The Big Debate on DNS Filtering and DNSSEC

Earlier this week, I participated on a panel debating the use of Domain Name System (DNS) filtering and the Protect Intellectual Property (IP) Act at the third Internet Governance Forum-USA.  Video of the event is being updated here.

Photo credit: Elon University

The PROTECT IP Act would authorize a court to issue an order blocking access and service in the U.S. to sites that peddle illegal wares once criminality was established.  These orders would then be served on ISPs, search engines, payment processors and ad networks to comply with the order.  The ISPs would use a technique called DNS filtering to comply with the court order but some engineers are objecting to the use of this technology.

Stephen Crocker (pictured left above) and four other engineers argued in a letter that DNS filtering would destabilize and weaken the security of the Internet by breaking the DNS security extensions standard called DNSSEC.  I wrote an extensive rebuttal to these arguments and the Internet Governance Forum set up a debate between myself, Stephen Crocker, Don Blumenthal, David Sohn (CDT), James Galvin, and Paul Brigner (MPAA) with moderator Sally Wentworth.

As I was told, the idea behind this particular debate was to avoid the use of canned PowerPoint presentations and talking points in favor of a technical dialog.  I made the statement that DNS filtering only affected the sites that are being filtered (those that have been deemed illegal by the courts) and that it does not break anything on unfiltered legal websites which means that DNS filtering has no general effect on the DNSSEC standard.  This is by definition what the proposed Protect IP Act authorizes, yet Stephen Crocker interrupted me and vehemently asserted that DNS filtering will affect unfiltered sites.  When I asked him to explain how he could come to this conclusion, Dr. Crocker wouldn’t do so and instead accused me of not paying attention.  I was stunned by this behavior especially in light of the fact that Dr. Crocker spent more time showing a PowerPoint that talked about a 17th century warship than explaining what DNS filtering has to do with the entire DNSSEC standard.

Since we couldn’t really debate in the allotted time, I will attempt to continue a meaningful debate here on our High Tech Forum blog.  Dr. Crocker or anyone else on the panel will be welcome to respond and their full unedited comments will be added to this post.

A meaningful debate on DNS filtering

Stephen Crocker wouldn’t elaborate how DNS filtering broke the DNSSEC standard during the panel, but I’m pleased to have Vint Cerf and Lauren Weinstein chime in on the debate on the NNSQUAD mailing list.  While I disagree and intend to refute them, Cerf and Weinstein at least expressed some clear and concise concerns for DNSSEC.

Vint Cerf began with some legal arguments:

Vint Cerf: “George’s argument seems flawed to me. Suppose you have a site that is NOT illegal but a government wants to suppress it or even re-direct to a counterfeit site.”

This is irrelevant to the discussion since the Protect IP Act only authorizes courts to impose DNS filtering on websites that are primarily dedicated to selling counterfeit goods.  The goal of the Protect IP Act is not to censor speech – unless we are under some strange notion that content infringement is protected as free speech.  Others have suggested that the courts have bypassed due process for the accused websites and therefore these DNS filtered websites don’t meet the legal requirement of guilt.

However, this is no longer a pure and objective engineering argument.  It falls more under legal hair splitting.  My colleague Richard Bennett pointed out that only one of the accused website owners appeared in court, which is why they were pronounced guilty.  That shouldn’t be surprising considering the fact that these were criminals selling counterfeit goods.  No amount of due process would vindicate a website whose owner doesn’t show up when they are summoned to court.

Vint Cerf continues by arguing how DNSSEC operation of filtered websites is disrupted.

Vint Cerf: “Without DNSSEC, such re-direction is possible without detection. With DNSSEC one of two things might happen:  1. the site looks invalid because the DNSSEC check fails in which case counterfeiting the site doesn’t work. that’s the good case I suppose except that the government “wins” since it suppresses access to the site for those relying on DNSSEC.  2. the government produces a false but signed entry that passes the DNSSEC check (wouldn’t that mean that it had falsified a certificate containing the public key of that domain name?) in which case the government succeeds in re-directing even a DNSSEC-checking user.”

First, the result of failed access is precisely the goal of the Protect IP Act which is to block access to counterfeit goods websites.  Anyone who suggests that this somehow breaks the entire DNSSEC standard is out of touch with reality.  It would be as ludicrous as suggesting that if the courts blocked HTTP web access to a child pornography website because the owner didn’t show up to defend himself, then the court is breaking the HTTP web protocol for the entire Internet.

Second, this is again irrelevant to the Protect IP Act.  What Vint Cerf is suggesting is that the government would be secretly redirecting and wiretapping websites.  The Protect IP Act gives no such authorization on wiretapping and covert redirection.  In fact, the Protect IP Act specifically calls for a clear notice of redirection along with an explanation of why the user was redirected.  The Protect IP Act calls for overt redirection of illegal websites while DNSSEC is designed to protect users from covert redirection.

Vint Cerf goes on to say that DNS filtering could pose security risks for filtered websites running DNSSEC.

Vint Cerf: “Of course, if you ignore DNSSEC and accept whatever comes back as the IP address, you will be fooled (or denied access to the real site).”

This would be a flagrantly negligent implementation of DNSSEC.  A DNSSEC implementation is only secure if it enforces the authentication checks.  This has nothing to do with the DNS filtering aspect of the Protect IP Act.

At this point, Lauren Weinstein chimed in and said:

Lauren Weinstein: “Even “guilty” sites (as per government claims) — and especially innocent sites — deserve to have their users properly notified of government actions. Various artificially induced error conditions are not an acceptable substitute for court-ordered blocking-related notifications to users.”

The primary purpose of the Protect IP Act is to take down illegal websites.  The secondary purpose calls for overt DNS redirection for informational purposes but the Act doesn’t account for the handling of DNSSEC.  This is understandable since the DNSSEC standard is nascent and rarely used by anyone.  Weinstein insists that the government give proper notification for future hypothetical users of court-filtered domains that require DNSSEC, but the DNSSEC standard is designed to block all DNS redirection regardless of whether it is overt or covert.  So until the DNSSEC standard can accommodate overt DNSSEC redirection, we can’t even begin to consider requiring it by law.  As it stands today, the Protect IP Act is every bit reasonable and technically sound.
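The resolver behavior argued over in this post can be simulated in a few lines; this is an added illustration, not code from the post or from any DNSSEC implementation. Toy RSA stands in for RRSIG signatures, the client is assumed to validate answers itself, and the zone names, addresses, `BLOCKLIST` and `NOTICE_IP` are constructed.

```python
import hashlib

# Toy RSA zone key (constructed; far too small for real use). Real DNSSEC
# uses per-zone keys chained to the root; one key is enough for this sketch.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the zone owner only

# Constructed sample data (documentation address ranges).
ZONE = {"shop.example": "192.0.2.10", "news.example": "198.51.100.20"}
BLOCKLIST = {"shop.example"}   # hypothetical court-ordered block list
NOTICE_IP = "203.0.113.1"      # hypothetical address of the notice page

def digest(name, rdata):
    h = hashlib.sha256(f"{name}|A|{rdata}".encode()).digest()
    return int.from_bytes(h, "big") % N

def authoritative(name):
    """Zone owner: return the A record plus its signature (RRSIG stand-in)."""
    rdata = ZONE[name]
    return rdata, pow(digest(name, rdata), D, N)

def filtering_resolver(name):
    """ISP resolver: rewrite blocked names. It has no zone private key,
    so it cannot produce a valid signature for the rewritten answer."""
    rdata, sig = authoritative(name)
    return (NOTICE_IP, sig) if name in BLOCKLIST else (rdata, sig)

def verify(name, rdata, sig):
    """Validator: check the signature with the public key (N, E)."""
    return pow(sig, E, N) == digest(name, rdata)

def client_lookup(name, validate):
    """End host behind the filtering resolver, with or without validation."""
    rdata, sig = filtering_resolver(name)
    if validate and not verify(name, rdata, sig):
        return "SERVFAIL"  # validation failure: the notice page is never reached
    return rdata

if __name__ == "__main__":
    for name in ZONE:
        for validate in (True, False):
            print(name, "validate=%s" % validate, "->", client_lookup(name, validate))
```

The unfiltered name resolves identically with and without validation; the filtered name yields the notice address only for a non-validating client and a validation failure for a validating one.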

  • It seems that the most common argument against PROTECT IP is: “It would be bad if these measures were deployed against innocent sites.”

    That implies that the measures are effective. Then the critics go on to say: “These measures aren’t going to be effective.”

    So I scratch my head.

  • George Ou

    I think Lauren pinpointed what they’re complaining about most, which is the fact that there is no way to implement a court-ordered DNS redirection when DNSSEC is designed to block redirection. But the DNSSEC standard should support overt redirection, at least from a government authority. This doesn’t violate the intent of DNSSEC security since the end user would know that they’re being redirected.

    But they’re trying to hang on this obscure scenario to suggest that we can’t implement a court-ordered block if we have no mechanism to notify them using DNSSEC. That would be like saying we can’t shut down a child abuse website if we can’t contact the website’s owners.

  • Anonymous Entry

    “PROTECT IP Act would authorize a court to issue an order blocking access and service in the U.S. to sites that peddle illegal wares once criminality was established.” I think the “once criminality was established”. My concern with this is that this Act should not be determined by a government court because it simply sets up the foundation for government controlling what is criminal and what is not criminal, and then shutting down free speech. It’s about government control and the progressive movement toward communist control. The People’s Republic of China is the best example of this. What started as “securing unsafe internet” now has become censorship against those standing up for human rights and call against freedom of speech, and the end to political corruption. Governmental authorities not only block website content but also monitor the Internet access of individuals. Amnesty International notes that China “has the largest recorded number of imprisoned journalists and cyber-dissidents in the world.” To feel this is just about counterfeit goods seems a bit naive to me. An illegal ware could simply be someone who speaks out against government corruption some time in the future – and who determines that? I think we need to wake up a bit.

  • George Ou

    “My concern with this is that this Act should not be determined by a government court because it simply sets up the foundation for government controlling what is criminal and what is not criminal, and then shutting down free speech.”

    So long as you consider selling counterfeit goods a form of free speech.

  • George — interesting argument. I’m sorry to hear you say that Crocker wouldn’t address your points. If true, that was a disservice to the audience and the event.

    I’m not an engineer and can’t comment on the DNSSEC question. But two points:

    1. I think you’re being a bit unfair describing Vixie’s position on using RPZ to filter DNS. I’ve followed this discussion over the past few months, and what I think he’s saying is that it won’t work because there are too many people (end users) who don’t care about online copyright. Too many lawbreakers, as you’d put it. And there are too many ways around the blocking using current Internet protocols.

    2. Putting aside the efficacy question, let’s not assume that a sanctioned process for governmental site blockage won’t be abused. We only have to look back a few years at the illegal wiretapping that occurred after 9/11.

    There was a process (FISA), and the government simply decided to ignore it. Only one telco protested, Qwest if my memory serves. In today’s economic and political climate, what ISP or telco would refuse today?

  • George Ou

    @ Chris Parente

    In response to your points.
    1. DNS filters aren’t designed to go after determined pirates but those people aren’t trying to use these for-fee websites that are being filtered. Determined pirates use other technologies that don’t cost anything. These for-fee websites pose as legitimate sites to unsuspecting consumers wanting to pay money to access content. Anyone who pays for content when they can completely steal the content is less likely to work around the DNS filter.

    2. Like I said in the article above, this has nothing to do with wiretapping. The government isn’t covertly redirecting users to a site that gathers information. The government is overtly telling users that they’re being redirected.

    • George — your #1 answer is a bit confusing — are you saying that Yes, anyone determined enough can get around the blocking but it will protect people who don’t think they are doing something wrong? In other words, create a big, bold line in cyberspace that denotes access to illegal material?

      #2 — your response did not address my point. My point is, like with FISA the state will be tempted to circumvent the legal process and pressure ISPs and telcos to block sites it deems malicious.
