NNSquad - Network Neutrality Squad


[ NNSquad ] [Vint Cerf]: Re: Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"

Forwarded with Vint's permission.


----- Forwarded message from Vint Cerf <vint@google.com> -----

Date: Mon, 18 Jul 2011 08:21:25 -0400
From: Vint Cerf <vint@google.com>
Subject: Re: [ NNSquad ] Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA
	and Secure DNS"
To: Lauren Weinstein <lauren@vortex.com>


George's argument seems flawed to me. Suppose you have a site that is NOT
illegal but a government wants to suppress it or even re-direct to a
counterfeit site. Without DNSSEC, such re-direction is possible without
detection. With DNSSEC one of two things might happen:

1. The site looks invalid because the DNSSEC check fails, in which case
counterfeiting the site doesn't work. That's the good case, I suppose, except
that the government "wins" since it suppresses access to the site for those
relying on DNSSEC.

2. The government produces a false but signed entry that passes the DNSSEC
check (wouldn't that mean that it had falsified a certificate containing the
public key of that domain name?), in which case the government succeeds in
re-directing even a DNSSEC-checking user.

Of course, if you ignore DNSSEC and accept whatever comes back as the IP
address, you will be fooled (or denied access to the real site).


On Sun, Jul 17, 2011 at 11:59 PM, Lauren Weinstein <lauren@vortex.com> wrote:

> Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"
> http://j.mp/qHnkDB  (ISC)
>    "Nevertheless the raw uncomfortable truth of the matter is that any
>     form of mandated "DNS blocking" whose goal is to make certain domain
>     names unreachable will be indistinguishable from the result of a
>     Secure DNS failure - and a failure is a failure is a failure."
>  - - -
> It should be noted that the MPAA's response on these issues is the
> assertion that most users are too stupid to understand how to change
> their DNS (presumably even after being given step by step instructions)
> and that not permitting content owners to manipulate the DNS to protect
> their profit centers would amount to allowing the Internet to "decay
> into a lawless Wild West."
> --Lauren--
> Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
> Co-Founder: People For Internet Responsibility: http://www.pfir.org
> Founder:
>  - Network Neutrality Squad: http://www.nnsquad.org
>  - Global Coalition for Transparent Internet Performance:
> http://www.gctip.org
>  - PRIVACY Forum: http://www.vortex.com
> Member: ACM Committee on Computers and Public Policy
> Blog: http://lauren.vortex.com
> Google+: http://vortex.com/g+lauren
> Twitter: https://twitter.com/laurenweinstein
> Tel: +1 (818) 225-2800 / Skype: vortex.com

----- End forwarded message -----
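
Added example, not part of the forwarded message or the quoted article: the outcomes discussed above as a client sees them in a resolver's reply. It reads the RCODE and AD bits from the DNS header and compares an ordinary reply with a re-query sent with CD=1; the function names and sample headers are constructed for illustration.

```python
import struct

AD, CD = 0x0020, 0x0010  # "authentic data" / "checking disabled" header bits (RFC 4035)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, str(rcode)),
            "ad": bool(flags & AD), "answers": an}

def classify(normal: bytes, cd_probe: bytes) -> str:
    """normal: reply to an ordinary query; cd_probe: reply to the same
    query re-sent with CD=1, which asks the resolver to skip validation."""
    n, c = parse_header(normal), parse_header(cd_probe)
    if n["rcode"] == "NOERROR" and n["answers"]:
        # AD=1 only says the chain verified against the resolver's trust
        # anchors. AD=0 data is unvouched: a redirected answer and a genuine
        # one look identical here.
        return "validated" if n["ad"] else "unvalidated"
    if n["rcode"] == "SERVFAIL" and c["rcode"] == "NOERROR" and c["answers"]:
        # Data exists but did not verify. The header cannot say whether the
        # cause was tampering, mandated rewriting, or a zone signing error.
        return "validation-failure"
    return "other-failure"

def hdr(flags: int, ancount: int) -> bytes:
    """Build a constructed 12-byte response header (ID 0x1234, one question)."""
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# Constructed sample headers; not captured traffic.
SAMPLES = {
    "signed, verifies":   (hdr(0x81A0, 1), hdr(0x8190, 1)),
    "no DNSSEC checking": (hdr(0x8180, 1), hdr(0x8190, 1)),
    "signature fails":    (hdr(0x8182, 0), hdr(0x8190, 1)),
    "resolver broken":    (hdr(0x8182, 0), hdr(0x8192, 0)),
}

def run_samples() -> dict:
    return {name: classify(*pair) for name, pair in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} -> {verdict}")
```

The AD bit is only as trustworthy as the path between the client and the resolver that set it.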