Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

[Paul Vixie <paul@redbarn.org>]

Vernon Schryver wrote:
> A network that routes requests to 8.8.8.8 to inject DNS lies will also
> arrange to ignore or pervert any DNS-in-band tell-the-truth signaling.
> Without access to a trustworthy resolver, tell-the-truth signaling is
> useless because you can't trust it.

i would like to be able to know that i can't trust it, rather than 
merely assuming that i can't trust it, as happens today. if neither the 
truth nor the lie is signed, i can make a red light blink, or even go 
offline, refusing the local edition of the social compact ("if you want 
to use the internet you have to accept dns answers w/o provenance.")

> No jurisdiction will allow foreign visitors to bypass local filters
> forever, because foreign visitors blab both the banned data and the
> banned tools.

as a frequent visitor to china, my verizon wireless roaming service is 
tunnelled back to the USA. i can read facebook, search google, and so 
on. verizon isn't a pirate -- they have a license to operate in china 
and they honor the terms of that license. but they don't sell this 
service inside china.

i expect more, not less, arrangements of this kind going forward, now 
that other nation-states are making decisions about internet content 
filtering for their citizens. note that i blogged on this specific 
point, and mentioned rpz, recently:

http://www.circleid.com/posts/20170718_nation_scale_internet_filtering_dos_and_donts/

> ... Isn't there
> talk about China blocking all tunnels including those of foreigners?

not that i've heard. china has a delicate balancing act, and they do not 
seem to want to completely discourage tourism, even if that means there 
are leaks in the great firewall as a result. on wifi or wired, they 
don't know who isn't a citizen. on LTE or GSM, they do. but the tunnel i 
use is slow, and expensive for both verizon and i. i'd like to offer 
china the opportunity to carry both dns truth and dns lies, in the same 
packet, with one of them a little harder to get at using older software, 
and with newer software having a switch, "do you trust policy having 
this key?" i expect that for android and iOS devices sold in china, this 
switch would be hardwired "on".

this reflects my broader belief that neither the open source community, 
or the internet technology community, will ever be taken seriously by 
the chinese gov't if we tell them how they should run their country's 
internet or its connections to the rest of the world. if they want to be 
able to express policy data more reliably using DNS than will be 
possible in a ubiquitous-DNSSEC scenario, then we ought to provide that, 
and encourage engineers from within china to help define, model, test, 
develop, and deploy it. this would ease the complexity burden for 
companies selling internet devices and services inside china. it will 
not make anybody in the world less autonomous than they already aren't.

> Even with the acquiescence of regimes, there are insurmountable practical
> technical and non-technical issues in providing both RPZ filtered and
> raw DNS answers, configuring applications, and ensuring that citizens
> don't get foreign, uncensored versions of applications.  It's one thing
> for a regime to allow foreigners to use foreign services (which I claim
> never lasts), and quite another thing for in-country operators to
> expect government censors to understand and believe that citizens can't
> use the truthful results in DNS responses.  If you were a DNS operator
> in China, would you ever allow your resolver to give truthful answers
> about some domains in any form or in response to any signaling?--of course
> not!

as a provider i would, whether in china or elsewhere, follow the law.

-- 
P Vixie