nanog mailing list archives
Re: DNSSEC and ISPs faking DNS responses
From: Mark Milhollan <mlm () pixelgate net>
Date: Fri, 13 Nov 2015 10:24:27 -0800 (PST)
On Thu, 13 Nov 2015, John Levine wrote:
> At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
Except that the ISP can intercept those queries and respond as it likes. Such is already done at all scales. Not that a government generally cares what kind of burden is required once the law is passed, cf. CALEA.

True, some users would be able to detect such tampering and many of those could work around it. But most will have no way to do either. Would the masses ever replace their stub with a full resolver? Doubtful, unless their OS vendor does it for them. Would that be the right thing to do for a few billion users of Windows and another couple billion using Android, most of whose ISPs are providing unfaked answers? Would the various authoritative operators be happy / agree? How does one fit local zones into the picture?

Would the masses set up a VPN to a service provider in a jurisdiction not subject to such foolishness so their resolver, whether stub or full, would have a chance at unfaked answers? Again, I'm thinking most would be entirely ignorant of the issue, and in any case would be hard pressed to set anything up unless it was trivial, e.g., not just part of their OS but also Wizard-like with most answers pre-supplied.

/mark
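The post says some users "would be able to detect such tampering". The following is an added example, not code from the thread or any of its participants, showing the simplest form of that detection: send a query with the EDNS0 DO bit for a name in a zone known to be signed, then check whether the reply still carries an RRSIG in the answer section and whether its transaction ID matches. A reply for a signed zone with the signatures missing means something between the stub and the authoritative servers stripped or replaced the answer, whichever resolver address the query was sent to. Everything here is standard library only; the two replies are constructed inline (RFC 5737 documentation addresses, placeholder RRSIG RDATA), and `build_query`, `parse_message` and `assess` are names chosen for this example.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_AD = 0x0020   # "Authenticated Data" bit in the header flags
DO_BIT = 0x8000    # EDNS0 "DNSSEC OK" flag, carried in the OPT RR's TTL field


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, dnssec_ok=True):
    """A query with RD set and an EDNS0 OPT RR; DO asks the resolver to return RRSIGs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt


def decode_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_message(data):
    """Split a DNS message into header fields and per-section record lists."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4                                # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, offset = decode_name(data, offset)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            sections[section].append({"name": name, "type": rtype, "ttl": ttl,
                                      "rdata": data[offset:offset + rdlen]})
            offset += rdlen
    return {"id": txid, "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF, **sections}


def query_sets_do(query):
    """True if the query carries an OPT RR with the DO bit, i.e. it asked for RRSIGs."""
    return any(rr["type"] == TYPE_OPT and rr["ttl"] & DO_BIT
               for rr in parse_message(query)["additional"])


def assess(query, response):
    """Classify a reply to a DO query for a name whose zone is known to be signed."""
    r = parse_message(response)
    if r["id"] != struct.unpack("!H", query[:2])[0]:
        return "id-mismatch"
    if any(rr["type"] == TYPE_RRSIG for rr in r["answer"]):
        return "signed"
    return "unsigned-or-stripped"


# --- constructed sample replies (not captured traffic; addresses from RFC 5737 ranges) ---
def build_response(txid, flags, name, answers):
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
                   for t, rd in answers)
    return header + question + rrs

# Honest validating resolver: AD set, A record plus its RRSIG (placeholder RRSIG RDATA).
SIGNED_REPLY = build_response(0x1234, 0x81A0, "example.com",
                              [(TYPE_A, bytes([192, 0, 2, 1])), (TYPE_RRSIG, b"\x00" * 24)])
# Intercepting middlebox: same ID, AD clear, substituted A record, RRSIG dropped.
STRIPPED_REPLY = build_response(0x1234, 0x8180, "example.com",
                                [(TYPE_A, bytes([198, 51, 100, 7]))])

if __name__ == "__main__":
    q = build_query("example.com")
    print("DO set:", query_sets_do(q))
    print("honest reply:", assess(q, SIGNED_REPLY))
    print("intercepted reply:", assess(q, STRIPPED_REPLY))
```

In live use the bytes from `build_query` go out over UDP to the resolver and the reply comes back into `assess`. Note that this only checks that signatures are present; it does not validate them, so a forged answer that also forges an RRSIG still passes, which is exactly why the post's question of who runs the validating resolver (stub, OS vendor, or the ISP) matters.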