Paul Vixie Explains, In Great Detail, Why You Don't Want 'Policy Analysts' Determining DNS Rules

from the let-the-geeks-be-geeks-please dept

There’s been plenty of talk, obviously, about the problems with SOPA and PIPA and how they treat DNS as a tool for blocking, despite the massive problems it causes for security efforts like DNSSEC. Every single working engineer who’s spoken out on this issue (that we’ve seen, at least), has made this same point. We’ve even heard from techies within the government saying the same thing. And, of course, even Comcast itself (despite supposedly being in favor of the bill) proudly admits that DNS blocking is incompatible with DNSSEC. Even as the House and Senate are trying to punt on DNS issue, they still fully expect to put it in place at a later date, so it’s important to discuss why it’s a bad, bad idea.

So far, the “pro-SOPA/PIPA” folks haven’t been able to find a legitimate working technologist who says that these plans make sense. Instead, they’ve brought out some “policy analysts” who have some basic technology background, but not a deep understanding of DNS. But, because they can toss around some tech terms, SOPA/PIPA supporters think they sound credible. However, in his latest post on the subject, Vixie walks through a step-by-step explanation for why each suggested method of DNS blocking won’t work and/or breaks DNSSEC. Basically, these “policy analysts” keep suggesting different ways that they think DNS blocking could work, and Vixie explains why they’re wrong each time, and points out the importance of actually having DNS engineers do DNS engineering — not policy analysts.

For example an early draft of this legislative package called for DNS redirection of malicious domain names in conflict with the end-to-end DNS Security system (DNSSEC). Any such redirection would be trivially detected as a man in the middle attack by secure clients and would thus be indistinguishable from the kind of malevolent attacks that DNSSEC is designed to prevent. After the impossibility of redirection was shown supporters of PIPA and SOPA admitted that a redirection (for example, showing an “FBI Warning” page when an American consumer tried to access a web site dedicated to piracy or infringement) was not actually necessary. Their next idea was no better: to return a false No Such Domain (NXDOMAIN) signal. When the DNS technical community pointed out that NXDOMAIN had the same end-to-end security as a normal DNS answer and that false NXDOMAIN would be detected and rejected by secure clients the supporters SOPA and PIPA changed their proposal once again.

The second to latest idea for some technologically noninvasive way to respond to a DNS lookup request for a pirate or infringing domain name was “just don’t answer”. That is, simulate network loss and let the question “time out”. When the DNS technical community explained that this would lead to long and mysterious delays in web browser behavior as well as an increased traffic load on ISP name servers due to the built in “retry logic” of all DNS clients in all consumer facing devices, we were ignored. However when we also observed that a DNSSEC client would treat this kind of “time out” as evidence of damage by the local hotel or coffee shop wireless gateway and could reasonably respond by trying alternative servers or proxies or even VPN paths in order to get a secure answer, the supporters of SOPA and PIPA agreed with this and moved right along.

The latest idea is to use the Administrative Denial (REFUSED) response code, which as originally defined seemed perfect for this situation. To me this latest proposal as well as the road we’ve travelled getting to this point seems like an excellent example of why network protocols should be designed by engineers….

And yet… it’s not being designed by DNS engineers at all. It’s being designed by policy people, with a smattering of help from some former technologists who don’t really understand DNS. That seems like a pretty big problem.

Filed Under: , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Paul Vixie Explains, In Great Detail, Why You Don't Want 'Policy Analysts' Determining DNS Rules”

Subscribe: RSS Leave a comment
Marcus Carab (profile) says:

It’s worth noting, I think, that he then goes on to explain in great detail why the latest idea won’t work either (just in case you didn’t click through):

The preeminent DNS software on the Internet is BIND, whose market share has declined from 99% to 85% in the last 25 years. I maintained and rewrote BIND from 1989 or so until 1999 or so and I am also the author or co-author of a half dozen or so Internet RFC documents on the subject of DNS. So I know that we send REFUSED in response to a query when we don’t like the client’s IP address ? DNS servers do not even look at the question before deciding whether to send REFUSED. On the client side, if we hear a REFUSED we give up on that server and move on to the next server ? which means we assume that it was the client’s IP address that the server is refusing, not the question we happened to be asking at that moment. Microsoft Windows will actually “de-preference” a name server if they hear too many REFUSED messages from it ? so BIND is not the only DNS software that interprets REFUSED in this way. … This means a classic non-secured DNS client will react to a REFUSED signal by treating the server as broken and just asking the next available server ? hoping to find a server that is not broken. Whereas a newer DNSSEC client will react to REFUSED by ignoring it and continuing to wait ? hoping for a real answer that might follow close on the heels of the potential forgery. In the unsecure case, the client will often do what the proponents of SOPA and PIPA would seem to want ? display an error message in the web browser ? but will occasionally just repeat the whole transaction a fraction of a second later, increasing the load on the ISP’s name servers. In the DNSSEC case, the client will not do PIPA or SOPA are asking, there will just be delay followed by trying some other server, or retrying through a proxy, or otherwise circumventing what will look to DNSSEC like just another broken hotel or coffee shop wireless network.

xenomancer (profile) says:

Tangent, But Important

Attention everyone! I’ve finally got the CENSOR ME plugin I wrote yesterday up on the WordPress plugin directory. See it in action here. If you operate a WordPress blog and wish to participate in a blackout, its essentially an on/off switch. Simply activate it to blackout and deactivate it to go back to normal.

Anonymous Coward says:

Wreckers and saboteurs

And what accomplished villains these old engineers were! What diabolical ways to sabotage they found! Nikolai Karlovich von Meck, of the People’s Commissariat of Railroads … would hold forth for hours on end about the economic problems involved in the construction of socialism, and he loved to give advice. One such pernicious piece of advice was to increase the size of freight trains and not worry about heavier than average loads. The GPU exposed van Meck, and he was shot: his objective had been to wear out rails and roadbeds, freight cars and locomotives, so as to leave the Republic without railroads in case of foreign military intervention! When, not long afterward, the new People’s Commissar of Railroads ordered that average loads should be increased, and even doubled and tripled them, the malicious engineers who protested became known as limiters … they were rightly shot for their lack of faith in the possibilities of socialist transport.

?????????? ??Aleksandr I. Solzhenitsyn, The Gulag Archipelago

Anonymous Coward says:

Institutionalized Lying

The real problem with poisoning the DNS is that it constitutes institutionalized lying. The owner of a domain name tells the DNS what their server IP address is. If any other entity somehow makes the DNS produce the wrong IP address, then that is no different from anybody else who is in a position of trust telling lies. We are rightly outraged when anybody else does it. It is no different when the DNS is lying. It is shocking that Congress should be proposing that the DNS should be perverted to tell lies. It proves that they are personally dishonest individuals. Vote the bums out.

The key to understanding America, is to figure out who is lying to who and why.

New Mexico Mark says:

Re: Institutionalized Lying

Maybe congress could enact a bill that could force map companies (or web mapping sites or gps) to produce altered maps preventing travelers from reaching unacceptable destinations?

What about forcing phone books (or phone number lookup sites) to remove or change phone numbers for un-persons?

The possibilities are endless since our “representatives” ™ are now enacting laws based on the principle of “liberty and justice for the highest bidder”.

Al Bert (profile) says:

Re: Institutionalized Lying

I think more important to the task of any actual reform would be to ask:

Why and in what circles has it become acceptable to suggest that lying is okay?

The answer to “who and why” only reveals the criminals and their motives. The answer to “why is it acceptable” reveals the criminal culture, i.e: the root of the parasitic plant.

TtfnJohn (profile) says:

The issue Vixie is outlining isn’t just that DNS won’t do what PIPA/SOPA want it to do but that there is nothing, no signal, no nothing that won’t look to DNSSEC as an attack or potential attack. Or just a failure and the lookup will try again and keep trying overloading ISP servers.

Any way you look at it technically it can’t be done the way SOPA/PIPA supporters want it to be done.

All to legislate a potential future, not a real one, for two failing entertainment sectors. Both failing at their own hand, I might add. (Again. ;-))

As for governments institutionalizing lying, even in the west, I’m afraid that happened decades ago. You know, things like domino theories and all that stuff, weapons of mass destruction found in Iraq that were never found once the troops landed and so on.

So why not now? Why not try to poison DNS so that it lies too. That way governments think they have control over something they’ve had no control of to now.

blaktron (profile) says:

Re: Re:

It goes worse than that. The only way to actually do it is to NAT the entire USA. People dont understand that you can just use a DNS server in another country unless you actively re-routing DNS requests to government servers.

The technical realities of implementing a system like this is automatically freedom killing because its so easy to bypass without a single tool that the only way to ensure compliance is to intercept every DNS request in the USA.

Also, once the requests have left the safe confines of a DNSSEC backbone, nothing at all will stop people from redirecting the redirections.

blaktron (profile) says:

Re: Re:

UGH, thats because you dont understand DNS, hes not being actually serious but commenting on how stupid the people suggesting these ideas are. The admin denial command is not used like that in the slightest, its used to breakup requests to prevent denial of service attacks when requesting big lists from the DNS server, not to permanently prevent access to a domain.

If you understood any of that you would be anti-SOPA/PIPA, and thats the problem.

Richard (profile) says:

Re: Re:

Vixie’s last sentence sounds much like an “olive branch” being extended to see what might be done technically to solve the DNS/DNSSEC issue. Sounds like Leahy may very well be on the right track after all.

Paul has been really careless saying something that enabled you to misinterpret him like that.

However you have been pretty wilful in your misinterpretation – so I guess he had a difficult task!

A Guy (profile) says:

Re: Re: Re: Re:

He meant, if you want to spend the next 10 (20? 30?) years rewriting DNS and internet routing in general, and then spending the untold millions (billions? trillions?) to roll out the changes, good luck with that. He welcomes you to the industry debate.

It was hard enough getting stakeholders together to do something (anything) about DNS security. Getting stakeholders together to completely redo the internet isn’t going to happen quickly, and you probably won’t be happy with the result.

Anonymous Coward says:

I’ll add that as soon as DNS blocking rule on the U.S. is passed, I’ll have to patch my local BIND source to block those kind of faulty DNS update entries. Just like what I did years ago to ignore the buggy when queries certain server from China DNS and increase the TTL of that cached entry to insane value in order to prevent it to ask the same question in the future.

So please don’t pass these laws, it makes my life more difficult.

Rich Kulawiec (profile) says:

What some of you are missing...

…particularly the AC’s, is that decisions made about the architecture of DNS have repercussions in the operation of DNS: it doesn’t operate in an abstract environment with infinite bandwidth, CPU and memory resources. I provided links to a number of mailing lists in a comment a couple of days ago; if you want to really try to understand how protocol decisions impact the real world, then you should probably be on those lists and reading the comments of the people who actually have to make this stuff work.

Violated (profile) says:

D... N... S...

I think this also all about what we want our Internet data to be… Honest and trustworthy, or insecure and a liar.

It does not take much pondering to arrive at the right answer which also means people can’t lie to an honest system.

I am looking forwards to Europe implementing DNSSEC when doing so will kill services like BT’s CleanFeed system. The same system that currently denies you access to NewzBin2. I spot some more court fight due there.

What I am currently thinking is that if DNSSEC uses Administrative Denied then this should be avoidable through changing your DNS look-up server.

Albert Klausevits (user link) says:

I had a trouble with the body’s weight, neck and back pain as well as motion security. After physical medicine rehab in New York Dynamic Neuromuscular Recovery (NYDNR) I really feel wonderfull!!! During DNS treatment, I alleviated for imbalances, dysfunctions, problems with position as well as control dysfunctions with a method that takes the individual back to placements of early advancement as well as makes use of treatment to progress feature as it is tolerated. The training is performed in one of the most all-natural (perfect) body positions. When learnt in this manner, the main activity systems become automatic supplying basis for healthy and balanced.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...