DNSSEC and ISPs faking DNS responses

David Conrad drc at virtualized.org
Fri Nov 13 22:22:15 UTC 2015

On Nov 13, 2015, at 10:24 AM, Mark Milhollan <mlm at pixelgate.net> wrote:
> On Thu, 13 Nov 2015, John Levine wrote:
>> At this point very few client resolvers check DNSSEC, so something
>> that stripped off all the DNSSEC stuff and inserted lies where
>> required would "work" for most clients.  At least until they realized
>> they couldn't get to PokerStars and switched their DNS to
> Except that the ISP can intercept those queries and respond as it likes.

Thank you. I was wondering if anyone would mention this.

DNSSEC only protects the validator's cache. My assumption (which may be wrong) is that for the vast majority of folks, that means the cache that is run by the ISP.

How many of the ISPs in Quebec enable DNSSEC?

Even if they do, I doubt the government would care: I would presume it would be up to the ISP to implement the law and respond back as the law dictates.  How many of the ISPs would continue to enable DNSSEC if the cops show up at their door and turning off DNSSEC is the only way the ISP has to implement the law's requirements?

How many applications request DNSSEC related information and validate?

The only way DNSSEC matters in this context is if you validate locally. My guess is that the number of folk who do this is so low as to not be of interest to the Quebec government. This may be an argument for folks to run their own validating resolvers, but I'm not sure how you'd do that on your iPhone, iPad, or SmartTV.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20151113/a8edef15/attachment.sig>

More information about the NANOG mailing list