[dns-operations] blockchain DNS

Paul Vixie paul at redbarn.org
Thu Feb 1 04:16:06 UTC 2018

i think this was well answered by others, but i want to ask a question,
and along the way i want to amplify some points made by others down-thread.

Jimmy Hess wrote:
> ...
> The DNS registry is not (or should not) be the content police force;
> they may be targeted because the central entity appears a
> "responsible" authority for the presence of a domain in the DNS:
> they are a convenient entity to send orders to, and can easily
> disrupt availability to a domain -- even if the website is located
> in another jurisdiction: E.G. the registry or a Root server may be
> in the US, and the website, and its users in the UK or Russia.

if you provide material support for someone who is hurting me, then 
you'll be hearing from me in various forms, starting with a complaint. 
your best move is to remove them as a customer. as others here also 
said, it is the norm for a dns registry to process tens of thousands of 
complaints per day, and for a dns registry and its registrars to 
variously remove thousands of domains per day.

so, when you say "is not (or should not be)", you're twice wrong.

> The larger concern with the traditional DNS is a content publisher
> and the viewing user are in country B, and the .COM or some
> internationally-used ccTLD's infrastructure is in country A, then
> country A can and will eventually try to apply their own policies and
> censor country B users' access even to a domain that is legitimate in
> country B ----- with no way of restoring access according to the laws
> of country B, or the registrar may be directed to tamper with DNSSEC
> published data allowing impersonation of a domain registered from
> country B.

indeed, extra-territoriality has always been a favorite shell game for 
criminals and their enablers. even apart from technical advances like 
dns, treaties have never been able to keep pace with this. one famous 
fictional work ("the lensmen series") posited a need for a single police 
force covering all of "civilization" as the only workable answer. 
fortunately i see no signs of that happening in our world, since not 
everything is equally illegal everywhere. i do want to point to crimes 
against children, especially sexual, especially online, are the same 
kind of illegal everywhere, and do get better law enforcement 
cooperation. however, we can't demand that standard for everything else.

> A thought would be to deal with malicious websites... you can think
> about a "Reputation data" chain,  (potentially) -- that could also
> just be implemented using existing RPZ technology without a
> reputation blockchain;
> But in a similar way you can publish and discover resolution data;
> you can have a way for 3rd parties to publish and you to discover
> "Reputation Data" -- or "User Advisories against domain X".
> Then the resolvers can subscribe to the data provided by the
> appropriate regional censorship authorities and "malicious sites info
> providers" to interdict DNS queries regarding domains of interest.

this is where you begin to interest me. as the co-inventor of both the 
RBL and RPZ (with eric ziegast and vernon schryver, respectively), i'm 
much in favour of private right of action, where that action is to shun. 
cooperation between reputation providers and reputation consumers has 
often been called censorship -- by spammers and their enablers, at least.

one problem with this approach is anti-trust law. i co-founded with dave 
rand the first anti-spam company (MAPS) in 1996, and i found that my 
legal costs for explaining to judges and juries why our activities did 
not meet the standard for "conspiracy in restraint of trade" were very 
much higher than our subscribers could possibly afford to pay us, and 
once the NASDAQ crashed, dave and i were no longer able to afford our 
own lawyers. very messy. spamhaus has a more thoughtful defense against 
this kind of harassment than we had, and they're succeeding.

so my first question is, are you aware of the spamhaus RPZ? this is a 
DNS-RPZ view of their SBL/ZEN/ROKSO content, and it's available for 
commercial subscription. my second question would be, would this type of 
RPZ meet your needs, and if not, why not, and what would?

P Vixie
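To make the RPZ mechanics discussed in this thread concrete, here is an added example (not code from the original post, from Spamhaus, or from any RPZ implementation) of how a subscribing resolver turns a reputation feed into shunning decisions. It parses a small, constructed RPZ zone in BIND presentation format and evaluates QNAME triggers only (no IP, NSDNAME or NSIP triggers, and no zone transfer), using the standard RPZ encoding in which the CNAME target carries the action: `.` for NXDOMAIN, `*.` for NODATA, `rpz-passthru.` to exempt a name, `rpz-drop.` to drop the query, and any other target as a redirect to a walled-garden name. All zone and domain names in it (`rpz.example`, `phish.test`, `walled.example` and so on) are constructed placeholders.

```python
"""Minimal evaluator for DNS Response Policy Zone (RPZ) QNAME triggers.

Added example, not code from the mailing-list post or from any RPZ feed
or resolver. It parses a constructed RPZ zone in BIND presentation format
and applies the resulting policy to query names the way a subscribing
resolver would shun domains listed by a reputation provider.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample RPZ zone (not a real feed). Owner names are relative
# to the zone apex "rpz.example." and name the domains being policed.
SAMPLE_RPZ_ZONE = """\
$ORIGIN rpz.example.
$TTL 300
@            SOA  ns.rpz.example. hostmaster.rpz.example. 1 3600 900 604800 300
@            NS   ns.rpz.example.
phish.test   CNAME .               ; NXDOMAIN for the exact name
*.phish.test CNAME .               ; ... and for everything beneath it
ads.test     CNAME *.              ; NODATA: name exists, but no records
*.bad.test   CNAME walled.example. ; redirect to a walled-garden notice page
ok.bad.test  CNAME rpz-passthru.   ; exempt one subdomain from the wildcard
c2.test      CNAME rpz-drop.       ; drop the query silently
"""


@dataclass(frozen=True)
class Policy:
    action: str                   # NXDOMAIN, NODATA, PASSTHRU, DROP or REDIRECT
    target: Optional[str] = None  # redirect destination, only for REDIRECT


def _action_from_cname(target: str) -> Policy:
    """Decode the RPZ action encoded in a trigger record's CNAME target."""
    if target == ".":
        return Policy("NXDOMAIN")
    if target == "*.":
        return Policy("NODATA")
    if target == "rpz-passthru.":
        return Policy("PASSTHRU")
    if target == "rpz-drop.":
        return Policy("DROP")
    return Policy("REDIRECT", target)


def parse_rpz(zone_text: str) -> Dict[str, Policy]:
    """Return {policed_domain: Policy} for every QNAME trigger in the zone."""
    origin = "."
    triggers: Dict[str, Policy] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$") or fields[0] == "@":
            continue  # other directives and the apex SOA/NS records
        if "CNAME" not in fields:
            continue  # only CNAME records carry QNAME-trigger actions
        owner = fields[0]
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"  # make relative owner names absolute
        # Strip the RPZ apex: the remainder is the domain being policed.
        if owner.endswith("." + origin):
            owner = owner[: -len(origin) - 1]
        target = fields[fields.index("CNAME") + 1]
        triggers[owner.lower().rstrip(".")] = _action_from_cname(target)
    return triggers


def lookup(triggers: Dict[str, Policy], qname: str) -> Policy:
    """Decide what the resolver does with qname under this one RPZ.

    Exact-name triggers win over wildcards, which is what lets an
    'rpz-passthru.' entry exempt a name from an enclosing '*.' entry.
    Among wildcards the closest enclosing one wins.
    """
    name = qname.lower().rstrip(".")
    if name in triggers:
        return triggers[name]
    labels = name.split(".")
    for i in range(1, len(labels)):  # *.x.y never matches x.y itself
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in triggers:
            return triggers[wildcard]
    return Policy("PASSTHRU")  # no trigger: resolve normally


if __name__ == "__main__":
    policy = parse_rpz(SAMPLE_RPZ_ZONE)
    for q in ["login.phish.test.", "ads.test.", "tracker.bad.test.",
              "ok.bad.test.", "c2.test.", "example.org."]:
        print(f"{q:22} -> {lookup(policy, q)}")
```

A real resolver consults its configured RPZs in order and stops at the first zone that matches, so a locally maintained passthru zone listed before a commercial feed is the usual way to override a provider's listing without editing the feed itself.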
