On Thu, 13 Nov 2015, John Levine wrote:
At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
Except that the ISP can intercept those queries and respond as it likes. Such is already done at all scales. Not that a government generally cares what kind of burden is required once the law is passed, cf. CALEA. True, some users would be able to detect such tampering and many of those could work around it. But most will have no way to do either. Would the masses ever replace their stub with a full resolver? Doubtful, unless their OS vendor does it for them. Would that be the right thing to do for a few billion users of Windows and another couple billion using Android, most of whose ISPs are providing unfaked answers? Would the various authoritative operators be happy / agree? How does one fit local zones into the picture? Would the masses set up a VPN to a service provider in a jurisdiction not subject to such foolishness so their resolver, whether stub or full, would have a chance at unfaked answers? Again, I'm thinking most would be entirely ignorant of the issue, and in any case would be hard pressed to set anything up unless it was trivial, e.g., not just part of their OS but also Wizard-like with most answers pre-supplied.

/mark