If people want to prevent their TCP/IP enabled lightswitches from
viewing porn as well as stopping them from accessing malware sites,
then I guess they could use this mechanism.
I do not consider stopping my computer from accessing malware or
crimeware sites to be 'censorship'. Censorship is what people do to
other people. I have never heard of a anti-porn crusader who says that
they need to be protected from porn, they always worry about what it
would do to other people.
The fact that the DNS can be used as a censorship point only
reinforces the need for the endpoint to be more careful in their
choice of resolution service. The current DNS model was conceived when
a VAX 11/780 only just fit in a standard elevator and cell phones were
considered futuristic spy gadgets. Had the need for endpoints to move
about been considered I don't think the default of taking DNS
resolution service from your local network provider would have been
For a whole host of reasons it is a really bad idea for ICANN or any
other single point authority to be in the business of filtering domain
name issue. Since it is also a bad idea to route packets to names
controlled by the Russian Business Network it follows that most end
points should not be using the authoritative DNS name space.
Given that the vast majority of medium to large sized businesses seem
to already have some form of restriction on Internet access, I don't
see that trying to enforce this by making the DNSSEC protocol issue
failure reports is going to change anything. If the technical measures
were effective then the businesses would simply turn off DNSSEC. But
it is rather more likely that they won't work at all because nobody
has yet worked out what a Web browser should do if it is told that the
site exists but the resolution of the DNS request is blocked. Perhaps
they could send a request for the missing packets by carrier pigeon.
On Thu, Feb 18, 2010 at 8:59 PM, Paul Wouters <paul(_at_)xelerance(_dot_)com>
On Thu, 18 Feb 2010, Phillip Hallam-Baker wrote:
The key point is choice. Just as some people CHOOSE to install
products such as Norton Anti-Virus that stop certain applications
running on their machine, the typical Internet user should probably
CHOOSE to use a DNS service that has the known crimeware sites
Should they also CHOOSE for a porn filter. And a filter on politically
sensitive words? Where does our job end to let the user CHOOSE their
censorship? And again, you make it sound like DNSSEC is taking away that
choice, which is clearly not the case.
The point is that the particular obsession with 'end to end' solutions
means that we loose the ability to deploy architectures that provide
greater protection against the attacks that actually matter.
It prevents hacking the protocol (for good AND for evil). And that is
a good thing.
DNS hijacking is a very rare type of attack.
No it is not. It depends on your environment. I'll grant you that its
more likely you'll end up on a phising side then caught in a DNS spoof,
but that does not validate your opinion of not rolling out stronger
security just so people can play games with protocols.
And as Mark showed, there are legitimate ways of piggypacking filtering
services with DNS using EDNS options.
Securing the mapping of
DNS names to IP addresses will not provide a major reduction in
expected losses due to attacks.
It will greatly improve security by providing a hierarchical distributed
signed database. You will see many new applications leveling this new
We already have domain validated SSL
certificates that meet that need quite adequately.
You haven't been around in the last year? When we had SSL attack after SSL
attack? A 2 second email verification for a "valid for the entire world"
certificate is not what I would call "quite adequately".
The value in DNSSEC lies in being able to establish a coherent network
based system of security policy distribution.
Sorry, I am not sure what this means. But if it is another application of
distributed signed data, then yes, it is another case for the adoption of
DNSSEC, not for critisism that it would block some filtering technique,
which it doesn't)
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
Ietf mailing list