Redirecting is much harder -- ...
If you know that the client is using ONLY your resolver(s), couldn’t you simply fake the entire chain and sign everything yourself?
I suppose, although doing that at scale in a large provider like Videotron (1.5M subscribers) would be quite a challenge.
Or, alternatively, couldn’t you just fake the answers to all the “is this signed?” requests and say “Nope!” regardless of the state of the authoritative zone in question?
No, those responses are signed too.
Sure, if the client has any sort of independent visibility it can verify that you’re lying, but if it can only talk to your resolvers, doesn’t that pretty much mean it can’t tell that you’re lying to it?
At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8. R's, John