[dns-operations] DNS filtering in the UK

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Sep 15 06:04:41 UTC 2016

On Wed, Sep 14, 2016 at 10:07:44PM -0700, Paul Vixie wrote:

> >Why do applications need to care about the purported motivation of
> >the interference.  When destination is made unreachable, the technical
> >details are hardly relevant.
> >
> >I don't see how this derails DNSSEC.  What DNSSEC does is make the
> >interferecent visible, is there anything wrong with that?
> http://www.redbarn.org/node/6

I take no issue with the spirit of the document, but it seems that
those DNS filters that the vast majority of users will neither
notice nor be motivated to circumvent will do little harm to DNSSEC.

It is only if DNS filtering overreaches into denying access to
broadly popular content whose users will take steps to bypass the
blocks, that the outlined harms come into play.  Rules that make
criminals of us all can do great harm for quite some time before
they ultimately fail.

Thus, whether a domain hosting child-abuse content is blocked at
the network layer or the DNS layer makes little different to 
DNSSEC applications that are not intended to reach such content.

Attempts to extend DNS filtering to protection of content monopoly
dinosaurs would indeed cause much harm.  Perhaps it is wise to
expect that no DNS filtering regime can plausibly remain limited
in its scope, and that powers once granted only grow over time.

Such a slippery-slope argument could well be valid.  For now I am
not concerned about some of the reported uses, where for lack of
jurisdiction, local authorities cannot seize the domain or shutdown
the servers hosting content that is both illegal and depraved.
Yes, I am concerned about the slippery-slope.

I of course understand that DNS filters will not stop those who
specifically seek out the blocked content.  And yet blocking some
forms of content by various available means may be justifiable.


More information about the dns-operations mailing list