DNSSEC in China

The thread on f-root reminded me of an anecdotal datum regarding DNSSEC in China. I was in China back in August, staying at the Green Lake Hotel in Kunming, Yunnan Province. When connecting to the hotel in-room network (there was no wireless but a wired connection), I was able to properly validate DNSSEC for names like www.es.net and berkeley.edu, both of which are part of signed zones with a chain of trust from the root. I was able to do the validation on my caching resolver (BIND 9.8.x) running on my laptop.

If a site was blocked by authorities, I couldn't resolve it at all, but that was also the case even if I wasn't doing validation on my laptop resolver, but instead using the resolver provided by DHCP. (FYI, I "stumbled" upon an expat bar later in my trip near Yunnan Provincial University and the folks there--Europeans and Americans--all said that the number of sites they can get to has expanded in recent months. One Finn was accessing the Guardian to get the latest on the London riots.)

Another anecdote from NANOG 52: At the Denver Sheraton, I was unable to validate or resolve any name using my local laptop resolver. I couldn't even validate TLDs or dlv.isc.org, so *all* of my name resolution broke. In the end, I had to disable my local resolver entirely and use those provided by DHCP.

I have nothing to say about hypocrisy or the relative level of oppression between the Chinese government versus the Starwood Group (although it's humorous to think about). What I will say is that DNSSEC made it very clear in the case of the Sheraton that they were messing with DNS because DNSSEC made the handcuffs so obviously tight.

michael

"Nomadix developed DAT to actively monitor every packet transmitted from
each device to ensure all packets are correctly configured for the
network. If necessary, DAT will perform standard Network and Port
Address Translation and supports Application Level Gateways (ALGs) for
protocols such as FTP, H.323, PPTP, IPSec, and others. DAT also ensures
that a DNS server is always available to a user through the DNS
redirection function. This function redirects a user's DNS requests to a
local DNS server closer to the customer's location, improving the
response time and enabling true plug-and-play access when the
subscriber's configured DNS server is behind a firewall or located on a
private Intranet. Transparent proxy assures that subscribers who have
proxy configured to work with their native network get broadband access
in the HotZone."

http://www.nomadix.com/telecom_advantage.php
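A small diagnostic for the situation described above (a local validating resolver that suddenly cannot validate anything behind a gateway that redirects DNS), added here as an example and not code from either poster. It sends a DO-bit query to the resolver you trust and a second one to an address that runs no DNS server at all (192.0.2.1, a documentation address, is an assumption), then reads the AD flag and RCODE; any answer from the decoy means port 53 is being transparently redirected.

```python
import socket
import struct

# Flag bits in the DNS header (RFC 1035; AD from RFC 4035).
QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020
SERVFAIL = 2


def build_query(name: str, qtype: int = 6, txid: int = 0x1234) -> bytes:
    """Wire-format query (RD set) plus an EDNS0 OPT record with the DO bit,
    which is what a validating resolver needs in order to get RRSIGs back."""
    header = struct.pack(">HHHHHH", txid, RD, 1, 0, 0, 1)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    # OPT: root owner, TYPE 41, UDP size 4096, ext-rcode 0, version 0, DO flag, RDLEN 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + qname + struct.pack(">HH", qtype, 1) + opt


def parse_response(data: bytes) -> dict:
    """Decode only the 12-byte header: that is enough to see AD and RCODE."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "ad": bool(flags & AD),
            "rcode": flags & 0x000F, "answers": an}


def probe(server: str, name: str = ".", qtype: int = 6, timeout: float = 2.0):
    """Send one UDP query to server:53; return the parsed header or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


def diagnose(resolver_resp, decoy_resp) -> str:
    """resolver_resp: reply from the resolver you trust (e.g. a local BIND) for a
    name known to be signed; decoy_resp: reply from an address that runs no DNS
    server. Any reply from the decoy means port 53 is being redirected."""
    if decoy_resp is not None:
        return "redirected"        # transparent DNS proxy: local validation cannot work
    if resolver_resp is None:
        return "unreachable"       # the resolver itself did not answer
    if resolver_resp["ad"]:
        return "validated"         # chain of trust checked by the resolver
    if resolver_resp["rcode"] == SERVFAIL:
        return "bogus-or-blocked"  # validation failed or upstream unreachable
    return "unvalidated"           # answered, but without validation
```

Typical use is `diagnose(probe("127.0.0.1", "www.es.net", 1), probe("192.0.2.1"))`; a "redirected" result explains why a local validating resolver breaks for every name, as in the Sheraton case.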