Why PROTECT IP Breaks The Internet
from the collateral-damage dept
Last year, after the entertainment foisted COICA on an unsuspecting public, Paul Vixie -- a guy you should listen to when he's concerned about the technical impact of something on the internet -- explained why COICA's reliance on DNS block was incredibly stupid. Not only would it not work, but it would fundamentally fracture the way the internet works, creating massive collateral damage. Last week, when the Senate Judiciary Committee pushed forward with PROTECT IP, we mentioned in passing a new report from Vixie and other internet technology gurus explaining why PROTECT IP's focus on the DNS system would cause tremendous damage. While we had mentioned it, lots of folks keep submitting it, and judging from the ridiculous claims of those in favor of PROTECT IP, the folks in DC pushing for this bill are apparently still ignorant of what the report says -- so we're posting about it again. The report, titled Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill (pdf) is worth a read. The five authors are incredibly well respected, and the entertainment industry folks who are trying to claim this paper can be ignored are going to come out of this looking quite silly.These are concerns that shouldn't be taken lightly. The paper's authors also make it clear that they're not in favor of infringement, and in fact support enforcement of IP laws. They just recognize that this particular solution is dumb and counterproductive:
Two likely situations ways can be identified in which DNS filtering could lead to non-targeted and perfectly innocent domains being filtered. The likelihood of such collateral damage means that mandatory DNS filtering could have far more than the desired effects, affecting the stability of large portions of the DNS.The defenders of propping up the business models of dying industries will brush these unintended consequences as no big deal or a "small issue" at the expense of "saving" the entertainment industry. This is because they don't understand the technology at play, the First Amendment or the nature of collateral damage. It's pretty ridiculous in this day and age that we still have to deal with technically illiterate "policy people" and politicians trying to regulate technology they clearly have little knowledge about. Only those who don't understand the technology think the collateral damage described above is minimal.
First, it is common for different services offered by a domain to themselves have names in some other domain, so that example.com’s DNS service might be provided by isp.net and its e-mail service might be provided by asp.info. This means that variation in the meaning or accessibility of asp.info or isp.net could indirectly but quite powerfully affect the usefulness of example.com. If a legitimate site points to a filtered domain for its authoritative DNS server, lookups from filtering nameservers for the legitimate domain will also fail. These dependencies are unpredictable and fluid, and extremely difficult to enumerate. When evaluating a targeted domain, it will not be apparent what other domains might point to it in their DNS records.
In addition, one IP address may support multiple domain names and websites; this practice is called “virtual hosting” and is very common. Under PROTECT IP, implementation choices are (properly) left up to DNS server operators, but unintended consequences will inevitably result. If an operator or filters the DNS traffic to and from one IP address or host, it will bring down all of the websites supported by that IP number or host. The bottom line is that the filtering of one domain name or hostname can pull down unrelated sites down across the globe.
Second, some domain names use “subdomains” to identify specific customers. For example, blogspot.com uses subdomains to support its thousands of users; blogspot.com may have customers named Larry and Sergey whose blog services are at larry.blogspot.com and sergey.blogspot.com. If Larry is an e-criminal and the subject of an action under PROTECT IP, it is possible that blogspot.com could be filtered, in which case Sergey would also be affected, although he may well have had no knowledge of Larry’s misdealings. This type of collateral damage was demonstrated vividly by the ICE seizure of mooo.com, in which over 84,000 subdomains were mistakenly filtered.
Filed Under: dns, internet, paul vixie, protect ip