[dns-operations] New U.S. Senate Bill re DNS Blocking

Andrew Sullivan ajs at shinkuro.com
Wed Sep 22 03:45:28 UTC 2010


On Wed, Sep 22, 2010 at 01:05:13AM +0000, Livingood, Jason wrote:

> And a key is that this is not restricted to registries, registrars, or
> authoritative DNS servers.  This is also meant to affect operators of all
> U.S.-based recursive resolvers, whether in an ISP network, a DNS ASP, a
> company network, academic network, etc.  One concern I have as a result of
> it (among many) is what this would mean for a DNS server operator once
> they have implemented DNSSEC validation.

Well, an intermediate validating resolver that has a policy of "block
this address" (a stupefyingly bonehead idea, IMO, but never mind that)
will fool with the packets and thereby cause them to fail to validate.
The validator portion of the server can then legitimately return
SERVFAIL and not even lie to the originating client.  In some sense,
DNSSEC actually legitimizes this sort of behaviour, because you can
detect it.  And, of course, if you are opposed to it, you can work
around it by "just" (ahem) running your own recursive DNS server on
your local machine.  Of course, you'd be defying the will of the
enlightened members of the US Congress, assuming this proposal passed.

A

-- 
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
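The mechanism Andrew describes above, as an added example that is not part of the original message or of any named product: an authoritative server signs an A RRset, an intermediate resolver applies a "block this address" policy that rewrites the addresses, and the validator then fails to verify the RRSIG and returns SERVFAIL rather than handing the client a forged NOERROR. The code is Go with the standard library's Ed25519 (DNSSEC algorithm 15, RFC 8080) standing in for the zone key; the signed-data layout follows RFC 4034 (RRSIG RDATA minus the signature, then each RR in canonical form and order, with the original TTL). Names (www.example., example.), addresses, key tag and validity window are constructed values; the chain of trust from the root and the signature time checks are skipped, which a real validator would not do.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

const TypeA, ClassIN uint16 = 1, 1
const AlgEd25519 uint8 = 15 // DNSSEC algorithm number for Ed25519 (RFC 8080)
const RcodeNoError, RcodeServFail = 0, 2

// RRset is one owner/type RRset (class IN) as the authoritative server serves it.
type RRset struct{ Owner string; Type uint16; TTL uint32; RData [][]byte }

// RRSIG holds the RFC 4034 RRSIG RDATA; every field but Signature enters the signed data.
type RRSIG struct {
	TypeCovered, KeyTag            uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	SignerName                     string
	Signature                      []byte
}

// wireName encodes a domain name in canonical (lowercase, uncompressed) wire form.
func wireName(name string) []byte {
	var b bytes.Buffer
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if label != "" {
			b.WriteByte(byte(len(label)))
			b.WriteString(label)
		}
	}
	b.WriteByte(0)
	return b.Bytes()
}

// signedData is the byte string an RRSIG covers (RFC 4034 s.3.1.8.1): RRSIG RDATA minus
// Signature, then each RR in canonical form and order (RFC 4034 s.6) with the original TTL,
// so a cache that lowered the TTL still validates but a changed address does not.
func signedData(sig RRSIG, rrs RRset) []byte {
	var b bytes.Buffer
	for _, f := range []interface{}{sig.TypeCovered, sig.Algorithm, sig.Labels, sig.OrigTTL, sig.Expiration, sig.Inception, sig.KeyTag} {
		binary.Write(&b, binary.BigEndian, f)
	}
	b.Write(wireName(sig.SignerName))
	rdata := append([][]byte(nil), rrs.RData...) // sort a copy, not the caller's answer
	sort.Slice(rdata, func(i, j int) bool { return bytes.Compare(rdata[i], rdata[j]) < 0 })
	for _, rd := range rdata {
		b.Write(wireName(rrs.Owner))
		for _, f := range []interface{}{rrs.Type, ClassIN, sig.OrigTTL, uint16(len(rd))} {
			binary.Write(&b, binary.BigEndian, f)
		}
		b.Write(rd)
	}
	return b.Bytes()
}

// Validate is the validator half of a resolver: it recomputes the signed data from the
// answer it is about to return and checks the RRSIG against the trusted DNSKEY.
func Validate(pub ed25519.PublicKey, sig RRSIG, rrs RRset) bool {
	return ed25519.Verify(pub, signedData(sig, rrs), sig.Signature)
}

// BlockToLoopback is a "block this address" policy: every A record is rewritten to
// 127.0.0.1 while the RRSIG stays as is, since the resolver holds no zone key.
func BlockToLoopback(rrs RRset) RRset {
	out := RRset{Owner: rrs.Owner, Type: rrs.Type, TTL: rrs.TTL}
	for range rrs.RData {
		out.RData = append(out.RData, []byte{127, 0, 0, 1})
	}
	return out
}

// Resolve applies the resolver's policy, then validates. Once the RRset no longer matches
// its RRSIG, an honest validator returns SERVFAIL rather than the forged answer.
func Resolve(pub ed25519.PublicKey, sig RRSIG, rrs RRset, policy func(RRset) RRset) int {
	if Validate(pub, sig, policy(rrs)) {
		return RcodeNoError
	}
	return RcodeServFail
}

// NewExample builds a constructed signed answer (two A records for www.example.) under a
// freshly generated Ed25519 zone key, signing it as the authoritative server would. Key tag
// and validity window are fixed example values; the chain of trust is skipped.
func NewExample() (ed25519.PublicKey, RRSIG, RRset) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail here
	rrs := RRset{Owner: "www.example.", Type: TypeA, TTL: 300,
		RData: [][]byte{{192, 0, 2, 11}, {192, 0, 2, 10}}}
	sig := RRSIG{TypeCovered: TypeA, Algorithm: AlgEd25519, Labels: 2, OrigTTL: 300,
		Inception: 1284000000, Expiration: 1285300000, KeyTag: 12345, SignerName: "example."}
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrs))
	return pub, sig, rrs
}

func main() {
	pub, sig, rrs := NewExample()
	fmt.Println("passthrough:", Resolve(pub, sig, rrs, func(r RRset) RRset { return r })) // 0 (NOERROR)
	fmt.Println("blocking:", Resolve(pub, sig, rrs, BlockToLoopback))                     // 2 (SERVFAIL)
}
```

Two properties matter here. Canonical ordering and the original TTL mean that a cache reordering or aging the answer is not tampering and still validates, while any change to the address bytes (or dropping one RR of a multi-RR set) is. And because the validator only needs the public DNSKEY, the same check run on a stub or recursive server on the client's own machine turns the upstream resolver's rewrite into a visible SERVFAIL rather than a silently wrong address, which is the detection Andrew refers to.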


