NNSquad - Network Neutrality Squad
[ NNSquad ] [Vint Cerf]: Re: Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"
Forwarded with Vint's permission.

--Lauren--

----- Forwarded message from Vint Cerf <vint@google.com> -----

Date: Mon, 18 Jul 2011 08:21:25 -0400
From: Vint Cerf <vint@google.com>
Subject: Re: [ NNSquad ] Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"
To: Lauren Weinstein <lauren@vortex.com>

Lauren,

George's argument seems flawed to me. Suppose you have a site that is NOT illegal but a government wants to suppress it or even re-direct to a counterfeit site. Without DNSSEC, such re-direction is possible without detection. With DNSSEC one of two things might happen:

1. the site looks invalid because the DNSSEC check fails in which case counterfeiting the site doesn't work. that's the good case I suppose except that the government "wins" since it suppresses access to the site for those relying on DNSSEC

2. the government produces a false but signed entry that passes the DNSSEC check (wouldn't that mean that it had falsified a certificate containing the public key of that domain name?) in which case the government succeeds in re-directing even a DNSSEC-checking user.

Of course, if you ignore DNSSEC and accept whatever comes back as the IP address, you will be fooled (or denied access to the real site).

vint

On Sun, Jul 17, 2011 at 11:59 PM, Lauren Weinstein <lauren@vortex.com> wrote:

>
> Blocking DNS - 17 Mar 2011 - by Paul Vixie - "COICA and Secure DNS"
>
> http://j.mp/qHnkDB (ISC)
>
> "Nevertheless the raw uncomfortable truth of the matter is that any
> form of mandated "DNS blocking'' whose goal is to make certain domain
> names unreachable will be indistinguishable from the result of a
> Secure DNS failure - and a failure is a failure is a failure."
>
> - - -
>
> It should be noted that the MPAA's response on these issues is the
> assertion that most users are too stupid to understand how to change
> their DNS (presumably even after being given step by step instructions)
> and that not permitting content owners to manipulate the DNS to protect
> their profit centers would amount to allowing the Internet to "decay
> into a lawless Wild West."
>
> --Lauren--
> Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
> Co-Founder: People For Internet Responsibility: http://www.pfir.org
> Founder:
>  - Network Neutrality Squad: http://www.nnsquad.org
>  - Global Coalition for Transparent Internet Performance: http://www.gctip.org
>  - PRIVACY Forum: http://www.vortex.com
> Member: ACM Committee on Computers and Public Policy
> Blog: http://lauren.vortex.com
> Google+: http://vortex.com/g+lauren
> Twitter: https://twitter.com/laurenweinstein
> Tel: +1 (818) 225-2800 / Skype: vortex.com
>

----- End forwarded message -----