DNSSEC and ISPs faking DNS responses
drc at virtualized.org
Sat Nov 14 00:49:44 UTC 2015
> On Nov 13, 2015, at 4:18 PM, Mark Andrews <marka at isc.org> wrote:
>> How many of the ISPs would continue to enable DNSSEC if the
>> cops show up at their door and turning off DNSSEC is the only way the ISP
>> has to implement the law's requirements?
> Why would the ISP's turn off DNSSEC? It doesn't prevent them sending back
> NXDOMAIN. The clients will validate or not. If they validate they will
> get a validation failure. If they don't them the NXDOMAIN will be accepted.
My point was that folks at ISPs tend to prefer not to be thrown in jail.
> Apple just adds a validator to their stub resolver and installs a root
> trust anchor.
Love that plan. Let me know when you've convinced Apple to "just" add a validator to IOS (I'm assuming IOS doesn't currently have that capability).
> This really isn't conceptually different to how they manage
My point was that the vast majority of those affected by this would likely not be in a position to install a validating resolver on their device.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the NANOG