NNSquad - Network Neutrality Squad

[ NNSquad ] Re: [Vint Cerf]: Re: Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"

  [ The government has repeatedly and largely unapologetically blocked
    innocent sites (and foreign sites arguably not under U.S.
    jurisdiction) in the course of implementing court-approved blocks.
    This means that any error conditions related to this situation
    must be viewed in terms of their impact on innocent and
    potentially innocent sites as well as on legally targeted sites.
    Even "guilty" sites (as per government claims) -- and especially
    innocent sites -- deserve to have their users properly notified
    of government actions.  Various artificially induced error conditions
    are not an acceptable substitute for court-ordered blocking-related
    notifications to users.  Also, given the fact that "unauthorized"
    wiretaps are an unfortunate fact of life in this country, they also
    are of interest in any associated analysis.

       -- Lauren Weinstein
          NNSquad Moderator ]

Vint Cerf:
> "George's argument seems flawed to me. Suppose you have a site that is NOT
> illegal but a government wants to suppress it or even re-direct to a
> counterfeit site."

As Richard pointed out, this is irrelevant to the discussion since the
Protect IP Act only authorizes filtering of sites that are primarily
dedicated to selling counterfeit goods.

Vint Cerf:
> "Without DNSSEC, such re-direction is possible without
> detection. With DNSSEC one of two things might happen:

> 1. the site looks invalid because the DNSSEC check fails in which case
> counterfeiting the site doesn't work. that's the good case I suppose
> that the government "wins" since it suppresses access to the site for
> relying on DNSSEC"

If a web browser queries a newly visited website (one deemed illegal by the
courts) for both DNS and DNSSEC, the DNS reply will be redirected to a
takedown notification.  There would be no DNSSEC response as the redirector
(in this case the ISP) wouldn't have the ability to cryptographically sign
DNSSEC responses.  In this scenario, the use of DNS filtering required by
the Protect IP Act would deny service to the entire website secured by
DNSSEC or not.  It does not affect legal websites not deemed illegal by the
courts which means DNS filtering poses no risk to legally valid uses of

If a web browser queries a site whose known security profile is DNSSEC-only,
then the redirection of DNS would fail in addition to the lack of a valid
DNSSEC response.  Even if the mandated redirection failed, a key objective
of the law is still fulfilled which is to impede the counterfeit website.
Again in this scenario, there is no risk to legal websites.

Vint Cerf:
> 2. the government produces a false but signed entry that passes the DNSSEC
> check (wouldn't that mean that it had falsified a certificate containing
> public key of that domain name?) in which case the government succeeds in
> re-directing even a DNSSEC-checking user."

What you are talking about here would be a wire tap and the Protect IP Act
would not authorize wire tapping.  Therefore this is not a valid concern
with regard to the Protect IP Act.

Vint Cerf:
> Of course, if you ignore DNSSEC and accept whatever comes back as the IP
> address, you will be fooled (or denied access to the real site).

This would be a flagrantly negligent implementation of DNSSEC.  A DNSSEC
implementation is only secure if it enforces the authentication checks.
This has nothing to do with the DNS filtering aspect of the Protect IP Act.

George Ou
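Added example (written for this archive page, not code from any poster or project) modelling the mechanism George describes above and Vixie's quoted point further down: a validating resolver that receives a redirected answer it cannot verify under the zone's key gets only a failure, indistinguishable from any other DNSSEC failure, while a non-validating resolver accepts the redirect. The RRset/Sign/Validate/Resolve names, the ed25519 key standing in for a zone signing key, and the example.com / 192.0.2.10 / 198.51.100.1 values are constructed assumptions; real RRSIG and DNSKEY wire formats and the chain of trust are omitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// RRset is a minimal stand-in for one DNS answer (owner name, type, rdata).
// Constructed model: real RRSIG/DNSKEY wire formats and the chain of trust are omitted.
type RRset struct{ Name, Type, Rdata string }

// canonical is the byte string the signature covers in this simplified model.
func canonical(rr RRset) []byte { return []byte(rr.Name + "|" + rr.Type + "|" + rr.Rdata) }

// Sign stands in for the zone operator producing an RRSIG with its zone key.
func Sign(zoneKey ed25519.PrivateKey, rr RRset) []byte { return ed25519.Sign(zoneKey, canonical(rr)) }

// Validate is the validating resolver's decision: "secure" only if the RRSIG
// verifies under the DNSKEY it trusts for the zone, otherwise "bogus".
func Validate(trusted ed25519.PublicKey, rr RRset, sig []byte) string {
	if len(sig) > 0 && ed25519.Verify(trusted, canonical(rr), sig) {
		return "secure"
	}
	return "bogus"
}

// Resolve returns what the user's stub resolver ends up with: an address, or
// SERVFAIL. A non-validating resolver hands back whatever rdata arrived.
func Resolve(validating bool, trusted ed25519.PublicKey, rr RRset, sig []byte) string {
	if validating && Validate(trusted, rr, sig) == "bogus" {
		return "SERVFAIL" // the same outcome as any other DNSSEC failure
	}
	return rr.Rdata
}

func main() {
	zonePub, zoneKey, _ := ed25519.GenerateKey(rand.Reader) // zone's key, trusted by the resolver
	_, ispKey, _ := ed25519.GenerateKey(rand.Reader)        // the redirector's own key
	genuine := RRset{"example.com.", "A", "192.0.2.10"}      // constructed sample values
	notice := RRset{"example.com.", "A", "198.51.100.1"}     // host serving the takedown notice
	sig := Sign(zoneKey, genuine)
	fmt.Println("genuine, validating:     ", Resolve(true, zonePub, genuine, sig))
	// The redirector has no zone key: it strips the RRSIG, re-signs with its own key, or leaves the stale one.
	fmt.Println("redirect, no RRSIG:      ", Resolve(true, zonePub, notice, nil))
	fmt.Println("redirect, ISP-signed:    ", Resolve(true, zonePub, notice, Sign(ispKey, notice)))
	fmt.Println("redirect, stale RRSIG:   ", Resolve(true, zonePub, notice, sig))
	fmt.Println("redirect, non-validating:", Resolve(false, zonePub, notice, nil))
}
```

All three redirect variants collapse to the same SERVFAIL for the validating user, which is why a court-ordered notice page can never be displayed to them through DNS redirection alone.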

-----Original Message-----
From: Richard Bennett [mailto:richard@bennett.com] 
Sent: Monday, July 18, 2011 1:33 PM
To: nnsquad@nnsquad.org; Vint Cerf; George Ou
Subject: Re: [ NNSquad ] [Vint Cerf]: Re: Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"

Unlike the government action in Vint's hypothetical, PROTECT IP is not 
about censorship of unpopular opinions. Rather, the goal of PROTECT IP 
is to block access to sites that sell unlicensed movies, so faking out 
the user who would otherwise purchase from an unauthorized seller is not 
in the cards.

So George's point stands that PROTECT-IP accomplishes the goal and does 
not "break" DNSSEC.


On 7/18/2011 10:44 AM, Lauren Weinstein wrote:
> Forwarded with Vint's permission.
> --Lauren--
> ----- Forwarded message from Vint Cerf<vint@google.com>  -----
> On Sun, Jul 17, 2011 at 11:59 PM, Lauren
>> Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"
>> http://j.mp/qHnkDB  (ISC)
>>     "Nevertheless the raw uncomfortable truth of the matter is that any
>>      form of mandated "DNS blocking" whose goal is to make certain
>>      names unreachable will be indistinguishable from the result of a
>>      Secure DNS failure - and a failure is a failure is a failure."
>>   - - -
>> It should be noted that the MPAA's response on these issues is the
>> assertion that most users are too stupid to understand how to change
>> their DNS (presumably after being given step-by-step instructions) and
>> that not permitting content owners to manipulate the DNS to protect
>> their profit centers would amount to the Internet to "decay into a
>> lawless Wild West."
>> --Lauren--
>> Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
>> Co-Founder: People For Internet Responsibility: http://www.pfir.org
>> Founder:
>>   - Network Neutrality Squad: http://www.nnsquad.org
>>   - Global Coalition for Transparent Internet Performance:
>> http://www.gctip.org
>>   - PRIVACY Forum: http://www.vortex.com
>> Member: ACM Committee on Computers and Public Policy
>> Blog: http://lauren.vortex.com
>> Google+: http://vortex.com/g+lauren
>> Twitter: https://twitter.com/laurenweinstein
>> Tel: +1 (818) 225-2800 / Skype: vortex.com
> ----- End forwarded message -----

Richard Bennett