Paul Vixie Explains, In Great Detail, Why You Don't Want 'Policy Analysts' Determining DNS Rules
from the let-the-geeks-be-geeks-please dept
There's been plenty of talk, obviously, about the problems with SOPA and PIPA and how they treat DNS as a tool for blocking, despite the massive problems it causes for security efforts like DNSSEC. Every single working engineer who's spoken out on this issue (that we've seen, at least), has made this same point. We've even heard from techies within the government saying the same thing. And, of course, even Comcast itself (despite supposedly being in favor of the bill) proudly admits that DNS blocking is incompatible with DNSSEC. Even as the House and Senate are trying to punt on DNS issue, they still fully expect to put it in place at a later date, so it's important to discuss why it's a bad, bad idea.So far, the "pro-SOPA/PIPA" folks haven't been able to find a legitimate working technologist who says that these plans make sense. Instead, they've brought out some "policy analysts" who have some basic technology background, but not a deep understanding of DNS. But, because they can toss around some tech terms, SOPA/PIPA supporters think they sound credible. However, in his latest post on the subject, Vixie walks through a step-by-step explanation for why each suggested method of DNS blocking won't work and/or breaks DNSSEC. Basically, these "policy analysts" keep suggesting different ways that they think DNS blocking could work, and Vixie explains why they're wrong each time, and points out the importance of actually having DNS engineers do DNS engineering -- not policy analysts.
For example an early draft of this legislative package called for DNS redirection of malicious domain names in conflict with the end-to-end DNS Security system (DNSSEC). Any such redirection would be trivially detected as a man in the middle attack by secure clients and would thus be indistinguishable from the kind of malevolent attacks that DNSSEC is designed to prevent. After the impossibility of redirection was shown supporters of PIPA and SOPA admitted that a redirection (for example, showing an "FBI Warning" page when an American consumer tried to access a web site dedicated to piracy or infringement) was not actually necessary. Their next idea was no better: to return a false No Such Domain (NXDOMAIN) signal. When the DNS technical community pointed out that NXDOMAIN had the same end-to-end security as a normal DNS answer and that false NXDOMAIN would be detected and rejected by secure clients the supporters SOPA and PIPA changed their proposal once again.And yet... it's not being designed by DNS engineers at all. It's being designed by policy people, with a smattering of help from some former technologists who don't really understand DNS. That seems like a pretty big problem.
The second to latest idea for some technologically noninvasive way to respond to a DNS lookup request for a pirate or infringing domain name was "just don't answer". That is, simulate network loss and let the question "time out". When the DNS technical community explained that this would lead to long and mysterious delays in web browser behavior as well as an increased traffic load on ISP name servers due to the built in "retry logic" of all DNS clients in all consumer facing devices, we were ignored. However when we also observed that a DNSSEC client would treat this kind of "time out" as evidence of damage by the local hotel or coffee shop wireless gateway and could reasonably respond by trying alternative servers or proxies or even VPN paths in order to get a secure answer, the supporters of SOPA and PIPA agreed with this and moved right along.
The latest idea is to use the Administrative Denial (REFUSED) response code, which as originally defined seemed perfect for this situation. To me this latest proposal as well as the road we've travelled getting to this point seems like an excellent example of why network protocols should be designed by engineers....
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: blocking, dns, dnssec, paul vixie, pipa, policy, protect ip, sopa, technology
Reader Comments
Subscribe: RSS
View by: Time | Thread
The preeminent DNS software on the Internet is BIND, whose market share has declined from 99% to 85% in the last 25 years. I maintained and rewrote BIND from 1989 or so until 1999 or so and I am also the author or co-author of a half dozen or so Internet RFC documents on the subject of DNS. So I know that we send REFUSED in response to a query when we don't like the client's IP address — DNS servers do not even look at the question before deciding whether to send REFUSED. On the client side, if we hear a REFUSED we give up on that server and move on to the next server — which means we assume that it was the client's IP address that the server is refusing, not the question we happened to be asking at that moment. Microsoft Windows will actually "de-preference" a name server if they hear too many REFUSED messages from it — so BIND is not the only DNS software that interprets REFUSED in this way. ... This means a classic non-secured DNS client will react to a REFUSED signal by treating the server as broken and just asking the next available server — hoping to find a server that is not broken. Whereas a newer DNSSEC client will react to REFUSED by ignoring it and continuing to wait — hoping for a real answer that might follow close on the heels of the potential forgery. In the unsecure case, the client will often do what the proponents of SOPA and PIPA would seem to want — display an error message in the web browser — but will occasionally just repeat the whole transaction a fraction of a second later, increasing the load on the ISP's name servers. In the DNSSEC case, the client will not do PIPA or SOPA are asking, there will just be delay followed by trying some other server, or retrying through a proxy, or otherwise circumventing what will look to DNSSEC like just another broken hotel or coffee shop wireless network.
[ link to this | view in thread ]
Tangent, But Important
[ link to this | view in thread ]
Wreckers and saboteurs
——Aleksandr I. Solzhenitsyn, The Gulag Archipelago
[ link to this | view in thread ]
Institutionalized Lying
The key to understanding America, is to figure out who is lying to who and why.
[ link to this | view in thread ]
Re: Institutionalized Lying
FTFY
[ link to this | view in thread ]
Re: Institutionalized Lying
[ link to this | view in thread ]
Re: Re: Institutionalized Lying
[ link to this | view in thread ]
Any way you look at it technically it can't be done the way SOPA/PIPA supporters want it to be done.
All to legislate a potential future, not a real one, for two failing entertainment sectors. Both failing at their own hand, I might add. (Again. ;-))
As for governments institutionalizing lying, even in the west, I'm afraid that happened decades ago. You know, things like domino theories and all that stuff, weapons of mass destruction found in Iraq that were never found once the troops landed and so on.
So why not now? Why not try to poison DNS so that it lies too. That way governments think they have control over something they've had no control of to now.
[ link to this | view in thread ]
Re: Institutionalized Lying
What about forcing phone books (or phone number lookup sites) to remove or change phone numbers for un-persons?
The possibilities are endless since our "representatives" (tm) are now enacting laws based on the principle of "liberty and justice for the highest bidder".
[ link to this | view in thread ]
::waves fingers::
"These aren't the domain names you're looking for.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Another idiot in power declares SOPA to be good.
[ link to this | view in thread ]
Re: Institutionalized Lying
Why and in what circles has it become acceptable to suggest that lying is okay?
The answer to "who and why" only reveals the criminals and their motives. The answer to "why is it acceptable" reveals the criminal culture, i.e: the root of the parasitic plant.
[ link to this | view in thread ]
Re:
Wow. That's not even close to true.
Hell, just yesterday we noted that Comcast has a complete rollout of DNSSEC.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Well, I guess if it will keep censorship proponents busy for the next 5-10 years developing and rolling the new DNS protocol, that's not so bad. It will give the rest of us time to innovate and move onto whatever comes next.
[ link to this | view in thread ]
Re:
The technical realities of implementing a system like this is automatically freedom killing because its so easy to bypass without a single tool that the only way to ensure compliance is to intercept every DNS request in the USA.
Also, once the requests have left the safe confines of a DNSSEC backbone, nothing at all will stop people from redirecting the redirections.
[ link to this | view in thread ]
Re: Re:
Hes technically correct, yet displaying a stunning level of ignorance at the same time.
Please AC, I wont interfere with your finger painting, you dont interfere with my network implementations.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
If you understood any of that you would be anti-SOPA/PIPA, and thats the problem.
[ link to this | view in thread ]
Re: Re:
Problem solved. :)
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
So please don't pass these laws, it makes my life more difficult.
[ link to this | view in thread ]
What some of you are missing...
[ link to this | view in thread ]
Re: Re:
Kids these days...
[ link to this | view in thread ]
Re: What some of you are missing...
Most senators and representatives, and most of their staffs, are utterly baffled by:
In Hollywood, people in command will order that sequence changed for dramatic effect!
[ link to this | view in thread ]
Re:
Paul has been really careless saying something that enabled you to misinterpret him like that.
However you have been pretty wilful in your misinterpretation - so I guess he had a difficult task!
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
D... N... S...
It does not take much pondering to arrive at the right answer which also means people can't lie to an honest system.
I am looking forwards to Europe implementing DNSSEC when doing so will kill services like BT's CleanFeed system. The same system that currently denies you access to NewzBin2. I spot some more court fight due there.
What I am currently thinking is that if DNSSEC uses Administrative Denied then this should be avoidable through changing your DNS look-up server.
[ link to this | view in thread ]
Re: Re: Re:
There, fixed it for you =)
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Tangent, But Important
Seriously, thanks for doing this.
[ link to this | view in thread ]
Re: Re: Re:
It was hard enough getting stakeholders together to do something (anything) about DNS security. Getting stakeholders together to completely redo the internet isn't going to happen quickly, and you probably won't be happy with the result.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]