[dns-operations] DNS filtering in the UK

Mark Andrews marka at isc.org
Thu Sep 15 04:57:21 UTC 2016

In message <57DA1C37.9000708 at redbarn.org>, Paul Vixie writes:
> Mark Andrews wrote:
> > In message <57D9FCE3.6030409 at redbarn.org>, Paul Vixie writes:
> >> so, what i hear from the losers in the SOPA wars now is, we weren't
> >> lying, DNS filtering at scale does not break the internet, just look at
> >> what they're doing in europe. and i don't have a single DNSSEC-aware
> >> application to point at, that breaks due to DNS filtering.
> >
> > When you just want to stop people getting to a site does it matter
> > if it is SERVFAIL, NXDOMAIN or a redirect address?  When you target
> > the <service name,type> there is little collateral damage except
> > to the service you are targeting.
> the collateral damage is the dnssec-aware applications which will never 
> be developed, because they wouldn't be able to tell the difference 
> between criminal and government interference in their dns data path.

Which basically means we need secure signalling of the latter.  Adding
signed records to the additional section of the response like:

<nsec3hash(qname)>.<well-known-prefix> RESTRICTED <labels> <type-bitmap>

Where <well-known-prefix> is maintained by the government and would
allow validators to detect the difference if the record above is
found and validates.  Yes, you do need to distribute the
<well-known-prefix> applicable to the jurisdiction.

This has the advantage of not distributing the list of well known
names.  Wildcard entries are supported by only hashing <labels>
of the qname.

> i for one would not have made my personal or various corporate 
> investments in dnssec if the only result was to secure the cache. 
> rather, it was the promise of new applications could not have been or 
> would never be developed until authenticity was a feature dns had, that 
> motivated me.
> if governments in most of the free world decide that dns blocking is the 
> only way to be seen doing something about online sex crimes against 
> children, then we (this community) just wasted about 5000 man years on 
> dnssec, because it cannot coexist with this brand of do-something-ism.
> >> for all i know TPP will bring it all back around again. bad ideas never
> >> die, they just go into submarine mode for a while and then pop up
> >> someplace else.
> >>
> >> vixie
> -- 
> P Vixie
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
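The following is an added example, not code from this thread or from ISC, that models the signalled-restriction record Mark Andrews sketches above so the resolver and validator sides can be seen together. It assumes NSEC3 hashing as in RFC 5155 (SHA-1, base32hex, lower case); it interprets <labels> the way the RRSIG Labels field works, so a wildcard entry hashes only the rightmost <labels> labels of the qname; it models the type bitmap as a Python set of type names rather than the RFC 4034 wire encoding; and it uses the placeholder "restricted.invalid." for the jurisdiction's <well-known-prefix>. Signature validation of the record is assumed to have happened already and is outside this snippet.

```python
import base64
import hashlib

# Placeholder for the government-maintained <well-known-prefix> (constructed,
# not a real name); a validator would carry one per jurisdiction.
WELL_KNOWN_PREFIX = "restricted.invalid."

# base32 -> base32hex alphabet translation (RFC 4648 "Extended Hex")
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = str.maketrans(_B32, _B32HEX)


def labels_of(name):
    """Lower-cased labels of a DNS name, root label dropped."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def wire_name(name):
    """Canonical (lower-case) wire format of a name, as NSEC3 hashes it."""
    out = b""
    for label in labels_of(name):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 NSEC3 hash: iterated SHA-1 over wire name || salt, base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> exactly 32 base32 characters, so no padding to strip
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def restricted_record(qname, labels, types, salt=b"", iterations=0):
    """Resolver side: build the RESTRICTED record for the additional section.

    Returns (owner, labels, types).  When `labels` is smaller than the
    number of labels in qname this is a wildcard entry: only the rightmost
    `labels` labels are hashed (assumed semantics, modelled on RRSIG Labels).
    """
    parts = labels_of(qname)
    if not 1 <= labels <= len(parts):
        raise ValueError("labels must be between 1 and the qname label count")
    hashed_name = ".".join(parts[len(parts) - labels:])
    owner = nsec3_hash(hashed_name, salt, iterations) + "." + WELL_KNOWN_PREFIX
    return (owner, labels, frozenset(t.upper() for t in types))


def signalled_restriction(qname, qtype, additional, salt=b"", iterations=0):
    """Validator side: is a failed <qname,qtype> covered by a RESTRICTED record?

    `additional` holds (owner, labels, types) tuples that have already passed
    DNSSEC validation under the well-known prefix.  A match means the failure
    was an openly signalled restriction rather than an unexplained tampering.
    """
    parts = labels_of(qname)
    for owner, labels, types in additional:
        if not owner.lower().endswith("." + WELL_KNOWN_PREFIX):
            continue  # not under the jurisdiction's prefix; ignore
        if labels > len(parts):
            continue  # cannot apply to a shorter qname
        candidate = ".".join(parts[len(parts) - labels:])
        expected = nsec3_hash(candidate, salt, iterations) + "." + WELL_KNOWN_PREFIX
        if owner.lower() == expected and qtype.upper() in types:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: an exact entry and a wildcard entry (labels=2)
    exact = restricted_record("www.badsite.example.", 3, ["A", "AAAA"])
    wild = restricted_record("any.badsite.example.", 2, ["A"])
    print(exact[0])
    print(signalled_restriction("www.badsite.example.", "A", [exact]))
    print(signalled_restriction("other.badsite.example.", "A", [wild]))
```

Note that with the rightmost-labels interpretation an exact entry for a two-label name and a wildcard entry under that same name produce the same owner, which is the trade-off Mark's "only hashing <labels> of the qname" implies: the validator learns that the name is restricted without the resolver ever publishing the list of restricted names.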
