If people want to prevent their TCP/IP enabled lightswitches from viewing porn as well as stopping them from accessing malware sites, then I guess they could use this mechanism. I do not consider stopping my computer from accessing malware or crimeware sites to be 'censorship'. Censorship is what people do to other people. I have never heard of an anti-porn crusader who says that they need to be protected from porn, they always worry about what it would do to other people.

The fact that the DNS can be used as a censorship point only reinforces the need for the endpoint to be more careful in their choice of resolution service. The current DNS model was conceived when a VAX 11/780 only just fit in a standard elevator and cell phones were considered futuristic spy gadgets. Had the need for endpoints to move about been considered I don't think the default of taking DNS resolution service from your local network provider would have been acceptable.

For a whole host of reasons it is a really bad idea for ICANN or any other single point authority to be in the business of filtering domain name issue. Since it is also a bad idea to route packets to names controlled by the Russian Business Network it follows that most endpoints should not be using the authoritative DNS name space.

Given that the vast majority of medium to large sized businesses seem to already have some form of restriction on Internet access, I don't see that trying to enforce this by making the DNSSEC protocol issue failure reports is going to change anything. If the technical measures were effective then the businesses would simply turn off DNSSEC. But it is rather more likely that they won't work at all because nobody has yet worked out what a Web browser should do if it is told that the site exists but the resolution of the DNS request is blocked. Perhaps they could send a request for the missing packets by carrier pigeon.
On Thu, Feb 18, 2010 at 8:59 PM, Paul Wouters <paul@xxxxxxxxxxxxx> wrote:
> On Thu, 18 Feb 2010, Phillip Hallam-Baker wrote:
>
>> The key point is choice. Just as some people CHOOSE to install
>> products such as Norton Anti-Virus that stop certain applications
>> running on their machine, the typical Internet user should probably
>> CHOOSE to use a DNS service that has the known crimeware sites
>> eliminated.
>
> Should they also CHOOSE for a porn filter. And a filter on politically
> sensitive words? Where does our job end to let the user CHOOSE their
> censorship? And again, you make it sound like DNSSEC is taking away that
> choice, which is clearly not the case.
>
>> The point is that the particular obsession with 'end to end' solutions
>> means that we lose the ability to deploy architectures that provide
>> greater protection against the attacks that actually matter.
>
> It prevents hacking the protocol (for good AND for evil). And that is
> a good thing.
>
>> DNS hijacking is a very rare type of attack.
>
> No it is not. It depends on your environment. I'll grant you that it's
> more likely you'll end up on a phishing site than caught in a DNS spoof,
> but that does not validate your opinion of not rolling out stronger
> security just so people can play games with protocols.
>
> And as Mark showed, there are legitimate ways of piggybacking filtering
> services with DNS using EDNS options.
>
>> Securing the mapping of
>> DNS names to IP addresses will not provide a major reduction in
>> expected losses due to attacks.
>
> It will greatly improve security by providing a hierarchical distributed
> signed database. You will see many new applications leveraging this new
> option.
>
>> We already have domain validated SSL
>> certificates that meet that need quite adequately.
>
> You haven't been around in the last year? When we had SSL attack after SSL
> attack? A 2 second email verification for a "valid for the entire world"
> certificate is not what I would call "quite adequately".
>
>> The value in DNSSEC lies in being able to establish a coherent network
>> based system of security policy distribution.
>
> Sorry, I am not sure what this means. But if it is another application of
> distributed signed data, then yes, it is another case for the adoption of
> DNSSEC, not for criticism that it would block some filtering technique,
> which it doesn't.
>
> Paul
> --

--
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
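Added example, not from the thread or any of its participants: a small Python script that builds DNS responses in wire format and shows what a validating stub resolver (or a browser behind one) can and cannot conclude from them, which is the open question above about a browser being told the name exists but resolution is blocked. It assumes the EDNS Extended DNS Error option (RFC 8914, EDNS option code 15, standardised years after this 2010 exchange) as the concrete form of the "EDNS options" Paul refers to for a resolver signalling that it withheld an answer on purpose. All names, addresses and responses here are constructed for the example; nothing goes on the wire.

```python
import struct

# Wire-format constants. The OPT type (RFC 6891) and the Extended DNS Error
# option code and INFO-CODEs (RFC 8914) are from those RFCs, not from the thread.
OPT_TYPE = 41
EDE_OPTION_CODE = 15
EDE_DNSSEC_BOGUS, EDE_BLOCKED, EDE_CENSORED, EDE_FILTERED = 6, 15, 16, 17
FLAG_QR, FLAG_AD = 0x8000, 0x0020       # header flags: response, Authentic Data
OPT_DO = 0x8000                         # DO bit sits in the low 16 bits of the OPT TTL field
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(name, rcode, ad=False, answer_ip=None, ede=None):
    """Constructed response to an A query: header, question, optional A answer,
    and an OPT RR that may carry one EDE option given as (info_code, text)."""
    flags = FLAG_QR | (FLAG_AD if ad else 0) | (rcode & 0xF)
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    answers, ancount = b"", 0
    if answer_ip is not None:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        answers = encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
        ancount = 1
    options = b""
    if ede is not None:
        info_code, text = ede
        data = struct.pack("!H", info_code) + text.encode("utf-8")
        options = struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, OPT_DO, len(options)) + options
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 1)
    return header + question + answers + opt


def skip_name(buf, off):
    """Advance past a wire-format name, including compression pointers."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:       # pointer: two bytes, and the name ends here
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(buf):
    """Return (rcode, ad_set, ede) where ede is (info_code, text) or None."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4   # skip QTYPE and QCLASS
    ede = None
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        o = 0
        while o + 4 <= len(rdata):      # walk the EDNS options inside the OPT RDATA
            ocode, olen = struct.unpack("!HH", rdata[o:o + 4])
            odata, o = rdata[o + 4:o + 4 + olen], o + 4 + olen
            if ocode == EDE_OPTION_CODE and len(odata) >= 2:
                ede = (struct.unpack("!H", odata[:2])[0], odata[2:].decode("utf-8", "replace"))
    return flags & 0xF, bool(flags & FLAG_AD), ede


def classify(buf):
    """What a validating stub, or a browser behind one, can conclude."""
    rcode, ad, ede = parse_response(buf)
    if ede and ede[0] in (EDE_BLOCKED, EDE_CENSORED, EDE_FILTERED):
        return "policy-blocked"         # resolver declares it withheld the answer on purpose
    if ede and ede[0] == EDE_DNSSEC_BOGUS:
        return "bogus"                  # resolver declares DNSSEC validation failed
    if rcode == RCODE_SERVFAIL:
        return "bogus-or-broken"        # no signal: spoof, outage and silent filtering look alike
    if rcode == RCODE_NOERROR and ad:
        return "validated"
    if rcode == RCODE_NOERROR:
        return "insecure"               # an answer, but nothing vouches for it
    return "nxdomain"


# Constructed sample responses (names from the reserved documentation space).
SAMPLES = {
    "signed zone, validated answer": build_response("www.example.com", RCODE_NOERROR, ad=True, answer_ip="192.0.2.10"),
    "name withheld by the chosen filtering resolver": build_response("bad.example", RCODE_NXDOMAIN, ede=(EDE_FILTERED, "on blocklist")),
    "spoofed answer rejected by validation": build_response("bank.example", RCODE_SERVFAIL, ede=(EDE_DNSSEC_BOGUS, "RRSIG invalid")),
    "SERVFAIL with no explanation": build_response("bank.example", RCODE_SERVFAIL),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label:48s} -> {classify(msg)}")
```

The fourth sample is the case the thread circles around: a bare SERVFAIL gives the client no way to tell a spoofed answer that failed validation from a resolver that quietly filtered the name or simply broke, so a browser cannot pick a sensible error page. The AD bit and the EDE text are only worth anything over a channel to a resolver the endpoint chose and trusts; a stub that validates for itself would find no NSEC proof behind the filtered NXDOMAIN and would have to treat it as bogus, which is why the choice of resolution service, rather than the protocol, is where filtering has to be decided.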