Ted Lemon wrote:
> Ohta-san, I think the points you are making in response to what I have said
> are that
> (1) it's easier for a government to fake a DNS delegation than to MiTM an
> IP connection, and
> (2) if it's a government that's faking your DNS, they can jail you for
> noticing.
You miss my point that compromising employees of ISPs or zones by, say,
kidnapping their children.
> I think these are both valid points. However, I don't think they lead to
> the conclusion you are drawing. First, if the government really cares about
> censorship,
Censorship? Fake news is obviously better.
> To the second question, this is also absolutely true, but at the same time,
> as we can see, just because something is illegal doesn't mean that it's not
> useful. E.g., the government in Russia has made it illegal to protest the
> war in Ukraine, and yet we see people protesting in the streets. Their goal
> is pretty clearly to bypass a government restriction on communication.
Be also aware of fake news produced against Russia by some governments.
> Having a watchdog in software that notices when a certificate has been
> replaced by one that isn't valid isn't that hard, and while it might be
> made illegal after the fact, officially making it illegal would be a public
> act that would have to be announced by the government in order to be
> enforceable—otherwise software vendors would have no reason to know they
> were violating the law.
The point is what, if anything, DNSSEC can do against it.
> By announcing it, the government in question is
> disclosing the status of your security, which is the whole point.
But, justice defined by the government is the justice for those
who are under control of the government.
> Absent
> such a disclosure, citizens can continue to run such software, and
> continue to detect such attacks.
Though it can be a criminal offense against local justice.
Masataka Ohta