Right, but the comment that prompted this sub-thread was:
> Can't GoGo just "blacklist" streaming sites at a DNS level and deal with the problem before a connection is even made to a high-bandwidth destination?
Clearly the word here is "censorship." Or if you prefer, "blocking," which doesn't have a political connotation. DNSSEC was then proposed as a countermeasure to this blocking, and I showed why it's not a countermeasure.
DNSCrypt would be more effective here because it's encrypted.
DNSCrypt on its own accomplishes nothing. What you're really saying is to use DNSCrypt and configure it to masquerade its traffic by not using port 53 so that it's less likely to be blocked. Without using a non-standard port, the results for DNSCrypt will be the same as from DNSSEC: an error in trying to look up the domain, which is identifiable as being different from an error trying to access the server pointed to by the DNS record.
You don't need DNSCrypt to be able to do DNS lookups on a non-standard port. DNSCrypt just happens to offer a list of a few servers that respond (using their protocol) on non-standard ports. The list is short enough (16 IPs to block!) that it could easily be included in the malicious gateway's firewall rules, rendering DNSCrypt useless for working around the blocking and still less useful than DNSSEC for deducing the nature of the interference.
I think you've misunderstood what whyleyc wrote above. OP asked why GoGo doesn't just "blacklist", i.e. censor, the mentioned sites via DNS, explicitly excluding a MITM attack:
> Why are they even pulling this MITM trick in the first place?
> Can't GoGo just "blacklist" streaming sites at a DNS level and deal with the problem before a connection is even made to a high-bandwidth destination?
So no MITM, just GFW of China style blocking. Which is trivial for unencrypted packets like DNSSEC. Observe, by the way, that China supports DNSSEC -- it's not a problem for them!
And it wouldn't be a problem for GoGo, either, because DNSSEC is not encrypted and blacklisted sites can be dropped on the floor. Or GoGo could trivially return SERVFAIL. But the whole thing is moot anyway because youtube.com doesn't support DNSSEC and probably never will.
Blocking DNSCrypt entirely and forcing a fallback to the approved (censored) DNS servers is still not any harder to accomplish than censoring unencrypted DNS with or without DNSSEC. DNSCrypt as it currently exists is not any more censorship-resistant except where it is completely unknown to the censoring party. The only real security (against censorship) that it offers is security through obscurity, so saying that DNSSEC's problem is a lack of encryption is complete bullshit.
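Added example, not written by any poster in this thread: a small Python classifier for the resolver outcomes discussed above, namely a query dropped on the floor (timeout), an rcode such as SERVFAIL or NXDOMAIN (a lookup error the client can tell apart from a later connection failure), and a normal answer, with the AD flag showing whether the resolver claimed DNSSEC validation. The DNS messages are constructed inline; the name example.com and the address 192.0.2.10 are placeholders.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_response(txid, rcode, answers=(), ad=False):
    """Construct a minimal DNS response (constructed test data, not a capture):
    one A question for example.com plus zero or more A answers."""
    flags = 0x8180 | rcode | (0x0020 if ad else 0)   # QR, RD, RA set; AD optional
    header = struct.pack(">HHHHHH", txid, flags, 1, len(answers), 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in "example.com".split(".")) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)        # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + rdata
    return header + question + rrs


def classify(msg):
    """Return the kind of outcome a client observed: no response (query dropped),
    a lookup error (rcode != 0), an empty answer, or an answer with addresses."""
    if msg is None:                                     # dropped query / timeout
        return {"kind": "no-response", "rcode": None, "ad": False, "ips": []}
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    rcode, ad = flags & 0x000F, bool(flags & 0x0020)
    if rcode != 0:                                      # e.g. the SERVFAIL case above
        return {"kind": "lookup-error", "rcode": RCODES.get(rcode, str(rcode)), "ad": ad, "ips": []}
    pos = 12
    for _ in range(qd):                                 # skip the question section
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 1 + 4
    ips = []
    for _ in range(an):                                 # walk the answer RRs
        if msg[pos] & 0xC0 == 0xC0:                     # compressed owner name
            pos += 2
        else:
            while msg[pos] != 0:
                pos += msg[pos] + 1
            pos += 1
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return {"kind": "answer" if ips else "empty-answer", "rcode": "NOERROR", "ad": ad, "ips": ips}
```

A lookup that ends in "lookup-error" or "no-response" is interference at the resolver or on the DNS path; a successful "answer" followed by a failed TCP connection is interference somewhere else, which is the distinction drawn above.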