[DNSOP] Re: DNS, censorship, attacks and centralization

Ben Schwartz <bemasc@meta.com> Mon, 19 May 2025 14:23 UTC

From: Ben Schwartz <bemasc@meta.com>
To: Mark Nottingham <mnot=40mnot.net@dmarc.ietf.org>
Date: Mon, 19 May 2025 14:23:06 +0000
CC: "dnsop@ietf.org" <dnsop@ietf.org>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Fkwv5hJNLSKVe6nNxXEsP2qilh4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

________________________________
From: Mark Nottingham <mnot=40mnot.net@dmarc.ietf.org>

> First, two things that I don't _think_ are being disputed:

> 1. Surfacing censorship events to end users is desirable, because it a) avoids user confusion / misattribution of the problem, and b) allows end users to be more fully informed. This is becoming a more urgent problem, thanks to current events.

I don't necessarily view this as desirable.  Specifically, I see an important distinction between informing the user and informing the user agent.

I feel that informing the user agent is potentially desirable.  It can react in various useful ways:

* Interpreting the censorship as damage and routing around it.
* Collecting anonymized telemetry on censorship events to produce a public report.
* Potentially notifying the user at an appropriate level of detail.

Surfacing censorship events to the user is often difficult, inappropriate, or counterproductive, depending on factors such as the user's technical skill and the applicable legal frameworks.  I am reminded of a string of incidents in Kazakhstan [1], which were successfully resolved without any specific user messaging in client software.  Attempting to explain the precise situation to those users might have increased the risk of panic and confusion.

--Ben

[1] https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_attack