Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Jean-Francois Mezei
On 2015-11-12 23:07, Mark Andrews wrote:

> They make the same queries and verify the answers the same way.


> It asks for the DNSKEY records and RRSIGs.  Verifies them against the DS
> records whick it asks for.  Repeat all the way to the root.


Is it correct to state that clients, instead of issuing a single request
to the ISP's DNS server and let it do the recursion, will request (if
not cached already) records from the root, the tld and the domain's
authoritative server to get the DNSSEC records for each in order to be
able to "walk" the path and verify each signature ?

So this would result in significant increase in number of transactions
between clients and ISP DNS servers, correct ?

If the above is correct, then it provides me with the missing link to my
understanding.


BTW, the proposed law, being done by lawyers, will have the list of
sites to be banned distributed to ISPs via REGISTERED MAIL.  (there are
two means to have "legal" documents served, registered mail and by
bailiffs in Québec).  (there are to be financial penalties to ISPs who
do not comply, so govt needs proof of delivery).

I'll have to research how other countries tried to implement similar
schemes (I believe the UK has with some of the popular torrent sites).

I know the Australian attempt to filter porn failed miserably.


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Bjørn Mork
Jean-Francois Mezei  writes:

> The Québec government is wanting to pass a law that will force ISPs to
> block and/or redirect certain sites it doesn't like.

BTDT.  See
https://torrentfreak.com/pirate-sites-must-pay-legal-costs-of-own-blockade-court-rules-150902/

(yes, we could discuss the point of all this - but that is a political
discussion, and there are better fora for those. Let's keep this
technical here, please)

Now, we mostly don't do DNSSEC validation yet, and luckily none of the
blocked domains have any DS records either. So DNSSEC is not yet a real
problem in this regard.  But there is no reason to think this luck will
last forever.  Given the "success", we can only assume there will be
more court orders.  And we do want to enable DNSSEC validation
everywhere at some point.

So what do we do? We currently point the blocked domains to addresses of
a web server with a short explanation.  But what if the domains were
signed?  We could let validating servers return SERVFAIL.  But I'd
really prefer avoiding that for the simple reason that there is no way
to distinguish that SERVFAIL from one caused by e.g. a domain owner
configuration error.  So I'm wondering if DLV might help us here?  I
imagine it will allow us to return a signed response to the client,
with the AD flag, even if we have taken control of the domain.  Or won't
that work at all if the parent has a DS record?

If the DLV strategy works, then the main advantage would be that a
validating client could distinguish between a domain owner error and a
deliberate "error" added by us as a resolver operator.  The DLV signed
response will still fail client validation.  And we would of course
publish the DLV key, so that anyone wishing to verify the source of the
failing signatures could do that (assuming that some clients may accept
us as a MITM, but still want to prevent others from the same attack).

What do you all think? Is this feasible?  Any better solutions?

OK, I should probably lab this instead of discussing it... 


Bjørn (working for Telenor, but definitely not having any role in PR or
legal matters)


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread A.L.M. Buxey
Hi,

> BTW, the proposed law, being done by lawyers, will have the list of

you say law but this idea of blocking all competitors to the states
lotto sounds very unlawful and anti-competitive  - yes, I can
understand states or countries blocking ALL gambling , thats a simple
'we dont allow it here' , but to say 'yes, you can access just ours'
well, in EU I dont think that would ever fly.

> I know the Australian attempt to filter porn failed miserably.

well, one could say people might be more determined to access porn than
gambling sites so this gambling block might be more successful.

either way, what you'll get are a host of DNS services based in other
countries - some using VPN technology etc so blocking port 53 to
other servers isnt going to work on that score either.  it wont work.

alan




Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Alarig Le Lay
On Fri Nov 13 04:27:36 2015, Jean-Francois Mezei wrote:
> I'll have to research how other countries tried to implement similar
> schemes (I believe the UK has with some of the popular torrent sites.
> 
> I know the Australian attempt to filter porn failed miserably.

We also have some torrent sites blocked in France, for example:
alarig@HP-Z210:~$ dig +noall +comments +answer t411.me @193.252.19.3
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38309
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1460
;; ANSWER SECTION:
t411.me.                16418   IN      A       127.0.0.1

alarig@HP-Z210:~$ dig +noall +comments +answer t411.me 
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41652
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
t411.me.                70      IN      A       104.18.37.180
t411.me.                70      IN      A       104.18.36.180

But, if you look at the flags, there’s no ad, so no DNSSEC (my resolver
has DNSSEC enabled)

-- 
alarig


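Alarig's two dig outputs above, run through a small checker. This is an added example, not code from the post: it pulls the header flags and the A/AAAA answers out of `dig +comments` output and reports whether the resolver set the AD bit and whether any answer is a non-global address such as 127.0.0.1. Absence of AD by itself only means the resolver did not validate (or the zone is unsigned), which is exactly what Alarig observes; it is not evidence of tampering on its own, so the verdict also looks at where the answer points. The sample input is a copy of the two responses in the post.

```python
"""Checker for `dig +comments` output: did the resolver set AD, and does the
answer point at a non-global address?  Added example, not code from the post."""
import ipaddress
import re

# Sample input: copies of the two responses shown in the post (constructed).
BLOCKED = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38309
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1460
;; ANSWER SECTION:
t411.me.                16418   IN      A       127.0.0.1
"""

NORMAL = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41652
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
t411.me.                70      IN      A       104.18.37.180
t411.me.                70      IN      A       104.18.36.180
"""

HEADER_RE = re.compile(r"status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)\s*$", re.M)


def parse_dig(text: str) -> dict:
    """Pull rcode, header flags and A/AAAA answers out of dig's comment output."""
    status = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "answers": [(m.group(1), m.group(4)) for m in RR_RE.finditer(text)],
    }


def assess(text: str) -> dict:
    """Classify one response.  'ad' set means the resolver validated the answer
    under DNSSEC.  An answer in loopback/private/reserved space cannot be a
    public site and is the usual footprint of a resolver-side sinkhole.
    A missing 'ad' alone proves nothing: the zone may simply be unsigned."""
    r = parse_dig(text)
    ips = [ip for _, ip in r["answers"]]
    non_global = [ip for ip in ips if not ipaddress.ip_address(ip).is_global]
    if r["status"] != "NOERROR":
        verdict = f"rcode {r['status']}"
    elif non_global:
        verdict = "non-global answer: likely resolver sinkhole"
    elif "ad" in r["flags"]:
        verdict = "validated"
    else:
        verdict = "unvalidated answer"
    return {"validated": "ad" in r["flags"], "answers": ips,
            "non_global": non_global, "verdict": verdict}


if __name__ == "__main__":
    for label, text in (("blocked", BLOCKED), ("normal", NORMAL)):
        print(label, assess(text))
```

Feed it real output with `dig +noall +comments +answer NAME @RESOLVER` piped to a file; comparing the same name against the ISP resolver and a validating resolver you run yourself makes the difference between "unvalidated" and "validated" visible.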


Re: Another puck.nether.net Outage?

2015-11-13 Thread Christopher Morrow
Received: from puck.nether.net (localhost [IPv6:::1])
by puck.nether.net (Postfix) with ESMTP id 25969540762;
Fri, 13 Nov 2015 07:05:01 -0500 (EST)

puck seems to be processing mail...

$ w
 09:45:28 up 2 days, 11:30,  2 users,

$ mailq | grep cisco-nsp | wc -l
174

$ mailq | grep pumpk | wc -l
0

On Fri, Nov 13, 2015 at 12:33 AM, Crist Clark  wrote:
> There hasn't been any traffic on the puck.nether.net list to which I am
> subscribed since the 10th. I sent something to cisco-nsp yesterday and
> retried today, and nothing has come through.
>
> Is it me or puck?
>
> I apologize for using NANOG for this, but jared's email is puck.nether.net
> too; something OOB is needed. I know there are many, many people here who
> also follow puck.nether.net lists and some may have another way to reach
> him.


Contact for Open Resolver Project?

2015-11-13 Thread White, Andrew
Hi there,

If anyone from the Open Resolver Project is on-list, would love to get in touch 
re. getting a feed of open resolver data for our ASN. I have not been receiving 
response to the email address listed on the project's web site.

Andrew White
Desk:  314.394-9594  | Cell:  314.308-7730
NetOps Consultant, DAS DNS group
Charter Communications
12405 Powerscourt Drive, St. Louis,  MO 63131




Re: Another puck.nether.net Outage?

2015-11-13 Thread Hugo Slabbert
The problem seems to have been with mailman. I pinged Jared OOB and he 
responded this that it's fixed. I'd sent something to outages-request prior to 
test, and that came through this morning.
--
Hugo
h...@slabnet.com: email, xmpp/jabber
also on Signal

 From: Christopher Morrow  -- Sent: 2015-11-13 - 
06:46 

> Received: from puck.nether.net (localhost [IPv6:::1])
> by puck.nether.net (Postfix) with ESMTP id 25969540762;
> Fri, 13 Nov 2015 07:05:01 -0500 (EST)
>
> puck seems to be processing mail...
>
> $ w
>  09:45:28 up 2 days, 11:30,  2 users,
>
> $ mailq | grep cisco-nsp | wc -l
> 174
>
> $ mailq | grep pumpk | wc -l
> 0
>
> On Fri, Nov 13, 2015 at 12:33 AM, Crist Clark  wrote:
>> There hasn't been any traffic on the puck.nether.net list to which I am
>> subscribed since the 10th. I sent something to cisco-nsp yesterday and
>> retried today, and nothing has come through.
>>
>> Is it me or puck?
>>
>> I apologize for using NANOG for this, but jared's email is puck.nether.net
>> too; something OOB is needed. I know there are many, many people here who
>> also follow puck.nether.net lists and some may have another way to reach
>> him.
>






Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread John Levine
>> BTW, the proposed law, being done by lawyers, will have the list of
>
>you say law but this idea of blocking all competitors to the states
>lotto sounds very unlawful and anti-competitive

This is Québec, where the rules are not the same as in the UK.  The
provincial lottery is the only legal gambling in the province, give
or take the large amount of online gambling hosted on the Mohawk
reservation that's partly in Québec and partly in New York.

>either way, what you'll get are a host of DNS services based in other
>countries - some using VPN technology etc so blocking port 53 to
>other servers isnt going to work on that score either.  it wont work.

Of course not.

R's,
John


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Owen DeLong

> On Nov 12, 2015, at 21:29 , John Levine  wrote:
> 
>>> Redirecting is much harder -- ...
> 
>> If you know that the client is using ONLY your resolver(s), couldn’t you
>> simply fake the entire chain and sign everything yourself?
> 
> I suppose, although doing that at scale in a large provider like Videotron
> (1.5M subscribers) would be quite a challenge.
> 
>> Or, alternatively, couldn’t you just fake the answers to all the “is this
>> signed?” requests and say “Nope!” regardless of the state of the 
>> authoritative
>> zone in question?
> 
> No, those responses are signed too.

Only if you pass through the claim that the parent domain is signed.

Again, if you’re the only resolver the clients are using, you can claim that
nothing from the root down is signed without ever providing any cryptographic
anything.

Seems to me that wouldn’t be significantly harder than running a resolver
at the same scale.

> 
>> Sure, if the client has any sort of independent visibility it can verify that
>> you’re lying, but if it can only talk to your resolvers, doesn’t that pretty
>> much mean it can’t tell that you’re lying to it?
> 
> At this point very few client resolvers check DNSSEC, so something
> that stripped off all the DNSSEC stuff and inserted lies where
> required would "work" for most clients.  At least until they realized
> they couldn't get to PokerStars and switched their DNS to 8.8.8.8.

If the ISPs don’t start blocking well known public resolvers or even just
blocking port 53 in general (which has been known to happen).

Owen
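The chain walk Mark Andrews describes at the top of the thread (DNSKEY and RRSIG checked against the parent's DS, repeated up to the root), and the point from this exchange that a "nothing is signed" claim is itself a signed statement from the parent, as a small runnable model. This is an added example, not code from any poster: the zone names, keys and addresses are constructed, and the signature scheme is a textbook-RSA stand-in with fixed small primes so it runs on the standard library alone (it is not secure and not the algorithm real zones use). `scenario()` returns the validator's verdict plus the number of lookups it needed, so the per-name query cost Jean-Francois asked about is visible: in this model, six lookups on a cold cache before the first A record of a three-label chain is trusted.

```python
"""Chain-of-trust walk as a DNSSEC validator performs it.  Added example for
this thread, not code from any poster.  Keys, names and addresses are
constructed; signatures use textbook RSA with fixed small primes as a stand-in
(not secure; real zones sign canonical wire-format RRsets with RSA/ECDSA/EdDSA)."""
import hashlib


def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def make_key(p: int, q: int, e: int = 65537) -> dict:
    """Constructed RSA key from two fixed primes: demo stand-in only."""
    return {"pub": (p * q, e), "priv": pow(e, -1, (p - 1) * (q - 1))}

def sign(key: dict, data: bytes) -> int:
    n, _ = key["pub"]
    return pow(_h(data) % n, key["priv"], n)

def verify(pub: tuple, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _h(data) % n

def rr_bytes(name: str, rtype: str, rdata) -> bytes:
    """Bytes an RRSIG covers: owner name, type and rdata."""
    return f"{name}|{rtype}|{rdata!r}".encode()

def ds_digest(name: str, pub: tuple) -> str:
    """DS-style digest binding a zone's DNSKEY to its owner name."""
    return hashlib.sha256(rr_bytes(name, "DNSKEY", pub)).hexdigest()

def signed(key: dict, name: str, rtype: str, rdata) -> dict:
    return {"rdata": rdata, "rrsig": sign(key, rr_bytes(name, rtype, rdata))}

def build_zones(names: list, keys: dict, unsigned=frozenset()) -> dict:
    """Responses keyed by (name, type).  Each zone self-signs its DNSKEY; the
    parent signs the child's DS or, for an unsigned child, a 'no DS' denial
    (stand-in for the NSEC/NSEC3 proof a real parent returns)."""
    db = {}
    for i, name in enumerate(names):
        if name in unsigned:
            db[(name, "DS")] = signed(keys[names[i - 1]], name, "DS", None)
            continue
        db[(name, "DNKEY" if False else "DNSKEY")] = signed(keys[name], name, "DNSKEY", keys[name]["pub"])
        if i > 0:
            db[(name, "DS")] = signed(keys[names[i - 1]], name, "DS",
                                      ds_digest(name, keys[name]["pub"]))
    return db

def ok(pub: tuple, name: str, rtype: str, rr) -> bool:
    """True if the record exists and its RRSIG verifies under pub."""
    return (rr is not None and rr["rrsig"] is not None
            and verify(pub, rr_bytes(name, rtype, rr["rdata"]), rr["rrsig"]))

def validate(db: dict, names: list, qname: str, anchor: str) -> tuple:
    """Walk from the root trust anchor (DS-style digest of the root key) down
    to qname's A record.  Returns (status, rdata, queries_made)."""
    queries = 0
    def fetch(name, rtype):
        nonlocal queries
        queries += 1
        return db.get((name, rtype))
    expected_ds, pub = anchor, None
    for name in names:
        if pub is not None:                      # below the root: DS comes first
            ds = fetch(name, "DS")
            if not ok(pub, name, "DS", ds):
                return ("bogus", None, queries)  # DS, or its denial, not signed by the parent
            if ds["rdata"] is None:              # parent proves the child is unsigned
                a = fetch(qname, "A")
                return ("insecure", a["rdata"] if a else None, queries)
            expected_ds = ds["rdata"]
        key = fetch(name, "DNSKEY")
        if (key is None or ds_digest(name, key["rdata"]) != expected_ds
                or not ok(key["rdata"], name, "DNSKEY", key)):
            return ("bogus", None, queries)      # not the key the parent delegated to
        pub = key["rdata"]
    a = fetch(qname, "A")
    return ("secure", a["rdata"], queries) if ok(pub, qname, "A", a) else ("bogus", None, queries)

# Constructed chain: root -> example. -> blocked.example.
NAMES = [".", "example.", "blocked.example."]
KEYS = {".": make_key(2147483647, 4294967291),
        "example.": make_key(999999937, 1000000007),
        "blocked.example.": make_key(998244353, 1000000009)}
ROGUE = make_key(131071, 524287)            # a key only the resolver operator holds
ANCHOR = ds_digest(".", KEYS["."]["pub"])  # all a stub with a root trust anchor knows
LEAF = NAMES[-1]

def scenario(kind: str) -> tuple:
    if kind == "fake-chain":     # every key replaced: fails at the root against the anchor
        db = build_zones(NAMES, {n: ROGUE for n in NAMES})
        db[(LEAF, "A")] = signed(ROGUE, LEAF, "A", "127.0.0.1")
        return validate(db, NAMES, LEAF, ANCHOR)
    if kind == "unsigned-zone":  # no DS in the parent: the answer is insecure, not bogus
        db = build_zones(NAMES, KEYS, unsigned={LEAF})
        db[(LEAF, "A")] = {"rdata": "127.0.0.1", "rrsig": None}
        return validate(db, NAMES, LEAF, ANCHOR)
    db = build_zones(NAMES, KEYS)
    db[(LEAF, "A")] = signed(KEYS[LEAF], LEAF, "A", "104.18.37.180")
    if kind == "sinkhole":       # answer swapped, signed with a key the zone never delegated to
        db[(LEAF, "A")] = signed(ROGUE, LEAF, "A", "127.0.0.1")
    elif kind == "strip-ds":     # 'child is unsigned', but the denial lacks the parent's signature
        db[(LEAF, "DS")] = signed(ROGUE, LEAF, "DS", None)
    return validate(db, NAMES, LEAF, ANCHOR)
```

`fake-chain` fails on the very first lookup because the root key is pinned by the trust anchor, which is what Mark Andrews's later remark about installing a root trust anchor in the stub relies on; `strip-ds` fails at the parent's DS denial, which is the "those responses are signed too" point; and `unsigned-zone` comes back "insecure" rather than "bogus", which is why, as Bjørn notes, blocked domains without DS records cause a validating resolver no trouble at all.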



Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread John R. Levine

>> At this point very few client resolvers check DNSSEC, so something
>> that stripped off all the DNSSEC stuff and inserted lies where
>> required would "work" for most clients.  At least until they realized
>> they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
>
> If the ISPs don’t start blocking well known public resolvers or even just
> blocking port 53 in general (which has been known to happen).


I doubt the ISPs in Québec would have much sympathy for this proposed law. 
It makes their life harder and provides them no benefit.  Should it pass 
(remember, it's just proposed), I expect they'd just adjust their DNS 
caches to block responses for the list of domains that the government 
mails them and claim they're in full compliance.


R's,
John


RE: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread eric-list
Actually, how are other places implementing these lists?  I would have thought 
to use RPZ, 
but as far as I know if the blocked DNS domain is using DNSSEC it wouldn't work.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of John R. Levine
Sent: Friday, November 13, 2015 12:33 PM
To: Owen DeLong
Cc: nanog@nanog.org
Subject: Re: DNSSEC and ISPs faking DNS responses

I doubt the ISPs in Québec would have much sympathy for this proposed law. 
It makes their life harder and provides them no benefit.  Should it pass 
(remember, it's just proposed), I expect they'd just adjust their DNS caches to 
block responses for the list of domains that the government mails them and 
claim they're in full compliance.

R's,
John




Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Mark Milhollan
On Thu, 13 Nov 2015, John Levine wrote:

>At this point very few client resolvers check DNSSEC, so something
>that stripped off all the DNSSEC stuff and inserted lies where
>required would "work" for most clients.  At least until they realized
>they couldn't get to PokerStars and switched their DNS to 8.8.8.8.

Except that the ISP can intercept those queries and respond as it likes.  
Such is already done at all scales.  Not that a government generally 
cares what kind of burden is required once the law is passed, cf CALEA.

True, some users would be able to detect such tampering and many of 
those could work around it.  But most will have no way to do either.

Would the masses ever replace their stub with a full resolver?  
Doubtful, unless their OS vendor does it for them.  Would that be the 
right thing to do for a few billion users of Windows and another couple 
billion using Android most of whose ISPs are providing unfaked answers?  
Would the various authoritative operators be happy / agree?  How does 
one fit local zones into the picture?

Would the masses setup a VPN to a service provider in a jurisdiction not 
subject to such foolishness so their resolver, whether stub or full, 
would have a chance at unfaked answers?  Again, I'm thinking most would 
be entirely ignorant of the issue, and in any case would be hard pressed 
to set anything up unless it was trivial, e.g., not just part of their 
OS but also Wizard-like with most answers pre-supplied.


/mark


Re: Colo space at Cermak

2015-11-13 Thread Greg Sowell
I would guess it has to do with competing with your landlord now.  I know
it's starting to happen more and more.

On Thu, Nov 12, 2015 at 8:32 PM, Mike Hammett  wrote:

> Has something happened the past couple months to cause a quick shortage of
> space at Cermak? I had an offer sent a few months ago (when I didn't need
> it) where a cab and five cross connects were cheaper than what five cross
> connects normally are, much less the cabinet value as well. Around that
> time I think cabinets were going for $700 or so for basic primary\redundant
> 20A. Now the cabinet is going for $1,800. It went from being the cheapest
> I've seen at Cermak to the most I've seen at Cermak in a matter of a few
> months. Two people with space in that building are citing an uptick in
> demand. Really? That much of a demand increase with hundreds of thousands
> of square feet coming online in the Chicago metro?
>
> Can anyone corroborate that story or are they just making stuff up hoping
> I agree to inflated cabinet prices?
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
>
>
>


-- 

GregSowell.com
TheBrothersWISP.com


Re: Another puck.nether.net Outage?

2015-11-13 Thread virendra rode
Thank you for reaching out.

Will update outages wiki so people can reach admins directly for future 
reference.

Sorry for any inconvenience this may have caused. 

regards,
outages team 

> On Nov 13, 2015, at 7:25 AM, Hugo Slabbert  wrote:
> 
> The problem seems to have been with mailman. I pinged Jared OOB and he 
> responded this that it's fixed. I'd sent something to outages-request prior 
> to test, and that came through this morning.
> --
> Hugo
> h...@slabnet.com: email, xmpp/jabber
> also on Signal
> 
>  From: Christopher Morrow  -- Sent: 2015-11-13 - 
> 06:46 
> 
>> Received: from puck.nether.net (localhost [IPv6:::1])
>> by puck.nether.net (Postfix) with ESMTP id 25969540762;
>> Fri, 13 Nov 2015 07:05:01 -0500 (EST)
>> 
>> puck seems to be processing mail...
>> 
>> $ w
>> 09:45:28 up 2 days, 11:30,  2 users,
>> 
>> $ mailq | grep cisco-nsp | wc -l
>> 174
>> 
>> $ mailq | grep pumpk | wc -l
>> 0
>> 
>>> On Fri, Nov 13, 2015 at 12:33 AM, Crist Clark  wrote:
>>> There hasn't been any traffic on the puck.nether.net list to which I am
>>> subscribed since the 10th. I sent something to cisco-nsp yesterday and
>>> retried today, and nothing has come through.
>>> 
>>> Is it me or puck?
>>> 
>>> I apologize for using NANOG for this, but jared's email is puck.nether.net
>>> too; something OOB is needed. I know there are many, many people here who
>>> also follow puck.nether.net lists and some may have another way to reach
>>> him.
> 
> 


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread John Levine
>Would the masses setup a VPN to a service provider in a jurisdiction not 
>subject to such foolishness so their resolver, whether stub or full, 
>would have a chance at unfaked answers?  Again, I'm thinking most would 
>be entirely ignorant of the issue, and in any case would be hard pressed 
>to set anything up unless it was trivial, e.g., not just part of their 
>OS but also Wizard-like with most answers pre-supplied.

I was at a most interesting session in New Zealand a few months ago,
about video streaming in NZ.  People want to watch Netflix and Hulu,
and are willing to pay for it, but NZ is such a small market that the
big providers can't be bothered to license the content for NZ, and by
the time local providers make arrangements it's a month later.  So
everyone buys a Netflix subscription and uses VPNs to pretend to be in
the US.

Take a look at Vyprvpn, which is pretty much point and install, or
even Tunnelblick which is about four clicks to set up with VPN info
from any provider.  Civilians definitely use these.

R's,
John


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Stephane Bortzmeyer
On Fri, Nov 13, 2015 at 04:27:36AM -0500,
 Jean-Francois Mezei  wrote 
 a message of 34 lines which said:

> I'll have to research how other countries tried to implement similar
> schemes

https://www.afnic.fr/en/about-afnic/news/general-news/6584/show/the-afnic-scientific-council-shares-its-report-on-dns-based-internet-filtering.html


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Stephane Bortzmeyer
On Fri, Nov 13, 2015 at 09:54:28AM +,
 a.l.m.bu...@lboro.ac.uk  wrote 
 a message of 20 lines which said:

> well, in EU I dont think that would ever fly.

It is done in France, for a long time.




Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Stephane Bortzmeyer
On Fri, Nov 13, 2015 at 10:24:27AM -0800,
 Mark Milhollan  wrote 
 a message of 30 lines which said:

> Would the masses ever replace their stub with a full resolver?
> Doubtful, unless their OS vendor does it for them.

Fedora already does it, apparently, with the excellent dnssec-trigger.

> Would the various authoritative operators be happy / agree?

Wearing my TLD operator hat: yes, we agree and we're ready for that.



Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Marco Davids
On 13/11/15 23:01, Stephane Bortzmeyer wrote:
> On Fri, Nov 13, 2015 at 09:54:28AM +,
>  a.l.m.bu...@lboro.ac.uk  wrote 
>
>> well, in EU I dont think that would ever fly.
> 
> It is done in France, for a long time

And it is common practice in Belgium as well.

http://networkmsg.telenet.be/blocked/fccu/
http://networkmsg.telenet.be/blocked/ksc/

-- 
Marco





Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Nick Hilliard
On 13/11/2015 22:10, Marco Davids wrote:
> On 13/11/15 23:01, Stephane Bortzmeyer wrote:
>> On Fri, Nov 13, 2015 at 09:54:28AM +,
>>  a.l.m.bu...@lboro.ac.uk  wrote 
>>
>>> well, in EU I dont think that would ever fly.
>>
>> It is done in France, for a long time
> 
> And it is common practice in Belgium as well.
> 
> http://networkmsg.telenet.be/blocked/fccu/
> http://networkmsg.telenet.be/blocked/ksc/

A similar law was tacked to the bottom of a finance bill regulating
gambling in Ireland a couple of months ago.  The first anyone knew of it
was when the government department responsible for gambling came knocking
on the ISP association's door wanting to talk about implementation details.

Nick



Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread David Conrad
On Nov 13, 2015, at 10:24 AM, Mark Milhollan  wrote:
> On Thu, 13 Nov 2015, John Levine wrote:
> 
>> At this point very few client resolvers check DNSSEC, so something
>> that stripped off all the DNSSEC stuff and inserted lies where
>> required would "work" for most clients.  At least until they realized
>> they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
> 
> Except that the ISP can intercept those queries and respond as it likes.

Thank you. I was wondering if anyone would mention this.

DNSSEC only protects the validator's cache. My assumption (which may be wrong) 
is that for the vast majority of folks, that means the cache that is run by the 
ISP.

How many of the ISPs in Quebec enable DNSSEC?

Even if they do, I doubt the government would care: I would presume it would be 
up to the ISP to implement the law and respond back as the law dictates.  How 
many of the ISPs would continue to enable DNSSEC if the cops show up at their 
door and turning off DNSSEC is the only way the ISP has to implement the law's 
requirements?

How many applications request DNSSEC related information and validate?

The only way DNSSEC matters in this context is if you validate locally. My 
guess is that the number of folk who do this is so low as to not be of interest 
to the Quebec government. This may be an argument for folks to run their own 
validating resolvers, but I'm not sure how you'd do that on your iPhone, iPad, 
or SmartTV.

Regards,
-drc





Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Valdis . Kletnieks
On Fri, 13 Nov 2015 14:22:15 -0800, David Conrad said:

> This may be an argument for folks to run their own validating resolvers, but
> I'm not sure how you'd do  that on your iPhone, iPad, or SmartTV.

"There's an app for that". :)




Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Mark Andrews

In message <9692ecc6-34ad-49c0-b310-10b8ef8c1...@virtualized.org>, David Conrad 
writes:
>
> On Nov 13, 2015, at 10:24 AM, Mark Milhollan  wrote:
> > On Thu, 13 Nov 2015, John Levine wrote:
> >
> >> At this point very few client resolvers check DNSSEC, so something
> >> that stripped off all the DNSSEC stuff and inserted lies where
> >> required would "work" for most clients.  At least until they realized
> >> they couldn't get to PokerStars and switched their DNS to 8.8.8.8.
> >
> > Except that the ISP can intercept those queries and respond as it likes.
>
> Thank you. I was wondering if anyone would mention this.
>
> DNSSEC only protects the validator's cache. My assumption (which may be
> wrong) is that for the vast majority of folks, that means the cache that
> is run by the ISP.
>
> How many of the ISPs in Quebec enable DNSSEC?
>
> Even if they do, I doubt the government would care: I would presume it
> would be up to the ISP to implement the law and respond back as the law
> dictates.  How many of the ISPs would continue to enable DNSSEC if the
> cops show up at their door and turning off DNSSEC is the only way the ISP
> has to implement the law's requirements?

Why would the ISP's turn off DNSSEC?  It doesn't prevent them sending back
NXDOMAIN.  The clients will validate or not.  If they validate they will
get a validation failure.  If they don't then the NXDOMAIN will be accepted.

> How many applications request DNSSEC related information and validate?
>
> The only way DNSSEC matters in this context is if you validate locally.
> My guess is that the number of folk who do this is so low as to not be of
> interest to the Quebec government. This may be an argument for folks to
> run their own validating resolvers, but I'm not sure how you'd do that on
> your iPhone, iPad, or SmartTV.

Apple just adds a validator to their stub resolver and installs a root
trust anchor.  This really isn't conceptually different to how they manage
CA's.

> Regards,
> -drc

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread David Conrad
Mark,

> On Nov 13, 2015, at 4:18 PM, Mark Andrews  wrote:
>> How many of the ISPs would continue to enable DNSSEC if the
>> cops show up at their door and turning off DNSSEC is the only way the ISP
>> has to implement the law's requirements?
> 
> Why would the ISP's turn off DNSSEC?  It doesn't prevent them sending back
> NXDOMAIN.  The clients will validate or not.  If they validate they will
> get a validation failure.  If they don't then the NXDOMAIN will be accepted.

My point was that folks at ISPs tend to prefer not to be thrown in jail.

> Apple just adds a validator to their stub resolver and installs a root
> trust anchor.

Love that plan. Let me know when you've convinced Apple to "just" add a 
validator to IOS (I'm assuming IOS doesn't currently have that capability).

> This really isn't conceptually different to how they manage
> CA's.

My point was that the vast majority of those affected by this would likely not 
be in a position to install a validating resolver on their device.

Regards,
-drc





Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Roland Dobbins
On 14 Nov 2015, at 3:01, John Levine wrote:

> Civilians definitely use these.

A very tiny percentage.  The power of the default reigns supreme.

---
Roland Dobbins 


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Roland Dobbins

On 14 Nov 2015, at 5:22, David Conrad wrote:


> Thank you. I was wondering if anyone would mention this.


+1.  This is done in some countries which are heavy-handed with Internet 
censorship.


---
Roland Dobbins 


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Roland Dobbins


On 14 Nov 2015, at 7:49, David Conrad wrote:

> My point was that the vast majority of those affected by this would 
> likely not be in a position to install a validating resolver on their 
> device.


Correct.  Most folks on this list can and will do it if they deem it 
necessary; but most folks on this list are not representative of the 
global user base.


---
Roland Dobbins 


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread John Levine
>> Civilians definitely use these.
>
>A very tiny percentage.  The power of the default reigns supreme.

People in New Zealand said differently.  It's a small country, but I
was impressed how everyone in the session (it was NetHui, not a bunch
of geeks) took for granted that you'd use a VPN to get your video fix.

Online gamblers can be a very dedicated group.  See, for example,
these blog posts and online ads about VPNs that circumvent blocks to
get to online poker sites:

http://securethoughts.com/3-best-vpns-online-poker/

https://www.reddit.com/r/poker/comments/1xu89o/using_a_vpn_to_play_real_money_poker/

http://www.onlinebettingsites.com/vpns-for-online-betting/

https://www.vpnaccounts.com/blog/internet-gambling-using-vpn/

http://calvinayre.com/2014/08/18/poker/using-a-vpn-to-play-online-poker-could-be-working-against-you/

https://www.cardschat.com/f10/new-york-players-a-vpn-220913/

http://www.billrini.com/2011/04/23/thinking-vpning-poker/

https://www.le-vpn.com/vpn-for-online-poker-and-gambling/

https://vpnuk.net/gambling.html

R's,
John


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Roland Dobbins
On 14 Nov 2015, at 10:02, John Levine wrote:

> People in New Zealand said differently.

This is a corner-case, however.

---
Roland Dobbins 


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Owen DeLong

> On Nov 13, 2015, at 19:09 , Roland Dobbins  wrote:
> 
> On 14 Nov 2015, at 10:02, John Levine wrote:
> 
>> People in New Zealand said differently.
> 
> This is a corner-case, however.

Is it really a corner-case, or, is it the first representation of  a group of 
ordinary netizens sufficiently frustrated by policy that they found a 
workaround?

If it’s a corner-case, it’s unlikely to get replicated by a similar level of 
frustration among a different group of netizens.

OTOH, if, as I suspect, it’s merely the first (or first known to us) example of 
such behavior, then it may be more of a predictive result than a corner case.

Every trend starts somewhere. Today, gamblers in Quebec don’t need to work 
around government stupidity, they can just go gamble. If the government truly 
manages to implement the proposed stupidity, that might serve as enough 
motivation to duplicate the “New Zealand Netflix Effect” in Quebec.

Surely time will tell, but I would not be so quick to dismiss this as a 
potential workaround after watching how quickly TOR was adopted to move video 
around during the Arab Spring.

Owen



Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Roland Dobbins

On 14 Nov 2015, at 10:22, Owen DeLong wrote:

> Surely time will tell, but I would not be so quick to dismiss this as 
> a potential workaround after watching how quickly TOR was adopted to 
> move video around during the Arab Spring.


By a tiny minority of people.

Selection bias.

Most people do not know what a 'VPN' is, or how to install one and get 
it working.  The number of people who do may increase somewhat over time 
due to various restrictions they seek to overcome, but it will never 
become anything close to the norm unless it is a default.


Go out onto the street and ask a selection of random passers-by if they 
know what a VPN is, if they know how to install one, if they've 
installed one.


---
Roland Dobbins 


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Owen DeLong

> On Nov 13, 2015, at 19:27 , Roland Dobbins  wrote:
> 
> On 14 Nov 2015, at 10:22, Owen DeLong wrote:
> 
>> Surely time will tell, but I would not be so quick to dismiss this as a 
>> potential workaround after watching how quickly TOR was adopted to move 
>> video around during the Arab Spring.
> 
> By a tiny minority of people.
> 
> Selection bias.
> 
> Most people do not know what a 'VPN' is, or how to install one and get it 
> working.  The number of people who do may increase somewhat over time due to 
> various restrictions they seek to overcome, but it will never become anything 
> close to the norm unless it is a default.

20 years ago, most people didn’t know what a URL or a Domain name was.

18 years ago, they were on every billboard.

People learn stuff as they need to.

Today, the vast majority of people don’t need to know what a VPN is.

New Zealand has become a notable exception to this situation as a result of 
their desire to watch US Netflix programming.

I see no reason to believe it would be 

> Go out onto the street and ask a selection of random passers-by if they know 
> what a VPN is, if they know how to install one, if they've installed one.

Not a valid test… Go out onto the street and ask a random number of people over 
30 if they know what a URL is and how to enter one into a browser.

Now, ask if they learned that more or less than 20 years ago.

In 1930, nobody knew what a television was, let alone a television remote 
control. Today, the average 6 year old can operate a DirectTV satellite system 
with a relatively high degree of facility.

What the average person knows changes over time. Assuming that it does not 
strikes me as either (1) ignoring history or (2) underestimating the general 
public even more than I do, which is saying something.

Owen



Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Matt Palmer
On Fri, Nov 13, 2015 at 09:54:28AM +, a.l.m.bu...@lboro.ac.uk wrote:
> > BTW, the proposed law, being done by lawyers, will have the list of
> 
> you say law but this idea of blocking all competitors to the state's
> lotto sounds very unlawful and anti-competitive - yes, I can
> understand states or countries blocking ALL gambling, that's a simple
> 'we don't allow it here', but to say 'yes, you can access just ours'
> well, in the EU I don't think that would ever fly.

Sweden's still part of the EU, isn't it?  ("Systembolaget", if you need a
search term).

- Matt



Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Matt Palmer
On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote:
> So what do we do? We currently point the blocked domains to addresses of
> a web server with a short explanation.  But what if the domains were
> signed?  We could let validating servers return SERVFAIL.  But I'd
> really prefer avoiding that for the simple reason that there is no way
> to distinguish that SERVFAIL from one caused by e.g. a domain owner
> configuration error.

Perhaps we need to expand RCODE to be the full octet, and indicate "blocked
for legal reasons" with RCODE value 25.

- Matt



Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Roland Dobbins

On 14 Nov 2015, at 11:32, Owen DeLong wrote:

> Go out onto the street and ask a random number of people over 30 if 
> they know what a URL is and how to enter one into a browser.


They don't know what URIs are, nor do they enter them into browsers.  
They type words into a search engine and then click on the resulting 
links.


[I was shocked when I realized this is how non-specialists access Web 
sites, about 15 years or so ago.]


> Today, the average 6 year old can operate a DirecTV satellite system 
> with a relatively high degree of facility.


And has no idea how it actually works, and can't do anything with it 
beyond the obvious.



> What the average person knows changes over time.


Yes, but not in the way you're thinking.  If anything, specialized 
technical knowledge tends to decrease over time, as technology goes from 
being used by a relatively few self-selected enthusiasts to becoming 
more mainstream and accessible to the masses.


Auto mechanics is one example from the physical world.  Cooking is 
another.  Handwriting is yet another.



> Assuming that it does not strikes me as either (1) ignoring history


See above.

> or (2) underestimating the general public even more than I do, which 
> is saying something.


Among the population of Internet users, the knowledge of how the 
Internet actually works has decreased tremendously in the last 20 years, 
as that population has expanded to include non-specialists - e.g., the 
majority.


Most computer users have no idea how computers actually work.  They 
certainly don't know what a VPN is, or how (or why) to set one up.  This 
state of affairs will continue until VPN technology becomes subsumed 
into applications and is enabled as a default, if it ever does.


---
Roland Dobbins 


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Mark Andrews

In message <20151114044614.ga4...@hezmatt.org>, Matt Palmer writes:
> On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote:
> > So what do we do? We currently point the blocked domains to addresses of
> > a web server with a short explanation.  But what if the domains were
> > signed?  We could let validating servers return SERVFAIL.  But I'd
> > really prefer avoiding that for the simple reason that there is no way
> > to distinguish that SERVFAIL from one caused by e.g. a domain owner
> > configuration error.
> 
> Perhaps we need to expand RCODE to be the full octet, and indicate "blocked
> for legal reasons" with RCODE value 25.

Rcodes were expanded to 12 bits back in 1999.  See RFC 2671.
 
> - Matt
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
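Mark's point about the 12-bit extended RCODE, as an added example (mine, not code from anyone in this thread): it builds a minimal response carrying an extended RCODE the way RFC 2671 (now RFC 6891) lays it out, and shows what a receiver that ignores the OPT RR would see. The transaction id, the query name and the use of Matt's value 25 are constructed inputs.

```python
import struct

# EDNS(0) widens the 4-bit header RCODE to 12 bits: the low 4 bits stay in
# the header, the upper 8 bits ride in the high byte of the OPT RR's TTL.
OPT_TYPE = 41


def encode_name(qname):
    """Wire-encode a dotted name as length-prefixed labels (constructed helper)."""
    labels = [l.encode() for l in qname.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_response(txid, ext_rcode, qname):
    """Build a minimal DNS response: header + one question + one OPT RR."""
    if not 0 <= ext_rcode < 4096:
        raise ValueError("extended RCODE must fit in 12 bits")
    flags = 0x8000 | (ext_rcode & 0xF)            # QR=1, low nibble of RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = EXTENDED-RCODE(8) | VERSION(8) | DO(1) | Z(15), RDLENGTH 0.
    opt_ttl = ((ext_rcode >> 4) & 0xFF) << 24
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, opt_ttl, 0)
    return header + question + opt


def skip_name(msg, off):
    """Advance past a wire-format name (handles a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_rcode(msg):
    """Return (header_rcode, extended_rcode) for a DNS message.

    A legacy receiver only ever sees header_rcode; without an OPT RR the
    two values are the same.
    """
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rcode, ((ttl >> 24) << 4) | rcode
    return rcode, rcode
```

A receiver that ignores the OPT RR reads only the low nibble, so a hypothetical RCODE 25 shows up there as RCODE 9 (NOTAUTH); RFC 8914 (2020) later added Extended DNS Error codes such as Blocked and Censored, carried as an OPT option, for exactly this kind of signalling.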


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Jean-Francois Mezei
On 2015-11-13 16:59, Stephane Bortzmeyer wrote:
> On Fri, Nov 13, 2015 at 04:27:36AM -0500,
>  Jean-Francois Mezei  wrote 
>  a message of 34 lines which said:
> 
>> I'll have to research how other countries tried to implement similar
>> schemes
> 
> https://www.afnic.fr/en/about-afnic/news/general-news/6584/show/the-afnic-scientific-council-shares-its-report-on-dns-based-internet-filtering.html
> 

Thanks to Stephane and all the others.  The afnic report will be
especially useful because it is in French and thus better understood by
Québec politicians.

And thanks to all those who filled in the gaps for DNSSEC for me.

Unfortunately, an ISP can still pretend to be authoritative for the
blocked domains and respond with a fake unsigned response. The end client
that doesn't validate will be gullible and access the redirect site.
Those who validate will get SERVFAIL or NXDOMAIN and the end result is
that the blocked web site remains blocked.


With regards to VPNs: while they may not be very well known in the USA,
they are outside the USA, where many people need VPNs to access foreign
content that is geoblocked in their home country.  New Zealand is not
alone, the practice is also common in Canada (as well as using pretend
DNS servers in the USA).

There are a number of commercial services that provide DNS "faking" that
make your Canadian requests appear to come from a USA location, so
Netflix assumes you are in a USA location when resolving whether content
is available or not.

(ex: https://www.unblock-us.com )

In the case of gambling, anyone with such an addiction will likely feel
deprived after a couple of days being blocked and will call on their
best friend Mr Google who will quickly provide ways to get around it
such as ignoring your own ISP's DNS server and using one outside of
Québec. Or using a VPN.

This may have interesting implications for Google's 8.8.8.8 which, if I
am not mistaken, peers at QIX, the Montréal exchange. Would they be
bound by the law (they are not an ISP)? Google could simply withdraw
from the QIX exchange at which point the Québec government would have 0
jurisdiction.

ISPs that serve both Ontario and Québec through Bell's DSL
infrastructure will have fun. PPPoE connections arrive at a common
connection point via L2TP tunnels, so the ISP would have to determine
the person's province based on PPPoE login credentials and assign different
DNS servers (blocked for QC, unblocked for ON).

Loto Québec is supposed to be testing for compliance, and I am not sure
how they will do that short of having a subscription to every ISP that
sells services in Québec. (Maybe they think they only have to test 3
ISPs, (telcos and cablecos) and don't realise they have over 100 ISPs to
test for compliance).  And when an ISP in Val D'Or has its DNS set to
recurse only for requests that come from its intranet, Loto Québec won't
be able to test from its cushy Montréal offices with a simple "set
server" command.

Ahh... the trouble clueless politicians can cause.





Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Royce Williams
On Fri, Nov 13, 2015 at 8:28 PM, Roland Dobbins  wrote:

> On 14 Nov 2015, at 11:32, Owen DeLong wrote:
>
> Go out onto the street and ask a random number of people over 30 if they
>> know what a URL is  and how to enter one into a browser.
>>
>
> They don't know what URIs are, nor do they enter them into browsers.  They
> type words into a search engine and then click on the resulting links.
>

They don't know what a VPN is ... but when they can't watch the Olympics on
the Internet from their own country, a buddy tells them about an "app" that
"makes you look like you're coming from a different country."  Now they can
watch the Olympics.  I saw this "one weird trick" spread like wildfire
through my non-technical acquaintances.

They don't have to know what a VPN is in order to use it -- and to pass
it on to their friends.

Royce


Re: Colo space at Cermak

2015-11-13 Thread Ishmael Rufus
The company who has the world's most played online multiplayer game moved
their servers to Chicago back in late August. Maybe that affected prices?

On Fri, Nov 13, 2015, 12:45 PM Greg Sowell  wrote:

> I would guess it has to do with competing with your landlord now.  I know
> it's starting to happen more and more.
>
> On Thu, Nov 12, 2015 at 8:32 PM, Mike Hammett  wrote:
>
> > Has something happened the past couple months to cause a quick shortage
> of
> > space at Cermak? I had an offer sent a few months ago (when I didn't need
> > it) where a cab and five cross connects were cheaper than what five cross
> > connects normally are, much less the cabinet value as well. Around that
> > time I think cabinets were going for $700 or so for basic
> primary\redundant
> > 20A. Now the cabinet is going for $1,800. It went from being the cheapest
> > I've seen at Cermak to the most I've seen at Cermak in a matter of a few
> > months. Two people with space in that building are citing an uptick in
> > demand. Really? That much of a demand increase with hundreds of thousands
> > of square feet coming online in the Chicago metro?
> >
> > Can anyone corroborate that story or are they just making stuff up hoping
> > I agree to inflated cabinet prices?
> >
> >
> >
> >
> > -
> > Mike Hammett
> > Intelligent Computing Solutions
> > http://www.ics-il.com
> >
> >
> >
> > Midwest Internet Exchange
> > http://www.midwest-ix.com
> >
> >
> >
> >
>
>
> --
>
> GregSowell.com
> TheBrothersWISP.com
>