In message <5ca68a46-2f63-466a-b418-30da71b2b...@delong.com>, Owen DeLong writes:
>
>> On Nov 12, 2015, at 20:50 , John Levine <jo...@iecc.com> wrote:
>>
>> In article <56455885.8090...@vaxination.ca> you write:
>>> The Québec government is wanting to pass a law that will force ISPs to
>>> block and/or redirect certain sites it doesn't like. (namely sites
>>> that offer on-line gambling that compete against its own Loto Québec).
>>
>> Blocking is pretty easy, just don't return the result, or fake an
>> NXDOMAIN. For a signed domain, a DNSSEC client will see a SERVERFAIL
>> instead, but they still won't get a result.
>>
>> Redirecting is much harder -- as others have explained there is a
>> chain of signatures from the root to the desired record, and if the
>> chain isn't intact, it's SERVERFAIL again. Inserting a replacement
>> record with a fake signature into the original chain is intended to be
>> impossible. (If you figure out how, CSIS would really like to talk to
>> you.) It is possible to configure an ISP's DNS caches to trust
>> specific signatures for specific parts of the tree, but that is kludgy
>> and fragile and is likely to break DNS for everyone.
>
> If you know that the client is using ONLY your resolver(s), couldn't you
> simply fake the entire chain and sign everything yourself?

Which is exactly how we test validation in nameservers. If you tell the
validator to use a bogus trust anchor you get bogus trust.

> Or, alternatively, couldn't you just fake the answers to all the "is this
> signed?" requests and say "Nope!" regardless of the state of the
> authoritative zone in question?

No. You can detect that.

> Sure, if the client has any sort of independent visibility it can verify
> that you're lying, but if it can only talk to your resolvers, doesn't that
> pretty much mean it can't tell that you're lying to it?

No. The root's trust anchors are published independently of whatever your
ISP does. This isn't something you learn via DHCP.

>> And anyway, it's pointless. What they're saying is to take the
>> gambling sites out of the phone book, but this is the Internet and
>> there are a million other phone books available, outside of Quebec,
>> such as Google's 8.8.8.8 located in the US, that people can configure
>> their computers to use with a few mouse clicks. Or you can run your
>> own cache on your home network like I do, just run NSD or BIND on a
>> linux laptop.
>
> I believe the traditional statement is "This type of regulation is
> considered damage and will be routed around."
>
>> They could insist that ISPs block the actual web traffic to the sites,
>> by blocking IP ranges, but that is also a losing battle since it's
>> trivial to circumvent with widely available free VPN software. If
>> they want to outlaw VPNs, they're outlawing telework, since VPNs are
>> how remote workers connect to their employers' systems, and the
>> software is identical.
>
> It's also fairly easy for the gambling sites to become somewhat IP Agile
> creating a game of Whack-a-mole for the regulators and the ISPs they
> are inflicting this pain on.
>
> Owen

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
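The two points Mark makes above (a validator walks a signed chain down from a trust anchor it obtained out of band, so an ISP resolver that re-signs the chain with its own keys only convinces clients configured with that bogus anchor) can be shown with a toy chain-of-trust validator. This is an added example written for this page, not code from ISC, BIND or anyone in the thread. It uses Lamport one-time signatures over SHA-256 so it runs with only the Python standard library; the zone names, the delegation path root -> ca -> example.ca, the addresses (RFC 5737 documentation ranges) and the JSON record encoding are all constructed stand-ins for real DNSKEY/DS/RRSIG records.

```python
# Toy DNSSEC chain-of-trust validator (constructed example, not ISC or BIND code).
# Signatures are Lamport one-time signatures over SHA-256 so only the standard
# library is needed; real DNSSEC uses RSA/ECDSA/EdDSA, but the chain logic is the same.
import hashlib
import json
import os

ZONES = ["root", "ca", "example.ca"]            # constructed delegation path
NAME = "example.ca"                             # constructed name being looked up
REAL_IP, REDIRECT_IP = "192.0.2.10", "203.0.113.7"  # RFC 5737 documentation addresses


def _h(b):
    return hashlib.sha256(b).digest()


def _bits(data):
    d = _h(data)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def keygen():
    """Lamport key pair: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def sign(sk, data):
    return [sk[i][bit] for i, bit in enumerate(_bits(data))]


def verify(pk, data, sig):
    return all(_h(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(data)))


def ds_of(pk):
    """Digest of a zone's public key, the role a DS record plays in the parent zone."""
    return _h(b"".join(a + b for a, b in pk)).hex()


def build_chain(keys, name, ip):
    """Signed hops from the root down to the A record, as the zone operators publish
    them.  keys maps zone name -> (sk, pk); each hop is signed by the zone that owns it."""
    chain = []
    for parent, child in zip(ZONES, ZONES[1:]):
        rrset = json.dumps({"owner": child, "ds": ds_of(keys[child][1])}).encode()
        chain.append({"pk": keys[parent][1], "rrset": rrset, "sig": sign(keys[parent][0], rrset)})
    leaf = json.dumps({"owner": name, "A": ip}).encode()
    chain.append({"pk": keys[name][1], "rrset": leaf, "sig": sign(keys[name][0], leaf)})
    return chain


def validate(chain, trust_anchor_ds):
    """Walk the chain starting from the configured trust anchor.  Returns the A record
    on success, or None (a real validator answers SERVFAIL) when any link fails."""
    expected = trust_anchor_ds
    for hop in chain:
        if ds_of(hop["pk"]) != expected:          # key is not the one the parent vouched for
            return None
        if not verify(hop["pk"], hop["rrset"], hop["sig"]):
            return None                           # record was altered or signed by someone else
        rr = json.loads(hop["rrset"])
        if "ds" in rr:
            expected = rr["ds"]                   # descend to the delegated child zone
        else:
            return rr["A"]
    return None


# Genuine keys held by the real zone operators, and a second key set a resolver
# operator could generate if it tried to sign a redirect itself (both constructed).
GENUINE = {z: keygen() for z in ZONES}
FORGED = {z: keygen() for z in ZONES}
REAL_ANCHOR = ds_of(GENUINE["root"][1])    # shipped with the client, obtained out of band
BOGUS_ANCHOR = ds_of(FORGED["root"][1])    # "tell the validator to use a bogus trust anchor"


def honest_answer():
    return validate(build_chain(GENUINE, NAME, REAL_IP), REAL_ANCHOR)


def redirect_with_real_anchor():
    """A resolver re-signs the whole chain with its own keys; a client holding the
    real root anchor rejects the very first hop because the root key digest differs."""
    return validate(build_chain(FORGED, NAME, REDIRECT_IP), REAL_ANCHOR)


def redirect_with_bogus_anchor():
    """Only a client configured to trust the forged root accepts the redirect."""
    return validate(build_chain(FORGED, NAME, REDIRECT_IP), BOGUS_ANCHOR)


def tampered_leaf():
    """Genuine chain, but the final A record is swapped: the leaf signature no longer verifies."""
    chain = build_chain(GENUINE, NAME, REAL_IP)
    chain[-1]["rrset"] = json.dumps({"owner": NAME, "A": REDIRECT_IP}).encode()
    return validate(chain, REAL_ANCHOR)


if __name__ == "__main__":
    print("honest chain, real anchor:  ", honest_answer())
    print("forged chain, real anchor:  ", redirect_with_real_anchor())
    print("forged chain, bogus anchor: ", redirect_with_bogus_anchor())
    print("tampered leaf, real anchor: ", tampered_leaf())
```

The model also covers the "just say it isn't signed" idea: in this toy, whether a child zone has a key is stated only by a delegation record the parent signed, so a resolver cannot claim "unsigned" for a zone any more than it can substitute a key, because it cannot produce the parent's signature over that claim. Real DNSSEC makes the same argument with signed NSEC/NSEC3 records proving the absence of a DS. The one thing that does defeat validation is the client trusting the wrong anchor, which is why anchors are distributed with the software and updated through the RFC 5011 rollover mechanism rather than learned from the network.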