Discuss mailing list

[Jeff Taylor <shdwdrgn AT sourpuss.net>]

#2 - Yep, I'm a great guy :-)  Also not corruptible, but I can't really 
prove that.

#2 and #3 - I had another option brought to my attention regarding 
maintenance of this list.  Emails have been sent, just waiting to see if 
there is interest in a collaborative effort.  I won't mention names 
until there is a positive response.

#3 - By slaving the original zone for a domain, the original owner 
maintains full control over how it is redirected.  If the original 
owners have no interest in trying to regain control of their domain, 
they can remove the zone at any time, and we would no longer have the 
pointers to redirect queries.

#4 - Some of the previous also applies here.  If a request is made to 
pre-emptively hold a pointer for a domain name, it would again require 
access to slave their zone file - and because we are only slaving the 
original zone, this would hopefully prevent any fraudulent attempts to 
redirect a legitimate domain as they still would not have access of the 
original domain's nameservers.

I do agree that it would be nice to have a front page for the redirects, 
alerting visitors that the domain is in dispute.  Perhaps I can work up 
something tonight that performs this alert.  It would likely have to 
rely on cookies to flag when the user has seen the warning, but 
otherwise should be fairly easy?


On 12/20/2011 03:27 PM, Dustin Minnich wrote:
> I'm glad people are talking about this.  This is a great idea and something
> that we or somebody else will need to do to ensure that the internet stays
> free and open.
>
> I do have some concerns about this original implementation plan though:
>
> 1) As Brian stated, incorporation would be nice and a statement from EFF or
> a legal precedence citation would go a long way to make the T2 operators
> more willing to participate.
>
> 2) The fact that Jeff maintains the list and will be the root server
> hosting the file is concerning.  I'm sure he is a great guy, but a group
> is more resilient and less corruptible than a single person.  If Jeff gets
> hit by a bus or his server gets hacked or seized the whole thing goes down
> in flames.  In my mind, several T1 servers should host the list and then T2
> servers could source from any of them.  Checksums and other things could be
> used to better ensure consistency.
>
> 3) I worry about us finding and adding records manually.  What are our
> sources of information and how will we know if the site owners still want
> their site accessible?  How will we know when things change or when to
> remove records?  If a site owner learns that their sites are illegal and
> their domain name gets seized they may think "problem solved".  If we
> silently make their site resolvable again for people that use our name
> servers we could be giving the original site owners things they don't want
> and may create more problems for them.
>
> 4) Allowing people to register records for things before their domains get
> seized may open the system to widespread abuse.
>
> My solution to 3 and 4 would be to have another TLD and for someone to have
> a record in it, they would have to approach us on the mailing list or IRC
> and prove that they own a controversial site with a common TLD.  They would
> prove they own it by making a change to the page.  We would then add them
> to the new TLD for currently censored or potential future censored sites
> with records pointing at whatever they specify.  This way site owners would
> opt-in and we could ensure the system wouldn't be gamed.  Maybe down the
> road we could have some sort of interface that the site owners could use to
> change their records if they ever needed to.
>
> Finally, if their is an easy way to do it, IMHO it would be better if we
> also did basic vhosts for site owners that set up these redirects, instead
> of just forwarding to the uncensored page.  A page saying something similar
> to: "this site has been seized by the US government.  Click here to see
> their message.  Or, click here to continue to the uncensored version of the
> page."  would be annoying but nice.  People who just learned that a page is
> "illegal" could bail if they wanted to and others would constantly be
> reminded of just how many sites have been censored and perhaps get pissed
> off enough to start a rally or something big enough that the US government
> would notice and think about.  This does of course add extra complexity to
> it all as then we would have to answer who hosts the new TLD and who hosts
> the webservers and how do we make it all fault tolerant.
>
> Dustin
>
> On Thu, Dec 15, 2011 at 11:07 PM, subhuman<discipline AT gmx.net>  wrote:
>
> > Just a shot in the dark:
> > I've been studying the RFC's concerning DNS for some weeks now, and
> > what I'm always stumbling upon is this ominous Z flag in the message
> > header. RFC 1035 declares it (p. 27) and states: "Reserved for future
> > use. Must be zero in all queries and responses." The funny thing is
> > that, as far as I can oversee the matter by now, no updating or
> > obsoleting RFC ever mentions that flag again. It seems to be simply
> > there, poor thing.
> >
> > What if OpenNIC hijacks this flag - of course for internal purposes
> > only? Let's say, any record that points to or belongs to a domain we
> > don't trust will OpenNIC-internally delivered with the Z flag set!
> > Which means that those records/ domain names still exist (and thus
> > can't be re-assigned, hopefully), but we don't deliver them, neither to
> > the outer world, nor to clients within our namespace. Any "outgoing"
> > messages must of course have the flag set to zero, and the Response
> > RCODE might be something like NotAuth or NotZone, or even a ServFail -
> > who would care? The same would be returned to any client requesting
> > such a "smelling" record, whereas in traffic between DNS servers a
> > NoError and the usual response is transferred.
> >
> > If a domain owner complains, we demand to see of what colour his hat
> > is. And if we decide it is white: Look there! Ain't that your domain?
> > Lucky you are!
> >
> > --Martin
> >
> > On Thu, 15 Dec 2011 17:08:59 -0600
> > Brian Koontz<brian AT pongonova.net>  wrote:
> > > Seems to me that we need to be somewhat careful here.  If we are seen
> > > as "safe harbor" for every site that gets its DNS records pulled, we
> > > could put our T1/T2 operators at risk.  It might be a bit premature to
> > > be talking about this without exploring ways to mitigate the risk of
> > > individual admins.
> > >
> > > That said, we should revisit the idea of incorporating OpenNIC and
> > > having T1/T2 operations operate under the OpenNIC "umbrella."   Short
> > > of this discussion, I'm really not all that hot to deal with another
> > > visit from the men in black...
> > >
> > >    --Brian
> > > _______________________________________________
> > > discuss mailing list
> > > discuss AT lists.opennicproject.org
> > > http://lists.darkdna.net/mailman/listinfo/discuss
> >
> > --
> > Volk ist Opium für eine Religion.
> > _______________________________________________
> > discuss mailing list
> > discuss AT lists.opennicproject.org
> > http://lists.darkdna.net/mailman/listinfo/discuss
>
>
> _______________________________________________
> discuss mailing list
> discuss AT lists.opennicproject.org
> http://lists.darkdna.net/mailman/listinfo/discuss