Actually, how are other places implementing these lists? I would have thought to use RPZ, but as far as I know if the blocked DNS domain is using DNSSEC it wouldn't work. Sincerely, Eric Tykwinski TrueNet, Inc. P: 610-429-8300 F: 610-429-3222 -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of John R. Levine Sent: Friday, November 13, 2015 12:33 PM To: Owen DeLong Cc: nanog@nanog.org Subject: Re: DNSSEC and ISPs faking DNS responses I doubt the ISPs in Québec would have much sympathy for this proposed law. It makes their life harder and provides them no benefit. Should it pass (remember, it's just proposed), I expect they'd just adjust their DNS caches to block responses for the list of domains that the government mails them and claim they're in full compliance. R's, John