Blocking International DNS

It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee
with a unanimous (!) vote:

http://arstechnica.com/tech-policy/news/2010/11/pirate-slaying-censorship-bill-gets-unanimous-support.ars

http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804

I claim operational content for this as, on the basis of court orders, i.e. a

"temporary restraining order, a preliminary injunction, or an injunction against the domain name used by an Internet site dedicated to infringing activities"

it requires that, for foreign domain names,

"(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address;"

This expedited DNS cutoff is only available for copyright violations, not for other illegalities.

Whether this has any chance of actually passing through this Lame Duck Congress remains to be seen, but my personal reading is that that is not likely.

Regards
Marshall

So I suppose operation of a recursor requires one to check with the
government to see what names it's okay to resolve.. They can have my dns
recursor when they pry it from my cold dead hands. Otherwise no.

/me waits for the knock at the door and the yell of "Search warrant, we
hear you're running an uncensored BIND"

This isn't new - there have been proposals elsewhere for a resolver
based blacklist of child porn sites.

There are also of course the various great firewalls of various
countries. In case you'd prefer that to having to blacklist them at
your end ..

Doing this for trademark infringement is going to be a bit thick though.

I wonder what would happen if the Comcasts and Verizons of the world threatened a $10 rate hike to cover the added administration and headaches of this silliness? Would joe six pack care?

I wonder if simply adding a second, off-shore resolver to Joe six pack's DHCP settings wouldn't circumvent this silliness anyway. It would be Joe's son or daughter who wants to resolve limewire.com (et al.), but it wouldn't be that hard.

jy

Indeed, offshore resolvers, offshore DNS infrastructure and the
progressives' futile attempts at interference with free markets are
once again thwarted. We all know that U.S. law helps keep the internet
safe </sarcasm>

Jeff

When I ran a bunch of quake servers last century, I was endlessly frustrated
by everyone using the IP addresses and never DNS. I have no idea why.

Obviously it wasn't too much of a pain to do that, cuz everyone did it for
a long time.

So people will just use other resolvers, or direct IP addresses. (but then so
much for http/1.0 virtual hosting, I suppose... not a big deal.)

Don't know what the next law will be - mandatory blackholing of IPs? So then
the sites move randomly around /24s or /22s or whole /16s at ISPs. So then
blackhole the whole /16 by law? That'll be an interesting internet.

/kc

My two cents is that something like this won't pass until at least
2016 if not 2020.

Jeff

You don't think

"(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address;"

could be taken as a requirement for providers to intercept attempts to use off-network DNS resolvers and manage such requests to meet the end goal above?

Given that many providers already do this (for whatever reason), it's not much of a stretch to see someone declaring that such behaviour falls under the umbrella of "reasonable steps".

I'm not suggesting that I think any of this is reasonable or sensible, but it does seem to imply an operational burden on service providers.

Joe

And where would the list that we need to block be gotten from?

--Curtis

It's funny, isn't it, didn't we just finish convincing the government
of the need for DNSSEC, making the DNS system more resistant to some
forms of tampering?

... JG

I guess if the manner of the interception was to send back SERVFAIL to DNS clients whose queries were (in some sense) objectionable, the result would be that the clients were not able to resolve the (in some sense) bad names. This would in effect be a selective denial of service attack to DNS clients.

DNSSEC provides no integrity protection over that type of interference -- you need to get an answer for the answer to have a signature, and without a signature there's nothing to check.

Joe

If it does, then, you'll find open tunnel servers providing tunnels to off-shore DNS services.

Sigh.

I really wish congress had better things to do than getting into a technology arms race with the people of the united states.
Oh, wait, they do have better things to do, they just aren't doing them.

Owen

bittorrent? :)

Quantifying the negative performance impact of SERVFAIL on various stub resolvers might provide some useful data points in any 'official' discussions which arise on this topic.

The more I think about this COICA deal the more I can't even fathom how it could be implemented.

If an upstream server won't resolve, what's to stop a network admin from using an offshored DNS server, or even the root servers?

Unless we're talking about keeping DNS traffic confined to the ISP's network. Then what's to stop a global HOSTS.TXT from circulating via torrent?

It's shortsighted and problematic, which is usually what happens when technical discussions are dictated by politics.

-wil

The more I think about this COICA deal the more I can't even fathom
how it could be implemented.

If an upstream server won't resolve, what's to stop a network admin
from using an offshored DNS server, or even the root servers?

The way I read it it's specifically aimed at whoever is running the
resolver, ISP or otherwise. Querying recursively starting at the root
would be a violation then. (hence my comment earlier about taking my
recursor from my cold dead hands.) So, short of actually searching out
and confiscating or destroying uncensored resolvers (like the ones, 5th
amendment notwithstanding, that will continue to run on each of my
notebooks, even if just for spite if the law passes.), or raiding ICANN
guns drawn and ordering removal of "non compliant" ccTLDs from the root,
IMHO enforcement would be pretty much impossible.

Unless we're talking about keeping DNS traffic confined to the ISP's
network.

tunneled connections. unless all IP traffic is kept to a specific ISP,
in which case the "I" would become a misnomer, and would be easier said
than done.

Then what's to stop a global HOSTS.TXT from circulating via
torrent?

Hey as long is its not a DNS server. :P

It's shortsighted and problematic, which is usually what happens when
technical discussions are dictated by politics.

Yup.

It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee
with a unanimous (!) vote :

COICA appears to be dead for this year.

Ron Wyden (D Oregon) has put a hold on COICA, basically a threat of a Filibuster. This will probably kill it for now, as time is running out in this lame duck session. If this holds, the bill would have to start from scratch next year.

http://www.unitethecows.com/content/321-coica-halted-following-controversy.html

Regards
Marshall

Swedish ISPs are required to enforce a DNS blacklist for child porn, perhaps also other European countries. The list is maintained by the police (rikskriminalen); they have also published statistics on how many evil access attempts to child porn they have blocked, i.e. legitimating their existence. They do however fail to mention that browsers usually resolve all links on the webpage it loads, so it only takes a look at a page that links to an illegal site for the filter to score a hit... and pr0n pages tend to have a lot of links..

And once you get these things in place you never know where it will end...

Cheers,
/jkm

Joakim Aronius <joakim@aronius.com> writes:

This isn't new - there have been proposals elsewhere for a resolver
based blacklist of child porn sites.

Swedish ISPs are required to enforce a DNS blacklist for child porn,
perhaps also other European countries.

Yes, this has already spread to a number of European countries:
http://circamp.eu/

And once you get these things in place you never know where it will end...

Unfortunately, yes. We already have a pretty ugly example of that:
Telenor (Norwegian ISP) was sued by the music and film industry with a
demand that Telenor should block all access to The Pirate Bay. The
suggested method was abusing this DNS filter to block access to a number
of Pirate Bay domains.

Luckily the Norwegian court system does sometimes work:
http://www.reuters.com/article/idUS401576177920091106

But history usually repeats itself, so I assume this idea will come up
again. And again. And again.

Bjørn