[dns-operations] DNS filtering in the UK

Paul Vixie paul at redbarn.org
Thu Sep 15 03:57:43 UTC 2016

Mark Andrews wrote:
> In message<57D9FCE3.6030409 at redbarn.org>, Paul Vixie writes:
>> so, what i hear from the losers in the SOPA wars now is, we weren't
>> lying, DNS filtering at scale does not break the internet, just look at
>> what they're doing in europe. and i don't have a single DNSSEC-aware
>> application to point at, that breaks due to DNS filtering.
> When you just want to stop people getting to a site does it matter
> if it is SERVFAIL, NXDOMAIN or a redirect address?  When you target
> the<service name,type>  there is little collateral damage except
> to the service you are targeting.

the collateral damage is the dnssec-aware applications which will never 
be developed, because they wouldn't be able to tell the difference 
between criminal and government interference in their dns data path.

i for one would not have made my personal or various corporate 
investments in dnssec if the only result was to secure the cache. 
rather, it was the promise of new applications could not have been or 
would never be developed until authenticity was a feature dns had, that 
motivated me.

if governments in most of the free world decide that dns blocking is the 
only way to be seen doing something about online sex crimes against 
children, then we (this community) just wasted about 5000 man years on 
dnssec, because it cannot coexist with this brand of do-something-ism.

>> for all i know TPP will bring it all back around again. bad ideas never
>> die, they just go into submarine mode for a while and then pop up
>> someplace else.
>> vixie

P Vixie

More information about the dns-operations mailing list