DNSSEC and ISPs faking DNS responses

Owen DeLong owen at delong.com
Fri Nov 13 17:25:18 UTC 2015

> On Nov 12, 2015, at 21:29 , John Levine <johnl at iecc.com> wrote:
>>> Redirecting is much harder -- ...
>> If you know that the client is using ONLY your resolver(s), couldn’t you
>> simply fake the entire chain and sign everything yourself?
> I suppose, although doing that at scale in a large provider like Videotron
> (1.5M subscribers) would be quite a challenge.
>> Or, alternatively, couldn’t you just fake the answers to all the “is this
>> signed?” requests and say “Nope!” regardless of the state of the authoritative
>> zone in question?
> No, those responses are signed too.

Only if you pass through the claim that the parent domain is signed.

Again, if you’re the only resolver the clients are using, you can claim that
nothing from the root down is signed without ever providing any cryptographic

Seems to me that wouldn’t be significantly harder than running a resolver
at the same scale.

>> Sure, if the client has any sort of independent visibility it can verify that
>> you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
>> much mean it can’t tell that you’re lying to it?
> At this point very few client resolvers check DNSSEC, so something
> that stripped off all the DNSSEC stuff and inserted lies where
> required would "work" for most clients.  At least until they realized
> they couldn't get to PokerStars and switched their DNS to

If the ISPs don’t start blocking well known public resolvers or even just
blocking port 53 in general (which has been known to happen).


More information about the NANOG mailing list