Re: [opennic-discuss] Beginning test to reclaim confiscated domains

  • From: Dustin Minnich <dustin.minnich AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] Beginning test to reclaim confiscated domains
  • Date: Tue, 20 Dec 2011 17:27:59 -0500

I'm glad people are talking about this. This is a great idea and something
that we or somebody else will need to do to ensure that the internet stays
free and open.

I do have some concerns about this original implementation plan though:

1) As Brian stated, incorporation would be nice and a statement from EFF or
a legal precedent citation would go a long way to make the T2 operators
more willing to participate.

2) The fact that Jeff maintains the list and will be the root server
hosting the file is concerning. I'm sure he is a great guy, but a group
is more resilient and less corruptible than a single person. If Jeff gets
hit by a bus or his server gets hacked or seized the whole thing goes down
in flames. In my mind, several T1 servers should host the list and then T2
servers could source from any of them. Checksums and other things could be
used to better ensure consistency.

3) I worry about us finding and adding records manually. What are our
sources of information and how will we know if the site owners still want
their site accessible? How will we know when things change or when to
remove records? If a site owner learns that their sites are illegal and
their domain name gets seized they may think "problem solved". If we
silently make their site resolvable again for people that use our name
servers we could be giving the original site owners things they don't want
and may create more problems for them.

4) Allowing people to register records for things before their domains get
seized may open the system to widespread abuse.

My solution to 3 and 4 would be to have another TLD and for someone to have
a record in it, they would have to approach us on the mailing list or IRC
and prove that they own a controversial site with a common TLD. They would
prove they own it by making a change to the page. We would then add them
to the new TLD for currently censored or potential future censored sites
with records pointing at whatever they specify. This way site owners would
opt-in and we could ensure the system wouldn't be gamed. Maybe down the
road we could have some sort of interface that the site owners could use to
change their records if they ever needed to.

Finally, if there is an easy way to do it, IMHO it would be better if we
also did basic vhosts for site owners that set up these redirects, instead
of just forwarding to the uncensored page. A page saying something similar
to: "this site has been seized by the US government. Click here to see
their message. Or, click here to continue to the uncensored version of the
page." would be annoying but nice. People who just learned that a page is
"illegal" could bail if they wanted to and others would constantly be
reminded of just how many sites have been censored and perhaps get pissed
off enough to start a rally or something big enough that the US government
would notice and think about. This does of course add extra complexity to
it all as then we would have to answer who hosts the new TLD and who hosts
the webservers and how do we make it all fault tolerant.


On Thu, Dec 15, 2011 at 11:07 PM, subhuman <discipline AT> wrote:

> Just a shot in the dark:
> I've been studying the RFCs concerning DNS for some weeks now, and
> what I'm always stumbling upon is this ominous Z flag in the message
> header. RFC 1035 declares it (p. 27) and states: "Reserved for future
> use. Must be zero in all queries and responses." The funny thing is
> that, as far as I can oversee the matter by now, no updating or
> obsoleting RFC ever mentions that flag again. It seems to be simply
> there, poor thing.
> What if OpenNIC hijacks this flag - of course for internal purposes
> only? Let's say, any record that points to or belongs to a domain we
> don't trust will OpenNIC-internally be delivered with the Z flag set!
> Which means that those records/ domain names still exist (and thus
> can't be re-assigned, hopefully), but we don't deliver them, neither to
> the outer world, nor to clients within our namespace. Any "outgoing"
> messages must of course have the flag set to zero, and the Response
> RCODE might be something like NotAuth or NotZone, or even a ServFail -
> who would care? The same would be returned to any client requesting
> such a "smelling" record, whereas in traffic between DNS servers a
> NoError and the usual response is transferred.
> If a domain owner complains, we demand to see of what colour his hat
> is. And if we decide it is white: Look there! Ain't that your domain?
> Lucky you are!
> --Martin
> On Thu, 15 Dec 2011 17:08:59 -0600
> Brian Koontz <brian AT> wrote:
> >
> > Seems to me that we need to be somewhat careful here. If we are seen
> > as "safe harbor" for every site that gets its DNS records pulled, we
> > could put our T1/T2 operators at risk. It might be a bit premature to
> > be talking about this without exploring ways to mitigate the risk of
> > individual admins.
> >
> > That said, we should revisit the idea of incorporating OpenNIC and
> > having T1/T2 operations operate under the OpenNIC "umbrella." Short
> > of this discussion, I'm really not all that hot to deal with another
> > visit from the men in black...
> >
> > --Brian
> > _______________________________________________
> > discuss mailing list
> > discuss AT
> >
> --
> The people are opium for a religion.
> _______________________________________________
> discuss mailing list
> discuss AT
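
The Z-flag scheme Martin sketches above, as an added example (not code from the list or from OpenNIC): a small RFC 1035 header parser that reports the reserved Z bit, which a resolver operator can also use as a conformance check over captured messages, plus the egress rule he describes, clearing Z and substituting an RCODE before a marked response leaves the internal namespace. One point worth knowing: RFC 2535 later assigned two of the three RFC 1035 "Z" bits as AD and CD, so only one bit is still unassigned, and the parser exposes both views. The sample message and all function names are constructed here.

```python
import struct
def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1) into named fields."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
        "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
        # RFC 1035 reserves three bits here (z3); RFC 2535 later assigned the lower two
        # as AD and CD, so only the top one (z) is still "reserved, must be zero".
        "z3": flags >> 4 & 0x7, "z": flags >> 6 & 1, "ad": flags >> 5 & 1, "cd": flags >> 4 & 1,
        "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def violates_rfc1035_z(msg: bytes) -> bool:
    """Detection check: True when the reserved Z bit is set, which RFC 1035 forbids."""
    return parse_header(msg)["z"] == 1

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name at off (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def question_section_end(msg: bytes) -> int:
    off = 12                             # each question entry: QNAME, QTYPE, QCLASS
    for _ in range(parse_header(msg)["qdcount"]):
        off = _skip_name(msg, off) + 4
    return off

def sanitize_for_egress(msg: bytes, rcode: int = 9) -> bytes:
    """Egress rule from the thread: clear Z, set RCODE (9 = NOTAUTH, RFC 2136), keep only the question."""
    hdr = parse_header(msg)
    if not hdr["z"]:
        return msg
    flags = struct.unpack("!H", msg[2:4])[0] & ~(1 << 6)   # clear Z
    flags = (flags & ~0xF) | (rcode & 0xF)                  # replace RCODE
    header = struct.pack("!HHHHHH", hdr["id"], flags, hdr["qdcount"], 0, 0, 0)
    return header + msg[12:question_section_end(msg)]

def build_sample_response(z_set: bool) -> bytes:
    """Constructed sample (not captured traffic): A answer example.test -> 192.0.2.1."""
    flags = 0x8580 | (0x0040 if z_set else 0)               # QR, AA, RD, RA (+ Z)
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)   # A, IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0) + question + answer
```

Run `violates_rfc1035_z` over a capture to find messages that break the "must be zero" rule, and `sanitize_for_egress` shows what a marked response would look like once it leaves the internal namespace.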
