The Big Debate on DNS Filtering and DNSSEC

Earlier this week, I participated on a panel debating the use of Domain Name System (DNS) filtering and the Protect Intellectual Property (IP) Act at the third Internet Governance Forum-USA.  Video of the event is being updated here.


Photo credit: Elon University

The PROTECT IP Act would authorize a court to issue an order blocking access and service in the U.S. to sites that peddle illegal wares once criminality was established.  These orders would then be served on ISPs, search engines, payment processors and ad networks, which would have to comply with them.  The ISPs would use a technique called DNS filtering to comply with the court order, but some engineers are objecting to the use of this technology.

Stephen Crocker (pictured left above) and four other engineers argued in a letter that DNS filtering would destabilize and weaken the security of the Internet by breaking the DNS security extensions standard called DNSSEC.  I wrote an extensive rebuttal to these arguments and the Internet Governance Forum set up a debate between myself, Stephen Crocker, Don Blumenthal, David Sohn (CDT), James Galvin, and Paul Brigner (MPAA) with moderator Sally Wentworth.

As I was told, the idea behind this particular debate was to avoid the use of canned PowerPoint presentations and talking points in favor of a technical dialog.  I made the statement that DNS filtering only affected the sites that are being filtered (those that have been deemed illegal by the courts) and that it does not break anything on unfiltered legal websites, which means that DNS filtering has no general effect on the DNSSEC standard.  This is by definition what the proposed Protect IP Act authorizes, yet Stephen Crocker interrupted me and vehemently asserted that DNS filtering will affect unfiltered sites.  When I asked him to explain how he could come to this conclusion, Dr. Crocker wouldn’t do so and instead accused me of not paying attention.  I was stunned by this behavior, especially in light of the fact that Dr. Crocker spent more time showing a PowerPoint that talked about a 17th century warship than explaining what DNS filtering has to do with the entire DNSSEC standard.

Since we couldn’t really debate in the allotted time, I will attempt to continue a meaningful debate here on our High Tech Forum blog.  Dr. Crocker or anyone else on the panel will be welcome to respond and their full unedited comments will be added to this post.

A meaningful debate on DNS filtering

Stephen Crocker wouldn’t elaborate how DNS filtering broke the DNSSEC standard during the panel, but I’m pleased to have Vint Cerf and Lauren Weinstein chime in on the debate on the NNSQUAD mailing list.  While I disagree and intend to refute them, Cerf and Weinstein at least expressed some clear and concise concerns for DNSSEC.

Vint Cerf began with some legal arguments:

Vint Cerf: “George’s argument seems flawed to me. Suppose you have a site that is NOT illegal but a government wants to suppress it or even re-direct to a counterfeit site.”

This is irrelevant to the discussion since the Protect IP Act only authorizes courts to impose DNS filtering on websites that are primarily dedicated to selling counterfeit goods.  The goal of the Protect IP Act is not to censor speech – unless we are under some strange notion that content infringement is protected as free speech.  Others have suggested that the courts have bypassed due process for the accused websites and therefore these DNS filtered websites don’t meet the legal requirement of guilt.

However, this is no longer a pure and objective engineering argument.  It falls more under legal hair splitting.  My colleague Richard Bennett pointed out that only one of the accused website owners appeared in court, which is why they were pronounced guilty.  That shouldn’t be surprising considering the fact that these were criminals selling counterfeit goods.  No amount of due process would vindicate a website whose owner doesn’t show up when they are summoned to court.

Vint Cerf continues by arguing that DNSSEC operation for filtered websites is disrupted.

Vint Cerf: “Without DNSSEC, such re-direction is possible without detection. With DNSSEC one of two things might happen:  1. the site looks invalid because the DNSSEC check fails in which case counterfeiting the site doesn’t work. that’s the good case I suppose except that the government “wins” since it suppresses access to the site for those relying on DNSSEC.  2. the government produces a false but signed entry that passes the DNSSEC check (wouldn’t that mean that it had falsified a certificate containing the public key of that domain name?) in which case the government succeeds in re-directing even a DNSSEC-checking user.”

First, the result of failed access is precisely the goal of the Protect IP Act, which is to block access to counterfeit goods websites.  Anyone who suggests that this somehow breaks the entire DNSSEC standard is out of touch with reality.  It would be as ludicrous as suggesting that if the courts blocked HTTP web access to a child pornography website because the owner didn’t show up to defend himself, then the court is breaking the HTTP web protocol for the entire Internet.

Second, this is again irrelevant to the Protect IP Act.  Vint Cerf is suggesting that the government would be secretly redirecting and wiretapping websites.  The Protect IP Act gives no such authorization for wiretapping and covert redirection.  In fact, the Protect IP Act specifically calls for a clear notice of redirection along with an explanation of why the user was redirected.  The Protect IP Act calls for overt redirection of illegal websites while DNSSEC is designed to protect users from covert redirection.

Vint Cerf goes on to say that DNS filtering could pose security risks for filtered websites running DNSSEC.

Vint Cerf: “Of course, if you ignore DNSSEC and accept whatever comes back as the IP address, you will be fooled (or denied access to the real site).”

This would be a flagrantly negligent implementation of DNSSEC.  A DNSSEC implementation is only secure if it enforces the authentication checks.  This has nothing to do with the DNS filtering aspect of the Protect IP Act.

At this point, Lauren Weinstein chimed in and said:

Lauren Weinstein: “Even “guilty” sites (as per government claims) — and especially innocent sites — deserve to have their users properly notified of government actions. Various artificially induced error conditions are not an acceptable substitute for court-ordered blocking-related notifications to users.”

The primary purpose of the Protect IP Act is to take down illegal websites.  The secondary purpose calls for overt DNS redirection for informational purposes but the Act doesn’t account for the handling of DNSSEC.  This is understandable since the DNSSEC standard is nascent and rarely used by anyone.  Weinstein insists that the government give proper notification for future hypothetical users of court-filtered domains that require DNSSEC, but the DNSSEC standard is designed to block all DNS redirection regardless of whether it is overt or covert.  So until the DNSSEC standard can accommodate overt DNSSEC redirection, we can’t even begin to consider requiring it by law.  As it stands today, the Protect IP Act is every bit reasonable and technically sound.
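
The resolver behaviour this debate turns on can be modelled in a few lines; the following is an added example, not code from the original post or from any DNS implementation. The zone names, addresses, key and function names are constructed for illustration, and an HMAC stands in for the zone's public-key RRSIG so the model runs on the standard library alone.

```python
import hashlib
import hmac

# Constructed sample data; names, addresses and the key are illustrative.
ZONE_KEY = b"constructed-zone-key"       # stand-in for the zone's private key
SIGNED_ZONES = {"signed-shop.test"}      # zones whose parent publishes a DS record
REAL_A = "192.0.2.10"                    # the site's real address
NOTICE_A = "198.51.100.1"                # hypothetical court-notice page


def sign_rrset(name, address):
    """Stand-in for an RRSIG over the A record (HMAC, not a public-key signature)."""
    msg = f"{name}|A|{address}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()


def authoritative_answer(name):
    """What the zone's own name servers return."""
    rrsig = sign_rrset(name, REAL_A) if name in SIGNED_ZONES else None
    return {"name": name, "address": REAL_A, "rrsig": rrsig}


def filtering_resolver(name, blocked):
    """ISP resolver applying a blocking order by rewriting the answer.
    It does not hold the zone key, so the rewritten record carries no signature."""
    if name in blocked:
        return {"name": name, "address": NOTICE_A, "rrsig": None}
    return authoritative_answer(name)


def validating_client(answer):
    """Returns (status, address) using the DNSSEC validation states."""
    if answer["name"] not in SIGNED_ZONES:
        return ("insecure", answer["address"])    # no DS: unsigned data is accepted
    expected = sign_rrset(answer["name"], answer["address"])
    if answer["rrsig"] and hmac.compare_digest(answer["rrsig"], expected):
        return ("secure", answer["address"])
    return ("bogus", None)                        # reported to the user as SERVFAIL


def non_validating_client(answer):
    """Accepts whatever address comes back."""
    return ("unchecked", answer["address"])


def lookup(name, blocked, validating=True):
    answer = filtering_resolver(name, blocked)
    return validating_client(answer) if validating else non_validating_client(answer)
```

In this model an unfiltered signed zone still validates as secure, a filtered signed zone comes back bogus to a validating client whether or not the redirect was meant as a notice, and only a non-validating client or an unsigned zone ever reaches the notice page.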