http://www.isc.org/software/rpz

On Nov 20, 2011 12:10 PM, "Milton L Mueller" <[log in to unmask]> wrote:

> Does anyone on this list know more about the way BIND is being amended to allow the “rewriting” of DNS answers? Jorge? Timothe?
>
> From: NCSG-Discuss [mailto:[log in to unmask]] On Behalf Of William Drake
> Sent: Sunday, November 20, 2011 10:22 AM
> To: [log in to unmask]
> Subject: [NCSG-Discuss] beyond take down
>
> Hi
>
> As discussed on our call the other night, some of the key developments from a global public interest standpoint go beyond GNSO & ICANN policies but we might still consider whether there's grounds for useful NC engagement…
>
> & BTW Monika quotes Wendy in the below...
>
> http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/print/
>
> Filtering and Blocking Closer To The Core Of The Internet?
> By Monika Ermert for Intellectual Property Watch on 20/11/2011 @ 1:00 pm
>
> With protests against draft US legislation like the Stop Online Piracy Act (SOPA) and the Protect IP Act ongoing and the European Parliament voting on 17 November for a resolution to request that the United States should be “refraining from unilateral measures to revoke IP addresses or domain names,” politicians are talking a lot about technology for the internet domain name system. But at the same time, engineers are getting more political and are intensively discussing technology providing the tools for blocking – by governments and private parties.
>
> For the community that cares for the functioning of the domain name system (DNS), it came as a shock when Paul Vixie, founder of the Internet Software Consortium (ISC), said that the BIND software would allow the filtering out of sites with a bad “reputation” – like listed malware sites – and also the “rewriting” of DNS answers – manipulating what people get to see when asking for domain names.
>
> Vixie is a guru of the DNS and one of the authors of the letter by well-known experts against DNS blocking in the Protect IP Act. But he is perhaps best-known for being the father of BIND, which has for a decade been the open source tool that makes the DNS work.
>
> More Filter-Friendly DNS Software
>
> Jim Reid, one of the chairs of the DNS working group at the Réseaux IP Européens, said during a recent debate about principles that he was “rather saddened” by ISC’s decision to allow the rewriting. “We’re giving the bad guys tools,” Reid warned.
>
> The rewriting – which sends back a “lie” upon a request to the DNS from someone looking for a website – “also sends a rather nasty message saying it’s okay to do this kind of thing.” What is worse from the engineers’ standpoint with the rewriting is that it breaks new measures to secure the DNS, because the “lies” are detected and dropped without users knowing what happened.
>
> The “lying” is currently happening for domains seized by the US government agency ICE (US Immigration and Customs Enforcement), some of them legal in their country of origin, like the Spanish RojaDirecta.com (a case discussed intensively by the experts). When typing RojaDirecta.com, users do not get to that site, but to a warning/blocking site by the ICE.
>
> It is this kind of case that has stirred up debate in the European Parliament, pushed by the European Digital Right initiative (EDRi).
> “By this you render a site and the data inaccessible without having any court order in the site owner’s country,” said Joe McNamee, who fought for the declaration now officially included in the Parliament’s resolution on the upcoming European Union-US Summit of 28 November 2011.
>
> The text of the Parliament resolution is here [1].
>
> Under the topic “Freedom and Security,” the declaration stresses the need “to protect the integrity of the global internet and freedom of communication by refraining from unilateral measures to revoke IP addresses or domain names.”
>
> SOPA, McNamee warned, would be so broad that “it could be interpreted in a way that would mean that no online resource in the global internet would be outside US jurisdiction.”
>
> Of those who provide users with domain names – with the so-called DNS registrars closer to the user and the user’s jurisdictions – it is the registry companies who manage the central database for zones like .com (for example) who are an easy target when it comes to take-downs. They keep the record of who every .com domain name is delegated to and inform those looking for a site where to go. So they can from a top spot in the DNS hierarchy point to a “wrong” location.
>
> What makes things difficult is that many large registries, like VeriSign (registry for .com and .net) which changed the rojadirecta.com record, are located in the United States and while offering services globally in name, they in fact are bound by US law.
>
> Registries – Target for Take-Downs
>
> VeriSign recently tried to get a new registry policy acknowledged by the Internet Corporation for Assigned Names and Numbers (ICANN), the DNS technical oversight body, which would have allowed the dot com and dot net registry (VeriSign) “to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process.” After a first wave of protests, the company backed off and withdrew the test for the time being.
>
> Matt Pounsett from Afilias, the registry for .info and some other TLDs, explained the dilemma. While the registries certainly like people to see the correct DNS-answers that they send, “there are cases where even we participate in things like that, particularly domain take-down.” Many take-downs were made when it was found out “that a particular domain is being used in a way that violates acceptable use.”
>
> Registry operators and software providers like ISC underline that the fight against malware mainly drives their interventions. BIND’s filtering function will help the manager of a local domain to protect his network. Customers are pushing, for example, for options like rewriting, said Joao Damas, a developer at ISC.
>
> The rewriting not only allows ICE to lead people to their website instead of Rojadirecta’s, it also allows commercial companies to attract traffic to their search engine with recommendations and paid ads. Some big telecommunications providers, for example, lure users to their search site every time they mistype a domain name or simply look for something that does not exist.
>
> “If we do not offer functionalities like the rewriting in our BIND software, we will drive them away from BIND,” said Damas.
> BIND’s new “reputation policy zone” function allows people to have names checked against lists of alleged bad actors, known spammers or malware-distributors, and in case of a match do not display the respective sites.
>
> More Private Filtering
>
> But what about the governance of increased private manipulation and also filtering that is enabled by better tools, asked Peter Koch, a DNS expert at Denic, the registry for the .de country code TLD of Germany. “When we talk about a near real-time facility that would enable certain groups to influence resolvers to block or rewrite resolution data,” Koch warned, collateral damage and even liability issues could arise. The more sceptical engineers also warn that such interventions could make the deployment of secure DNS on the last mile to the user very difficult. As they, including Vixie, have worked for a decade to implement this kind of security, they oppose it from an architectural standpoint.
>
> Civil liberty advocates like McNamee or Wendy Seltzer, co-founder of the project Chilling Effects, point to the difficulties for victims of the varieties of filtering possibilities to push back. Why can a DMCA (US Digital Millennium Copyright Act [2]) request from a private party lead to Google even filtering a part of the rojadirecta website included in the Spanish version and housed under .es, the country code TLD of Spain – as actually happened?
>
> “Today the biggest problem is there’s too many things happening not based on legislation,” said Patrik Fältström, chair of the Security and Stability Advisory Committee of the ICANN. Fältström belongs to the engineers hoping that fixing the political code might be the first necessary step to solve the problems. Only then would the next step be addressed, Fältström said, in addressing conflicting national legislations. A mega-size example is coming with regard to this problem: the introduction of new TLDs as approved by ICANN.
>
> Could ICANN approve a domain name that is illegal in one jurisdiction? asked Fältström. Several jurisdictions have announced they would otherwise block complete TLDs, with new top level domains like .gay being only one example not being welcome everywhere in the world. Or should controversial new address zones be blocked at the outset by ICANN?
>
> If the registries are close to the core, the root zone that lists existing TLDs (like .com, .net, .ch) and future ones could be seen as one core spot of the global internet.
>
> With the new contract for the managing of this root function, the Internet Assigned Numbers Authority (IANA) contract, the US administration seems to have put itself in a difficult spot. The contract has been performed by the ICANN so far, and the US National Telecommunications and Information Administration oversees the work. The difficult spot for NTIA is that they will for every new TLD check if ICANN’s procedure for approving a new TLD has been supportive of the “global public interest”. What will the US do about potential knocks at their door from those who do not like to have a .gay or a .sex? It will be a difficult filtering function, close to the core.
>
> Related Articles:
> • IP Enforcement Permeates ICANN, US Internet Policy [3]
> • US Gets Threatening Over ICANN’s New Internet Domain Plan [4]
> • ICANN Board Approval Opens Internet To Many New Domains [5]
>
> Categories: Access to Knowledge, Enforcement, English, Features, Human Rights, Information and Communications Technology/ Broadcasting, IP Policies, Language, Themes, Trademarks/Geographical Indications/Domains, United Nations, US Policy, Venues
>
> Article printed from Intellectual Property Watch: http://www.ip-watch.org/weblog
>
> URL to article: http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/
>
> URLs in this post:
>
> [1] resolution is here: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2011-0510&language=EN&ring=P7-RC-2011-0577
> [2] Digital Millennium Copyright Act: http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act
> [3] IP Enforcement Permeates ICANN, US Internet Policy: http://www.ip-watch.org/weblog/2011/03/13/ip-enforcement-permeates-icann-us-internet-policy/
> [4] US Gets Threatening Over ICANN’s New Internet Domain Plan: http://www.ip-watch.org/weblog/2011/05/06/us-gets-threatening-over-icann%e2%80%99s-new-internet-domain-plan/
> [5] ICANN Board Approval Opens Internet To Many New Domains: http://www.ip-watch.org/weblog/2011/06/20/icann-board-approves-long-awaited-plan-for-new-internet-domains/