[Pearg] Responding to "Concerns over DNS Blocking" technical error(s)
Marwan Fayed <marwan@cloudflare.com> Mon, 31 July 2023 11:37 UTC
Return-Path: <marwan@cloudflare.com>
X-Original-To: pearg@ietfa.amsl.com
Delivered-To: pearg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EA3DC15107C for <pearg@ietfa.amsl.com>; Mon, 31 Jul 2023 04:37:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2FZ96fl6-TLj for <pearg@ietfa.amsl.com>; Mon, 31 Jul 2023 04:37:27 -0700 (PDT)
Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FB26C14CE53 for <pearg@irtf.org>; Mon, 31 Jul 2023 04:37:27 -0700 (PDT)
Received: by mail-pj1-x1033.google.com with SMTP id 98e67ed59e1d1-2682e33509bso3221277a91.1 for <pearg@irtf.org>; Mon, 31 Jul 2023 04:37:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; t=1690803446; x=1691408246; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=ATj9szzdxIp57cpPIUKLVg5+EVHxchk8Veo16fA6dZU=; b=NFPpF1DOUj/Q67CV1Vc7DYRetHz7I4wllo98V3FObHBL4PQxfTw2NecHF/GONlOVmb JfN0qC6mEY9N/5jtxLzj59ztzuTQeA3X4SwNI+ZQki657k2Zj39anB/5SJzi4q6e1LqM uCQP+aOTYd+mEHFM1udQyXhXBS0TwNZ/RCuJs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690803446; x=1691408246; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=ATj9szzdxIp57cpPIUKLVg5+EVHxchk8Veo16fA6dZU=; b=KOcwJRB2iSFpdFmRsOmGCy3FnJyr2CAn2pzvQt0ph5Z3oCfIhNbQm8KsWCSdDfEp/r NQluczMfXWvU8PKxGT2toq6qTV4lipNh7Y/oFHKQ/XBKBiON1LolOQ60c9qTAYDDlxIy NSe7EMTQ1k1/DWZgLpHZBDe+Sly6XaIzY/7gNtDrD3lFsy7YVMgNPo5iIcUANPeTwLUP l+DZiHuXEiBHk/chgE/mjS2M4zmyAqhSxkRqmEgReb2iRF9Rt2/Ci1BpT/2/mJKVboAw 0yBDzsjOcl4ZJMQD1F63C6M/aeqCpcGPRFGfpcY0zz+mVr/3YBvWKzyt+CF75XCQKyVf ncRQ==
X-Gm-Message-State: ABy/qLbxv3cj8HqhOyln5yj0Yf3Kxpib4MihBpfkWBX8C7sy4xME8vL2 l9bd+Ax1z3W68Pgadl9dYFAKNpwoHmcfS+vxFdT0MqNXQRvXyUu901Q=
X-Google-Smtp-Source: APBJJlHddAqNIQL8mISChw9K3h7NaABkWoZEAzgbLKlH64p2gQogTqg2AC6sYR45jpV7HJ3f+HhvtugQ+4aecgXFXwk=
X-Received: by 2002:a17:90b:4b92:b0:260:d40f:6ade with SMTP id lr18-20020a17090b4b9200b00260d40f6ademr8970944pjb.15.1690803446058; Mon, 31 Jul 2023 04:37:26 -0700 (PDT)
MIME-Version: 1.0
From: Marwan Fayed <marwan@cloudflare.com>
Date: Mon, 31 Jul 2023 12:36:50 +0100
Message-ID: <CAMgphBBYNMqiwg=SkZmh6s8gCfVoFp8zmwHNCiVYzqnBwyzKNA@mail.gmail.com>
To: pearg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000ca5d540601c6dad5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/dznlAfQPNGZ6TipwGhxhofFBWm8>
Subject: [Pearg] Responding to "Concerns over DNS Blocking" technical error(s)
X-BeenThere: pearg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Enhancements and Assessment Proposed RG <pearg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/pearg>, <mailto:pearg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pearg/>
List-Post: <mailto:pearg@irtf.org>
List-Help: <mailto:pearg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/pearg>, <mailto:pearg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2023 11:37:31 -0000
Dear wg, and more-- There is a just-published open letter [1], also summarized at 117's pearg [2] in response to a proposed initiative that (as is summarized) can require ISPs to block domains via DNS without a court order. This is no doubt a concern for all, but the open letter has two significant problems, one of which is a factual and technical error that would be great to correct, and another that merits wider conversation: 1. [Technical Error] The open letter suggests that IP blocking is a viable and less harmful alternative to blocking content via DNS. This is patently false because the consequence of blocking via DNS is all content at a domain name; an IP address block, by the very design of the Internet Protocol itself, could affect (and has affected) many more domains than intended [3]. For example, a block of 11 addresses in Austria last year affected thousands of domains and websites [4]. (As an aside, the lack of transparency about the practice is a particular concern, at least as much as the practice itself.) How best to address the error in the open letter? Ideally we can find a fix as a community, and one that involves the signatories (and their organizations, despite having signed in a personal capacity). The text of concern that needs redress reads, "Several alternatives exist which would avoid the concerning implications mentioned above. Domestic Internet Service Providers (ISPs) have a number of tools at their disposal to block infrastructure deemed malicious by French authorities. This includes blocking HTTP/HTTPS connections to the offending site, and blocking the IP addresses." [1] 2. [Wider conversation] The idea that the use of the DNS deserves more attention than simply being "blanket bad." There are no doubt challenges, not least that the DNS is composed of many role-types, namely recursive resolvers and authoritative servers, also local-network private resolvers and open-public resolvers. Each of these entities in the DNS are different and warrant separate consideration. However, when thinking about 'in-network' controls, the DNS has one very large and important advantage that is unavailable when blocking by name or address: The DNS offers **transparency**, which is not available when blocking via name or address. From RFC 8914 [5], recently introduced codes in sections 4.16 to 4.19 are useful, to start. At a minimum, support from resolvers and clients means that users could get insight into service interruptions, and the reasons for them. If blocking in the network has to happen, the transparency offered by DNS in RFC 8914 should be considered when engaging in the wider discussions. Hopefully these comments help contribute to a positive and productive discussion. Many thanks, --marwan [1] https://medium.com/@vgcerf/concerns-over-dns-blocking-988ef546a100 [2] https://datatracker.ietf.org/meeting/117/materials/slides-117-pearg-proposed-laws-on-dns-blocking-00 [3] https://blog.cloudflare.com/consequences-of-ip-blocking/ [4] https://www.derstandard.de/story/2000138619757/ueberzogene-netzsperre-sorgt-fuer-probleme-im-oesterreichischen-internet [5] https://www.rfc-editor.org/rfc/rfc8914.html
- [Pearg] Responding to "Concerns over DNS Blocking… Marwan Fayed
- Re: [Pearg] Responding to "Concerns over DNS Bloc… Vittorio Bertola
- Re: [Pearg] Responding to "Concerns over DNS Bloc… Lanlan Pan
- Re: [Pearg] Responding to "Concerns over DNS Bloc… Mirja Kuehlewind
- Re: [Pearg] Responding to "Concerns over DNS Bloc… Vittorio Bertola
- Re: [Pearg] Responding to "Concerns over DNS Bloc… Marwan Fayed