In message <9692ECC6-34AD-49C0-B310-10B8EF8C112C@virtualized.org>, David Conrad writes:
On Nov 13, 2015, at 10:24 AM, Mark Milhollan <mlm@pixelgate.net> wrote:
On Thu, 13 Nov 2015, John Levine wrote:
At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
Except that the ISP can intercept those queries and respond as it likes.
Thank you. I was wondering if anyone would mention this.
DNSSEC only protects the validator's cache. My assumption (which may be wrong) is that for the vast majority of folks, that means the cache that is run by the ISP.
How many of the ISPs in Quebec enable DNSSEC?
Even if they do, I doubt the government would care: I would presume it would be up to the ISP to implement the law and respond back as the law dictates. How many of the ISPs would continue to enable DNSSEC if the cops show up at their door and turning off DNSSEC is the only way the ISP has to implement the law's requirements?
Why would the ISP's turn off DNSSEC? It doesn't prevent them sending back NXDOMAIN. The clients will validate or not. If they validate they will get a validation failure. If they don't them the NXDOMAIN will be accepted.
How many applications request DNSSEC related information and validate?
The only way DNSSEC matters in this context is if you validate locally. My guess is that the number of folk who do this is so low as to not be of interest to the Quebec government. This may be an argument for folks to run their own validating resolvers, but I'm not sure how you'd do that on your iPhone, iPad, or SmartTV.
Apple just adds a validator to their stub resolver and installs a root trust anchor. This really isn't conceptually different to how they manage CA's.
Regards, -drc
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org