't do DNSSEC validation yet, and luckily none of the
blocked domains have any DS records either. So DNSSEC is not yet a real
problem in this regard. But there is no reason to think this luck will
last forever. Given the "success", we can only assume there will be
more court orders. And we do want to enable DNSSEC validation
everywhere at some point.
So what do we do? We currently point the blocked domains to addresses of
a web server with a short explanation. But what if the domains were
signed? We could let validating servers return SERVFAIL. But I'd
really prefer avoiding that for the simple reason that there is no way
to distinguish that SERVFAIL from one caused by e.g. a domain owner
configuration error. So I'm wondering if DLV might help us here? I
imagine it will allow us to return a signed response to the client,
with the AD flag, even if we have taken control of the domain. Or won't
that work at all if the parent has a DS record?
If the DLV strategy works, then the main advantage would be that a
validating client could distiguish between a domain owner error and a
deliberate "error" added by us as a resolver operator. The DLV signed
response will still fail client calidation. And we would of course
publish the DLV key, so that anyone wishing to verify the source of the
failing signatures could do that (assuming that some clients may accept
us as a MITM, but still want to prevent others from the same attack).
What do you all think? Is this feasible? Any better solutions?
OK, I should probably lab this instead of discussing it...
Bjørn (working for Telenor, but definitely not having any role in PR or
More information about the NANOG