[AfrICANN-discuss] PROTECT IP threatens the future of DNS security

Anne-Rachel Inné annerachel at gmail.com
Fri Aug 26 14:34:13 SAST 2011


PROTECT IP threatens the future of DNS security
http://www.afterdawn.com/news/article.cfm/2011/08/26/protect_ip_threatens_the_future_of_dns_security

Written by Rich Fiscus <http://www.afterdawn.com/news/by_author.cfm/vurbal>
@ 25 Aug 2011 23:46

PROTECT IP is the name of a bill which is working its way through the US
Senate, with a version also expected to be introduced in the House of
Representatives next month. It would require the Attorney General's office
to compile a list of domain names which DNS operators (in the US) will be
required to block.
According to some critics, it threatens to undo more than a decade of
Internet security development in a single stroke.

To understand exactly what that means, I talked to one of those critics - *Paul
Vixie* of the *Internet Systems Consortium* (*ISC*). You may not be familiar
with *ISC*, but you almost certainly make use of their software every day.

*ISC* is a non-profit corporation which develops BIND, the most widely used
DNS server software on the planet. When you type a domain name like
AfterDawn.com into your web browser, your computer relies on a worldwide
network of DNS servers to translate it into an IP address.

As part of BIND development, *ISC* has put significant resources into making
DNS more secure through the use of an extension called DNSSEC. DNSSEC adds
a cryptographic signature to DNS records, making it possible to ensure the IP
address you get from a DNS server is authentic.

DNSSEC support isn't finished yet, and if PROTECT IP is implemented *Paul
Vixie* says it never will be.

Under PROTECT IP, DNS server operators in the US would be required to
replace the correct IP address for a blacklisted domain name with an
alternate address provided by the Attorney General's office.

When I spoke with *Paul*, he talked about why this causes problems with
DNSSEC:

Ultimately there are two ways to modify DNSSEC data. You can either strip
off the signatures in which case your modified response will be ignored, or
you can just drop the query and never send a response at all. The trouble
with these as lawful mandates is that they're indistinguishable from what
evildoers will do. There's nothing in the DNSSEC protocol to say "this is a
lawful insert or modification, you should accept it."



He then went on to explain how PROTECT IP would make it impossible to
implement DNSSEC in the real world:

Say your browser, when it's trying to decide whether some web site is or is
not your bank's web site, sees the modifications or hears no response. It
has to be able to try some other mechanism like a proxy or a VPN as a backup
solution rather than just giving up (or just accepting the modification and
saying "who cares?"). Using a proxy or VPN as a backup solution would, under
PROTECT IP, break the law.

I have a special concern about this since we will have to implement backup
plans in the BIND validator, which we will not do if PROTECT IP passes, and
without this kind of backup plan, DNSSEC itself will never be commercially
viable.



In other words, if DNSSEC is going to work in the real world it needs to be
reliable. If the server doesn't have options to route around errors, no one
will use it.

If it does have those options, PROTECT IP says it's illegal.
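
The two modifications Vixie describes can be seen from the validating resolver's side in the following sketch, which is an added example and not code from the article, ISC or BIND. It shows that a rewritten address fails validation in exactly the same way whether the rewrite is mandated or malicious, because the validator only sees data and a signature. Assumptions: the names and addresses are constructed, the zone is known to be signed, and a toy textbook RSA key stands in for a real DNSSEC zone key.

```python
import hashlib

# Toy zone key: textbook RSA over two Mersenne primes. Far too small and
# unpadded for real use; it only stands in for a DNSSEC zone signing key.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the zone owner


def digest(name, address):
    """Hash of the A record contents, reduced to fit the toy modulus."""
    data = f"{name}|A|{address}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(name, address):
    """Zone owner: sign the A record (the role an RRSIG plays)."""
    return pow(digest(name, address), D, N)


def validate(name, response):
    """Validating resolver: classify what came back for a signed zone."""
    if response is None:
        return "no-response"           # query dropped on the path
    address, signature = response
    if signature is None:
        return "bogus"                 # signed zone, signature stripped
    if pow(signature, E, N) != digest(name, address):
        return "bogus"                 # data does not match the signature
    return "secure"


def scenarios():
    name, real = "bank.example", "192.0.2.10"       # constructed sample data
    sig = sign(name, real)
    return {
        "authentic":          validate(name, (real, sig)),
        "mandated rewrite":   validate(name, ("198.51.100.1", sig)),
        "attacker rewrite":   validate(name, ("203.0.113.66", sig)),
        "signature stripped": validate(name, ("198.51.100.1", None)),
        "query dropped":      validate(name, None),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:20} -> {verdict}")
```
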

Considering PROTECT IP is focused on mandating how DNS operates, you might
expect its authors to have at least consulted with *ISC*. Sadly they didn't.


That hasn't stopped Vixie from making his opinion known, both to legislators
and the public at large.

In May of this year he co-authored a whitepaper
<http://www.circleid.com/pdf/PROTECT-IP-Technical-Whitepaper-Final.pdf>
outlining the technical problems with PROTECT IP. Then, in July, along with
the other whitepaper authors, he met with members of Congress from both
parties to explain their concerns in person.

Supporters of PROTECT IP are hailing it as a magic bullet for preventing
online intellectual property infringement. The reality is it would do more
harm than good, and wouldn't even work.

Bypassing DNS filtering is trivially easy. All you need to do is configure
your computer to use DNS servers outside the US which won't be affected by
the law.

And ultimately that's the biggest technical problem with PROTECT IP. It can
only work to the extent the public allows.

Obviously whatever segment of the population is downloading illegally
doesn't want it to work at all, and they will be able to bypass it.