[ih] Fwd: [IP] EFF calls for signatures from Internet Engineers against censorship
richard at bennett.com
Mon Dec 19 12:35:28 PST 2011
The main question that the lawmakers considering SOPA and PROTECT-IP
need an answer to pertains to the effect of mandating domain filtering
on the deployment of DNSSEC. The EFF's letter is being waved around in
committee as "proof" that SOPA will somehow undermine DNSSEC or impede
its eventual deployment, as in "these 83 security experts say that this
bill threatens the security of the Internet."
The implications of adopting a law that requires U. S. ISPs to alter
their response to certain DNS lookups depends to a great extent on the
expected user response to a lookup failure, which is a very interesting
discussion but not really technical.
To me, the more interesting question is whether there's a direct
conflict between DNS filtering and the DNS itself. The bill is based on
the RPZ feature in BIND9 that allows a DNS administrator to attach
policy to DNS queries. This feature is controversial in some quarters in
its own right, but there's not much of an issue with its current
implementation and DNSSEC. When BIND9 finds a user looking up a signed
domain, it simply bypasses the RPZ logic and gives a straight answer.
The intent of SOPA is to have it follow the RPZ implementation, and
Congress needs to know whether doing so undermines Internet security,
impedes the deployment of DNSSEC, or threatens the Internet or DNS in
The alternative to DNS-level filtering is to have ISPs use ACLs to block
access to particular subdomains or even smaller units. That seems a bit
problematic from and overhead perspective so I'd rather not go there.
That seems to be going on in the Goodlatte amendment.
Anyhow, I'm interested in the topic, and if this isn't the most
appropriate venue for discussing it, I'm happy to move the discussion
On 12/19/2011 7:25 AM, Dave CROCKER wrote:
> On 12/19/2011 6:33 AM, Vint Cerf wrote:
>> These people have NO CLUE how the Internet works. I am particularly
>> unhappy with the fact that this amendment comes from Bob Goodlatte.
> (Lack of clue appears to be common in these types of policy
> activities. Note that it's difficult for non-techies to know the
> technical details of a complex, large-scale service. In the run-up to
> ICANN formation, there was a US Gov't cross-agency working group
> trying to formulate recommendations for the future handling of
> Internet registration issues -- that is, the stuff that is now covered
> by ICANN. I was on the IAHC, a committee active at the time to
> formulate a proposal for new gTLDs. So we met with the cross-agency
> committee repeatedly. They met for about a year and towards the end I
> discovered that none of the members actually understood DNS
> technology. We quickly organized a tutorial by Mockapetris, Vixie,
> etc. I have no idea how much that helped...)
> It occurs to me that it might be helpful to formulate a non-technical
> description of the technical details that are being mandated. That
> is, formulate a statement by technical experts that describe the
> specific changes in Internet operation and use that would be required
> by SOPA. The formulation would target a non-technical audience.
> The open letter that was signed by 83 folk was generic. It was a
> statement against policy by a collection of long-time techies, but it
> had no specifics.
> I'm suggesting a follow-on that would be a little like a product
> data-sheet, in that it would define specific usage and functional
> changes, and could also be signed by technical experts. The existing
> open letter was an opinion letter. This would be a factual letter.
More information about the internet-history