Does DNSSEC work? My answer is no, at least not yet.
Before going to look up more information about DNSSEC, I can simply give an example: in the current setting, the ISP assigns the user's DNS servers dynamically. If it provides one with fake DNS records, the user's computer has no way to find out whether it's authentic or not. Unless all the operating systems or browsers get patched, simply doing it at ICANN can't beat the GFW.
Then I go to do some study.
When I come back, I still hold my point. Will Microsoft provide a security update which forces Windows to check the signature of every DNS response? I hope so. But what if there is no signature at all? Will it be treated as an invalid response?