DNSSEC and ISPs faking DNS responses
Mark,
> On Nov 13, 2015, at 4:18 PM, Mark Andrews <marka at isc.org> wrote:
>> How many of the ISPs would continue to enable DNSSEC if the
>> cops show up at their door and turning off DNSSEC is the only way the ISP
>> has to implement the law's requirements?
>
> Why would the ISPs turn off DNSSEC? It doesn't prevent them sending back
> NXDOMAIN. The clients will validate or not. If they validate they will
> get a validation failure. If they don't then the NXDOMAIN will be accepted.
My point was that folks at ISPs tend to prefer not to be thrown in jail.
> Apple just adds a validator to their stub resolver and installs a root
> trust anchor.
Love that plan. Let me know when you've convinced Apple to "just" add a validator to iOS (I'm assuming iOS doesn't currently have that capability).
> This really isn't conceptually different to how they manage
> CA's.
My point was that the vast majority of those affected by this would likely not be in a position to install a validating resolver on their device.
Regards,
-drc
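The mechanism Mark describes above (a validating client rejects a forged NXDOMAIN, a non-validating one accepts it) modelled as an added example; this is not code from either poster. It assumes RRSIG verification of the NSEC records has already been done, and the zone contents and names are constructed.

```python
# Added example (not from the thread): the negative-answer check a validating
# stub applies. RRSIG verification is assumed done; zone data is constructed.

def canon_labels(name):
    """Labels from the root downward, lowercased, for RFC 4034 ordering."""
    return [l.lower().encode() for l in name.rstrip(".").split(".")][::-1]

def canon_lt(a, b):
    """True when name a sorts before name b in DNSSEC canonical order."""
    return canon_labels(a) < canon_labels(b)

def nsec_covers(owner, nxt, qname):
    """NSEC owner->nxt covers qname if qname lies strictly between them;
    the zone's last NSEC points back to the apex and wraps around."""
    if canon_lt(owner, nxt):
        return canon_lt(owner, qname) and canon_lt(qname, nxt)
    return canon_lt(owner, qname) or canon_lt(qname, nxt)

def closest_encloser(qname, name):
    """Longest common ancestor (by label) of qname and an NSEC name."""
    q, n = canon_labels(qname), canon_labels(name)
    i = 0
    while i < min(len(q), len(n)) and q[i] == n[i]:
        i += 1
    return ".".join(l.decode() for l in reversed(q[:i]))

def nxdomain_is_proven(qname, nsecs):
    """True only if the NSEC set proves qname is absent and that no
    wildcard at the closest encloser could have synthesised an answer."""
    covering = [r for r in nsecs if nsec_covers(r[0], r[1], qname)]
    if not covering:
        return False
    enc = max((closest_encloser(qname, n) for n in covering[0]), key=len)
    return any(nsec_covers(o, n, "*." + enc) for o, n in nsecs)

def validating_stub(qname, rcode, nsecs):
    """A validating client: an NXDOMAIN without a proof is BOGUS."""
    if rcode != "NXDOMAIN":
        return rcode
    return "NXDOMAIN" if nxdomain_is_proven(qname, nsecs) else "BOGUS"

def plain_stub(qname, rcode, nsecs):
    """A non-validating client accepts whatever rcode the ISP returns."""
    return rcode

# Constructed signed zone: example.com contains only the apex, a and c.
ZONE_NSEC = [("example.com", "a.example.com"),
             ("a.example.com", "c.example.com"),
             ("c.example.com", "example.com")]
```

A resolver that returns NXDOMAIN for the existing name a.example.com cannot supply a covering NSEC, so the validating stub reports BOGUS while the plain stub simply sees NXDOMAIN, which is exactly why the outcome depends on where validation runs.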