DNSSEC and ISPs faking DNS responses

John R. Levine johnl at iecc.com
Fri Nov 13 17:33:12 UTC 2015

>> At this point very few client resolvers check DNSSEC, so something
>> that stripped off all the DNSSEC stuff and inserted lies where
>> required would "work" for most clients.  At least until they realized
>> they couldn't get to PokerStars and switched their DNS to
> If the ISPs don’t start blocking well known public resolvers or even just
> blocking port 53 in general (which has been known to happen).

I doubt the ISPs in Québec would have much sympathy for this proposed law.
It makes their life harder and provides them no benefit.  Should it pass
(remember, it's just proposed), I expect they'd just adjust their DNS
caches to block responses for the list of domains that the government
mails them and claim they're in full compliance.
