[dns-operations] DNS filtering in the UK

Georg Kahest georg.kahest at internet.ee
Fri Sep 16 12:02:02 UTC 2016


On 09/15/2016 06:31 PM, Viktor Dukhovni wrote:
> It seems to me that the paper focuses on a DNS filtering regime in 
> which access to the authoritative DNS data is not only blocked, but
> there is a requirement that non-authoritative responses be injected
> and honoured.  If that's the case I fully agree that that would be
> a fundamental obstacle to DNSSEC.
> 
> Similarly, if one attempted to block DNS access for a broad slice 
> of the population, then circumvention fallout becomes an issue as 
> noted in the paper.
> 
> If, however, the technical measures are simply SERVFAIL or REFUSED 
> responses, or perhaps a modified response for any insecure clients 
> that nobody expects DNSSEC clients to trust and, furthermore, the 
> scope of the filters is narrowly focused on just the most extreme 
> and uncommon criminal violations of social norms, rather than 
> protection of copyright holders' monopolies, then it seems that 
> DNSSEC and such filtering can coexist just fine.

At least here in .ee the DNS filtering done on ISPs on behalf of gov
works exactly like that; the users are sent to a gov page rather than
getting a SERVFAIL or REFUSED response.

I would guess that's what is done at most places, because you want to
inform the users about the blocked content, not just fail.


-- 
Georg Kahest
System Administrator / Süsteemiadministraator

Eesti Interneti SA   Paldiski mnt 80, 10617 Tallinn
Tel 727 1016
www.internet.ee
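An added example, not part of the original message: a simplified model of how a validating and a non-validating client each see the filtering styles discussed above (a rewritten answer pointing at a notice page versus SERVFAIL or REFUSED). The function names, the name blocked.example and the address 192.0.2.1 are constructed for illustration, and the presence of an RRSIG stands in for full DNSSEC signature validation.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A, TYPE_RRSIG = 1, 46

def build_response(qname, rcode, answers):
    """Constructed sample data: minimal DNS response, answers = [(rtype, rdata)]."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg += name + struct.pack("!2H", TYPE_A, 1)           # question: qname A IN
    for rtype, rdata in answers:                          # owner = pointer to qname
        msg += b"\xc0\x0c" + struct.pack("!2HIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        if n == 0:                # root label ends the name
            return off + 1
        off += 1 + n

def parse(msg):
    """Return (rcode, [answer record types]) from a wire-format response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                     # skip QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen
    return flags & 0xF, types

def client_outcome(msg, zone_signed, validating):
    """What the end user's resolver does with this response (simplified)."""
    rcode, types = parse(msg)
    if rcode != 0:
        return "fails:" + RCODES.get(rcode, str(rcode))
    # Assumption: a filter cannot produce valid signatures for someone else's
    # signed zone, so a rewritten answer arrives without a usable RRSIG.
    if validating and zone_signed and TYPE_RRSIG not in types:
        return "fails:bogus"
    return "accepts-answer"

# Constructed samples: redirect to a notice page, and a plain SERVFAIL.
REDIRECT = build_response("blocked.example", 0, [(TYPE_A, bytes([192, 0, 2, 1]))])
SERVFAIL = build_response("blocked.example", 2, [])
```

In this model only the non-validating client follows the rewritten answer to the notice page; for a validating client the redirect and the SERVFAIL both end in a lookup failure.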


