On 2015-11-13 16:59, Stephane Bortzmeyer wrote:
> On Fri, Nov 13, 2015 at 04:27:36AM -0500, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote a message of 34 lines which said:
>
>> I'll have to research how other countries tried to implement similar schemes
>
> https://www.afnic.fr/en/about-afnic/news/general-news/6584/show/the-afnic-sc...
Thanks to Stephane and all the others. The afnic report will be especially useful because it is in French and thus better understood by Québec politicians.

And thanks to all those who filled in the gaps for DNSSEC for me. Unfortunately, an ISP can still pretend to be authoritative for the blocked domains and respond with a fake unsigned response. The end client that doesn't validate will be gullible and access the redirect site. Those who validate will get SERVFAIL or NXDOMAIN, and the end result is that the blocked web site remains blocked.

With regards to VPNs: while they may not be very well known in the USA, they are outside the USA, where many people need VPNs to access foreign content that is geoblocked in their home country. New Zealand is not alone; the practice is also common in Canada (as well as using pretend DNS servers in the USA). There are a number of commercial services that provide DNS "faking" that make your Canadian requests appear to come from a USA location, so Netflix assumes you are in a USA location when resolving whether content is available or not. (ex: https://www.unblock-us.com )

In the case of gambling, anyone with such an addiction will likely feel deprived after a couple of days being blocked and will call on their best friend Mr Google, who will quickly provide ways to get around it such as ignoring your own ISP's DNS server and using one outside of Québec. Or using a VPN.

This may have interesting implications for Google's 8.8.8.8 which, if I am not mistaken, peers at QIX, the Montréal exchange. Would they be bound by the law (they are not an ISP)? Google could simply withdraw from the QIX exchange, at which point the Québec government would have 0 jurisdiction.

ISPs that serve both Ontario and Québec through Bell's DSL infrastructure will have fun. PPPoE connections arrive to a common connection point via L2TP tunnels, so the ISP would have to determine the person's province based on PPPoE login credentials and assign different DNS servers (blocked for QC, unblocked for ON).

Loto Québec is supposed to be testing for compliance, and I am not sure how they will do that short of having a subscription to every ISP that sells services in Québec. (Maybe they think they only have to test 3 ISPs (telcos and cablecos) and don't realise they have over 100 ISPs to test for compliance.) And when an ISP in Val D'Or has its DNS set to recurse only for requests that come from its intranet, Loto Québec won't be able to test from its cushy Montréal offices with a simple "set server" command.

Ahh... the trouble clueless politicians can cause.
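An added example (not part of the thread) of the DNSSEC point above from the monitoring side: it compares what an ISP resolver returned with what a validating reference resolver returned for the same names, flags forged answers such as an unsigned reply for a zone the reference shows as signed, and shows why a non-validating stub follows the redirect while a validating one ends up with SERVFAIL. All names, addresses and replies are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    """One resolver's reply to an A query sent with the DO bit set."""
    rcode: str                         # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    addrs: frozenset = frozenset()     # A records in the answer section
    signed: bool = False               # RRSIG records were returned with the answer

def stub_outcome(ans: Answer, zone_signed: bool, validating: bool) -> str:
    """What a stub makes of the reply: a validating stub rejects an unsigned
    reply for a zone it knows is signed (SERVFAIL); a non-validating stub
    simply uses whatever rcode and addresses it was given."""
    if validating and zone_signed and not ans.signed:
        return "SERVFAIL"
    return ans.rcode

def compare_resolvers(isp: dict, ref: dict) -> dict:
    """Flag names whose ISP reply diverges from the validated reference reply.
    Returns {name: reason}; names answered consistently are omitted."""
    findings = {}
    for name, r in ref.items():
        i = isp.get(name)
        if i is None or r.rcode == "SERVFAIL":
            continue                      # nothing comparable for this name
        if r.rcode == "NOERROR" and i.rcode == "NXDOMAIN":
            findings[name] = "NXDOMAIN where reference resolver has an answer"
        elif r.signed and i.rcode == "NOERROR" and not i.signed:
            findings[name] = "unsigned answer for a signed zone (signatures stripped)"
        elif i.rcode == "NOERROR" and r.rcode == "NOERROR" and not (i.addrs & r.addrs):
            # weak signal on its own: CDNs hand out different addresses per vantage point
            findings[name] = "addresses disjoint from reference (check for a redirect page)"
    return findings

# Constructed sample data: invented names, documentation-range addresses only
REFERENCE = {
    "signed-blocked.example": Answer("NOERROR", frozenset({"192.0.2.10"}), signed=True),
    "unsigned-blocked.example": Answer("NOERROR", frozenset({"192.0.2.20"})),
    "untouched.example": Answer("NOERROR", frozenset({"192.0.2.30"}), signed=True),
}
ISP = {
    "signed-blocked.example": Answer("NOERROR", frozenset({"198.51.100.1"})),  # forged, no RRSIG
    "unsigned-blocked.example": Answer("NXDOMAIN"),
    "untouched.example": Answer("NOERROR", frozenset({"192.0.2.30"}), signed=True),
}

if __name__ == "__main__":
    for name, why in compare_resolvers(ISP, REFERENCE).items():
        print(f"{name}: {why}")
    forged = ISP["signed-blocked.example"]
    print(stub_outcome(forged, zone_signed=True, validating=False))  # NOERROR: follows the redirect
    print(stub_outcome(forged, zone_signed=True, validating=True))   # SERVFAIL: site stays blocked
```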