PROTECT IP threatens the future of DNS security

PROTECT IP threatens the future of DNS security
PROTECT IP is the name of a bill which is working its way through the US Senate with a version also expected to be introduced in the House of Representatives next month. It would require the Attorney General's office to compile of list of domain names which DNS operators (in the US) will be required to block.

According to some critics, it threatens to undo more than a decade of Internet security development in a single stroke.



To understand exactly what that means, I talked to one of those critics - Paul Vixie of the Internet Systems Consortium (ISC). You may not be familiar with ISC, but you almost certainly make use of their software every day.

ISC is a non-profit corporation which develops BIND, the most widely used DNS server software on the planet. When you type a domain name like AfterDawn.com into your web browser, your computer relies on a worldwide network of DNS servers to translate it into an IP address.

As part of BIND development, ISC has put significant resources into making DNS more secure through the use of an extension called DNSSEC. DNSSEC adds an encrypted signature to DNS records, making it possible to ensure the IP address you get from a DNS server is authentic.

DNSSEC support isn't finished yet, and if PROTECT IP is implemented Paul Vixie says it never will be.

Under PROTECT IP, DNS server operators in the US would be required to replace the correct IP address for a blacklisted domain name with an alternate address provided by the Attorney General's office.

When I spoke with Paul, he talked about why this causes problems with DNSSEC:

Ultimately there are two ways to modify DNSSEC data. You can either strip off the signatures in which case your modified response will be ignored, or you can just drop the query and never send a response at all. The trouble with these as lawful mandates is that they're indistinguishable from what evildoers will do. There's nothing in the DNSSEC protocol to say "this is a lawful insert or modification, you should accept it."


He then went on to explain how PROTECT IP would make it impossible to implement DNSSEC in the real world:

Say your browser, when it's trying to decide whether some web site is or is not your bank's web site, sees the modifications or hears no response. It has to be able to try some other mechanism like a proxy or a VPN as a backup solution rather than just giving up (or just accepting the modification and saying "who cares?"). Using a proxy or VPN as a backup solution would, under PROTECT IP, break the law.



I have a special concern about this since we will have to implement backup plans in the BIND validator. which we will not do if PROTECT IP passes. and without this kind of backup plan, DNSSEC itself will never be commercially viable.


In other words, if DNSSEC is going to work in the real world it needs to be reliable. If the server doesn't have options to route around errors, no one will use it.

If it does have those options, PROTECT IP says it's illegal.

Considering PROTECT IP is focused on mandating how DNS operates, you might expect its authors to have at least consulted with ISC. Sadly they didn't.

That hasn't stopped Vixie from making his opinion known, both to legislators and the public at large.

In May of this year he co-authored a whitepaper outlining the technical problems with PROTECT IP. Then, in July, along with the other whitepaper authors, he met with members of Congress from both parties to explain their concerns in person.

Supporters of PROTECT IP are hailing it as a magic bullet for preventing online intellectual property infringement. The reality is it would do more harm than good, and wouldn't even work.

Bypassing DNS filtering is trivially easy. All you need to do is configure your computer to use DNS servers outside the US which won't be affected by the law.

And ultimately that's the biggest technical problem with PROTECT IP. It can only work to the extent the public allows.

Obviously whatever segment of the population is downloading illegally doesn't want it to work at all, and they will be able to bypass it.

Written by: Rich Fiscus @ 25 Aug 2011 23:46
Tags
Internet Systems Consortium PROTECT IP Paul Vixie DNS DNSSEC
Advertisement - News comments available below the ad
  • 8 comments
  • KillerBug

    Protect IP is such a terrible, ill-conceived idea that it is sure to pass. That way, there will be a spike in cyber crime and the citizenry will demand that more of their online freedoms are taken away. Why else would a bunch of know-nothing politicians keep pushing it after it is abundantly clear that it will only cause crime?


    26.8.2011 03:24 #1

  • LordRuss

    If this garbage goes through there will be a such a shitstorm of hacking & thrashing of government servers the likes they've never known.

    Sure they want to stop piracy, but to the extent of invoking unconstitutional law? Despite my intentions, I'll be damned if I'll allow someone to censor what I can/cannot say, see or do.

    http://onlyinrussellsworld.blogspot.com

    26.8.2011 12:24 #2

  • ThePastor

    More trying to put the Genie back in the bottle.
    It doesn't matter what they try, the net will adapt and they will accomplish nothing.
    Much better to reduce controls so everyone is on an even playing field. This is the net's strength.

    Unfortunately for them, all Blu-ray protections have been broken and BD rips can be found around the Internet, usually before the retail even hits shelves.

    26.8.2011 19:04 #3

  • KillerBug

    Originally posted by LordRuss: If this garbage goes through there will be a such a shitstorm of hacking & thrashing of government servers the likes they've never known.

    Sure they want to stop piracy, but to the extent of invoking unconstitutional law? Despite my intentions, I'll be damned if I'll allow someone to censor what I can/cannot say, see or do.
    According to the constitution, the president may not wage war for more than 3 months without congressional approval. When the war with Libya went longer than 3 months without congressional approval, this was an act of treason on the part of the president...or it would have been if the constitution was not already null and void. Neither the judiciary nor congress have done anything about this matter, so clearly none of the three branches of the government consider the constitution to be in effect.


    27.8.2011 01:54 #4

  • bam431

    Originally posted by KillerBug: Originally posted by LordRuss: If this garbage goes through there will be a such a shitstorm of hacking & thrashing of government servers the likes they've never known.

    Sure they want to stop piracy, but to the extent of invoking unconstitutional law? Despite my intentions, I'll be damned if I'll allow someone to censor what I can/cannot say, see or do.
    According to the constitution, the president may not wage war for more than 3 months without congressional approval. When the war with Libya went longer than 3 months without congressional approval, this was an act of treason on the part of the president...or it would have been if the constitution was not already null and void. Neither the judiciary nor congress have done anything about this matter, so clearly none of the three branches of the government consider the constitution to be in effect.
    Not like they've bothered to do it since WW2 anyways. Why start for just an "Military Action"?

    www.inebriare.com
    Xbox Live: Rogue Jello - PSN: bam431 - IGN: bam431
    Youtube: electrowaffle - Twitter: bam431
    i5 760, P7P55D-E, Vapor-X HD5770, 8GB DDR3, 1TB HDD,

    27.8.2011 10:20 #5

  • LordRuss

    Originally posted by KillerBug: Neither the judiciary nor congress have done anything about this matter, so clearly none of the three branches of the government consider the constitution to be in effect. The only time it becomes an issue is when someone's wallet is attacked. Unless the public calls them (idiots basically self appointed in charge) on their stupidity & tar & feather them for their behavior, nothing will ever change.

    http://onlyinrussellsworld.blogspot.com

    27.8.2011 14:13 #6

  • ThiagoCMC (unverified)

    Politics make laws to try to fix what they dont know how to fix it in first place!! Politics and govs will go down, soon. They do nothing for the goodness on mankind. BTW, there is already a DNS alternative, called NAMECOIN, based on the brand new Bitcoin, it is called "CryptoCurrency" that is about to change our world, for ever! Bitcoin: Currency of Resistance! ;-)

    17.9.2011 04:06 #7

  • gallagher

    Originally posted by KillerBug: Originally posted by LordRuss: If this garbage goes through there will be a such a shitstorm of hacking & thrashing of government servers the likes they've never known.

    Sure they want to stop piracy, but to the extent of invoking unconstitutional law? Despite my intentions, I'll be damned if I'll allow someone to censor what I can/cannot say, see or do.
    According to the constitution, the president may not wage war for more than 3 months without congressional approval. When the war with Libya went longer than 3 months without congressional approval, this was an act of treason on the part of the president...or it would have been if the constitution was not already null and void. Neither the judiciary nor congress have done anything about this matter, so clearly none of the three branches of the government consider the constitution to be in effect.
    No KillerBug, the US Constitution says no such thing. The Constitution says that the president is the commander in chief of the military, and that the Congress has the power to declare war. There is a federal law called the War Powers Resolution that limits how long the president can deploy soldiers without a declaration of war or without Congressional consent. That law has NEVER been tested in the courts because neither side has ever challenged it--fearing whose side the Supreme Court would take.

    17.9.2011 23:22 #8

© 2024 AfterDawn Oy

Hosted by
Powered by UpCloud