[Chapter-delegates] Input Request: DNS Blocking
Marcin Cieslak
saper at saper.info
Mon Jan 17 13:02:09 PST 2011
Sally,
On Mon, 17 Jan 2011, Sally Wentworth wrote:
> We have noted that a number of governments are considering and/or implementing public policies to try to address illegal online sites (also known sometimes as “rogue websites” or "sites dedicated to infringing activities") that would require ISPs to block DNS resolution to sites containing illegal content. While we recognize the need for development of public policy by governments (in consultation with all stakeholders), we believe that policies of this sort would have negative implications for the global DNS and for the implementation of DNSSEC, among other issues.
Yes, we are currently facing this problem in the E.U. and in Poland in particular. I think that such a common approach can be useful.
>
> We are thinking of principles along the following lines:
>
> - The Internet is a global network of networks that provides for the neutral passage of packets - requirements to adjust or prevent DNS responses would impair this neutrality.
>
> - For the Internet to be truly global it must be consistent - in general, what an Internet user "sees" when accessing a particular domain name from one location should be the same as what is seen when accessing the same domain name from another location
This is only partially true. DNS "views" have become a common administrative measure. I think it's mostly applied to the "internal" vs. "external" user scenario, but the definition of internal vs. external varies and can also be used to justify many content filtering methods (along the lines of "We provide a family-friendly Internet environment to our customers/employees/whatever").
> - Policies should be narrowly tailored and consistent with open standards and accepted operational practices: technical “fixes” to short-circuit due process or violate fundamental and accepted procedures may harm the global Internet.
What is "accepted operational practice" varies over time. When I started using the Internet, issuing an AXFR DNS query was a common learning and troubleshooting practice. I think that's how I learned what a DNS zone looks like.

Until pretty recently many DNS servers on the Internet also provided recursive resolution.

On the other hand, we are still far away from including DNSSEC as the "widely accepted operational practice" today.

One may argue (wrongly imho, but still) that introducing various filtering measures is no different than applying policy rules like DNS views and/or resolution or zone transfer access control.
> - The Internet is global. International cooperation (rather than country-by-country solutions) at the technical and policy levels is essential.
An additional point to be made (that also addresses URL-based filtering schemes) is that it is wrong to perceive the Internet as the Web only.

Mangling DNS (like redirecting to some page instead of NXDOMAIN, false NXDOMAIN or retriable errors) may disrupt many other vital services, most notably instant messaging and email. Anyone who has seen an instant messenger or VPN client go crazy because some stupid Web form needs to be filled in in order to get access to the wireless network knows what I mean.

Some people may remember an old Verisign "sitefinder" case. Unfortunately, many ISPs are doing this too (HTTP redirect instead of NXDOMAIN).

I think this could also be part of a broader, long-term action to leave layer 3 alone, and also to implement other methods to authenticate to level 2 networks. I don't even know if there are any Wi-Fi provisioning solutions for that which are easier and more user-friendly than 802.11i or 802.1X.
Finally: thank you for this. I like this way of working on policy issues.
//Marcin
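The "sitefinder"-style behaviour described above (a resolver answering NOERROR with an A record where NXDOMAIN was the honest answer, or returning SERVFAIL as a "retriable error") can be checked for from the client side. The following is an added example, not part of the original post: a minimal DNS wire-format parser plus a detection heuristic that flags a resolver as rewriting NXDOMAIN when several names that cannot exist all resolve to the same address. The messages are constructed inline (documentation addresses from 192.0.2.0/24, made-up labels under .example), so nothing here talks to a real resolver; the helper names and the two-name threshold are this example's own choices.

```python
import struct

# ---- wire-format helpers (RFC 1035 layout, enough for A records) ----

NXDOMAIN, SERVFAIL = 3, 2  # RCODE values from the DNS header


def build_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname: str, rcode: int, answers=()) -> bytes:
    """Construct a DNS response to an A query. `answers` are IPv4 strings.
    Used only to fabricate sample traffic for this example."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, rcode in the low 4 bits
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = build_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        # 0xC00C is a compression pointer back to the question name at offset 12
        rdata = bytes(int(octet) for octet in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + rrs


def parse_name(wire: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = wire[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", wire[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(wire: bytes) -> dict:
    """Extract RCODE and any A records from a response message."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    qname, offset = parse_name(wire, 12)
    offset += 4  # skip QTYPE and QCLASS
    a_records = []
    for _ in range(ancount):
        _owner, offset = parse_name(wire, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[offset:offset + 10])
        offset += 10
        rdata = wire[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in rdata))
    return {"qname": qname, "rcode": flags & 0x0F, "a_records": a_records}


def classify(parsed: dict) -> str:
    """Label a response the way a client application would experience it."""
    if parsed["rcode"] == NXDOMAIN:
        return "nxdomain"
    if parsed["rcode"] == SERVFAIL:
        return "servfail"  # the "retriable error" case
    if parsed["rcode"] == 0 and parsed["a_records"]:
        return "answer"
    return "other"


def detect_rewrite(probes) -> dict:
    """probes: list of (name_that_cannot_exist, response_bytes).
    Returns {ip: [names]} for every address handed out for two or more
    such names; an honest resolver would have returned NXDOMAIN for all."""
    hits = {}
    for name, wire in probes:
        parsed = parse_response(wire)
        if classify(parsed) == "answer":
            for ip in parsed["a_records"]:
                hits.setdefault(ip, []).append(name)
    return {ip: names for ip, names in hits.items() if len(names) >= 2}


# Constructed sample traffic: three random-looking names that do not exist.
SAMPLE_PROBES = [
    ("kq3z9f7.example", build_response("kq3z9f7.example", 0, ["192.0.2.10"])),
    ("x8t2pm1.example", build_response("x8t2pm1.example", 0, ["192.0.2.10"])),
    ("w5n4rc6.example", build_response("w5n4rc6.example", SERVFAIL)),
]

if __name__ == "__main__":
    for name, wire in SAMPLE_PROBES:
        print(name, "->", classify(parse_response(wire)))
    print("rewriting resolver:", detect_rewrite(SAMPLE_PROBES))
```

Run against real responses, the probe names should be random labels under a zone you know is signed or otherwise well-behaved; a resolver that hands every such name the same address is redirecting NXDOMAIN, and that is exactly the behaviour that breaks mail, IM and VPN clients relying on a clean "does not exist" answer.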