<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Whether it be BIND or any other DNS software the short answer is -
yes. Any DNS software can be programmed to return any result under
any sort of conditions. It's just software that accepts a query and
returns a response. The response can be anything. Currently it is
programmed to obey bind rules - but it doesn't have to. You can put
in any kind of rules you want to get any result or no response you
want. <br>
<br>
Technically there is nothing that can't be done. It's all about
policy and agreement. DNS can do anything.<br>
<br>
On 11/20/2011 9:10 AM, Milton L Mueller wrote:
<blockquote
cite="mid:855077AC3D7A7147A7570370CA01ECD2058D5C@SUEX10-mbx-10.ad.syr.edu"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:18.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Cambria","serif";
color:#4F81BD;
font-weight:bold;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.apple-tab-span
{mso-style-name:apple-tab-span;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Courier New";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Courier
New";color:#1F497D">Does anyone on this list know more
about the way BIND is being amended to allow the “rewriting”
of DNS answers? Jorge? Timothe?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Courier
New";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
NCSG-Discuss [<a class="moz-txt-link-freetext" href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU">mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU</a>]
<b>On Behalf Of </b>William Drake<br>
<b>Sent:</b> Sunday, November 20, 2011 10:22 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:NCSG-DISCUSS@LISTSERV.SYR.EDU">NCSG-DISCUSS@LISTSERV.SYR.EDU</a><br>
<b>Subject:</b> [NCSG-Discuss] beyond take down<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<h2><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">Hi</span></span><o:p></o:p></h2>
<h2><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">As discussed
on our call the other night, some of the key
developments from a global public interest standpoint go
beyond GNSO & ICANN policies but we might still
consider whether there's grounds for useful NC
engagement…</span></span><o:p></o:p></h2>
<div>
<p class="MsoNormal">& BTW Monika quotes Wendy in the
below...<o:p></o:p></p>
</div>
<h2><span style="font-size:12.0pt"><br>
<a moz-do-not-send="true"
href="http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/print/"><span
style="font-weight:normal">http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/print/</span></a><br>
<br>
Filtering and Blocking Closer To The Core Of The Internet?<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">By Monika
Ermert for Intellectual Property Watch on 20/11/2011 @
1:00 pm</span></span><o:p></o:p></h2>
<h2 style="margin-bottom:.25in"><span style="font-size:12.0pt"><br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">With
protests against draft US legislation like the Stop
Online Piracy Act (SOPA) and the Protect IP Act ongoing
and the European Parliament voting on 17 November for a
resolution to request that the United States should be
“refraining from unilateral measures to revoke IP
addresses or domain names,” politicians are talking a
lot about technology for the internet domain name
system. But at the same time, engineers are getting more
political and are intensively discussing technology
providing the tools for blocking – by governments and
private parties.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">For the
community that cares for the functioning of the domain
name system (DNS), it came as a shock when Paul Vixie,
founder of the Internet Software Consortium (ISC), said
that the BIND software would allow the filtering out
of sites with a bad “reputation” – like listed malware
sites – and also the “rewriting” of DNS answers –
manipulating what people get to see when asking for
domain names.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">Vixie is a
guru of the DNS and one of the authors of the letter by
well-known experts against DNS blocking in the Protect
IP Act. But he is perhaps best-known for being the
father of BIND, which has for a decade been the
open source tool that makes the DNS work.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">More
Filter-Friendly DNS Software</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">Jim Reid,
one of the chairs of the DNS working group at the
Réseaux IP Europeéns, said during a recent debate
about principles that he was “rather saddened” by ISC’s
decision to allow the rewriting. “We’re giving the bad
guys tools,” Reid warned.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">The
rewriting – which sends back a “lie” upon a request to
the DNS from someone looking for a website – “also
sends a rather nasty message saying it’s okay to do this
kind of thing.“ What is worse from the engineers’
standpoint with the rewriting is that it breaks new
measures to secure the DNS, because the “lies” are
detected and dropped without users knowing what
happened.</span></span><span style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">The “lying”
is currently happening for domains seized by the US
government agency ICE (US Immigration and Customs
Enforcement), some of them legal in their country of
origin, like the Spanish <a moz-do-not-send="true"
href="http://RojaDirecta.com">RojaDirecta.com</a>, (a
case discussed intensively by the experts). When typing
<a moz-do-not-send="true" href="http://RojaDirecta.com">RojaDirecta.com</a>,
users do not get to that site, but to a warning/blocking
site by the ICE.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">It is this
kind of case that has stirred up debate in the European
Parliament, pushed by the European Digital
Right initiative (EDRi). “By this you render a site and
the data inaccessible without having any court order in
the site owner’s country,” said Joe McNamee, who fought
for the declaration now officially included in the
Parliament’s resolution on the upcoming European
Union-US Summit of 28 November 2011.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">The text of
the Parliament resolution is here [1].</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">Under the
topic “Freedom and Security,” the declaration stresses
the need “to protect the integrity of the
global internet and freedom of communication by
refraining from unilateral measures to revoke IP
addresses or domain names.”</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">SOPA,
McNamee warned, would be so broad that “it could be
interpreted in a way that would mean that no
online resource in the global internet would be outside
US jurisdiction.”</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">Of those who
provide users with domain names – with the so-called DNS
registrars closer to the user and the
user’s jurisdictions – it is the registry companies who
manage the central database for zones like .com (for
example) who are an easy target when it comes to
take-downs. They keep the record of who every .com
domain name is delegated to and inform those looking for
a site where to go. So they can from a top spot in the
DNS hierarchy point to a “wrong” location.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">What makes
things difficult is that many large registries, like
VeriSign (registry for .com and .net) which changed the <a
moz-do-not-send="true" href="http://rojadirecta.com">rojadirecta.com</a>
record, are located in the United States and while
offering services globally in name, they in fact
are bound by US law.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">Registries –
Target for Take-Downs</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">VeriSign
recently tried to get a new registry policy acknowledged
by the Internet Corporation for Assigned Names
and Numbers (ICANN), the DNS technical oversight body,
which would have allowed the dot com and .dot net
registry (VeriSign) “to comply with any applicable court
orders, laws, government rules or requirements, requests
of law enforcement or other governmental or
quasi-governmental agency, or any dispute resolution
process.” After a first wave of protests, the company
backed off and withdrew the test for the time being.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">Matt
Pounsett from Afilias, the registry for .info and some
other TLDs, explained the dilemma. While the
registries certainly like people to see the correct
DNS-answers that they send, “there are cases where even
we participate in things like that, particularly domain
take-down.“ Many take-downs were made when it was found
out “that a particular domain is being used in a way
that violates acceptable use.”</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">Registry
operators and a software providers like ISC underline
that the fight against malware mainly drives
their interventions. BIND’s filtering function will help
the manager of a local domain to protect his network.
Customers are pushing, for example, for options like
rewriting, said Joao Damas, a developer at ISC.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">The
rewriting not only allows ICE to lead people to their
website instead of Rojadirecta’s, it also allows
commercial companies to attract traffic to their search
engine with recommendations and paid ads. Some big
telecommunications providers, for example, lure users to
their search site every time they mistype a domain name
or simply look for something that does not exist.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">“If we do
not do offer functionalities like the rewriting in our
BIND software, we will drive them away from BIND,”
said Damas. BIND’s new “reputation policy zone” function
allows people to have names checked against lists of
alleged bad actors, known spammers or
malware-distributers, and in case of a match do not
display the respective sites.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">More Private
Filtering</span></span><span style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">But what
about the governance of increased private manipulation
and also filtering that is enabled by better
tools, asked Peter Koch, a DNS expert at Denic, the
registry for the .de. country code TLD of Germany. “When
we talk about a near real-time facility that would
enable certain groups to influence resolvers to block or
rewrite resolution data,” Koch warned, collateral damage
and even liability issues could arise. The more
sceptical engineers also warn that such interventions
could make the deployment of secure DNS on the last mile
to the user very difficult. As they, including Vixie,
have worked for a decade to implement this kind of
security, they oppose it from an architectural
standpoint.</span></span><span style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">Civil
liberty advocates like McNamee or Wendy Seltzer,
co-founder of the project Chilling Effects, point to the
difficulties for victims of the varieties of filtering
possibilities to push back. Why can a DMCA (US Digital
Millennium Copyright Act [2]) request from a private
party lead to Google even filtering a part of the
rojadirecta website included in the Spanish version and
housed under .es, the country code TLD of Spain – as
actually happened?</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">“Today the
biggest problem is there’s too many things happening not
based on legislation,” said Patrik Fältström, chair of
the Security and Stability Advisory Committee of the
ICANN. Fältström belongs to the engineers hoping that
fixing the political code might be the first necessary
step to solve the problems. Only then would the next
step be addressed, Fältström said, in addressing
conflicting national legislations. A mega-size example
is coming with regard to this problem: the introduction
of new TLDs as approved by ICANN.</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">Could ICANN
approve a domain name that is illegal in one
jurisdiction? asked Fältström. Several jurisdictions
have announced they would otherwise block complete TLDs,
with new top level domains like .gay being only one
example not being welcome everywhere in the world. Or
should controversial new address zones be blocked at the
outset by ICANN?</span></span><span
style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">If the
registries are close to the core, the root zone that
lists existing TLDs (like .com, .net, .ch) and future
ones could be seen as one core spot of the global
internet.</span></span><span style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">With the new
contract for the managing of this root function, the
Internet Assigned Numbers Authority (IANA) contract, the
US administration seems to have put itself in a
difficult spot. The contract has been performed by
the ICANN so far, and the US National Telecommunications
and Information Administration oversees the work.
The difficult spot for NTIA is that they will for every
new TLD check if ICANN’s procedure for approving a new
TLD has been supportive of the “global public interest”.
What will the US do about potential knocks at their door
from those who do not like to have a .gay or a .sex? It
will be a difficult filtering function, close to the
core.</span></span><span style="font-size:12.0pt"><br>
<br>
</span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">Related
Articles:</span></span><o:p></o:p></h2>
<div>
<h2><span class="apple-tab-span"><span
style="font-size:12.0pt;font-weight:normal">
</span></span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">• IP
Enforcement Permeates ICANN, US Internet Policy [3]</span></span><o:p></o:p></h2>
</div>
<div>
<h2><span class="apple-tab-span"><span
style="font-size:12.0pt;font-weight:normal">
</span></span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">• US Gets
Threatening Over ICANN’s New Internet Domain Plan [4]</span></span><o:p></o:p></h2>
</div>
<div>
<h2><span class="apple-tab-span"><span
style="font-size:12.0pt;font-weight:normal">
</span></span><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">• ICANN
Board Approval Opens Internet To Many New Domains [5]</span></span><o:p></o:p></h2>
</div>
<h2 style="margin-bottom:.25in"><span class="apple-style-span"><span
style="font-size:12.0pt;font-weight:normal">Categories:
Access to Knowledge,Enforcement,English,Features,Human
Rights,Information and Communications Technology/
Broadcasting,IP
Policies,Language,Themes,Trademarks/Geographical
Indications/Domains,United Nations,US Policy,Venues</span></span><span
style="font-size:12.0pt;font-weight:normal"><br>
<span class="apple-style-span">Article printed from
Intellectual Property Watch: <a moz-do-not-send="true"
href="http://www.ip-watch.org/weblog">http://www.ip-watch.org/weblog</a></span><br>
<br>
<span class="apple-style-span">URL to article: <a
moz-do-not-send="true"
href="http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/">http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/</a></span><br>
<br>
<span class="apple-style-span">URLs in this post:</span><br>
<br>
<span class="apple-style-span">[1] resolution is here: <a
moz-do-not-send="true"
href="http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2011-0510&language=EN&ring=P7-RC-2011-0577">http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2011-0510&language=EN&ring=P7-RC-2011-0577</a></span><br>
<span class="apple-style-span">[2] Digital Millennium
Copyright Act: <a moz-do-not-send="true"
href="http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act">http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act</a></span><br>
<span class="apple-style-span">[3] IP Enforcement
Permeates ICANN, US Internet Policy: <a
moz-do-not-send="true"
href="http://www.ip-watch.org/weblog/2011/03/13/ip-enforcement-permeates-icann-us-internet-policy/">http://www.ip-watch.org/weblog/2011/03/13/ip-enforcement-permeates-icann-us-internet-policy/</a></span><br>
<span class="apple-style-span">[4] US Gets Threatening
Over ICANN’s New Internet Domain Plan: <a
moz-do-not-send="true"
href="http://www.ip-watch.org/weblog/2011/05/06/us-gets-threatening-over-icann%e2%80%99s-new-internet-domain-plan/">http://www.ip-watch.org/weblog/2011/05/06/us-gets-threatening-over-icann%e2%80%99s-new-internet-domain-plan/</a></span><br>
<span class="apple-style-span">[5] ICANN Board Approval
Opens Internet To Many New Domains: <a
moz-do-not-send="true"
href="http://www.ip-watch.org/weblog/2011/06/20/icann-board-approves-long-awaited-plan-for-new-internet-domains/">http://www.ip-watch.org/weblog/2011/06/20/icann-board-approves-long-awaited-plan-for-new-internet-domains/</a></span></span><o:p></o:p></h2>
</div>
</div>
</blockquote>
</body>
</html>