<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:18.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Cambria","serif";
color:#4F81BD;
font-weight:bold;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.apple-tab-span
{mso-style-name:apple-tab-span;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Courier New";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-CA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I could be wrong but I got the impression that ISC was including a feature similar to spam DNSBL lists such that a BIND server could subscribe to a DNSBL list
in order to block malicious web sites much like email servers subscribe to DNSBL lists to block spam. This could be abused by a government forcing ISPs in their jurisdiction to subscribe to a DNSBL list that they publish. They can easily do this now with DNS
redirects so I don’t think the ISC system is necessarily a bad thing.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Kerry Brown<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> NCSG-Discuss [mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU]
<b>On Behalf Of </b>Milton L Mueller<br>
<b>Sent:</b> November-20-11 9:10 AM<br>
<b>To:</b> NCSG-DISCUSS@LISTSERV.SYR.EDU<br>
<b>Subject:</b> Re: [NCSG-Discuss] beyond take down<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Courier New";color:#1F497D">Does anyone on this list know more about the way BIND is being amended to allow the “rewriting” of DNS answers? Jorge? Timothe?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Courier New";color:#1F497D"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> NCSG-Discuss
<a href="mailto:[mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU]">[mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU]</a>
<b>On Behalf Of </b>William Drake<br>
<b>Sent:</b> Sunday, November 20, 2011 10:22 AM<br>
<b>To:</b> <a href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU">NCSG-DISCUSS@LISTSERV.SYR.EDU</a><br>
<b>Subject:</b> [NCSG-Discuss] beyond take down</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<h2><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">Hi</span></span><span lang="EN-US"><o:p></o:p></span></h2>
<h2><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">As discussed on our call the other night, some of the key developments from a global public interest standpoint go beyond GNSO & ICANN policies but we might still
consider whether there's grounds for useful NC engagement…</span></span><span lang="EN-US"><o:p></o:p></span></h2>
<div>
<p class="MsoNormal"><span lang="EN-US">& BTW Monika quotes Wendy in the below...<o:p></o:p></span></p>
</div>
<h2><span lang="EN-US" style="font-size:12.0pt"><br>
<a href="http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/print/"><span style="font-weight:normal">http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/print/</span></a><br>
<br>
Filtering and Blocking Closer To The Core Of The Internet?<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">By Monika Ermert for Intellectual Property Watch on 20/11/2011 @ 1:00 pm</span></span><span lang="EN-US"><o:p></o:p></span></h2>
<h2 style="margin-bottom:18.0pt"><span lang="EN-US" style="font-size:12.0pt"><br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">With protests against draft US legislation like the Stop Online Piracy Act (SOPA) and the Protect IP Act ongoing and the European Parliament voting on 17 November
for a resolution to request that the United States should be “refraining from unilateral measures to revoke IP addresses or domain names,” politicians are talking a lot about technology for the internet domain name system. But at the same time, engineers are
getting more political and are intensively discussing technology providing the tools for blocking – by governments and private parties.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">For the community that cares for the functioning of the domain name system (DNS), it came as a shock when Paul Vixie, founder of the Internet Software Consortium
(ISC), said that the BIND software would allow the filtering out of sites with a bad “reputation” – like listed malware sites – and also the “rewriting” of DNS answers – manipulating what people get to see when asking for domain names.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">Vixie is a guru of the DNS and one of the authors of the letter by well-known experts against DNS blocking in the Protect IP Act. But he is perhaps best-known
for being the father of BIND, which has for a decade been the open source tool that makes the DNS work.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">More Filter-Friendly DNS Software</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">Jim Reid, one of the chairs of the DNS working group at the Réseaux IP Europeéns, said during a recent debate about principles that he was “rather saddened”
by ISC’s decision to allow the rewriting. “We’re giving the bad guys tools,” Reid warned.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">The rewriting – which sends back a “lie” upon a request to the DNS from someone looking for a website – “also sends a rather nasty message saying it’s okay
to do this kind of thing.“ What is worse from the engineers’ standpoint with the rewriting is that it breaks new measures to secure the DNS, because the “lies” are detected and dropped without users knowing what happened.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">The “lying” is currently happening for domains seized by the US government agency ICE (US Immigration and Customs Enforcement), some of them legal in their
country of origin, like the Spanish <a href="http://RojaDirecta.com">RojaDirecta.com</a>, (a case discussed intensively by the experts). When typing
<a href="http://RojaDirecta.com">RojaDirecta.com</a>, users do not get to that site, but to a warning/blocking site by the ICE.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">It is this kind of case that has stirred up debate in the European Parliament, pushed by the European Digital Right initiative (EDRi). “By this you render a
site and the data inaccessible without having any court order in the site owner’s country,” said Joe McNamee, who fought for the declaration now officially included in the Parliament’s resolution on the upcoming European Union-US Summit of 28 November 2011.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">The text of the Parliament resolution is here [1].</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">Under the topic “Freedom and Security,” the declaration stresses the need “to protect the integrity of the global internet and freedom of communication by refraining
from unilateral measures to revoke IP addresses or domain names.”</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">SOPA, McNamee warned, would be so broad that “it could be interpreted in a way that would mean that no online resource in the global internet would be outside
US jurisdiction.”</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">Of those who provide users with domain names – with the so-called DNS registrars closer to the user and the user’s jurisdictions – it is the registry companies
who manage the central database for zones like .com (for example) who are an easy target when it comes to take-downs. They keep the record of who every .com domain name is delegated to and inform those looking for a site where to go. So they can from a top
spot in the DNS hierarchy point to a “wrong” location.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">What makes things difficult is that many large registries, like VeriSign (registry for .com and .net) which changed the <a href="http://rojadirecta.com">rojadirecta.com</a>
record, are located in the United States and while offering services globally in name, they in fact are bound by US law.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">Registries – Target for Take-Downs</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">VeriSign recently tried to get a new registry policy acknowledged by the Internet Corporation for Assigned Names and Numbers (ICANN), the DNS technical oversight
body, which would have allowed the dot com and .dot net registry (VeriSign) “to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute
resolution process.” After a first wave of protests, the company backed off and withdrew the test for the time being.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">Matt Pounsett from Afilias, the registry for .info and some other TLDs, explained the dilemma. While the registries certainly like people to see the correct
DNS-answers that they send, “there are cases where even we participate in things like that, particularly domain take-down.“ Many take-downs were made when it was found out “that a particular domain is being used in a way that violates acceptable use.”</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">Registry operators and a software providers like ISC underline that the fight against malware mainly drives their interventions. BIND’s filtering function will
help the manager of a local domain to protect his network. Customers are pushing, for example, for options like rewriting, said Joao Damas, a developer at ISC.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">The rewriting not only allows ICE to lead people to their website instead of Rojadirecta’s, it also allows commercial companies to attract traffic to their
search engine with recommendations and paid ads. Some big telecommunications providers, for example, lure users to their search site every time they mistype a domain name or simply look for something that does not exist.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">“If we do not do offer functionalities like the rewriting in our BIND software, we will drive them away from BIND,” said Damas. BIND’s new “reputation policy
zone” function allows people to have names checked against lists of alleged bad actors, known spammers or malware-distributers, and in case of a match do not display the respective sites.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">More Private Filtering</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">But what about the governance of increased private manipulation and also filtering that is enabled by better tools, asked Peter Koch, a DNS expert at Denic,
the registry for the .de. country code TLD of Germany. “When we talk about a near real-time facility that would enable certain groups to influence resolvers to block or rewrite resolution data,” Koch warned, collateral damage and even liability issues could
arise. The more sceptical engineers also warn that such interventions could make the deployment of secure DNS on the last mile to the user very difficult. As they, including Vixie, have worked for a decade to implement this kind of security, they oppose it
from an architectural standpoint.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">Civil liberty advocates like McNamee or Wendy Seltzer, co-founder of the project Chilling Effects, point to the difficulties for victims of the varieties of
filtering possibilities to push back. Why can a DMCA (US Digital Millennium Copyright Act [2]) request from a private party lead to Google even filtering a part of the rojadirecta website included in the Spanish version and housed under .es, the country code
TLD of Spain – as actually happened?</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">“Today the biggest problem is there’s too many things happening not based on legislation,” said Patrik Fältström, chair of the Security and Stability Advisory
Committee of the ICANN. Fältström belongs to the engineers hoping that fixing the political code might be the first necessary step to solve the problems. Only then would the next step be addressed, Fältström said, in addressing conflicting national legislations.
A mega-size example is coming with regard to this problem: the introduction of new TLDs as approved by ICANN.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">Could ICANN approve a domain name that is illegal in one jurisdiction? asked Fältström. Several jurisdictions have announced they would otherwise block complete
TLDs, with new top level domains like .gay being only one example not being welcome everywhere in the world. Or should controversial new address zones be blocked at the outset by ICANN?</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">If the registries are close to the core, the root zone that lists existing TLDs (like .com, .net, .ch) and future ones could be seen as one core spot of the
global internet.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">With the new contract for the managing of this root function, the Internet Assigned Numbers Authority (IANA) contract, the US administration seems to have put
itself in a difficult spot. The contract has been performed by the ICANN so far, and the US National Telecommunications and Information Administration oversees the work. The difficult spot for NTIA is that they will for every new TLD check if ICANN’s procedure
for approving a new TLD has been supportive of the “global public interest”. What will the US do about potential knocks at their door from those who do not like to have a .gay or a .sex? It will be a difficult filtering function, close to the core.</span></span><span lang="EN-US" style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">Related Articles:</span></span><span lang="EN-US"><o:p></o:p></span></h2>
<div>
<h2><span class="apple-tab-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">
</span></span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">• IP Enforcement Permeates ICANN, US Internet Policy [3]</span></span><span lang="EN-US"><o:p></o:p></span></h2>
</div>
<div>
<h2><span class="apple-tab-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">
</span></span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">• US Gets Threatening Over ICANN’s New Internet Domain Plan [4]</span></span><span lang="EN-US"><o:p></o:p></span></h2>
</div>
<div>
<h2><span class="apple-tab-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">
</span></span><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">• ICANN Board Approval Opens Internet To Many New Domains [5]</span></span><span lang="EN-US"><o:p></o:p></span></h2>
</div>
<h2 style="margin-bottom:18.0pt"><span class="apple-style-span"><span lang="EN-US" style="font-size:12.0pt;font-weight:normal">Categories: Access to Knowledge,Enforcement,English,Features,Human Rights,Information and Communications Technology/ Broadcasting,IP
Policies,Language,Themes,Trademarks/Geographical Indications/Domains,United Nations,US Policy,Venues</span></span><span lang="EN-US" style="font-size:12.0pt;font-weight:normal"><br>
<span class="apple-style-span">Article printed from Intellectual Property Watch: <a href="http://www.ip-watch.org/weblog">http://www.ip-watch.org/weblog</a></span><br>
<br>
<span class="apple-style-span">URL to article: <a href="http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/">http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/</a></span><br>
<br>
<span class="apple-style-span">URLs in this post:</span><br>
<br>
<span class="apple-style-span">[1] resolution is here: <a href="http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2011-0510&language=EN&ring=P7-RC-2011-0577">http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2011-0510&language=EN&ring=P7-RC-2011-0577</a></span><br>
<span class="apple-style-span">[2] Digital Millennium Copyright Act: <a href="http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act">http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act</a></span><br>
<span class="apple-style-span">[3] IP Enforcement Permeates ICANN, US Internet Policy: <a href="http://www.ip-watch.org/weblog/2011/03/13/ip-enforcement-permeates-icann-us-internet-policy/">http://www.ip-watch.org/weblog/2011/03/13/ip-enforcement-permeates-icann-us-internet-policy/</a></span><br>
<span class="apple-style-span">[4] US Gets Threatening Over ICANN’s New Internet Domain Plan: <a href="http://www.ip-watch.org/weblog/2011/05/06/us-gets-threatening-over-icann%e2%80%99s-new-internet-domain-plan/">http://www.ip-watch.org/weblog/2011/05/06/us-gets-threatening-over-icann%e2%80%99s-new-internet-domain-plan/</a></span><br>
<span class="apple-style-span">[5] ICANN Board Approval Opens Internet To Many New Domains: <a href="http://www.ip-watch.org/weblog/2011/06/20/icann-board-approves-long-awaited-plan-for-new-internet-domains/">http://www.ip-watch.org/weblog/2011/06/20/icann-board-approves-long-awaited-plan-for-new-internet-domains/</a></span></span><span lang="EN-US"><o:p></o:p></span></h2>
</div>
</div>
</div>
</body>
</html>