This will only create a new private (non-public) DNS service in China or Romania for Canadians to use. Imagine that someone in China starts a business to help people get around censorship in countries other than China.
You nailed it - "clueless politicians".

Bob Evans
CTO

> The Québec government is wanting to pass a law that will force ISPs to block and/or redirect certain sites it doesn't like (namely sites that offer on-line gambling that compete against its own Loto Québec).
>
> In order to make a good submission to government, one has to boil it down to simple enough arguments that clueless politicians can understand. And for me to do that, I want to make sure I understand this correctly.
>
> I have tried to research DNSSEC and while I understand how a proper DNS server can validate the chain from the
> - root server
> - TLD server
> - authoritative DNS server for that domain
>
> I remain in the dark with regards to clients, namely clients who cannot trust the DNS server supplied as part of DHCP/IPCP/PPPoE responses.
>
> Say a consumer wants to connect to lottery.com, which, from the world outside the ISP, would result in a signed, verifiable response.
>
> Can't the ISP's DNS server just pretend it is authoritative for lottery.com and return to the client a non-DNSSEC response that points to a fake IP address?
>
> If the client gets an unsigned response for lottery.com from its ISP's DNS server, how can it know it is a fake response? How can it know that lottery.com should have generated a signed DNSSEC response?
>
> It seems to me that unless each client goes to the TLD servers (they already have root signatures), gets the signature of the TLD server and a signed response of where "lottery.com" can be found, they have no way to know whether lottery.com should be signed or not, and whether the answer they got from their ISP is good or not.
>
> Is that a proper understanding?
>
> So far, I have seen good explanations of what happens between DNS servers and the servers that are authoritative for domain, TLD and root. But I have seen nothing about clients who only have a resolver that talks to a DNS server.
>
> And while I am at it: when a client gets a legit response from the ISP's DNS server with RRSIG records, how does the client obtain the public key against which to run the record to ensure its calculated signature matches that provided in the RRSIG?
>
> Or do DNS servers return the full chain of records so that a request for lottery.com returns not only the record for lottery.com but also .com's reply on where lottery.com is and root's reply of where .com is?
>
> Hopefully, I am only missing a small bit that would explain everything that happens at the client side. But as long as I am told that the client only talks to the ISP's DNS server, I am at a loss.
>
> Any help appreciated. (I just watched an hour-long YouTube on the subject which didn't deal with the client much.)
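The client-side question in the quoted message (must the stub walk root -> TLD -> zone itself, and how does it know lottery.com should be signed at all?) as an added Go example, not code from this thread or from any real resolver: a simplified model in which the parent's signed DS record is what tells a validating client that the child zone must be signed, so an unsigned answer for lottery.com handed back by an interposed resolver is rejected as bogus rather than accepted as "just unsigned". Zone keys, names and addresses are constructed, and the record canonical form is a placeholder for RFC 4034's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Simplified DNSSEC chain model (an assumption for illustration, not RFC 4034
// wire format or key tags): each zone has one key pair, signs its own records,
// and the parent publishes and signs a DS record holding SHA-256 of the child key.
type Record struct{ Owner, Type, Data string; Sig []byte } // Sig nil: unsigned answer
type Zone struct{ Priv ed25519.PrivateKey; Pub ed25519.PublicKey }
type Link struct{ DS, DNSKEY Record } // one delegation: parent-signed DS, child's self-signed DNSKEY (hex)

func NewZone() Zone { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return Zone{priv, pub} }
func canon(r Record) []byte { return []byte(r.Owner + "|" + r.Type + "|" + r.Data) } // stand-in for RFC 4034 canonical form
func keyDigest(pub []byte) string { s := sha256.Sum256(pub); return hex.EncodeToString(s[:]) }

// Sign returns the record together with its RRSIG under this zone's key.
func (z Zone) Sign(o, t, d string) Record {
	r := Record{Owner: o, Type: t, Data: d}
	return Record{o, t, d, ed25519.Sign(z.Priv, canon(r))}
}

// Validate is the client-side check the question asks about: start at the root
// trust anchor and follow DS -> DNSKEY at each delegation before believing the answer.
func Validate(anchor ed25519.PublicKey, chain []Link, answer Record) bool {
	trusted := anchor
	for _, l := range chain {
		if !ed25519.Verify(trusted, canon(l.DS), l.DS.Sig) { return false } // parent never signed this DS
		key, _ := hex.DecodeString(l.DNSKEY.Data)
		if len(key) != ed25519.PublicKeySize || keyDigest(key) != l.DS.Data || !ed25519.Verify(key, canon(l.DNSKEY), l.DNSKEY.Sig) { return false } // DNSKEY does not match DS
		trusted = key
	}
	// A signed DS exists for this zone, so it must be signed: an unsigned or re-signed
	// answer is bogus (only a proven missing DS would make an unsigned answer "insecure").
	return answer.Sig != nil && ed25519.Verify(trusted, canon(answer), answer.Sig)
}

// Demo: root -> com -> lottery.com with constructed keys; genuine signed answer vs. an unsigned substitute.
func Demo() (genuine, forged bool) {
	root, com, lot := NewZone(), NewZone(), NewZone()
	chain := []Link{
		{root.Sign("com.", "DS", keyDigest(com.Pub)), com.Sign("com.", "DNSKEY", hex.EncodeToString(com.Pub))},
		{com.Sign("lottery.com.", "DS", keyDigest(lot.Pub)), lot.Sign("lottery.com.", "DNSKEY", hex.EncodeToString(lot.Pub))},
	}
	genuine = Validate(root.Pub, chain, lot.Sign("lottery.com.", "A", "192.0.2.10"))
	forged = Validate(root.Pub, chain, Record{Owner: "lottery.com.", Type: "A", Data: "192.0.2.99"})
	return
}

func main() { g, f := Demo(); fmt.Println("genuine:", g, "forged:", f) }
```

Real validators (unbound, a validating stub, or a resolver with DNSSEC enabled) do exactly this walk, fetching the DS and DNSKEY sets for each label from the same upstream; the upstream can withhold or alter them, but it cannot forge the signatures, so the client ends up with either a validated answer or a detectable failure.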