[ih] Interesting correlation between RPZ and SOPA...

Paul Vixie paul at redbarn.org
Mon Dec 19 18:39:40 PST 2011


> Date: Mon, 19 Dec 2011 12:35:28 -0800
> From: Richard Bennett <richard at bennett.com>
> To: internet-history at postel.org
>
> The main question that the lawmakers considering SOPA and PROTECT-IP
> need an answer to pertains to the effect of mandating domain filtering
> on the deployment of DNSSEC. The EFF's letter is being waved around in
> committee as "proof" that SOPA will somehow undermine DNSSEC or impede
> its eventual deployment, as in "these 83 security experts say that this
> bill threatens the security of the Internet."

i consider it a compelling argument, but as it contains no formal logic,
folks shouldn't refer to it as a "proof".

> The implications of adopting a law that requires U. S. ISPs to alter
> their response to certain DNS lookups depends to a great extent on the
> expected user response to a lookup failure, which is a very interesting
> discussion but not really technical.

that's... utterly... fantastical.

the response of the operating systems, libraries, and applications that
users on the internet will be running at the time that a mandated dns
response (or mandated nonresponse) occurs is both interesting AND
technical. and it's central to understanding whether the adoption of
SOPA or PIPA in its proposed form would preempt DNSSEC in the
marketplace. therefore it's the place we'd have to start any serious
inquiry.

assuming for the purpose of this message that you were not serious,
let's proceed.

> To me, the more interesting question is whether there's a direct
> conflict between DNS filtering and the DNS itself.

i am far less interested in this since it's a settled point, we can look
at what happens today and what has happened in the recent past and know,
simply know, no guessing or computation required, that there is no such
conflict. however this does nothing to inform the more serious inquiry
described above, which is DNSSEC preemption.

> The bill is based on
> the RPZ feature in BIND9 that allows a DNS administrator to attach
> policy to DNS queries. This feature is controversial in some quarters in
> its own right, but there's not much of an issue with its current
> implementation and DNSSEC. When BIND9 finds a user looking up a signed
> domain, it simply bypasses the RPZ logic and gives a straight answer.

i suspect that your mention of RPZ is what caused alan clegg (thanks
alan!) to forward me your message, which led me to subscribe to this
mailing list (thanks joe!). my response to the above, which is a
non sequitur to the real inquiry (which is: whether SOPA and PIPA would
have a preemptive effect on DNSSEC in the market), is in three parts.

first, if you're right that this bill really is based on RPZ, then i am
extremely impressed. RPZ came out in summer 2010 and for it to reach the
level of attention where authors of federal legislation in any country,
especially in the U.S., would be impacted by it, astounds me. i thought
it was a coincidence, as in, folks wanted to do this for a long time,
but they couldn't see mandating it if the only dns filtering in
existence was a commercial product (hello nominum!), and when RPZ came
out, it was sort of like a door opened, allowing in what had been
previously kept out.

second, in the manager's amendment to SOPA, allowance is made for an ISP
to "not resolve" which broadly means "don't answer at all, just time
out." i think this would be bad engineering, even if it wasn't politics
(and thus not engineering at all). but since RPZ is based on rulesets
containing a lot of <trigger,action> tuples i'd like to state for the
record that no "action" triggerable by RPZ includes "just drop the
query, don't answer." so if the SOPA folks were really basing their bill
on RPZ, they've gone outside the box with the manager's amendment.

third, you're right, no signed answer is affected by RPZ at present.
this is a problem in the design, and we're still trying to figure out
what to do about it. if a bad guy with a bad domain can drive right
through the RPZ just by signing his bad domain, then that'll either make
DNSSEC very successful (since many domains are "throw aways" used only
for e-crime) or it will make RPZ a total failure. on the risk that
DNSSEC market success will not be the result of this missing feature in
RPZ, i feel like some better answer is needed. but one thing i won't be
putting into RPZ is a way to break DNSSEC -- as SOPA would require for
effectiveness. if SOPA and PIPA were to be revised to say that any
criminal who signs their infringing web site's domain name with DNSSEC
shall be exempt from blocking under this law, then we'd really have
something to talk about.

> The intent of SOPA is to have it follow the RPZ implementation, and
> Congress needs to know whether doing so undermines Internet security,
> impedes the deployment of DNSSEC, or threatens the Internet or DNS in
> some way.

as stated above, if SOPA is counting on RPZ, then the proposed law needs
to say "and if criminals sign their domain names then they will not be
blocked under this law" or it needs to refer explicitly to the RPZ
specification, online at:

https://deepthought.isc.org/article/AA-00512/0

furthermore if they intend to be compatible with RPZ's actual
capabilities for unsigned domain names, they will have to state a
requirement that an unsigned NXDOMAIN, an unsigned CNAME, or an unsigned
replacement answer record set be sent in response to queries for domains
blocked under this law.

> The alternative to DNS-level filtering is to have ISPs use ACLs to block
> access to particular subdomains or even smaller units. That seems a bit
> problematic from an overhead perspective so I'd rather not go there.
> That seems to be going on in the Goodlatte amendment.

i don't know any ISP who has core (that is, the high speed stuff)
equipment capable of singling out DNS messages and doing a deep dive on
them and modifying those that contain subdomains of a hundred or so
(estimated by the SOPA proponents) parent domains. any requirement to do
this would run afoul of the "any reasonable technical measures" wording.
(this "technical measure" would never be "reasonable".)

> Anyhow, I'm interested in the topic, and if this isn't the most
> appropriate venue for discussing it, I'm happy to move the discussion
> somewhere else.

i'm new here and if this is off-topic then i hope to be forgiven my
unintentional trespass. certainly the name of this mailing list
(internet-history) does not sound inclusive of this topic. if this
thread moves elsewhere i will move with it.

paul
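The message above describes RPZ as a ruleset of <trigger,action> tuples whose actions for unsigned names are an unsigned NXDOMAIN, an unsigned CNAME, or an unsigned replacement answer, with no "drop the query" action, and with signed (DNSSEC-validated) answers bypassing the policy entirely. The following is an added illustration of that policy model written for this page; it is not code from the post, from BIND9, or from ISC's RPZ implementation, and the rule names, addresses and the "longest trigger wins" precedence are constructed simplifications.

```python
"""Toy model of RPZ-style response policy, as described in the post:
<trigger, action> rules applied only to unsigned answers.
Constructed illustration; not ISC's implementation."""
from dataclasses import dataclass, replace
from typing import Optional, Sequence

# The action set the post describes: no "drop the query" action exists here.
NXDOMAIN_ACTION = "nxdomain"      # answer with an unsigned NXDOMAIN
CNAME_ACTION = "cname"            # answer with an unsigned CNAME (walled garden)
LOCAL_DATA_ACTION = "local-data"  # answer with an unsigned replacement RRset
PASSTHRU_ACTION = "passthru"      # explicit exemption from policy
ACTIONS = {NXDOMAIN_ACTION, CNAME_ACTION, LOCAL_DATA_ACTION, PASSTHRU_ACTION}


@dataclass(frozen=True)
class Rule:
    trigger: str               # a name; matches itself and every subdomain
    action: str
    data: Optional[str] = None  # CNAME target or replacement address

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"no such policy action: {self.action!r}")
        if self.action in (CNAME_ACTION, LOCAL_DATA_ACTION) and not self.data:
            raise ValueError(f"{self.action} needs data")


@dataclass(frozen=True)
class Answer:
    qname: str
    rcode: str                     # "NOERROR" or "NXDOMAIN"
    rrset: tuple = ()              # (rrtype, value) pairs
    dnssec_validated: bool = False  # True if the resolver validated the answer
    policy: Optional[str] = None   # trigger that rewrote the answer, if any


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def find_rule(qname: str, rules: Sequence[Rule]) -> Optional[Rule]:
    """Return the most specific (longest) trigger covering qname, if any."""
    q = _norm(qname)
    best: Optional[Rule] = None
    for rule in rules:
        trig = _norm(rule.trigger)
        if q == trig or q.endswith("." + trig):
            if best is None or len(trig) > len(_norm(best.trigger)):
                best = rule
    return best


def apply_policy(upstream: Answer, rules: Sequence[Rule]) -> Answer:
    """Rewrite an unsigned upstream answer according to the rules.

    A validated (signed) answer is returned untouched: policy cannot be
    applied without breaking the signature chain, which is the gap the
    post discusses.
    """
    if upstream.dnssec_validated:
        return upstream
    rule = find_rule(upstream.qname, rules)
    if rule is None or rule.action == PASSTHRU_ACTION:
        return upstream
    if rule.action == NXDOMAIN_ACTION:
        return replace(upstream, rcode="NXDOMAIN", rrset=(), policy=rule.trigger)
    if rule.action == CNAME_ACTION:
        return replace(upstream, rcode="NOERROR",
                       rrset=(("CNAME", rule.data),), policy=rule.trigger)
    return replace(upstream, rcode="NOERROR",
                   rrset=(("A", rule.data),), policy=rule.trigger)


# Constructed sample ruleset (names and addresses are placeholders).
RULES = (
    Rule("bad.example", NXDOMAIN_ACTION),
    Rule("ok.bad.example", PASSTHRU_ACTION),              # carve-out wins by length
    Rule("evil.example", CNAME_ACTION, "garden.example."),
    Rule("phish.example", LOCAL_DATA_ACTION, "192.0.2.1"),
)


def resolve(qname: str, rules: Sequence[Rule] = RULES,
            signed: bool = False) -> Answer:
    """Simulate an upstream A answer for qname, then apply policy."""
    upstream = Answer(qname, "NOERROR", (("A", "198.51.100.7"),), signed)
    return apply_policy(upstream, rules)


if __name__ == "__main__":
    for name, signed in (("www.bad.example", False), ("www.bad.example", True),
                         ("www.ok.bad.example", False), ("evil.example", False)):
        a = resolve(name, signed=signed)
        print(f"{name:22} signed={signed!s:5} -> {a.rcode} {a.rrset} policy={a.policy}")
```

The point the model makes concrete: the same query name yields a rewritten answer when the upstream data is unsigned and an untouched answer when it validated, and the ruleset has no way to express "do not answer at all".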
