On 2015-11-12 23:07, Mark Andrews wrote:
They make the same queries and verify the answers the same way.
It asks for the DNSKEY records and RRSIGs. Verifies them against the DS records which it asks for. Repeat all the way to the root.
Is it correct to state that clients, instead of issuing a single request to the ISP's DNS server and letting it do the recursion, will request (if not cached already) records from the root, the TLD and the domain's authoritative server to get the DNSSEC records for each, in order to be able to "walk" the path and verify each signature? So this would result in a significant increase in the number of transactions between clients and ISP DNS servers, correct? If the above is correct, then it provides me with the missing link to my understanding.

BTW, the proposed law, being done by lawyers, will have the list of sites to be banned distributed to ISPs via REGISTERED MAIL. (There are two means to have "legal" documents served, registered mail and by bailiffs, in Québec.) (There are to be financial penalties for ISPs who do not comply, so the govt needs proof of delivery.) I'll have to research how other countries tried to implement similar schemes (I believe the UK has with some of the popular torrent sites; I know the Australian attempt to filter porn failed miserably).
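As an added illustration of the walk Mark describes (DNSKEY and RRSIG per zone, checked against the DS record held by the parent, up to the root trust anchor) and of the extra lookups the question above asks about, here is a small simulation. It is not code from the thread or from BIND. The zone names, keys and addresses are constructed, the three-level chain (root, a TLD, a domain) and the DS digest computation follow RFC 4034, and a keyed MAC over the RRset stands in for the real RSA/ECDSA RRSIG so that everything runs offline; it demonstrates the chain-of-trust logic and the query count, not the public-key cryptography.

```python
import hashlib
import hmac

# Constructed toy chain of trust: "." -> "example." (TLD) -> "shop.example." (domain).
# Assumption: a MAC keyed by the DNSKEY RDATA plays the role of an RRSIG. A real
# validator verifies an RSA/ECDSA signature with the public key; the walk is the same.


def canonical_name(name):
    """Owner name in canonical wire format (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner, dnskey_rdata):
    """DS digest (RFC 4034 s5.1.4): SHA-256(canonical owner name || DNSKEY RDATA)."""
    return hashlib.sha256(canonical_name(owner) + dnskey_rdata).digest()


def sign(dnskey, owner, rtype, rdata):
    """Toy RRSIG stand-in over one RRset, keyed by the zone's DNSKEY RDATA (assumption)."""
    return hmac.new(dnskey, canonical_name(owner) + rtype.encode() + rdata, "sha256").digest()


def verify(dnskey, owner, rtype, rdata, rrsig):
    return hmac.compare_digest(sign(dnskey, owner, rtype, rdata), rrsig)


def ancestors(name):
    """Zones from the root down to `name`, e.g. ['.', 'example.', 'shop.example.']."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def build_zones():
    """Constructed signed zone data; returns (rrsets, trust anchor = DS digest of the root key)."""
    keys = {".": b"constructed-root-ksk", "example.": b"constructed-tld-ksk",
            "shop.example.": b"constructed-shop-ksk"}
    rrsets = {}
    for zone, key in keys.items():                      # DNSKEY RRset signed by its own key
        rrsets[(zone, "DNSKEY")] = (key, sign(key, zone, "DNSKEY", key))
    for child in ("example.", "shop.example."):          # DS lives at the parent, signed by the parent
        parent = ancestors(child)[-2]
        ds = ds_digest(child, keys[child])
        rrsets[(child, "DS")] = (ds, sign(keys[parent], child, "DS", ds))
    a = b"192.0.2.10"                                    # the record the client actually wanted
    rrsets[("shop.example.", "A")] = (a, sign(keys["shop.example."], "shop.example.", "A", a))
    return rrsets, ds_digest(".", keys["."])


class Resolver:
    """Answers from the constructed data and counts queries; `tamper` replaces an answer
    with (rdata, rrsig) to model an on-path modification."""

    def __init__(self, rrsets, tamper=None):
        self.rrsets, self.tamper, self.queries = rrsets, tamper or {}, 0

    def query(self, owner, rtype):
        self.queries += 1
        return self.tamper.get((owner, rtype), self.rrsets[(owner, rtype)])


def resolve_validated(name, resolver, trust_anchor):
    """Validating lookup of the A record at `name`; returns the rdata, or None if any link fails."""
    chain = ancestors(name)
    expected_ds = trust_anchor
    for i, zone in enumerate(chain):
        dnskey, sig = resolver.query(zone, "DNSKEY")
        if not verify(dnskey, zone, "DNSKEY", dnskey, sig):
            return None                                  # DNSKEY RRset not signed by its own key
        if ds_digest(zone, dnskey) != expected_ds:
            return None                                  # key not vouched for by parent DS / anchor
        if i + 1 < len(chain):
            child = chain[i + 1]
            ds, ds_sig = resolver.query(child, "DS")
            if not verify(dnskey, child, "DS", ds, ds_sig):
                return None                              # DS RRset not signed by this zone's key
            expected_ds = ds
    a, a_sig = resolver.query(name, "A")
    return a if verify(dnskey, name, "A", a, a_sig) else None


if __name__ == "__main__":
    rrsets, anchor = build_zones()
    r = Resolver(rrsets)
    print(resolve_validated("shop.example.", r, anchor), "after", r.queries, "queries")
```

A non-validating stub sends one query (the A record); the validator above sends six for a three-level name (three DNSKEY, two DS, one A), which is the extra traffic the question is about. Replacing the TLD's DNSKEY with a forged, self-consistent one passes the self-signature check but fails at the DS held by the root, and altering the A record's rdata fails its RRSIG check, so either tampering yields None rather than an address.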