The Québec government is wanting to pass a law that will force ISPs to block and/or redirect certain sites it doesn't like. (namely sites that offer on-line gambling that compete against its own Loto Québec). In order to make a good submission to government, once has to boil it donw to simple enough arguments that clueless politicians can understand. And for me to do that, I want to make sure I understand this correctly. I have tried to research DNSSEC and while I understand how a proper DNS server can validate the chain from the - root server - TLD server - authoritative DNS server for that domain I remain in dark with regartds to clients, namely clients who cannot trust the DNS server supplied as part of DHCP/IPCP/PPPoE responses. Say a consumer wants to connect to lottery.com, which, from the world outside the ISP, would result in a signed, verifiable response. Can't the ISP's DNS server just pretend it is authoritative for lottery.com and return to client a non-DNSSEC response that points to a fake IP address ? If the client gets an unsigned response for lottery.com from its ISP's DNS server, how can it know it is a fake response, how can it know that lottery.com should have generated a signed DNSSEC response ? It seems to me that unless each client goes to the tld servers (they already have root signatures), get signature of the tld server and signed response of where "lotery.com" can be found, they have no way to know whether lottery.com should be signed or not, and whether the answer they got from their ISP is good or not. Is that a proper understanding ? So far, I have seen good explanations of what happens between DNS servers and the servers that are authoritative for domain, TLD and root. But I have seen nothing about clients who only have a resolver that talks to a DNS server. And while I am at it: when a client gets a legit response from ISP's DNS server with RRSIG records, how does the client obtain the public key against which to run the record to ensure its calculated signature matches that provided in RRSIG ? or do DNS servers return the full chain of records so that a request for lottery.com returns not only record for lottery.com but also .com,s reply on where lottery.com is and root's reply of where .com is ? Hopefully, I am only missing a small bit that would explain everything that happens at the client side. But as long as I am told that the client only talks to the ISP's DNS server, I am at a loss. Any help appreciated. (I just watched an hour long youtube on subject which didn't deal with client much).