by pingwin 4080 days ago
I think what tptacek is hinting at is that a nation state could forge roots with their own certificates, creating a separate chain of trust. Given that your internet-enabled device does not likely have a DNSSEC-validating resolver (with uncompromising trust anchors for the roots) operating on it, it's still possible for your device to receive forged responses.
2 comments

If your Internet-enabled device doesn't have a DNSSEC-validating resolver (with solid trust anchors for the root zone), then this entire conversation is irrelevant.

If your Internet-enabled device does have a DNSSEC-validating resolver either on the device or within an acceptable zone of risk[1] then the chain of trust back up to the root zone of DNS will mean that I will notice a substitution and get a SERVFAIL. It may mean that the attacker could DoS me and prevent me from going to a site, but I don't see where I would wind up on the bogus site.

[1] For example, I have a DNSSEC-validating resolver on the edge of my home network. Yes, an attacker could still compromise my home network and send me forged responses. I consider that less likely and am willing to take that risk.
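The two failure modes discussed in this thread (an on-path substitution of a single record, and a forged "separate chain of trust" rooted in an attacker's own keys) can be shown with a toy model of DNSSEC validation. The Go program below is an added illustration, not code from the thread or from any DNS implementation: it uses Ed25519 signatures in place of real DNSKEY/DS/RRSIG wire formats, the zone names and addresses are constructed, and the `response`, `validate`, `buildHonest`, `forgeAnswer` and `forgeChain` names are hypothetical. A validating resolver holding the real root key as its trust anchor returns SERVFAIL in both attack cases, which is the denial-of-service outcome described above rather than a redirect to the bogus address.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// zone is a toy DNSSEC-signed zone: one signing key pair (stands in for DNSKEY).
type zone struct {
	name string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func newZone(name string) *zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &zone{name: name, priv: priv, pub: pub}
}

// signedRecord stands in for an RRset plus its RRSIG.
type signedRecord struct {
	name string
	data string
	sig  []byte
}

func (z *zone) sign(name, data string) signedRecord {
	return signedRecord{name: name, data: data, sig: ed25519.Sign(z.priv, []byte(name+"|"+data))}
}

func verifyRecord(pub ed25519.PublicKey, r signedRecord) bool {
	return ed25519.Verify(pub, []byte(r.name+"|"+r.data), r.sig)
}

// dsDigest stands in for a DS record: the parent publishes a hash of the child's key.
func dsDigest(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// response is everything a resolver collected while resolving one name.
type response struct {
	chain  []string                     // zones from root to leaf: ".", "io.", "example.io."
	keys   map[string]ed25519.PublicKey // DNSKEY per zone, as received (may be forged)
	ds     map[string]signedRecord      // DS for each child zone, signed by its parent
	answer signedRecord                 // the A record, signed by the leaf zone
}

// validate walks from the trust anchor down to the answer; any break yields SERVFAIL.
func validate(trustAnchor ed25519.PublicKey, resp response) (rcode, detail string) {
	if !bytes.Equal(trustAnchor, resp.keys[resp.chain[0]]) {
		return "SERVFAIL", "root DNSKEY does not match the configured trust anchor"
	}
	trusted := trustAnchor
	for _, child := range resp.chain[1:] {
		ds, ok := resp.ds[child]
		if !ok || !verifyRecord(trusted, ds) {
			return "SERVFAIL", "DS for " + child + " is not signed by its parent"
		}
		if ds.data != dsDigest(resp.keys[child]) {
			return "SERVFAIL", "DNSKEY for " + child + " does not match its DS"
		}
		trusted = resp.keys[child] // child key is now trusted; descend one level
	}
	if !verifyRecord(trusted, resp.answer) {
		return "SERVFAIL", "answer RRSIG does not verify under the leaf zone key"
	}
	return "NOERROR", resp.answer.data
}

// build assembles a full chain signed by the given zones (constructed data).
func build(root, io, leaf *zone, addr string) response {
	return response{
		chain: []string{".", "io.", "example.io."},
		keys:  map[string]ed25519.PublicKey{".": root.pub, "io.": io.pub, "example.io.": leaf.pub},
		ds: map[string]signedRecord{
			"io.":         root.sign("io.", dsDigest(io.pub)),
			"example.io.": io.sign("example.io.", dsDigest(leaf.pub)),
		},
		answer: leaf.sign("www.example.io.", addr),
	}
}

// buildHonest returns the legitimate root key (the resolver's trust anchor) and a valid response.
func buildHonest() (ed25519.PublicKey, response) {
	root := newZone(".")
	return root.pub, build(root, newZone("io."), newZone("example.io."), "192.0.2.10")
}

// forgeAnswer models an on-path attacker swapping only the A record (constructed scenario).
func forgeAnswer(resp response) response {
	resp.answer = newZone("attacker").sign("www.example.io.", "198.51.100.66")
	return resp
}

// forgeChain models "forging the roots": a complete, self-consistent chain under attacker keys.
func forgeChain() response {
	return build(newZone("."), newZone("io."), newZone("example.io."), "198.51.100.66")
}

func main() {
	anchor, honest := buildHonest()
	for label, r := range map[string]response{"honest": honest, "swapped answer": forgeAnswer(honest), "forged chain": forgeChain()} {
		rc, detail := validate(anchor, r)
		fmt.Printf("%-15s %s (%s)\n", label, rc, detail)
	}
}
```

The forged chain is internally consistent (every DS matches its child key and every signature verifies), so a resolver that merely checked signatures would accept it; only the comparison against the locally configured trust anchor rejects it, which is why the thread keeps returning to where that anchor lives and who controls the device holding it.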

He knows that; he's saying, if GCHQ did that to tamper with a key stored for a .IO name, the world would notice, because they'd all get that poisoned key.

But that's not actually how DNS works.