The thread on f-root reminded my of an anecdotal datum regarding DNSSEC in China. I was in China back in August, staying at the Green Lake Hotel in Kunming, Yunnan Provence. When connecting to the hotel in-room network (there was no wireless but a wired connection), I was able to properly validate DNSSEC for names like www.es.net and berkeley.edu, both of which are part of signed zones with a chain of trust from the root. I was able to do the validation on my caching resolver (BIND 9.8.x) running on my laptop. If a site was blocked by authorities, I couldn't resolve it at all, but that was also the case even if I wasn't doing validation on my laptop resolver, but instead using the resolver provided by DHCP. (FYI, I "stumbled" upon an expat bar later in my trip near Yunnan Provincial University and the folks there--Europeans and Americans--all said that the number of sites they can get to has expanded in recent months. One Finn was accessing the Guardian to get the latest on the London riots.) Another anecdote from NANOG 52: At the Denver Sheraton, I was unable to validate or resolve any name using my local laptop resolver. I couldn't even validate TLDs or dlv.isc.org, so *all* of my name resolution broke. In the end, I had to disable my local resolver entirely and use those provided by DHCP. I have nothing to say about hypocrisy or the relative level of oppression between the Chinese government versus the Starwood Group (although it's humorous to think about). What I will say is that DNSSEC made it very clear in the case of the Sheraton that they were messing with DNS because DNSSEC made the handcuffs so obviously tight. michael
On 10/5/11 10:05 , Michael Sinatra wrote:
The thread on f-root reminded my of an anecdotal datum regarding DNSSEC in China. I was in China back in August, staying at the Green Lake Hotel in Kunming, Yunnan Provence. When connecting to the hotel in-room network (there was no wireless but a wired connection), I was able to properly validate DNSSEC for names like www.es.net and berkeley.edu, both of which are part of signed zones with a chain of trust from the root. I was able to do the validation on my caching resolver (BIND 9.8.x) running on my laptop.
If a site was blocked by authorities, I couldn't resolve it at all, but that was also the case even if I wasn't doing validation on my laptop resolver, but instead using the resolver provided by DHCP. (FYI, I "stumbled" upon an expat bar later in my trip near Yunnan Provincial University and the folks there--Europeans and Americans--all said that the number of sites they can get to has expanded in recent months. One Finn was accessing the Guardian to get the latest on the London riots.)
Another anecdote from NANOG 52: At the Denver Sheraton, I was unable to validate or resolve any name using my local laptop resolver. I couldn't even validate TLDs or dlv.isc.org, so *all* of my name resolution broke. In the end, I had to disable my local resolver entirely and use those provided by DHCP.
I have nothing to say about hypocrisy or the relative level of oppression between the Chinese government versus the Starwood Group (although it's humorous to think about). What I will say is that DNSSEC made it very clear in the case of the Sheraton that they were messing with DNS because DNSSEC made the handcuffs so obviously tight.
"Nomadix developed DAT to actively monitor every packet transmitted from each device to ensure all packets are correctly configured for the network. If necessary, DAT will perform standard Network and Port Address Translation and supports Application Level Gateways (ALGs) for protocols such as FTP, H.323, PPTP, IPSec, and others. DAT also ensures that a DNS server is always available to a user through the DNS redirection function. This function redirects a user’s DNS requests to a local DNS server closer to the customer’s location—improving the response time and enabling true plug-and-play access when the subscriber’s configured DNS server is behind a firewall or located on a private Intranet. Transparent proxy assures that subscribers who have proxy configured to work with their native network get broadband access in the HotZone." http://www.nomadix.com/telecom_advantage.php
michael
participants (2)
-
Joel jaeggli -
Michael Sinatra