[Cryptography] Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?

Viktor Dukhovni cryptography at dukhovni.org
Sat Oct 11 12:26:55 EDT 2014


On Sat, Oct 11, 2014 at 09:24:54PM +1300, Peter Gutmann wrote:
> Bear <bear at sonic.net> writes:
> 
> >Sonic implemented and deployed DNSSEC - and put it on their shiny new servers
> >along with an 'RBZ service' that censors supposed malware and phishing sites.
> >And while they told their customers about DNSSEC, they didn't mention the
> >'RBZ service.'
> 
> So just to make sure I'm getting this right, Sonic are sending out DNSSEC-
> authenticated but invalid/spoofed/however you want to label them DNS
> responses?  As you say, the very thing that DNSSEC was designed to prevent?

No.  Their recursive resolver validates data from upstream sources.
It then serves some synthetic data of its own, which is seen as bogus
by downstream validating resolvers.

A similar thing was done briefly to me by Time Warner Cable.  They
"quarantined" my cable modem by making it serve the same bogus A
record for all domains with a 5s TTL.  The reason was apparently
that they wanted me to "request" a cable modem upgrade.

I did not notice for some time, because my OpenWrt router runs its
own validating resolver and does not use the ISP's recursive caches.

When I power-cycled the router a few days back, I was in for a
protracted trouble-shoot.  The router could not sync its clock,
because none of the OpenWrt NTP pool servers would resolve.  With
an incorrect clock the signature on the root zone looked wrong, so
the local DNS resolver failed to work.  Eventually I figured out
what happened, and "volunteered" for the upgrade.

-- 
	Viktor.
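The clock-dependent validation failure described in the post above, as an added example that is not part of the original message: a validating resolver applies the RRSIG inception/expiration window (RFC 4035 §5.3.1, serial-number arithmetic per RFC 4034 §3.1.5), so a router whose clock is far behind after a reboot marks otherwise good signatures as bogus and cannot resolve the very NTP names it needs. The signature window and clock values below are constructed for the example.

```python
"""RRSIG time-window check against the local clock (added example).

Models the bootstrap problem from the post: with a wrong clock, the
root zone's signatures look invalid, so DNSSEC-validated lookups of
NTP pool names fail and the clock cannot be corrected.  Timestamps are
constructed for this example, not taken from a real signed zone.
"""
from datetime import datetime, timezone

# RFC 4034 s3.1.5: inception/expiration are 32-bit seconds since epoch,
# compared with RFC 1982 serial arithmetic (modulo 2**32).
MOD = 2 ** 32
HALF = 2 ** 31


def serial_le(a: int, b: int) -> bool:
    """True if a <= b under 32-bit serial-number arithmetic."""
    a, b = a % MOD, b % MOD
    return a == b or (b - a) % MOD < HALF


def rrsig_time_window_ok(inception: int, expiration: int, now: int) -> bool:
    """RFC 4035 s5.3.1: valid only if inception <= now <= expiration."""
    return serial_le(inception, now) and serial_le(now, expiration)


def classify(inception: int, expiration: int, now: int) -> str:
    """Verdict a validating resolver reaches for this RRSIG at time `now`."""
    if rrsig_time_window_ok(inception, expiration, now):
        return "secure"
    if not serial_le(inception, now):
        return "bogus: signature not yet valid (clock behind?)"
    return "bogus: signature expired (clock ahead, or stale data)"


def ts(iso: str) -> int:
    """UTC ISO-8601 string -> Unix seconds."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


# Constructed signature window, roughly a root-zone-style 10-day validity.
INCEPTION = ts("2014-10-05T00:00:00")
EXPIRATION = ts("2014-10-15T00:00:00")


def verdict_for_clock(clock_iso: str) -> str:
    """What the local validator would say if its clock read `clock_iso`."""
    return classify(INCEPTION, EXPIRATION, ts(clock_iso))


if __name__ == "__main__":
    # A correct clock, a router that booted with no RTC (epoch 0), a clock far ahead.
    for clock in ("2014-10-11T12:26:55", "1970-01-01T00:00:00", "2014-11-01T00:00:00"):
        print(clock, "->", verdict_for_clock(clock))
```

The usual defensive fix is to obtain initial time from a path that does not depend on validated DNS (for example NTP servers configured by IP address), and only then enable strict validation.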

