nanog mailing list archives
Re: DNSSEC and ISPs faking DNS responses
From: Jean-Francois Mezei <jfmezei_nanog () vaxination ca>
Date: Fri, 13 Nov 2015 04:27:36 -0500
On 2015-11-12 23:07, Mark Andrews wrote:
> They make the same queries and verify the answers the same way.
> It asks for the DNSKEY records and RRSIGs. Verifies them against the DS records which it asks for. Repeat all the way to the root.
Is it correct to state that clients, instead of issuing a single request to the ISP's DNS server and letting it do the recursion, will request (if not cached already) records from the root, the TLD and the domain's authoritative server to get the DNSSEC records for each in order to be able to "walk" the path and verify each signature? So this would result in a significant increase in the number of transactions between clients and ISP DNS servers, correct?

If the above is correct, then it provides me with the missing link to my understanding.

BTW, the proposed law, being done by lawyers, will have the list of sites to be banned distributed to ISPs via REGISTERED MAIL. (There are two means to have "legal" documents served, registered mail and by bailiffs in Québec.) (There are to be financial penalties to ISPs who do not comply, so govt needs proof of delivery.)

I'll have to research how other countries tried to implement similar schemes (I believe the UK has with some of the popular torrent sites). I know the Australian attempt to filter porn failed miserably.
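
An added example, not part of the original message: the DS-to-DNSKEY link in the chain the quoted reply describes, walked offline from the trust anchor down to the zone, with the DS and DNSKEY lookups counted along the way. The zone keys are constructed placeholder bytes, the function names are hypothetical, and RRSIG signature verification is left out because it needs a cryptographic library.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) wire form of a domain name, as hashed into a DS."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields (key tag, SHA-256 digest): digest = SHA-256(owner wire + RDATA)."""
    return key_tag(rdata), hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def walk_chain(zones, dnskeys, ds_records, anchor):
    """Check each zone's DNSKEY against the DS held by its parent (or the trust
    anchor for the root). Returns (ok, queries); RRSIG checks are omitted."""
    queries = []
    for zone in zones:
        if zone != ".":
            queries.append(("DS", zone))      # DS lives in the parent zone
        queries.append(("DNSKEY", zone))
        expected = anchor if zone == "." else ds_records[zone]
        if make_ds(zone, dnskeys[zone]) != expected:
            return False, queries             # chain broken: answer is bogus
    return True, queries

# Constructed sample data: placeholder key bytes, not real zone keys.
ZONES = [".", "ca.", "vaxination.ca."]
KEYS = {
    ".": dnskey_rdata(257, 8, b"constructed-root-ksk"),
    "ca.": dnskey_rdata(257, 8, b"constructed-ca-ksk"),
    "vaxination.ca.": dnskey_rdata(257, 13, b"constructed-zone-ksk"),
}
TRUST_ANCHOR = make_ds(".", KEYS["."])
DS = {z: make_ds(z, KEYS[z]) for z in ZONES[1:]}

if __name__ == "__main__":
    print(walk_chain(ZONES, KEYS, DS, TRUST_ANCHOR))
    forged = {**KEYS, "ca.": dnskey_rdata(257, 8, b"substituted-key")}
    print(walk_chain(ZONES, forged, DS, TRUST_ANCHOR))
```

With every record uncached, the walk needs one DNSKEY lookup for the root plus a DS and a DNSKEY lookup per delegation below it; a substituted key at any level stops the walk at that zone.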