[dns-operations] New U.S. Senate Bill re DNS Blocking

Florian Weimer fw at deneb.enyo.de
Wed Sep 22 05:04:30 UTC 2010

* Jason Livingood:

> And a key is that this is not restricted to registries, registrars, or
> authoritative DNS servers.  This is also meant to affect operators of all
> U.S.-based recursive resolvers, whether in an ISP network, a DNS ASP, a
> company network, academic network, etc.

If you operate globally, you already need to have that filtering
capability.  Most corporate and academic networks have deployed some
filters (sometimes, it's called "packet shapers" or "bandwidth
management").  I also suspect that for compliance, it is sufficient to
load the blocklist into your mandatory web proxy.

One major problem with DNS-based filters is that you want to keep the
list secret for competitive and public order reasons.  This means that
there is a tendency to push the filters into the Internet core because
there are fewer players there and there is some belief that you can
make sure that those do not leak the list.  (German law actually
prohibits small ISPs, companies and individuals from applying the
government-provided filter list to their DNS-related services, even if
they wanted to.)  On the other hand, DNS filters in the core are
undesirable from a technical point of view, although it can be argued
that this particular ship sailed in January 2003.

> One concern I have as a result of it (among many) is what this would
> mean for a DNS server operator once they have implemented DNSSEC
> validation.

It's a problem if you push validation to the clients, and then it
might be significant, depending on the client behavior (see the "roll
over and die" problem).  If we ever do validation on the client, such
altered responses must be signed by a trust anchor that is recognized
by the client.
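The last two paragraphs are illustrated below with an added toy model that is not code from the post or from any resolver implementation. It assumes a stand-in for DNSSEC: Lamport one-time signatures (built from SHA-256 in the standard library) play the role of RRSIG/DNSKEY, a dict keyed by a short key tag plays the role of the client's trust-anchor store, and there is no chain of trust, so each zone key is trusted directly. The names (`example.com`, `unblocked.example`), the addresses (RFC 5737 documentation ranges) and the blocklist are all constructed for the example. It shows a blocking recursive resolver that either swaps the address under the zone's own signature or re-signs the substituted answer with the filter operator's key, a validating client that rejects both unless the operator's key is among its trust anchors, and, for the "roll over and die" case, a client with a stale anchor rejecting an authentic answer after the zone re-signs.

```python
"""Constructed toy model of a validating client behind a filtering resolver.
Not the post's code: Lamport one-time signatures stand in for RRSIG/DNSKEY,
a dict of key tags stands in for the trust-anchor store, and every key here
signs exactly one RRset (Lamport keys must not be reused)."""
import hashlib
import os

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(msg: bytes):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = _h(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def keygen():
    """Lamport key pair: 256 pairs of secrets, public half is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(_h(a), _h(b)) for a, b in sk]

def key_tag(pk) -> str:
    return _h(b"".join(a + b for a, b in pk)).hex()[:8]  # like a DNSKEY key tag

def sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        _h(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def canonical(name: str, rdata) -> bytes:
    """Canonical RRset form the signature covers: owner + sorted A records."""
    return f"{name.lower()} IN A {' '.join(sorted(rdata))}".encode()

def make_rrset(name, rdata, sk, pk):
    """Signed RRset: owner name, records, signer's key tag, signature."""
    return {"name": name, "rdata": tuple(rdata), "keytag": key_tag(pk),
            "sig": sign(sk, canonical(name, rdata))}

# Authoritative side (constructed zones, RFC 5737 documentation addresses).
ZONE_SK, ZONE_PK = keygen()      # key for example.com
OTHER_SK, OTHER_PK = keygen()    # key for unblocked.example
AUTHORITATIVE = {
    "example.com": make_rrset("example.com", ["192.0.2.10"], ZONE_SK, ZONE_PK),
    "unblocked.example": make_rrset("unblocked.example", ["192.0.2.20"],
                                    OTHER_SK, OTHER_PK),
}

# Filtering resolver: the operator's own key, its blocklist, its block page.
FILTER_SK, FILTER_PK = keygen()
BLOCKLIST = {"example.com"}
BLOCK_PAGE = "192.0.2.99"

# Trust-anchor stores a client might ship with (no chain of trust modelled).
ZONE_ANCHORS = {key_tag(ZONE_PK): ZONE_PK, key_tag(OTHER_PK): OTHER_PK}
ZONE_AND_FILTER_ANCHORS = {**ZONE_ANCHORS, key_tag(FILTER_PK): FILTER_PK}

def filtering_resolver(name: str, resign: bool):
    """Answer a blocking recursive resolver hands out.
    resign=False: swap the address but keep the zone's signature (naive filter).
    resign=True: sign the substituted RRset with the filter operator's key."""
    answer = AUTHORITATIVE[name]
    if name not in BLOCKLIST:
        return answer
    if resign:
        return make_rrset(name, [BLOCK_PAGE], FILTER_SK, FILTER_PK)
    forged = dict(answer)
    forged["rdata"] = (BLOCK_PAGE,)
    return forged

def validate(rrset, trust_anchors) -> str:
    """Validating client: 'secure' only if the signature verifies under a key
    the client trusts; everything else is 'bogus' and must not be used."""
    pk = trust_anchors.get(rrset["keytag"])
    if pk is None:
        return "bogus"    # signer not reachable from any configured anchor
    ok = verify(pk, canonical(rrset["name"], rrset["rdata"]), rrset["sig"])
    return "secure" if ok else "bogus"

def lookup(name, trust_anchors, resign):
    """End to end: ask the filtering resolver, validate, return (status, rdata)."""
    rrset = filtering_resolver(name, resign)
    return validate(rrset, trust_anchors), rrset["rdata"]

def after_rollover(trust_anchors) -> str:
    """'Roll over and die': example.com re-signs with a fresh key; a client whose
    anchor store was not updated rejects even the authentic, unfiltered answer."""
    new_sk, new_pk = keygen()
    return validate(make_rrset("example.com", ["192.0.2.10"], new_sk, new_pk),
                    trust_anchors)

if __name__ == "__main__":
    print(lookup("example.com", ZONE_ANCHORS, resign=False))
    print(lookup("example.com", ZONE_ANCHORS, resign=True))
    print(lookup("example.com", ZONE_AND_FILTER_ANCHORS, resign=True))
    print(lookup("unblocked.example", ZONE_ANCHORS, resign=True))
    print(after_rollover(ZONE_ANCHORS))
```

The point the model makes is independent of the toy signature scheme: a resolver that rewrites answers for a signed name produces something a validating client classifies as bogus, whichever of the two filtering strategies it uses, and the only way the block page validates is for the filter operator's key to be installed as a trust anchor on the client itself. Real DNSSEC adds a chain of trust from the root and negative (NSEC/NSEC3) proofs, which the model leaves out.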
