[dns-operations] will germany therefore make dnssec illegal on their shores?

Otmar Lendl ol at bofh.priv.at
Fri Jun 19 09:52:33 UTC 2009

bmanning at vacation.karoshi.com wrote:
> On Thu, Jun 18, 2009 at 11:39:15PM +0000, Paul Vixie wrote:
>> http://yro.slashdot.org/story/09/06/16/1657255/A-Black-Day-For-Internet-Freedom-In-Germany
> 	doubtful that it will be illegal - just ineffective.

Not really.

> 	DE may become a haven for questionable DNS use, esp
> 	with this official sanction to hijack.

Questionable DNS use by ISPs on their recursors, yes. Otherwise, no.

You have to keep a few arguments in mind:

* This is more about political grandstanding ("we're doing something about
child-porn on the Internet") than anything else.

* Comparing this to the Data-Retention laws is instructive: there the ISPs
are required by law to keep IP->Account and mailserver logs. These laws
only apply to ISPs and commercial email operators. It does NOT cover
enterprises and privately run servers.

* So all this is your typical "catch the stupid" tough-on-crime rhetoric/laws.

So yes, the recursors of ISPs will implement the filtering/answer-spoofing,
and your run-of-the-mill 15 €/month DSL clueless customer will be prevented
from reaching certain sites. Anyone who is running their own recursor or
manages to configure one of the myriads of public open DNS recursors into
their windows / CPE / ... will not be affected.

I doubt that they will go so far as to try to actually prevent these workarounds.

Regarding DNSSEC, here it depends on who is doing the validation and
whether the offending domains are actually signed or not (not likely these

a) DNSSEC validation is done at the ISP resolver:

   DNSSEC doesn't help the end-user here at all.

b) DNSSEC validation in the client, ISP recursor is used:

   If the domain is signed, then the user will get an NXDOMAIN (or maybe
better error reporting) instead of the IP address of the STOP-sign website.

   So the censoring still works, just the alerting of the user (and the
logging of the STOP-sign access) does not.

c) DNSSEC validation in the client, full recursion at the client

   Censorship is ineffective.

Remember: DNSSEC is not about the availability part of security, it's only
about the integrity.


Overall: we will see these things crop up everywhere (and yes, even the US
is not immune to such proposals: there the target is off-shore
gambling). We're lobbying the Austrian government not to follow the German
example and for now, it looks like our politicians will wait and see how
this all works out in Germany before trying to do the same.

It's all so absurd: just now there is a lot of reporting about helping the
Iranians to subvert the Internet filters their government is deploying to
hinder the opposition movement. See e.g.

From a pure technology point of view, there is no difference between the
censorship (and the workaround) of political views vs. that of child porn.

-=-  Otmar Lendl  --  ol at bofh.priv.at  --  http://lendl.priv.at/  -=-
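The three validation scenarios (a), (b) and (c) from the post, modelled in Python as an added example; this is not code from the post or from the dns-operations list. All names, addresses and the blocklist are constructed, and the RRSIG is simplified to an HMAC under a shared "zone key" rather than a real asymmetric signature over a DNSKEY chain; the point the model shows is unaffected: a validating client rejects a rewritten answer but gets no usable address either, so integrity is preserved while availability is not.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed toy zone data (documentation/TEST-NET addresses, not real hosts).
ZONE_KEY = b"constructed-zone-signing-key"      # stand-in for the zone's private DNSKEY
REAL_ANSWERS = {"blocked.example": "192.0.2.10",
                "allowed.example": "192.0.2.20"}
STOP_SIGN_IP = "198.51.100.1"                   # constructed STOP-sign website address
BLOCKLIST = {"blocked.example"}                 # constructed filtering mandate
BOGUS = "BOGUS (SERVFAIL)"                      # what a validating client reports


@dataclass
class Answer:
    name: str
    ip: str
    rrsig: Optional[str]     # None when the zone is unsigned


def sign(name: str, ip: str) -> str:
    # Simplified RRSIG: an HMAC over the A RRset. Real DNSSEC signs with the
    # zone's private key and the validator verifies against the DNSKEY/DS chain.
    return hmac.new(ZONE_KEY, f"{name} A {ip}".encode(), hashlib.sha256).hexdigest()


def verify(ans: Answer) -> bool:
    if ans.rrsig is None:
        return False
    return hmac.compare_digest(sign(ans.name, ans.ip), ans.rrsig)


def authoritative(name: str) -> Answer:
    # The zone's own answer, with a signature covering the real RRset.
    ip = REAL_ANSWERS[name]
    return Answer(name, ip, sign(name, ip))


def isp_recursor(name: str) -> Answer:
    # Model of the ISP recursor under the mandate: it fetches the real answer
    # but substitutes the STOP-sign address for listed names. It cannot forge a
    # valid RRSIG for the substituted data, so the original signature is passed on.
    ans = authoritative(name)
    if name in BLOCKLIST:
        return Answer(name, STOP_SIGN_IP, ans.rrsig)
    return ans


def stub_client(recursor: Callable[[str], Answer], name: str) -> str:
    # Case (a): any validation happens at the ISP; the client trusts the IP it gets.
    return recursor(name).ip


def validating_client(recursor: Callable[[str], Answer], name: str) -> str:
    # Cases (b) and (c): the client checks the RRSIG itself. A rewritten RRset
    # fails validation and the client gets no address at all, neither the real
    # one nor the STOP sign.
    ans = recursor(name)
    return ans.ip if verify(ans) else BOGUS


def scenarios(name: str) -> Dict[str, str]:
    # (a) stub client behind the ISP recursor
    # (b) validating client behind the ISP recursor
    # (c) validating client doing full recursion itself (talks to the zone directly)
    return {
        "a": stub_client(isp_recursor, name),
        "b": validating_client(isp_recursor, name),
        "c": validating_client(authoritative, name),
    }


if __name__ == "__main__":
    for qname in ("blocked.example", "allowed.example"):
        print(qname, scenarios(qname))
```

For the listed name, (a) yields the STOP-sign address, (b) yields a validation failure, and (c) yields the real address; the unlisted name resolves normally in all three. The failure in (b) is exactly the "censorship still works, alerting does not" outcome from the post: the user is kept off the site, but never sees the STOP sign and the ISP logs no STOP-sign visit.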
