Hello,

On 11/13/2015 at 12:20 AM, John Levine wrote:
> In article <56455885.8090...@vaxination.ca> you write:
>> The Québec government is wanting to pass a law that will force ISPs to
>> block and/or redirect certain sites it doesn't like. (namely sites that
>> offer on-line gambling that compete against its own Loto Québec).
> Blocking is pretty easy, just don't return the result, or fake an
> NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL
> instead, but they still won't get a result.
>
> Redirecting is much harder -- as others have explained there is a
> chain of signatures from the root to the desired record, and if the
> chain isn't intact, it's SERVERFAIL again. Inserting a replacement
> record with a fake signature into the original chain is intended to be
> impossible. (If you figure out how, CSIS would really like to talk to
> you.) It is possible to configure an ISP's DNS caches to trust
> specific signatures for specific parts of the tree, but that is kludgy
> and fragile and is likely to break DNS for everyone.

I'm not a DNSSEC expert, but I wonder what the behavior would be if the ISP adds a specific trust anchor for the domain they wish to block?

> And anyway, it's pointless. What they're saying is to take the
> gambling sites out of the phone book, but this is the Internet and
> there are a million other phone books available, outside of Quebec,
> such as Google's 8.8.8.8 located in the US, that people can configure
> their computers to use with a few mouse clicks. Or you can run your
> own cache on your home network like I do, just run NSD or BIND on a
> linux laptop.
>
> They could insist that ISPs block the actual web traffic to the sites,
> by blocking IP ranges, but that is also a losing battle since it's
> trivial to circumvent with widely available free VPN software. If
> they want to outlaw VPNs, they're outlawing telework, since VPNs are
> how remote workers connect to their employers' systems, and the
> software is identical.
>
> R's,
> John

Thanks,
Alejandro
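
The chain-of-signatures behaviour discussed in this thread, including the extra trust anchor case, as an added example that is not part of either message. It is a toy model: HMAC-SHA256 stands in for DNSSEC public-key signatures, and every key, zone name and address is constructed.

```python
import hashlib
import hmac

# Toy model (assumption): HMAC-SHA256 stands in for DNSSEC public-key signatures,
# so "holding a zone's key" here means "being able to verify that zone's RRSIGs".
def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()
def ds_of(key: bytes) -> bytes:
    return hashlib.sha256(key).digest()      # DS = digest of the child zone's key

def delegation(name, key, parent_key):
    """What a resolver fetches at a zone cut: child key, DS, parent's signature on DS."""
    d = ds_of(key)
    return {"name": name, "key": key, "ds": d, "ds_sig": sign(parent_key, d)}

def validate(chain, rrset, rrsig, anchors):
    """Walk root -> leaf; return 'SECURE' or 'SERVFAIL' like a validating resolver."""
    trusted = None
    for zone in chain:
        if zone["name"] in anchors:          # locally configured trust anchor
            trusted = anchors[zone["name"]]
        elif trusted is None:
            return "SERVFAIL"                # no anchor at or above this zone
        elif (hmac.compare_digest(sign(trusted, zone["ds"]), zone["ds_sig"])
              and hmac.compare_digest(ds_of(zone["key"]), zone["ds"])):
            trusted = zone["key"]            # DS signed by parent and matches child key
        else:
            return "SERVFAIL"                # broken link in the chain
    return "SECURE" if hmac.compare_digest(sign(trusted, rrset), rrsig) else "SERVFAIL"

# Constructed sample data: keys, zone names and addresses are all made up.
ROOT, TLD, SITE, ISP = b"root-key", b"tld-key", b"site-key", b"isp-key"
root = {"name": ".", "key": ROOT}
tld = delegation("example.", TLD, ROOT)
site = delegation("blocked.example.", SITE, TLD)
real, fake = b"A 192.0.2.10", b"A 198.51.100.1"

def scenarios():
    root_only = {".": ROOT}                             # ordinary validating client
    isp_cache = {".": ROOT, "blocked.example.": ISP}    # ISP cache with the extra anchor
    swapped = dict(site, key=ISP)                       # ISP key, genuine DS from parent
    forged_ds = delegation("blocked.example.", ISP, ISP)  # DS not signed by the parent
    sig = sign(ISP, fake)
    return {
        "genuine": validate([root, tld, site], real, sign(SITE, real), root_only),
        "swapped_key": validate([root, tld, swapped], fake, sig, root_only),
        "forged_ds": validate([root, tld, forged_ds], fake, sig, root_only),
        "isp_anchor": validate([root, tld, swapped], fake, sig, isp_cache),
    }
```

In this model the redirect validates only for the resolver that holds the extra anchor; a customer whose own resolver validates from the root anchor still gets SERVFAIL for the same answer.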