Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> writes:
The Québec government is wanting to pass a law that will force ISPs to block and/or redirect certain sites it doesn't like.
BTDT. See https://torrentfreak.com/pirate-sites-must-pay-legal-costs-of-own-blockade-c... (yes, we could discuss the point of all this - but that is a political discussion, and there are better fora for those. Let's keep this techical here, please) Now, we mostly don't do DNSSEC validation yet, and luckily none of the blocked domains have any DS records either. So DNSSEC is not yet a real problem in this regard. But there is no reason to think this luck will last forever. Given the "success", we can only assume there will be more court orders. And we do want to enable DNSSEC validation everywhere at some point. So what do we do? We currently point the blocked domains to addresses of a web server with a short explanation. But what if the domains were signed? We could let validating servers return SERVFAIL. But I'd really prefer avoiding that for the simple reason that there is no way to distinguish that SERVFAIL from one caused by e.g. a domain owner configuration error. So I'm wondering if DLV might help us here? I imagine it will allow us to return a signed response to the client, with the AD flag, even if we have taken control of the domain. Or won't that work at all if the parent has a DS record? If the DLV strategy works, then the main advantage would be that a validating client could distiguish between a domain owner error and a deliberate "error" added by us as a resolver operator. The DLV signed response will still fail client calidation. And we would of course publish the DLV key, so that anyone wishing to verify the source of the failing signatures could do that (assuming that some clients may accept us as a MITM, but still want to prevent others from the same attack). What do you all think? Is this feasible? Any better solutions? OK, I should probably lab this instead of discussing it... Bjørn (working for Telenor, but definitely not having any role in PR or legal matters)