DNSSEC and ISPs faking DNS responses

Stephane Bortzmeyer bortzmeyer at nic.fr
Sat Nov 14 17:26:40 UTC 2015


On Sat, Nov 14, 2015 at 01:36:06AM -0500,
 Jean-Francois Mezei <jfmezei_nanog at vaxination.ca> wrote 
 a message of 71 lines which said:

> Loto Québec is supposed to be testing for compliance, and I am not
> sure how they will do that short of having a subscription to every
> ISP that sells services in Québec.

They will simply use RIPE Atlas probes, as we all do to test our
networks from the outside.

Here, Bulgaria, where the mandatory blocking of gambling Web sites is
far from perfect (the right IP address is 5.226.176.16):

% python resolve-name.py --requested=500 --country=BG www.bet365.com 
Measurement #2930308 for www.bet365.com/A uses 94 probes

[] : 1 occurrences 
[193.24.240.122] : 1 occurrences 
[84.54.148.18] : 1 occurrences 
[212.73.128.166] : 1 occurrences 
[212.39.93.34] : 3 occurrences 
[ERROR: SERVFAIL] : 1 occurrences 
[5.226.176.16] : 75 occurrences 
[127.0.0.1] : 4 occurrences 
Test done at 2015-11-14T17:14:20Z

A few lying DNS resolvers but not many.

> (Maybe they think they only have to test 3 ISPs, (telcos and
> cablecos) and don't realise they have over 100 ISPs to test for
> compliance).

My experience with this sort of organisation is that they don't care
about 100 % compliance. They're only interested in "good enough" (the
three largest ISPs...)



