
DNSSEC and ISPs faking DNS responses



>> At this point very few client resolvers check DNSSEC, so something
>> that stripped off all the DNSSEC stuff and inserted lies where
>> required would "work" for most clients.  At least until they realized
>> they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
>
> If the ISPs don't start blocking well known public resolvers or even just
> blocking port 53 in general (which has been known to happen).

I doubt the ISPs in Québec would have much sympathy for this proposed law.
It makes their life harder and provides them no benefit.  Should it pass 
(remember, it's just proposed), I expect they'd just adjust their DNS 
caches to block responses for the list of domains that the government 
mails them and claim they're in full compliance.

R's,
John