Paul Vixie Explains, In Great Detail, Why You Don't Want 'Policy Analysts' Determining DNS Rules

from the let-the-geeks-be-geeks-please dept

There's been plenty of talk, obviously, about the problems with SOPA and PIPA and how they treat DNS as a tool for blocking, despite the massive problems it causes for security efforts like DNSSEC. Every single working engineer who's spoken out on this issue (that we've seen, at least) has made this same point. We've even heard from techies within the government saying the same thing. And, of course, even Comcast itself (despite supposedly being in favor of the bill) proudly admits that DNS blocking is incompatible with DNSSEC. Even as the House and Senate are trying to punt on the DNS issue, they still fully expect to put it in place at a later date, so it's important to discuss why it's a bad, bad idea.

So far, the "pro-SOPA/PIPA" folks haven't been able to find a legitimate working technologist who says that these plans make sense. Instead, they've brought out some "policy analysts" who have some basic technology background, but not a deep understanding of DNS. But, because they can toss around some tech terms, SOPA/PIPA supporters think they sound credible. However, in his latest post on the subject, Vixie walks through a step-by-step explanation for why each suggested method of DNS blocking won't work and/or breaks DNSSEC. Basically, these "policy analysts" keep suggesting different ways that they think DNS blocking could work, and Vixie explains why they're wrong each time, and points out the importance of actually having DNS engineers do DNS engineering -- not policy analysts.

For example an early draft of this legislative package called for DNS redirection of malicious domain names in conflict with the end-to-end DNS Security system (DNSSEC). Any such redirection would be trivially detected as a man in the middle attack by secure clients and would thus be indistinguishable from the kind of malevolent attacks that DNSSEC is designed to prevent. After the impossibility of redirection was shown supporters of PIPA and SOPA admitted that a redirection (for example, showing an "FBI Warning" page when an American consumer tried to access a web site dedicated to piracy or infringement) was not actually necessary. Their next idea was no better: to return a false No Such Domain (NXDOMAIN) signal. When the DNS technical community pointed out that NXDOMAIN had the same end-to-end security as a normal DNS answer and that false NXDOMAIN would be detected and rejected by secure clients the supporters of SOPA and PIPA changed their proposal once again.

The second to latest idea for some technologically noninvasive way to respond to a DNS lookup request for a pirate or infringing domain name was "just don't answer". That is, simulate network loss and let the question "time out". When the DNS technical community explained that this would lead to long and mysterious delays in web browser behavior as well as an increased traffic load on ISP name servers due to the built in "retry logic" of all DNS clients in all consumer facing devices, we were ignored. However when we also observed that a DNSSEC client would treat this kind of "time out" as evidence of damage by the local hotel or coffee shop wireless gateway and could reasonably respond by trying alternative servers or proxies or even VPN paths in order to get a secure answer, the supporters of SOPA and PIPA agreed with this and moved right along.

The latest idea is to use the Administrative Denial (REFUSED) response code, which as originally defined seemed perfect for this situation. To me this latest proposal as well as the road we've travelled getting to this point seems like an excellent example of why network protocols should be designed by engineers....

And yet... it's not being designed by DNS engineers at all. It's being designed by policy people, with a smattering of help from some former technologists who don't really understand DNS. That seems like a pretty big problem.
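As an added toy model (not code from the article or from Vixie's post) of the client reactions Vixie walks through, the block below builds wire-format replies carrying the RCODEs in question and replays how a classic client and a DNSSEC-validating client handle REFUSED and silence; the server names and the example.test domain are constructed for the example.

```python
import struct

# RCODE values from RFC 1035 section 4.1.1 (the codes the proposals rely on)
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5


def build_reply(txid, rcode, qname):
    """Minimal wire-format DNS reply (header + echoed question) with RCODE set.

    The response code sits in the 12-byte header, ahead of the question
    section, which is why a server can send REFUSED without looking at
    what was asked."""
    flags = 0x8180 | (rcode & 0x0F)  # QR=1, RD=1, RA=1; low 4 bits = RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"
    return header + qn + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def rcode_of(reply):
    """Extract RCODE from the flags word of a wire-format reply."""
    (flags,) = struct.unpack("!H", reply[2:4])
    return flags & 0x0F


def classic_lookup(servers, qname, rounds=2):
    """Non-validating client, as the post describes it: REFUSED means 'this
    server will not talk to me', so the server is skipped; a timeout (None)
    is retried next round; any real answer, NXDOMAIN included, is accepted.
    Returns (rcode or None, per-query log); the log length is the query load."""
    log = []
    for _ in range(rounds):
        for name, serve in servers:
            reply = serve(0x1234, qname)
            if reply is None:
                log.append((name, "timeout; retry next round"))
                continue
            rc = rcode_of(reply)
            if rc == REFUSED:
                log.append((name, "REFUSED; server de-preferenced"))
                continue
            log.append((name, "accepted rcode %d" % rc))
            return rc, log
    return None, log


def validating_lookup(servers, qname, alternates):
    """DNSSEC-validating client, as the post describes it: REFUSED and
    silence are evidence of a damaged path, not answers, so once the
    configured servers fail it tries alternate paths (proxy, VPN, other
    resolver). Returns (rcode, answering server, log)."""
    log = []
    for name, serve in list(servers) + list(alternates):
        reply = serve(0x1234, qname)
        if reply is None or rcode_of(reply) == REFUSED:
            log.append((name, "no usable answer; trying another path"))
            continue
        log.append((name, "answer via %s" % name))
        return rcode_of(reply), name, log
    return None, None, log


# Constructed server behaviours standing in for the proposals and for a
# resolver that is not applying them; the names are placeholders.
def refusing_server(txid, qname):   # the REFUSED proposal
    return build_reply(txid, REFUSED, qname)


def silent_server(txid, qname):     # the "just don't answer" proposal
    return None


def plain_server(txid, qname):      # a resolver outside the blocking regime
    return build_reply(txid, NOERROR, qname)
```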


Reader Comments

  •  
    Marcus Carab (profile), Jan 12th, 2012 @ 3:46pm

    It's worth noting, I think, that he then goes on to explain in great detail why the latest idea won't work either (just in case you didn't click through):

    The preeminent DNS software on the Internet is BIND, whose market share has declined from 99% to 85% in the last 25 years. I maintained and rewrote BIND from 1989 or so until 1999 or so and I am also the author or co-author of a half dozen or so Internet RFC documents on the subject of DNS. So I know that we send REFUSED in response to a query when we don't like the client's IP address — DNS servers do not even look at the question before deciding whether to send REFUSED. On the client side, if we hear a REFUSED we give up on that server and move on to the next server — which means we assume that it was the client's IP address that the server is refusing, not the question we happened to be asking at that moment. Microsoft Windows will actually "de-preference" a name server if they hear too many REFUSED messages from it — so BIND is not the only DNS software that interprets REFUSED in this way. ... This means a classic non-secured DNS client will react to a REFUSED signal by treating the server as broken and just asking the next available server — hoping to find a server that is not broken. Whereas a newer DNSSEC client will react to REFUSED by ignoring it and continuing to wait — hoping for a real answer that might follow close on the heels of the potential forgery. In the unsecure case, the client will often do what the proponents of SOPA and PIPA would seem to want — display an error message in the web browser — but will occasionally just repeat the whole transaction a fraction of a second later, increasing the load on the ISP's name servers. In the DNSSEC case, the client will not do what PIPA or SOPA are asking, there will just be delay followed by trying some other server, or retrying through a proxy, or otherwise circumventing what will look to DNSSEC like just another broken hotel or coffee shop wireless network.

     


  •  
    xenomancer (profile), Jan 12th, 2012 @ 3:59pm

    Tangent, But Important

    Attention everyone! I've finally got the CENSOR ME plugin I wrote yesterday up on the WordPress plugin directory. See it in action here. If you operate a WordPress blog and wish to participate in a blackout, it's essentially an on/off switch. Simply activate it to blackout and deactivate it to go back to normal.

     


  •  
    Anonymous Coward, Jan 12th, 2012 @ 4:10pm

    Wreckers and saboteurs

    And what accomplished villains these old engineers were! What diabolical ways to sabotage they found! Nikolai Karlovich von Meck, of the People's Commissariat of Railroads ... would hold forth for hours on end about the economic problems involved in the construction of socialism, and he loved to give advice. One such pernicious piece of advice was to increase the size of freight trains and not worry about heavier than average loads. The GPU exposed van Meck, and he was shot: his objective had been to wear out rails and roadbeds, freight cars and locomotives, so as to leave the Republic without railroads in case of foreign military intervention! When, not long afterward, the new People's Commissar of Railroads ordered that average loads should be increased, and even doubled and tripled them, the malicious engineers who protested became known as limiters ... they were rightly shot for their lack of faith in the possibilities of socialist transport.

               ——Aleksandr I. Solzhenitsyn, The Gulag Archipelago

     


  •  
    Anonymous Coward, Jan 12th, 2012 @ 4:23pm

    Institutionalized Lying

    The real problem with poisoning the DNS is that it constitutes institutionalized lying. The owner of a domain name tells the DNS what their server IP address is. If any other entity somehow makes the DNS produce the wrong IP address, then that is no different from anybody else who is in a position of trust telling lies. We are rightly outraged when anybody else does it. It is no different when the DNS is lying. It is shocking that Congress should be proposing that the DNS should be perverted to tell lies. It proves that they are personally dishonest individuals. Vote the bums out.

    The key to understanding America, is to figure out who is lying to who and why.

     


    •  
      Suja (profile), Jan 12th, 2012 @ 4:39pm

      Re: Institutionalized Lying

      The key to understanding the world, is to figure out who is lying to who and why.


      FTFY

       


    •  
      Anonymous Coward, Jan 12th, 2012 @ 4:45pm

      Re: Institutionalized Lying

      Oops, sorry grammar nazis, should be "who is lying to whom".

       


    •  
      New Mexico Mark, Jan 12th, 2012 @ 5:32pm

      Re: Institutionalized Lying

      Maybe congress could enact a bill that could force map companies (or web mapping sites or gps) to produce altered maps preventing travelers from reaching unacceptable destinations?

      What about forcing phone books (or phone number lookup sites) to remove or change phone numbers for un-persons?

      The possibilities are endless since our "representatives" (tm) are now enacting laws based on the principle of "liberty and justice for the highest bidder".

       


    •  
      Al Bert (profile), Jan 12th, 2012 @ 6:04pm

      Re: Institutionalized Lying

      I think more important to the task of any actual reform would be to ask:

      Why and in what circles has it become acceptable to suggest that lying is okay?

      The answer to "who and why" only reveals the criminals and their motives. The answer to "why is it acceptable" reveals the criminal culture, i.e: the root of the parasitic plant.

       


  •  
    TtfnJohn (profile), Jan 12th, 2012 @ 5:15pm

    The issue Vixie is outlining isn't just that DNS won't do what PIPA/SOPA want it to do but that there is nothing, no signal, no nothing that won't look to DNSSEC as an attack or potential attack. Or just a failure and the lookup will try again and keep trying overloading ISP servers.

    Any way you look at it technically it can't be done the way SOPA/PIPA supporters want it to be done.

    All to legislate a potential future, not a real one, for two failing entertainment sectors. Both failing at their own hand, I might add. (Again. ;-))

    As for governments institutionalizing lying, even in the west, I'm afraid that happened decades ago. You know, things like domino theories and all that stuff, weapons of mass destruction found in Iraq that were never found once the troops landed and so on.

    So why not now? Why not try to poison DNS so that it lies too. That way governments think they have control over something they've had no control of up to now.

     


    •  
      blaktron (profile), Jan 12th, 2012 @ 7:55pm

      Re:

      It goes worse than that. The only way to actually do it is to NAT the entire USA. People don't understand that you can just use a DNS server in another country unless you're actively re-routing DNS requests to government servers.

      The technical realities of implementing a system like this are automatically freedom killing because it's so easy to bypass without a single tool that the only way to ensure compliance is to intercept every DNS request in the USA.

      Also, once the requests have left the safe confines of a DNSSEC backbone, nothing at all will stop people from redirecting the redirections.

       


      •  
        Anonymous Coward, Jan 13th, 2012 @ 1:35am

        Re: Re:

        Not to mention that there's a DNS phonebook service on the web that, if a domain you wanted to go to is blocked, you could just query them in the way-back-machine and find an archived copy, and then add the entry to your hosts file.

        Problem solved. :)

         


        •  
          Anonymous Coward, Jan 13th, 2012 @ 5:16am

          Re: Re: Re:

          Rightclicking yer network card - properties - clicking ipv4/6 - configure - specify a non US dns server.

          There, fixed it for you =)

           


          •  
            blaktron (profile), Jan 13th, 2012 @ 11:45am

            Re: Re: Re: Re:

            Unless, like China, they redirect all DNS requests at the border.....

             


            •  
              A Guy (profile), Jan 13th, 2012 @ 12:31pm

              Re: Re: Re: Re: Re:

              That is also easy to bypass. An encrypted proxy or VPN that is only used for DNS requests is cheap and easy. Non traditional DNS tools can/will/have been developed. I bet if I were dropped in China with a laptop and an internet connection, I could bypass the "Great Firewall" in less than 3 minutes.

               


  •  
    MrWilson, Jan 12th, 2012 @ 5:53pm

    Translation: You can't Jedi mind trick a DNS client.

    ::waves fingers::

    "These aren't the domain names you're looking for."

     


  •  
    Anonymous Coward, Jan 12th, 2012 @ 5:54pm

    Vixie's last sentence sounds much like an "olive branch" being extended to see what might be done technically to solve the DNS/DNSSEC issue. Sounds like Leahy may very well be on the right track after all.

     


    •  
      blaktron (profile), Jan 12th, 2012 @ 8:08pm

      Re:

      UGH, that's because you don't understand DNS, he's not actually being serious but commenting on how stupid the people suggesting these ideas are. The admin denial command is not used like that in the slightest, it's used to break up requests to prevent denial of service attacks when requesting big lists from the DNS server, not to permanently prevent access to a domain.

      If you understood any of that you would be anti-SOPA/PIPA, and that's the problem.

       


    •  
      Richard (profile), Jan 13th, 2012 @ 3:51am

      Re:

      Vixie's last sentence sounds much like an "olive branch" being extended to see what might be done technically to solve the DNS/DNSSEC issue. Sounds like Leahy may very well be on the right track after all.

      Paul has been really careless saying something that enabled you to misinterpret him like that.

      However you have been pretty wilful in your misinterpretation - so I guess he had a difficult task!

       


      •  
        Anonymous Coward, Jan 13th, 2012 @ 8:04am

        Re: Re:

        You might want to consider conferring a benefit here by interpreting what he really meant.

         


        •  
          A Guy (profile), Jan 13th, 2012 @ 12:38pm

          Re: Re: Re:

          He meant, if you want to spend the next 10 (20? 30?) years rewriting DNS and internet routing in general, and then spending the untold millions (billions? trillions?) to roll out the changes, good luck with that. He welcomes you to the industry debate.

          It was hard enough getting stakeholders together to do something (anything) about DNS security. Getting stakeholders together to completely redo the internet isn't going to happen quickly, and you probably won't be happy with the result.

           


  •  
    Anonymous Coward, Jan 12th, 2012 @ 6:03pm

    DNSSEC is all hot air. No one uses it, no one wants to use it, no one will use it. Except to attack others. Why keep talking about it?

     


    •  
      Mike Masnick (profile), Jan 12th, 2012 @ 6:20pm

      Re:

      DNSSEC is all hot air. No one uses it, no one wants to use it, no one will use it.

      Wow. That's not even close to true.

      Hell, just yesterday we noted that Comcast has a complete rollout of DNSSEC.

       


      •  
        blaktron (profile), Jan 12th, 2012 @ 7:57pm

        Re: Re:

        Of course it's hot air Mike. Just like the internet. Just like the ideals that frame the constitution.

        He's technically correct, yet displaying a stunning level of ignorance at the same time.

        Please AC, I won't interfere with your finger painting, you don't interfere with my network implementations.

         


    •  
      Anonymous Coward, Jan 12th, 2012 @ 6:52pm

      Re:

      Do you have to undergo training to be that stupid or is it just a natural talent?

       


      •  
        Anonymous Coward, Jan 13th, 2012 @ 2:33am

        Re: Re:

        I think it's some new kind of trolling: instead of trying to make us look stupid, the trolls try (disturbingly hard) to make themselves look stupid.

        Kids these days...

         



  •  
    Anonymous Coward, Jan 12th, 2012 @ 6:46pm

    Keep in mind Paul Vixie also wrote "whenever the goal of "DNS blocking'' is merely domain name disappearance and not content insertion then "DNS blocking'' will not break Secure DNS or even slow it down" so he has also clearly said that domain blocking with DNSSEC is possible.

     


  •  
    A Guy (profile), Jan 12th, 2012 @ 7:21pm

    Adding a "blocked" signal to the DNS protocol will not make piracy magically disappear.

    Well, I guess if it will keep censorship proponents busy for the next 5-10 years developing and rolling the new DNS protocol, that's not so bad. It will give the rest of us time to innovate and move onto whatever comes next.

     


  •  
    Anonymous Coward, Jan 12th, 2012 @ 7:58pm

    Vixie still hasn't really explained why a "simulated network loss" as he calls it wouldn't be effective. He only says it makes websites appear slow -- well, that would be the point of blocking these sites, right?

     


    •  
      Anonymous Coward, Jan 13th, 2012 @ 1:40am

      Re:

      It makes everyone in the ISP slow because everyone will be asking redundant DNS queries on blocked entries. Those who want to go to other websites will have to wait until the DNS servers have free time to serve them.

       


    •  
      A Guy (profile), Jan 14th, 2012 @ 12:06pm

      Re:

      Another word for this is distributed denial of service attack. The only difference being that instead of DDOSing a website to make it unviewable, you'd be doing it to yourself and your neighbors.

       


  •  
    Anonymous Coward, Jan 13th, 2012 @ 1:46am

    I'll add that as soon as a DNS blocking rule in the U.S. is passed, I'll have to patch my local BIND source to block those kinds of faulty DNS update entries. Just like what I did years ago to ignore the buggy 0.0.0.0 when querying certain servers from China's DNS and to increase the TTL of that cached entry to an insane value in order to prevent it from asking the same question in the future.

    So please don't pass these laws, it makes my life more difficult.

     


  •  
    Rich Kulawiec, Jan 13th, 2012 @ 2:17am

    What some of you are missing...

    ...particularly the AC's, is that decisions made about the architecture of DNS have repercussions in the operation of DNS: it doesn't operate in an abstract environment with infinite bandwidth, CPU and memory resources. I provided links to a number of mailing lists in a comment a couple of days ago; if you want to really try to understand how protocol decisions impact the real world, then you should probably be on those lists and reading the comments of the people who actually have to make this stuff work.

     


    •  
      Anonymous Coward, Jan 13th, 2012 @ 2:34am

      Re: What some of you are missing...

      ... if you want to really try to understand...


      Most senators and representatives, and most of their staffs, are utterly baffled by:
      $ ./configure
      $ make
      # make install


      In Hollywood, people in command will order that sequence changed for dramatic effect!

       


  •  
    Violated (profile), Jan 13th, 2012 @ 4:01am

    D... N... S...

    I think this is also all about what we want our Internet data to be... Honest and trustworthy, or insecure and a liar.

    It does not take much pondering to arrive at the right answer which also means people can't lie to an honest system.

    I am looking forward to Europe implementing DNSSEC when doing so will kill services like BT's CleanFeed system. The same system that currently denies you access to NewzBin2. I spot some more court fights due there.

    What I am currently thinking is that if DNSSEC uses Administrative Denied then this should be avoidable through changing your DNS look-up server.

     


