beyond take down

Timothe Litt litt at ACM.ORG
Sun Nov 20 19:15:11 CET 2011


No need to speculate.  I replied with details, but forgot to copy the list
(and didn't keep a copy).  Once Milton gets around to forwarding it, you'll
have all the details.
 
 
Timothe Litt
ACM Distinguished Engineer
---------------------------------------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

  

  _____  

From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of Kerry
Brown
Sent: Sunday, November 20, 2011 13:10
To: NCSG-DISCUSS at LISTSERV.SYR.EDU
Subject: Re: [NCSG-Discuss] beyond take down



I could be wrong but I got the impression that ISC was including a feature
similar to spam DNSBL lists such that a BIND server could subscribe to a
DNSBL list in order to block malicious web sites much like email servers
subscribe to DNSBL lists to block spam. This could be abused by a government
forcing ISPs in their jurisdiction to subscribe to a DNSBL list that they
publish. They can easily do this now with DNS redirects so I don’t think the
ISC system is necessarily a bad thing.

 

Kerry Brown

 

From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of
Milton L Mueller
Sent: November-20-11 9:10 AM
To: NCSG-DISCUSS at LISTSERV.SYR.EDU
Subject: Re: [NCSG-Discuss] beyond take down

 

Does anyone on this list know more about the way BIND is being amended to
allow the “rewriting” of DNS answers? Jorge? Timothe?

 

From: NCSG-Discuss [mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU] On Behalf Of
William Drake
Sent: Sunday, November 20, 2011 10:22 AM
To: NCSG-DISCUSS at LISTSERV.SYR.EDU
Subject: [NCSG-Discuss] beyond take down

 


Hi


As discussed on our call the other night, some of the key developments from
a global public interest standpoint go beyond GNSO & ICANN policies but we
might still consider whether there's grounds for useful NC engagement



& BTW Monika quotes Wendy in the below...



 
<http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/print/>

Filtering and Blocking Closer To The Core Of The Internet?
By Monika Ermert for Intellectual Property Watch on 20/11/2011 @ 1:00 pm



With protests against draft US legislation like the Stop Online Piracy Act
(SOPA) and the Protect IP Act ongoing and the European Parliament voting on
17 November for a resolution to request that the United States should be
“refraining from unilateral measures to revoke IP addresses or domain
names,” politicians are talking a lot about technology for the internet
domain name system. But at the same time, engineers are getting more
political and are intensively discussing technology providing the tools for
blocking – by governments and private parties.

For the community that cares for the functioning of the domain name system
(DNS), it came as a shock when Paul Vixie, founder of the Internet Software
Consortium (ISC), said that the BIND software would allow the filtering out
of sites with a bad “reputation” – like listed malware sites – and also the
“rewriting” of DNS answers – manipulating what people get to see when asking
for domain names.

Vixie is a guru of the DNS and one of the authors of the letter by
well-known experts against DNS blocking in the Protect IP Act. But he is
perhaps best-known for being the father of BIND, which has for a decade been
the open source tool that makes the DNS work.

More Filter-Friendly DNS Software

Jim Reid, one of the chairs of the DNS working group at the Réseaux IP
Européens, said during a recent debate about principles that he was “rather
saddened” by ISC’s decision to allow the rewriting. “We’re giving the bad
guys tools,” Reid warned.

The rewriting – which sends back a “lie” upon a request to the DNS from
someone looking for a website – “also sends a rather nasty message saying
it’s okay to do this kind of thing.” What is worse from the engineers’
standpoint with the rewriting is that it breaks new measures to secure the
DNS, because the “lies” are detected and dropped without users knowing what
happened.

The “lying” is currently happening for domains seized by the US government
agency ICE (US Immigration and Customs Enforcement), some of them legal in
their country of origin, like the Spanish RojaDirecta.com, (a case discussed
intensively by the experts). When typing RojaDirecta.com, users do not get
to that site, but to a warning/blocking site by the ICE.

It is this kind of case that has stirred up debate in the European
Parliament, pushed by the European Digital Rights initiative (EDRi). “By this
you render a site and the data inaccessible without having any court order
in the site owner’s country,” said Joe McNamee, who fought for the
declaration now officially included in the Parliament’s resolution on the
upcoming European Union-US Summit of 28 November 2011.

The text of the Parliament resolution is here [1].

Under the topic “Freedom and Security,” the declaration stresses the need
“to protect the integrity of the global internet and freedom of
communication by refraining from unilateral measures to revoke IP addresses
or domain names.”

SOPA, McNamee warned, would be so broad that “it could be interpreted in a
way that would mean that no online resource in the global internet would be
outside US jurisdiction.”

Of those who provide users with domain names – with the so-called DNS
registrars closer to the user and the user’s jurisdictions – it is the
registry companies who manage the central database for zones like .com (for
example) who are an easy target when it comes to take-downs. They keep the
record of who every .com domain name is delegated to and inform those
looking for a site where to go. So they can from a top spot in the DNS
hierarchy point to a “wrong” location.

What makes things difficult is that many large registries, like VeriSign
(registry for .com and .net) which changed the rojadirecta.com record, are
located in the United States and while offering services globally in name,
they in fact are bound by US law.

Registries – Target for Take-Downs

VeriSign recently tried to get a new registry policy acknowledged by the
Internet Corporation for Assigned Names and Numbers (ICANN), the DNS
technical oversight body, which would have allowed the dot com and dot net
registry (VeriSign) “to comply with any applicable court orders, laws,
government rules or requirements, requests of law enforcement or other
governmental or quasi-governmental agency, or any dispute resolution
process.” After a first wave of protests, the company backed off and
withdrew the test for the time being.

Matt Pounsett from Afilias, the registry for .info and some other TLDs,
explained the dilemma. While the registries certainly like people to see the
correct DNS-answers that they send, “there are cases where even we
participate in things like that, particularly domain take-down.” Many
take-downs were made when it was found out “that a particular domain is
being used in a way that violates acceptable use.”

Registry operators and software providers like ISC underline that the
fight against malware mainly drives their interventions. BIND’s filtering
function will help the manager of a local domain to protect his network.
Customers are pushing, for example, for options like rewriting, said Joao
Damas, a developer at ISC.

The rewriting not only allows ICE to lead people to their website instead of
Rojadirecta’s, it also allows commercial companies to attract traffic to
their search engine with recommendations and paid ads. Some big
telecommunications providers, for example, lure users to their search site
every time they mistype a domain name or simply look for something that does
not exist.

“If we do not offer functionalities like the rewriting in our BIND
software, we will drive them away from BIND,” said Damas. BIND’s new
“reputation policy zone” function allows people to have names checked
against lists of alleged bad actors, known spammers or malware-distributors,
and in case of a match do not display the respective sites.

More Private Filtering

But what about the governance of increased private manipulation and also
filtering that is enabled by better tools, asked Peter Koch, a DNS expert at
Denic, the registry for the .de country code TLD of Germany. “When we talk
about a near real-time facility that would enable certain groups to
influence resolvers to block or rewrite resolution data,” Koch warned,
collateral damage and even liability issues could arise. The more sceptical
engineers also warn that such interventions could make the deployment of
secure DNS on the last mile to the user very difficult. As they, including
Vixie, have worked for a decade to implement this kind of security, they
oppose it from an architectural standpoint.

Civil liberty advocates like McNamee or Wendy Seltzer, co-founder of the
project Chilling Effects, point to the difficulties for victims of the
varieties of filtering possibilities to push back. Why can a DMCA (US
Digital Millennium Copyright Act [2]) request from a private party lead to
Google even filtering a part of the rojadirecta website included in the
Spanish version and housed under .es, the country code TLD of Spain – as
actually happened?

“Today the biggest problem is there’s too many things happening not based on
legislation,” said Patrik Fältström, chair of the Security and Stability
Advisory Committee of the ICANN. Fältström belongs to the engineers hoping
that fixing the political code might be the first necessary step to solve
the problems. Only then would the next step be addressed, Fältström said, in
addressing conflicting national legislations. A mega-size example is coming
with regard to this problem: the introduction of new TLDs as approved by
ICANN.

Could ICANN approve a domain name that is illegal in one jurisdiction? asked
Fältström. Several jurisdictions have announced they would otherwise block
complete TLDs, with new top level domains like .gay being only one example
not being welcome everywhere in the world. Or should controversial new
address zones be blocked at the outset by ICANN?

If the registries are close to the core, the root zone that lists existing
TLDs (like .com, .net, .ch) and future ones could be seen as one core spot
of the global internet.

With the new contract for the managing of this root function, the Internet
Assigned Numbers Authority (IANA) contract, the US administration seems to
have put itself in a difficult spot. The contract has been performed by the
ICANN so far, and the US National Telecommunications and Information
Administration oversees the work. The difficult spot for NTIA is that they
will for every new TLD check if ICANN’s procedure for approving a new TLD
has been supportive of the “global public interest”. What will the US do
about potential knocks at their door from those who do not like to have a
.gay or a .sex? It will be a difficult filtering function, close to the
core.

Related Articles:


          • IP Enforcement Permeates ICANN, US Internet Policy [3]


          • US Gets Threatening Over ICANN’s New Internet Domain Plan [4]


          • ICANN Board Approval Opens Internet To Many New Domains [5]


Article printed from Intellectual Property Watch:
http://www.ip-watch.org/weblog

URL to article:
http://www.ip-watch.org/weblog/2011/11/20/filtering-and-blocking-closer-to-the-core-of-the-internet/

URLs in this post:

[1] resolution is here:
http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2011-0510&language=EN&ring=P7-RC-2011-0577
[2] Digital Millennium Copyright Act:
http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act
[3] IP Enforcement Permeates ICANN, US Internet Policy:
http://www.ip-watch.org/weblog/2011/03/13/ip-enforcement-permeates-icann-us-internet-policy/
[4] US Gets Threatening Over ICANN’s New Internet Domain Plan:
http://www.ip-watch.org/weblog/2011/05/06/us-gets-threatening-over-icann%e2%80%99s-new-internet-domain-plan/
[5] ICANN Board Approval Opens Internet To Many New Domains:
http://www.ip-watch.org/weblog/2011/06/20/icann-board-approves-long-awaited-plan-for-new-internet-domains/
