Re: DNSSEC and ISPs faking DNS responses

[David Conrad <drc () virtualized org>]

On Nov 13, 2015, at 10:24 AM, Mark Milhollan <mlm () pixelgate net> wrote:
> On Thu, 13 Nov 2015, John Levine wrote:
>
> > At this point very few client resolvers check DNSSEC, so something
> > that stripped off all the DNSSEC stuff and inserted lies where
> > required would "work" for most clients.  At least until they realized
> > they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
>
> Except that the ISP can intercept those queries and respond as it likes.

Thank you. I was wondering if anyone would mention this.

DNSSEC only protects the validator's cache. My assumption (which may be wrong) is that for the vast majority of folks, 
that means the cache that is run by the ISP.

How many of the ISPs in Quebec enable DNSSEC?

Even if they do, I doubt the government would care: I would presume it would be up to the ISP to implement the law and 
respond back as the law dictates.  How many of the ISPs would continue to enable DNSSEC if the cops show up at their 
door and turning off DNSSEC is the only way the ISP has to implement the law's requirements?

How many applications request DNSSEC related information and validate?

The only way DNSSEC matters in this context is if you validate locally. My guess is that the number of folk who do this 
is so low as to not be of interest to the Quebec government. This may be an argument for folks to run their own 
validating resolvers, but I'm not sure how you'd do that on your iPhone, iPad, or SmartTV.

Regards,
-drc

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail