[ih] Fwd: [IP] EFF calls for signatures from Internet Engineers against censorship

Mon Dec 19 12:35:28 PST 2011

The main question that the lawmakers considering SOPA and PROTECT-IP 
need an answer to pertains to the effect of mandating domain filtering 
on the deployment of DNSSEC. The EFF's letter is being waved around in 
committee as "proof" that SOPA will somehow undermine DNSSEC or impede 
its eventual deployment, as in "these 83 security experts say that this 
bill threatens the security of the Internet."

The implications of adopting a law that requires U. S. ISPs to alter 
their response to certain DNS lookups depends to a great extent on the 
expected user response to a lookup failure, which is a very interesting 
discussion but not really technical.

To me, the more interesting question is whether there's a direct 
conflict between DNS filtering and the DNS itself. The bill is based on 
the RPZ feature in BIND9 that allows a DNS administrator to attach 
policy to DNS queries. This feature is controversial in some quarters in 
its own right, but there's not much of an issue with its current 
implementation and DNSSEC. When BIND9 finds a user looking up a signed 
domain, it simply bypasses the RPZ logic and gives a straight answer.

The intent of SOPA is to have it follow the RPZ implementation, and 
Congress needs to know whether doing so undermines Internet security, 
impedes the deployment of DNSSEC, or threatens the Internet or DNS in 
some way.

The alternative to DNS-level filtering is to have ISPs use ACLs to block 
access to particular subdomains or even smaller units. That seems a bit 
problematic from and overhead perspective so I'd rather not go there. 
That seems to be going on in the Goodlatte amendment.

Anyhow, I'm interested in the topic, and if this isn't the most 
appropriate venue for discussing it, I'm happy to move the discussion 
somewhere else.

Thanks

On 12/19/2011 7:25 AM, Dave CROCKER wrote:
>
>
> On 12/19/2011 6:33 AM, Vint Cerf wrote:
>> These people have NO CLUE how the Internet works. I am particularly
>> unhappy with the fact that this amendment comes from Bob Goodlatte.
>
>
> (Lack of clue appears to be common in these types of policy 
> activities. Note that it's difficult for non-techies to know the 
> technical details of a complex, large-scale service.  In the run-up to 
> ICANN formation, there was a US Gov't cross-agency working group 
> trying to formulate recommendations for the future handling of 
> Internet registration issues -- that is, the stuff that is now covered 
> by ICANN.  I was on the IAHC, a committee active at the time to 
> formulate a proposal for new gTLDs.  So we met with the cross-agency 
> committee repeatedly.  They met for about a year and towards the end I 
> discovered that none of the members actually understood DNS 
> technology.  We quickly organized a tutorial by Mockapetris, Vixie, 
> etc.  I have no idea how much that helped...)
>
>
> It occurs to me that it might be helpful to formulate a non-technical 
> description of the technical details that are being mandated.  That 
> is, formulate a statement by technical experts that describe the 
> specific changes in Internet operation and use that would be required 
> by SOPA. The formulation would target a non-technical audience.
>
> The open letter that was signed by 83 folk was generic.  It was a 
> statement against policy by a collection of long-time techies, but it 
> had no specifics.
>
> I'm suggesting a follow-on that would be a little like a product 
> data-sheet, in that it would define specific usage and functional 
> changes, and could also be signed by technical experts.  The existing 
> open letter was an opinion letter. This would be a factual letter.
>
> d/

-- 
Richard Bennett