Re: DNSSEC and ISPs faking DNS responses

On Thu, Nov 12, 2015 at 10:27:01PM -0500, Jean-Francois Mezei wrote a message of 66 lines which said: > The Québec government is wanting to pass a law that will force ISPs > to block and/or redirect certain sites it doesn't like. (namely > sites that offer

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 14:32, Jaap Akkerhuis wrote: > There is now a push to forbid the sales of these thingies. A push to forbid the sale of Raspberry Pis, of VPNs, or of both? Where? Thanks! --- Roland Dobbins

Re: DNSSEC and ISPs faking DNS responses

On Tue, Nov 17, 2015 at 7:21 PM, Roland Dobbins wrote: > On 14 Nov 2015, at 14:32, Jaap Akkerhuis wrote: > >> There is now a push to forbid the sales of these thingies. > > A push to forbid the sale of Raspberry Pis, of VPNs, or of both? > * > Where? elbonia. > Thanks! > >

Re: DNSSEC and ISPs faking DNS responses

"Roland Dobbins" writes: > On 14 Nov 2015, at 14:32, Jaap Akkerhuis wrote: > > > There is now a push to forbid the sales of these thingies. > > A push to forbid the sale of Raspberry Pis, of VPNs, or of both? > No, a push on devices which allow access to "illegal" material. The devives

Re: DNSSEC and ISPs faking DNS responses

On Sat, 14 Nov 2015 08:32:51 +0100, Jaap Akkerhuis said: > Most people don't need to know. They just buy a cheap (EUR 50 or > so seems to be the starting price) application (rasberry Pi or > similar stuff based) which gives them what they want. > > There is now a push to forbid the sales of these

Re: DNSSEC and ISPs faking DNS responses

Owen DeLong wrote: > Again, if you’re the only resolver the clients are using, you can claim that > nothing from the root down is signed without ever providing any cryptographic > anything. If the client is validating it will know the root is signed and the ISP resolver will

RE: DNSSEC and ISPs faking DNS responses

eric-l...@truenet.com wrote: > Actually, how are other places implementing these lists? I would have > thought to use RPZ, but as far as I know if the blocked DNS domain is > using DNSSEC it wouldn't work. You can configure RPZ with the "break-dnssec" option which means

Re: DNSSEC and ISPs faking DNS responses

"Roland Dobbins" writes: > On 14 Nov 2015, at 10:22, Owen DeLong wrote: > > By a tiny minority of people. > > Selection bias. > > Most people do not know what a 'VPN' is, or how to install one and get > it working. Most people don't need to know. They just buy a cheap (EUR 50 or so

Re: DNSSEC and ISPs faking DNS responses

> On Nov 14, 2015, at 00:21 , Roland Dobbins wrote: > > On 14 Nov 2015, at 13:36, Jean-Francois Mezei wrote: > >> With regards to VPNs: while they may not be very well known in the USA, they >> are outside the USA where many people need VPNs to access foreign content >>

Re: DNSSEC and ISPs faking DNS responses

> On Nov 14, 2015, at 03:11 , Roland Dobbins wrote: > > On 14 Nov 2015, at 16:05, Owen DeLong wrote: > >> Lots of VPN services out there like the ones mentioned earlier in the thread >> have made it nearly as simple to install and operate a VPN. > > Until the setup and

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 16:27, Owen DeLong wrote: Today. Yes, today, and tomorrow, and next week, and next month, and next year, etc. Why on earth do you assume that this will not continue to expand and/or accelerate its rate of expansion as word spreads that it is possible? Because it

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 19:07, Owen DeLong wrote: The point you seem to be missing is that your “until…” is already met. Not AFAICT. It isn't a default in the OS and on the window manager/home screen. I know of at least one ISP that is providing CPE with VPN pre-configured and built in.

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 13:36, Jean-Francois Mezei wrote: With regards to VPNs: while they may not be very well known in the USA, they are outside the USA where many people need VPNs to access foreign content that is geoblocked in their home country. I do not live in the United States; I live

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 13:38, Royce Williams wrote: > They don't have to know what a VPN is in order to to use it -- and to pass > it on to their friends. That's still a very small proportion of the user base. --- Roland Dobbins

Re: DNSSEC and ISPs faking DNS responses

> On Nov 13, 2015, at 21:28 , Roland Dobbins wrote: > > On 14 Nov 2015, at 11:32, Owen DeLong wrote: > >> Go out onto the street and ask a random number of people over 30 if they >> know what a URL is and how to enter one into a browser. > > They don't know what URIs

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 16:05, Owen DeLong wrote: Lots of VPN services out there like the ones mentioned earlier in the thread have made it nearly as simple to install and operate a VPN. Until the setup and functionality are automagic, we're not going to see broad use of VPNs by non-specialists.

Re: DNSSEC and ISPs faking DNS responses

On Sat, Nov 14, 2015 at 3:34 AM, Roland Dobbins wrote: >> >> More likely this is going to be iterations of what is already being more widely accepted. Downloadable pre-configured client software that works with a particular VPN service. > > > Again, downloading is a barrier to

Re: DNSSEC and ISPs faking DNS responses

* rdobb...@arbor.net (Roland Dobbins) [Sat 14 Nov 2015, 04:13 CET]: On 14 Nov 2015, at 10:02, John Levine wrote: People in New Zealand said differently. This is a corner-case, however. We can continue citing corner cases, like the % of people in Turkey who use Google DNS since their

Re: DNSSEC and ISPs faking DNS responses

>Until the setup and functionality are automagic, we're not going to see >broad use of VPNs by non-specialists. I'm getting the impression you haven't yet gotten around to looking at VPN applications intended for non-specialists. Here's a good one to start with:

Re: DNSSEC and ISPs faking DNS responses

On Sat, Nov 14, 2015 at 01:36:06AM -0500, Jean-Francois Mezei wrote a message of 71 lines which said: > Loto Québec is supposed to be testing for compliance, and I am not > sure how they will do that short of having a subscription to every > ISP that sells

Re: DNSSEC and ISPs faking DNS responses

So when will we see CPE routers with built-in secure resolver and VPN client? Log in to 192.168.1.1 and select your country of the day from a drop down. Regards Baldur

Re: DNSSEC and ISPs faking DNS responses

In article you write: >So when will we see CPE routers with built-in secure resolver and VPN >client? Log in to 192.168.1.1 and select your country of the day from a >drop down. VyprVPN has a plug in for Tomato. R's, John

Re: DNSSEC and ISPs faking DNS responses

On Sat, Nov 14, 2015 at 05:32:41PM +1100, Mark Andrews wrote: > In message <20151114044614.ga4...@hezmatt.org>, Matt Palmer writes: > > On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bj�rn Mork wrote: > > > So what do we do? We currently point the blocked domains to addresses of > > > a web server with

Re: DNSSEC and ISPs faking DNS responses

On 15 Nov 2015, at 2:25, John Levine wrote: They have point'n'click apps for all the usual platforms. They are not defaults. I think that many people on this list don't understand that the vast majority of users around the world do not know what a VPN is, do not know why they might need

Re: DNSSEC and ISPs faking DNS responses

On 11/14/2015 16:48, Roland Dobbins wrote: On 15 Nov 2015, at 2:25, John Levine wrote: They have point'n'click apps for all the usual platforms. They are not defaults. I think that many people on this list don't understand that the vast majority of users around the world do not know what a

Re: DNSSEC and ISPs faking DNS responses

On 11/14/2015 16:56, Larry Sheldon wrote: On 11/14/2015 16:48, Roland Dobbins wrote: On 15 Nov 2015, at 2:25, John Levine wrote: They have point'n'click apps for all the usual platforms. They are not defaults. I think that many people on this list don't understand that the vast majority of

Re: DNSSEC and ISPs faking DNS responses

On 15 Nov 2015, at 2:08, Niels Bakker wrote: When will there be enough 'corner cases' to convince you it's business as usual? The majority of people who use the Internet in Turkey do not in fact use Google DNS. It is an informed and motivated minority. The most recent statistics I can

Re: DNSSEC and ISPs faking DNS responses

In article <339de9d9-f459-48e3-8d27-94eb76c90...@arbor.net> you write: >On 15 Nov 2015, at 2:25, John Levine wrote: > >> They have point'n'click apps for all the usual platforms. > >They are not defaults. The question at hand is whether gamblers faced with government blocking would use VPNS to

Re: DNSSEC and ISPs faking DNS responses

>Do you believe that percentage is going to significantly increase over >time? What relevance does that have to gamblers using VPNs to circumvent blocks? R's, John

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 23:39, Royce Williams wrote: Downloading is now much more common 2than during the age of the browser wars. Sure, I understand that. As of October 2014, 64% of American adults owned a smartphone [1]. Phones don't usually come with Candy Crush, but somehow, 93

Re: DNSSEC and ISPs faking DNS responses

On 15 Nov 2015, at 6:01, Larry Sheldon wrote: in spite of your best attempts to prevent it. My 'best attempts to prevent it'? You're obviously addressing someone else. I'm not trying to prevent anyone accessing anything. On the contrary, I'm very much in favor of making applications and

Re: DNSSEC and ISPs faking DNS responses

On Sun, 15 Nov 2015, Roland Dobbins wrote: > On 15 Nov 2015, at 2:25, John Levine wrote: > > > They have point'n'click apps for all the usual platforms. > > They are not defaults. > > I think that many people on this list don't understand that the vast majority > of users around the world do

Re: DNSSEC and ISPs faking DNS responses

> On Nov 14, 2015, at 04:34 , Roland Dobbins wrote: > > On 14 Nov 2015, at 19:07, Owen DeLong wrote: > >> The point you seem to be missing is that your “until…” is already met. > > Not AFAICT. It isn't a default in the OS and on the window manager/home > screen. > >> I

Re: DNSSEC and ISPs faking DNS responses

> > And it may only take a secondary use case to reach critical mass. People I > know who use WhatsApp seem to have started using it to avoid per-text > charges, not to get end-to-end encrypted messaging. But now, even if > Facebook's estimate [2] of 450 million WhatsApp users is 90% inflated,

Re: DNSSEC and ISPs faking DNS responses

On 2015-11-12 23:07, Mark Andrews wrote: > They make the same queries and verify the answers the same way. > It asks for the DNSKEY records and RRSIGs. Verifies them against the DS > records whick it asks for. Repeat all the way to the root. Is it correct to state that clients, instead of

Re: DNSSEC and ISPs faking DNS responses

Jean-Francois Mezei writes: > The Québec government is wanting to pass a law that will force ISPs to > block and/or redirect certain sites it doesn't like. BTDT. See https://torrentfreak.com/pirate-sites-must-pay-legal-costs-of-own-blockade-court-rules-150902/

Re: DNSSEC and ISPs faking DNS responses

Hi, > BTW, the proposed law, being done by lawyers, will have the list of you say law but this idea of blocking all competitors to the states lotto sounds very unlawful and anti-competitive - yes, I can understand states or countries blocking ALL gambling , thats a simple 'we dont allow it

Re: DNSSEC and ISPs faking DNS responses

> On Nov 12, 2015, at 21:29 , John Levine wrote: > >>> Redirecting is much harder -- ... > >> If you know that the client is using ONLY your resolver(s), couldn’t you >> simply fake the entire chain and sign everything yourself? > > I suppose, although doing that at scale in a

Re: DNSSEC and ISPs faking DNS responses

>> BTW, the proposed law, being done by lawyers, will have the list of > >you say law but this idea of blocking all competitors to the states >lotto sounds very unlawful and anti-competitive This is Qu�bec, where the rules are not the same as in the UK. The provincial lottery is the only

RE: DNSSEC and ISPs faking DNS responses

[mailto:nanog-boun...@nanog.org] On Behalf Of John R. Levine Sent: Friday, November 13, 2015 12:33 PM To: Owen DeLong Cc: nanog@nanog.org Subject: Re: DNSSEC and ISPs faking DNS responses I doubt the ISPs in Québec would have much sympathy for this proposed law. It makes their life harder and provides them

Re: DNSSEC and ISPs faking DNS responses

At this point very few client resolvers check DNSSEC, so something that stripped off all the DNSSEC stuff and inserted lies where required would "work" for most clients. At least until they realized they couldn't get to PokerStars and switched their DNS to 8.8.8.8. If the ISPs don’t start

Re: DNSSEC and ISPs faking DNS responses

On Thu, 13 Nov 2015, John Levine wrote: >At this point very few client resolvers check DNSSEC, so something >that stripped off all the DNSSEC stuff and inserted lies where >required would "work" for most clients. At least until they realized >they couldn't get to PokerStars and switched their

Re: DNSSEC and ISPs faking DNS responses

>Would the masses setup a VPN to a service provider in a jurisdiction not >subject to such foolishness so their resolver, whether stub or full, >would have a chance at unfaked answers? Again, I'm thinking most would >be entirely ignorant of the issue, and in any case would be hard pressed >to

Re: DNSSEC and ISPs faking DNS responses

On Fri, Nov 13, 2015 at 04:27:36AM -0500, Jean-Francois Mezei wrote a message of 34 lines which said: > I'll have to research how other countries tried to implement similar > schemes

Re: DNSSEC and ISPs faking DNS responses

On 13/11/2015 22:10, Marco Davids wrote: > On 13/11/15 23:01, Stephane Bortzmeyer wrote: >> On Fri, Nov 13, 2015 at 09:54:28AM +, >> a.l.m.bu...@lboro.ac.uk wrote >> >>> well, in EU I dont think that would ever fly. >> >> It is done in France, for a long time > >

Re: DNSSEC and ISPs faking DNS responses

On Fri, 13 Nov 2015 14:22:15 -0800, David Conrad said: > This may be an argument for folks to run their own validating resolvers, but > I'm not sure how you'd do that on your iPhone, iPad, or SmartTV. "There's an app for that". :) pgpKxb5_TtHXE.pgp Description: PGP signature

Re: DNSSEC and ISPs faking DNS responses

On Fri, Nov 13, 2015 at 09:54:28AM +, a.l.m.bu...@lboro.ac.uk wrote a message of 20 lines which said: > well, in EU I dont think that would ever fly. It is done in France, for a long time .

Re: DNSSEC and ISPs faking DNS responses

On 13/11/15 23:01, Stephane Bortzmeyer wrote: > On Fri, Nov 13, 2015 at 09:54:28AM +, > a.l.m.bu...@lboro.ac.uk wrote > >> well, in EU I dont think that would ever fly. > > It is done in France, for a long time And it is common practice in Belgium as well.

Re: DNSSEC and ISPs faking DNS responses

On Nov 13, 2015, at 10:24 AM, Mark Milhollan wrote: > On Thu, 13 Nov 2015, John Levine wrote: > >> At this point very few client resolvers check DNSSEC, so something >> that stripped off all the DNSSEC stuff and inserted lies where >> required would "work" for most clients.

Re: DNSSEC and ISPs faking DNS responses

On Fri, Nov 13, 2015 at 10:24:27AM -0800, Mark Milhollan wrote a message of 30 lines which said: > Would the masses ever replace their stub with a full resolver? > Doubtful, unless their OS vendor does it for them. Fedora already does it, apparently, with the excellent

Re: DNSSEC and ISPs faking DNS responses

Mark, > On Nov 13, 2015, at 4:18 PM, Mark Andrews wrote: >> How many of the ISPs would continue to enable DNSSEC if the >> cops show up at their door and turning off DNSSEC is the only way the ISP >> has to implement the law's requirements? > > Why would the ISP's turn off

Re: DNSSEC and ISPs faking DNS responses

>> Civilians definitely use these. > >A very tiny percentage. The power of the default reigns supreme. People in New Zealand said differently. It's a small country, but I was impressed how everyone in the session (it was NetHui, not a bunch of geeks) took for granted that you'd use a VPN to get

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 5:22, David Conrad wrote: Thank you. I was wondering if anyone would mention this. +1. This is done in some countries which are heavy-handed with Internet censorship. --- Roland Dobbins

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 10:02, John Levine wrote: > People in New Zealand said differently. This is a corner-case, however. --- Roland Dobbins

Re: DNSSEC and ISPs faking DNS responses

On Fri, Nov 13, 2015 at 09:54:28AM +, a.l.m.bu...@lboro.ac.uk wrote: > > BTW, the proposed law, being done by lawyers, will have the list of > > you say law but this idea of blocking all competitors to the states > lotto sounds very unlawful and anti-competitive - yes, I can > understand

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 7:49, David Conrad wrote: My point was that the vast majority of those affected by this would likely not be in a position to install a validating resolver on their device. Correct. Most folks on this list can and will do it if they deem it necessary; but most folks on

Re: DNSSEC and ISPs faking DNS responses

In message <9692ecc6-34ad-49c0-b310-10b8ef8c1...@virtualized.org>, David Conrad writes: > > On Nov 13, 2015, at 10:24 AM, Mark Milhollan wrote: > > On Thu, 13 Nov 2015, John Levine wrote: > > > >> At this point very few client resolvers check DNSSEC, so something > >> that

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 3:01, John Levine wrote: > Civilians definitely use these. A very tiny percentage. The power of the default reigns supreme. --- Roland Dobbins

Re: DNSSEC and ISPs faking DNS responses

> On Nov 13, 2015, at 19:09 , Roland Dobbins wrote: > > On 14 Nov 2015, at 10:02, John Levine wrote: > >> People in New Zealand said differently. > > This is a corner-case, however. Is it really a corner-case, or, is it the first representation of a group of ordinary

Re: DNSSEC and ISPs faking DNS responses

On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote: > So what do we do? We currently point the blocked domains to addresses of > a web server with a short explanation. But what if the domains were > signed? We could let validating servers return SERVFAIL. But I'd > really prefer

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 10:22, Owen DeLong wrote: Surely time will tell, but I would not be so quick to dismiss this as a potential workaround after watching how quickly TOR was adopted to move video around during the Arab Spring. By a tiny minority of people. Selection bias. Most people do not

Re: DNSSEC and ISPs faking DNS responses

> On Nov 13, 2015, at 19:27 , Roland Dobbins wrote: > > On 14 Nov 2015, at 10:22, Owen DeLong wrote: > >> Surely time will tell, but I would not be so quick to dismiss this as a >> potential workaround after watching how quickly TOR was adopted to move >> video around

Re: DNSSEC and ISPs faking DNS responses

On Fri, Nov 13, 2015 at 8:28 PM, Roland Dobbins wrote: > On 14 Nov 2015, at 11:32, Owen DeLong wrote: > > Go out onto the street and ask a random number of people over 30 if they >> know what a URL is and how to enter one into a browser. >> > > They don't know what URIs are,

Re: DNSSEC and ISPs faking DNS responses

On 2015-11-13 16:59, Stephane Bortzmeyer wrote: > On Fri, Nov 13, 2015 at 04:27:36AM -0500, > Jean-Francois Mezei wrote > a message of 34 lines which said: > >> I'll have to research how other countries tried to implement similar >> schemes > >

Re: DNSSEC and ISPs faking DNS responses

On 14 Nov 2015, at 11:32, Owen DeLong wrote: Go out onto the street and ask a random number of people over 30 if they know what a URL is and how to enter one into a browser. They don't know what URIs are, nor do they enter them into browsers. They type words into a search engine and then

Re: DNSSEC and ISPs faking DNS responses

In message <20151114044614.ga4...@hezmatt.org>, Matt Palmer writes: > On Fri, Nov 13, 2015 at 10:51:52AM +0100, Bjørn Mork wrote: > > So what do we do? We currently point the blocked domains to addresses of > > a web server with a short explanation. But what if the domains were > > signed? We

Re: DNSSEC and ISPs faking DNS responses

On Fri Nov 13 04:27:36 2015, Jean-Francois Mezei wrote: > I'll have to research how other countries tried to implement similar > schemes (I believe the UK has with some of the popular torrent sites. > > I know the Australian attempt to filter porn failed miserably. We also have some torrent

Re: DNSSEC and ISPs faking DNS responses

> On Nov 12, 2015, at 20:50 , John Levine wrote: > > In article <56455885.8090...@vaxination.ca> you write: >> The Québec government is wanting to pass a law that will force ISPs to >> block and/or redirect certain sites it doesn't like. (namely sites that >> offer on-line

Re: DNSSEC and ISPs faking DNS responses

>> Redirecting is much harder -- ... >If you know that the client is using ONLY your resolver(s), couldn’t you >simply fake the entire chain and sign everything yourself? I suppose, although doing that at scale in a large provider like Videotron (1.5M subscribers) would be quite a challenge.

Re: DNSSEC and ISPs faking DNS responses

In message <5ca68a46-2f63-466a-b418-30da71b2b...@delong.com>, Owen DeLong write s: > > > On Nov 12, 2015, at 20:50 , John Levine wrote: > > > > In article <56455885.8090...@vaxination.ca> you write: > >> The Québec government is wanting to pass a law that will force ISPs to > >>

Re: DNSSEC and ISPs faking DNS responses

This will only create an new private (non-public) DNS service in China or Romania for Canadians to use. Imagine that someone in China starts a business to help people get around censorship in countries other than China. You nailed it - "clueless politicians". Bob Evans CTO > > The Québec

Re: DNSSEC and ISPs faking DNS responses

In message <56455885.8090...@vaxination.ca>, Jean-Francois Mezei writes: > > The Québec government is wanting to pass a law that will force ISPs to > block and/or redirect certain sites it doesn't like. (namely sites that > offer on-line gambling that compete against its own Loto Québec). >

Re: DNSSEC and ISPs faking DNS responses

In article <56455885.8090...@vaxination.ca> you write: >The Québec government is wanting to pass a law that will force ISPs to >block and/or redirect certain sites it doesn't like. (namely sites that >offer on-line gambling that compete against its own Loto Québec). Blocking is prettty easy,

Re: DNSSEC and ISPs faking DNS responses

Hello, El 11/13/2015 a las 12:20 AM, John Levine escribió: > In article <56455885.8090...@vaxination.ca> you write: >> The Québec government is wanting to pass a law that will force ISPs to >> block and/or redirect certain sites it doesn't like. (namely sites that >> offer on-line gambling that