In iks.lists.icann.at-large, you wrote:
http://politics.slashdot.org/story/10/05/09/1939222/DNSSEC-and-the-Geopoliti...
*hmpf* Of course DNS blocking technology seems to be stopped by DNSSEC deployment, but this view is too technical. DNS blocking is mostly unrelated to DNSSEC. There are only a few variants:

1) Users take the DNS server from the DHCP or LCP (PPP) configuration automatically. This DNS resolver, under ISP control, can use DNSSEC to validate the responses from the Internet, but is free to deliver forged (sorry: governmentally edited) results to the user's system, because the last mile is unprotected. Probability: 90%

2) Users choose to use their own DNS resolver without DNSSEC validation. They will not use the provider DNS, but resolve directly. So the blocking infrastructure will never harm their communication at all. Probability: 9%

3) Users choose to use their own DNS resolver with DNSSEC validation. Usually they will not use the provider DNS, but resolve directly. So the blocking infrastructure will never harm their communication at all. Probability: 1%

4) Users choose to validate DNS results themselves, but stick to the ISP's servers. In this case the redirection to the blocking site will be detected as a malicious modification and none of the sites (original nor stop-page) can be reached. This scenario will occur if direct DNS traffic is blocked by the ISP. Probability: 0%

My probability estimates are nerd-like ... sorry.
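
The four variants listed in the post, as a small model that is added here as an illustration and is not part of the original message. All names, addresses and the key are constructed, and an HMAC stands in for the DNSSEC signature (real DNSSEC uses public-key signatures), so only the authoritative side is allowed to sign in this model.

```python
import hashlib
import hmac

# Constructed sample data; names and addresses use documentation ranges.
ZONE_KEY = b"constructed-zone-key"    # stand-in for the zone's signing key
REAL = {"blocked.example": "192.0.2.10", "other.example": "192.0.2.20"}
BLOCKLIST = {"blocked.example"}
STOP_PAGE = "198.51.100.1"            # hypothetical ISP stop-page address


def sign(name, addr):
    # HMAC stands in for an RRSIG. Real DNSSEC uses public-key signatures,
    # so in this model only authoritative() is allowed to call sign().
    msg = f"{name}|{addr}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()


def verify(name, addr, sig):
    return hmac.compare_digest(sig, sign(name, addr))


def authoritative(name):
    addr = REAL[name]
    return addr, sign(name, addr)


def isp_resolver(name):
    # The ISP resolver validates what it receives from the Internet ...
    addr, sig = authoritative(name)
    if not verify(name, addr, sig):
        return None, sig
    # ... but may still rewrite the answer it hands to the customer.
    if name in BLOCKLIST:
        return STOP_PAGE, sig         # it cannot produce a matching signature
    return addr, sig


def lookup(name, use_isp, validate):
    addr, sig = isp_resolver(name) if use_isp else authoritative(name)
    if addr is None or (validate and not verify(name, addr, sig)):
        return None                   # validation failure: nothing is reachable
    return addr


def variants(name):
    # Keys are the variant numbers from the post: (use_isp, validate).
    return {1: lookup(name, True, False), 2: lookup(name, False, False),
            3: lookup(name, False, True), 4: lookup(name, True, True)}
```
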