
discuss - Re: [opennic-discuss] Idea for 'protected' domains

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Peter McCann <mccap AT freeovernetfoundation.org>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Idea for 'protected' domains
  • Date: Sun, 6 Mar 2011 14:31:59 -0600
  • List-archive: <http://lists.darkdna.net/pipermail/discuss>
  • List-id: <discuss.lists.opennicproject.org>

On Sun, Mar 6, 2011 at 1:39 AM, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
> There has been some periodic talk, initially regarding domains such as
> wikileaks, but more recently about entire zones in conflict areas such as
> Libya and Egypt... Is there a way that OpenNic can help against hostile
> government take-overs of the internet traffic to these areas?
>
> The short answer: maybe
>
> Regarding an entire TLD, we are very limited in what can be done without
> direct correspondence from the person(s) controlling that zone.  While
> anyone has direct access to the list of primary nameservers serving that
> zone, there is generally little or no detailed info available that would
> allow us more fine-grained access to information such as the list of domains
> under that TLD.
>
> Now with specific domains, we have a little more information available
> because we can query that domain directly.  We can probably even get a list
> of all the subdomains and MX servers.  And of course there is a better
> chance that we may be able to correspond directly with the domain holder,
> and request that OpenNic be added as a slave zone for their domain.
>
> Since I am regenerating a full root zone every hour, I could use that same
> window to run comparative tests against the TLDs or domains we are
> monitoring.  I can look for large changes between the information we have on
> file and the information being reported by ICANN.  And since we maintain our
> own root, we can essentially 'hijack' the information presented by ICANN and
> substitute our own zone which mirrors what the true owners of the TLD or
> domain originally had (and thus continuing to provide access to the original
> sites).
>
> Of course something like this also provides the means for abuse, so we
> would want to try and take measures to prevent this, however in the end it
> would come down to a very limited number of people having access to changes,
> and trusting those people to be honest with your connectivity.  Also it
> would be imperative to be aware when a 'protected' site has been changed, so
> I think perhaps the easiest method would be to redirect traffic to a
> notification page which states that the ICANN data may be questionable, and
> allows the user to choose if they want to continue to the ICANN-presented
> page, or use OpenNic's cached data to connect to the site.
>
> And lastly, we would need a web page which allows admins to approve or
> reject the changes to DNS (any pending or rejected changes would spawn the
> notification page to users).  This page also would provide a form for anyone
> to request a TLD or domain be added to the protection list, which would then
> be considered and voted upon by OpenNic members.
>
> I think that just about covers what I can think of.  This would essentially
> try to cover internet access in case of government sensitivity, and also be
> in line with the issues that brought the P2P community to our doorstep a few
> months ago.  I'd love to see some discussion towards this, and I believe a
> basic framework could be set up fairly quickly, which can be fine-tuned over
> time.

You are essentially proposing that OpenNIC get into the domain ownership
dispute resolution business. Personally I think that's a fine idea and had
assumed this sort of thing was one of the reasons OpenNIC was created. You
will be going up against court-ordered domain confiscations and transfers,
and publishing contradictory information to what ICANN is forced to publish
by the legal system. Do you really want to hold a vote on every instance
where a domain is confiscated? It might be better to elect some sort of
judiciary with an appeals structure so that disputes could be resolved
quickly. I would think you would want to create an acceptable usage policy
(do you really want to be protecting all the child pornographers?).

I don't think you actually need to mirror the whole protected zone, just
return a delegation point that points at the IP address(es) of their
preferred nameserver. I think most of the domain confiscations have
redirected the DNS queries to government-controlled nameservers and you
just need to prevent that. You would need a secure way for the real domain
owner to update this information, so as you outline I think you would need
a positive affirmation that the owner wants this protection service before
you would start providing it. If the owner ever needed to make a change and
forgot to update OpenNIC it might create a problem. Some mechanism to agree
on authentication information for these updates would be needed.

What is OpenNIC's strategy with respect to DNSSEC? I assume that eventually
the OpenNIC root will need to be signed with some key and some group of
people will need to be responsible for that.

--
Pete McCann <mccap AT freeovernetfoundation.org>
pgp 0x9FAF5668
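
The thread describes pinning a protected domain's delegation (NS names plus glue addresses) and comparing it each hour against what the ICANN root currently reports. The sketch below is an added example, not code from either poster or from OpenNIC; the function names, the 0.5 drift threshold, the four status labels and the sample zone lines are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delegation:
    nameservers: frozenset  # NS host names at the delegation point
    glue: frozenset         # A/AAAA addresses of those name servers

def parse_delegation(zone_text, domain):
    """Extract the NS set and its glue addresses for `domain` from zone-file lines."""
    domain = domain.lower().rstrip(".") + "."
    rows = [f for f in (line.split() for line in zone_text.splitlines())
            if len(f) == 5 and not f[0].startswith(";")]
    ns = {r[4].lower() for r in rows if r[3] == "NS" and r[0].lower() == domain}
    glue = {r[4] for r in rows if r[3] in ("A", "AAAA") and r[0].lower() in ns}
    return Delegation(frozenset(ns), frozenset(glue))

def drift(pinned, observed):
    """Share of the pinned name servers and glue that the observed data no longer lists."""
    old = pinned.nameservers | pinned.glue
    new = observed.nameservers | observed.glue
    return len(old - new) / len(old) if old else 0.0

def classify(pinned, observed, approved, threshold=0.5):
    """'unchanged', 'approved', 'minor' or 'pending' (pending -> notification page)."""
    if observed == pinned:
        return "unchanged"
    if observed in approved:  # change already accepted by an admin (assumed workflow)
        return "approved"
    return "pending" if drift(pinned, observed) >= threshold else "minor"

# Constructed sample data (documentation names and addresses, not real zones).
PINNED = """
example.org.      172800 IN NS ns1.example.net.
example.org.      172800 IN NS ns2.example.net.
ns1.example.net.  172800 IN A  192.0.2.1
ns2.example.net.  172800 IN A  192.0.2.2
"""
REDIRECTED = """
example.org.        172800 IN NS ns1.seized.example.
example.org.        172800 IN NS ns2.seized.example.
ns1.seized.example. 172800 IN A  198.51.100.1
ns2.seized.example. 172800 IN A  198.51.100.2
"""
EXTENDED = PINNED + ("example.org. 172800 IN NS ns3.example.net.\n"
                     "ns3.example.net. 172800 IN A 192.0.2.3\n")

if __name__ == "__main__":
    pinned = parse_delegation(PINNED, "example.org")
    for label, text in (("redirected", REDIRECTED), ("extended", EXTENDED)):
        seen = parse_delegation(text, "example.org")
        print(label, classify(pinned, seen, approved=set()), drift(pinned, seen))
```

Comparing only the delegation keeps the stored state small, and the `approved` set is where an authenticated update from the domain owner would land before the pin is replaced.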



