[dns-operations] DNS filtering in the UK

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Sep 15 15:31:53 UTC 2016

On Thu, Sep 15, 2016 at 07:49:52AM -0700, Paul Vixie wrote:

> >I take no issue with the spirit of the document, but it seems that
> >those DNS filters that the vast majority of users will neither
> >notice nor be motivated to circumvent will do little harm to DNSSEC.
> the document covers that point.

Not sure which part of the paper does that.  If it is:

    Even DNS filtering that did not contemplate redirection would
    pose security challenges. The only possible DNSSEC-compliant
    response to a query for a domain that has been ordered to be
    filtered is for the lookup to fail. It cannot provide a false
    response pointing to another resource or indicate that the
    domain does not exist. From an operational standpoint, a
    resolution failure from a nameserver subject to a court order
    and from a hacked nameserver would be indistinguishable. Users
    running secure applications have a need to distinguish between
    policy-based failures and failures caused, for example, by the
    presence of an attack or a hostile network, or else downgrade
    attacks would likely be prolific.

then I don't see why a DNSSEC application should care whether access
to a destination is blocked by an attacker or by court order.
Indeed the court ordered DNS filter is but one form of attack on
the availability of the target service, albeit presumably a legal
attack in the jurisdiction in question.

With reference to:

    DNSSEC is being implemented to allow systems to demand verification
    of what they get from the DNS. PROTECT IP would not only require
    DNS responses that cannot deliver such proof, but it would
    enshrine and institutionalize the very network manipulation
    DNSSEC must fight in order to prevent cyberattacks and other
    miscreant behavior on the global Internet.

was it really the case that PROTECT IP required clients to accept
the modified response?  With DNSSEC, the sensible filtering DNS
server implementation is a SERVFAIL or a REFUSED response.  These
don't carry authentication information, and don't break DNSSEC.

There would only be an issue if the mandated filters were required
to somehow ensure that end-user applications actually get redirected
to some other site.  If the filters simply return SERVFAIL or REFUSED,
DNSSEC does not enter the picture.

Perhaps PROTECT IP suffered from egregious overreach; all I am
saying is that it is possible, at least in principle, to be more
judicious.  And it seems that some folks reported filtering regimes
in some Northern European countries (where there is broad DNSSEC
adoption) that are more modest in their scope.

> if you don't agree, please argue in more detail against specific statements
> made in that document.
> or, ask questions.

It seems to me that the paper focuses on a DNS filtering regime in
which access to the authoritative DNS data is not only blocked,
but there is a requirement that non-authoritative responses be
injected and honoured.  If that's the case I fully agree that
that would be a fundamental obstacle to DNSSEC.

Similarly, if one attempted to block DNS access for a broad slice
of the population, then circumvention fallout becomes an issue as
noted in the paper.

If, however, the technical measures are simply SERVFAIL or REFUSED
responses, or perhaps a modified response for any insecure clients
that nobody expects DNSSEC clients to trust and, furthermore, the
scope of the filters is narrowly focused on just the most extreme
and uncommon criminal violations of social norms, rather than
protection of copyright holders' monopolies, then it seems that
DNSSEC and such filtering can coexist just fine.
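As an added illustration of the distinction drawn above between a SERVFAIL/REFUSED block and an injected answer (example code written for this post, not from the thread or any resolver; the wire messages are constructed samples, and the check only tests for the presence of an RRSIG in the answer section, not its cryptographic validity):

```python
import struct

# RCODEs (RFC 1035) and RR types (RFC 1035 / RFC 4034) the example needs.
NOERROR, SERVFAIL, REFUSED = 0, 2, 5
TYPE_A, TYPE_RRSIG = 1, 46

def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, zero-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(qname, rcode, answers=()):
    """Constructed sample response; answers is a list of (rtype, rdata) tuples."""
    # Flags 0x8180 = QR|RD|RA; the low four bits carry the RCODE.
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    rrs = b"".join(encode_name(qname) + struct.pack("!HHIH", t, 1, 300, len(r)) + r
                   for t, r in answers)
    return header + question + rrs

def skip_name(wire, off):
    """Advance past a name, honouring the 0xC0 compression-pointer form."""
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:   # pointer: two bytes, then the name ends
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def classify_response(wire, zone_signed=True):
    """What a validating stub concludes from one resolver response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", wire[:12])
    if flags & 0x0F in (SERVFAIL, REFUSED):
        # No data and no signatures arrive, so DNSSEC is never consulted; the
        # stub cannot tell a court-ordered block from an outage or an attack.
        return "resolution-failure"
    off = 12
    for _ in range(qd):                       # step over the question section
        off = skip_name(wire, off) + 4
    types = []
    for _ in range(an):                       # collect answer RR types
        off = skip_name(wire, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    if zone_signed and TYPE_A in types and TYPE_RRSIG not in types:
        # An injected A record for a signed zone cannot carry a valid RRSIG,
        # so the stub treats it as bogus instead of following the redirect.
        return "bogus"
    return "signed" if TYPE_RRSIG in types else "insecure"
```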
