
discuss - Re: [opennic-discuss] Beginning test to reclaim confiscated domains

  • From: Jeff Taylor <shdwdrgn AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] Beginning test to reclaim confiscated domains
  • Date: Tue, 20 Dec 2011 17:02:51 -0700

#2 - Yep, I'm a great guy :-) Also not corruptible, but I can't really prove that.

#2 and #3 - I had another option brought to my attention regarding maintenance of this list. Emails have been sent, just waiting to see if there is interest in a collaborative effort. I won't mention names until there is a positive response.

#3 - By slaving the original zone for a domain, the original owner maintains full control over how it is redirected. If the original owners have no interest in trying to regain control of their domain, they can remove the zone at any time, and we would no longer have the pointers to redirect queries.

#4 - Some of the previous also applies here. If a request is made to pre-emptively hold a pointer for a domain name, it would again require access to slave their zone file - and because we are only slaving the original zone, this would hopefully prevent any fraudulent attempts to redirect a legitimate domain as they still would not have access to the original domain's nameservers.

I do agree that it would be nice to have a front page for the redirects, alerting visitors that the domain is in dispute. Perhaps I can work up something tonight that performs this alert. It would likely have to rely on cookies to flag when the user has seen the warning, but otherwise should be fairly easy?

On 12/20/2011 03:27 PM, Dustin Minnich wrote:
I'm glad people are talking about this. This is a great idea and something
that we or somebody else will need to do to ensure that the internet stays
free and open.

I do have some concerns about this original implementation plan though:

1) As Brian stated, incorporation would be nice and a statement from EFF or
a legal precedent citation would go a long way to make the T2 operators
more willing to participate.

2) The fact that Jeff maintains the list and will be the root server
hosting the file is concerning. I'm sure he is a great guy, but a group
is more resilient and less corruptible than a single person. If Jeff gets
hit by a bus or his server gets hacked or seized the whole thing goes down
in flames. In my mind, several T1 servers should host the list and then T2
servers could source from any of them. Checksums and other things could be
used to better ensure consistency.

3) I worry about us finding and adding records manually. What are our
sources of information and how will we know if the site owners still want
their site accessible? How will we know when things change or when to
remove records? If a site owner learns that their sites are illegal and
their domain name gets seized they may think "problem solved". If we
silently make their site resolvable again for people that use our name
servers we could be giving the original site owners things they don't want
and may create more problems for them.

4) Allowing people to register records for things before their domains get
seized may open the system to widespread abuse.

My solution to 3 and 4 would be to have another TLD and for someone to have
a record in it, they would have to approach us on the mailing list or IRC
and prove that they own a controversial site with a common TLD. They would
prove they own it by making a change to the page. We would then add them
to the new TLD for currently censored or potential future censored sites
with records pointing at whatever they specify. This way site owners would
opt-in and we could ensure the system wouldn't be gamed. Maybe down the
road we could have some sort of interface that the site owners could use to
change their records if they ever needed to.

Finally, if there is an easy way to do it, IMHO it would be better if we
also did basic vhosts for site owners that set up these redirects, instead
of just forwarding to the uncensored page. A page saying something similar
to: "this site has been seized by the US government. Click here to see
their message. Or, click here to continue to the uncensored version of the
page." would be annoying but nice. People who just learned that a page is
"illegal" could bail if they wanted to and others would constantly be
reminded of just how many sites have been censored and perhaps get pissed
off enough to start a rally or something big enough that the US government
would notice and think about. This does of course add extra complexity to
it all as then we would have to answer who hosts the new TLD and who hosts
the webservers and how do we make it all fault tolerant.


On Thu, Dec 15, 2011 at 11:07 PM, subhuman <discipline AT> wrote:

Just a shot in the dark:
I've been studying the RFCs concerning DNS for some weeks now, and
what I'm always stumbling upon is this ominous Z flag in the message
header. RFC 1035 declares it (p. 27) and states: "Reserved for future
use. Must be zero in all queries and responses." The funny thing is
that, as far as I can oversee the matter by now, no updating or
obsoleting RFC ever mentions that flag again. It seems to be simply
there, poor thing.

What if OpenNIC hijacks this flag - of course for internal purposes
only? Let's say, any record that points to or belongs to a domain we
don't trust will be OpenNIC-internally delivered with the Z flag set!
Which means that those records/domain names still exist (and thus
can't be re-assigned, hopefully), but we don't deliver them, neither to
the outer world, nor to clients within our namespace. Any "outgoing"
messages must of course have the flag set to zero, and the Response
RCODE might be something like NotAuth or NotZone, or even a ServFail -
who would care? The same would be returned to any client requesting
such a "smelling" record, whereas in traffic between DNS servers a
NoError and the usual response is transferred.

If a domain owner complains, we demand to see of what colour his hat
is. And if we decide it is white: Look there! Ain't that your domain?
Lucky you are!


On Thu, 15 Dec 2011 17:08:59 -0600
Brian Koontz <brian AT> wrote:
Seems to me that we need to be somewhat careful here. If we are seen
as "safe harbor" for every site that gets its DNS records pulled, we
could put our T1/T2 operators at risk. It might be a bit premature to
be talking about this without exploring ways to mitigate the risk of
individual admins.

That said, we should revisit the idea of incorporating OpenNIC and
having T1/T2 operations operate under the OpenNIC "umbrella." Short
of this discussion, I'm really not all that hot to deal with another
visit from the men in black...

discuss mailing list
discuss AT

The people are opium for a religion.
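
The Z-flag idea quoted above, as an added example that is not part of the original thread: a hypothetical egress filter that turns internally Z-marked responses into SERVFAIL and clears the bit before anything leaves the resolver. Function names and the sample message are constructed for illustration; note that RFC 2535 and RFC 4035 assigned two of RFC 1035's three Z bits as AD and CD, so only 0x0040 remains reserved.

```python
import struct

# Flag masks in the 16-bit DNS header flags word. RFC 1035 reserved three
# Z bits; two became AD (0x0020) and CD (0x0010), leaving 0x0040 reserved.
QR, Z, RCODE_MASK, SERVFAIL = 0x8000, 0x0040, 0x000F, 2

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    return struct.unpack("!6H", msg[:12])   # id, flags, qd, an, ns, ar

def z_marked(msg):
    return bool(parse_header(msg)[1] & Z)

def question_end(msg, qdcount):
    """Offset just past the question section."""
    pos = 12
    for _ in range(qdcount):
        while True:
            if pos >= len(msg):
                raise ValueError("truncated question name")
            length = msg[pos]
            if (length & 0xC0) == 0xC0:     # compression pointer ends the name
                pos += 2
                break
            pos += 1 + length
            if length == 0:                 # root label ends the name
                break
        pos += 4                            # QTYPE and QCLASS
    if pos > len(msg):
        raise ValueError("truncated question section")
    return pos

def egress_filter(msg):
    """Hypothetical border policy: nothing leaves with Z set."""
    msg_id, flags, qd, an, ns, ar = parse_header(msg)
    if not (flags & QR and flags & Z):      # query or unmarked response
        return struct.pack("!HH", msg_id, flags & ~Z & 0xFFFF) + msg[4:]
    flags = (flags & ~Z & ~RCODE_MASK & 0xFFFF) | SERVFAIL
    end = question_end(msg, qd)             # keep the question, drop all records
    return struct.pack("!6H", msg_id, flags, qd, 0, 0, 0) + msg[12:end]

def build_response(marked):
    """Constructed sample: A record answer for example.test."""
    flags = QR | 0x0100 | 0x0080 | (Z if marked else 0)   # RD, RA, NOERROR
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0) + question + answer
```

An unmarked response passes through byte for byte, while a marked one leaves as a header plus question with RCODE 2 and every record count zeroed.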