nanog mailing list archives
Re: DNSSEC and ISPs faking DNS responses
From: "John R. Levine" <johnl () iecc com>
Date: 13 Nov 2015 12:33:12 -0500
At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8.

If the ISPs don’t start blocking well known public resolvers or even just blocking port 53 in general (which has been known to happen).
I doubt the ISPs in Québec would have much sympathy for this proposed law. It makes their life harder and provides them no benefit. Should it pass (remember, it's just proposed), I expect they'd just adjust their DNS caches to block responses for the list of domains that the government mails them and claim they're in full compliance.
R's, John