[dns-operations] DNS filtering in the UK

Mark Andrews marka at isc.org
Thu Sep 15 03:12:29 UTC 2016


In message <57D9FCE3.6030409 at redbarn.org>, Paul Vixie writes:
> the problem with this kind of dns filtering is that it has all the 
> problems we described in the SOPA wars, but those are too detailed for 
> policy makers to grok, and the real problems caused by this kind of 
> filtering will prevent the creation of DNSSEC-aware applications, but 
> there are none at the moment.
> 
> so, what i hear from the losers in the SOPA wars now is, we weren't 
> lying, DNS filtering at scale does not break the internet, just look at 
> what they're doing in europe. and i don't have a single DNSSEC-aware 
> application to point at, that breaks due to DNS filtering.

When you just want to stop people getting to a site, does it matter
if it is SERVFAIL, NXDOMAIN or a redirect address?  When you target
the <service name,type> there is little collateral damage except
to the service you are targeting.

example.com                A      192.0.2.1
example.com                MX     0 mail.example.com
example.com                DNSKEY ...
example.com                NS     ...
mail.example.com           A      192.0.2.1
_25._tcp.mail.example.com  TLSA   ...
www.example.com            A      192.0.2.1

Now if you re-write example.com/A and www.example.com/A, email still
gets through even when the zone is signed and the MTA is TLSA aware.

If you NXDOMAIN the names you stop people reaching the website and
sending email.  It's only when the collateral damage gets too big
that there will be complaints, e.g. rewrite the address 192.0.2.1 and
the server is shared with non-targeted sites.

At this stage there aren't enough signed zones which contain targeted
data for people to complain.

> for all i know TPP will bring it all back around again. bad ideas never 
> die, they just go into submarine mode for a while and then pop up 
> someplace else.
> 
> vixie
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
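
An added illustration, not part of the original message: a small Python model of the three filtering choices discussed above (rewrite specific <name,type> pairs, NXDOMAIN the names, rewrite by address) applied to the example zone, reporting which services still resolve to their real data. The name www.other.example, the redirect address 198.51.100.1 and all function names are assumptions; DNSSEC validation itself is not modelled.

```python
# Constructed model of the example zone from the message (DNSKEY/NS omitted).
# www.other.example is an assumed non-targeted site sharing the same server.
ZONE = {
    ("example.com", "A"): ["192.0.2.1"],
    ("example.com", "MX"): ["0 mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.1"],
    ("_25._tcp.mail.example.com", "TLSA"): ["..."],  # elided, as on the page
    ("www.example.com", "A"): ["192.0.2.1"],
    ("www.other.example", "A"): ["192.0.2.1"],
}
BLOCK = "198.51.100.1"  # hypothetical redirect address used by the filter

def rewrite_name_type(targets):
    """Filter that rewrites only the listed <name,type> pairs."""
    return lambda n, t, ans: [BLOCK] if (n, t) in targets and ans else ans

def nxdomain_names(names):
    """Filter that answers NXDOMAIN (modelled as None) for the listed names."""
    return lambda n, t, ans: None if n in names else ans

def rewrite_address(addr):
    """Filter that rewrites every A answer containing addr, whatever the name."""
    return lambda n, t, ans: [BLOCK] if t == "A" and ans and addr in ans else ans

def resolve(policy, name, rtype):
    """Answer a client sees after the filter is applied to the real data."""
    return policy(name, rtype, ZONE.get((name, rtype), []))

def web_ok(policy, host):
    """True if the host still resolves to its real address."""
    return resolve(policy, host, "A") == ZONE[(host, "A")]

def mail_ok(policy, domain):
    """True if MX, the MX host's address and its TLSA record are all intact."""
    mx = resolve(policy, domain, "MX")
    if not mx:
        return False
    host = mx[0].split()[1]
    return (resolve(policy, host, "A") == ZONE[(host, "A")]
            and bool(resolve(policy, "_25._tcp." + host, "TLSA")))

def impact(policy):
    """Which services survive: target website, target mail, shared site."""
    return {"web": web_ok(policy, "www.example.com"),
            "mail": mail_ok(policy, "example.com"),
            "other_site": web_ok(policy, "www.other.example")}
```
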


