discuss - Re: [opennic-discuss] Beginning test to reclaim confiscated domains

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Dustin Minnich <dustin.minnich AT gmail.com>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] Beginning test to reclaim confiscated domains
  • Date: Tue, 20 Dec 2011 19:52:04 -0500
  • List-archive: <http://lists.darkdna.net/pipermail/discuss>
  • List-id: <discuss.lists.opennicproject.org>

On Tue, Dec 20, 2011 at 7:02 PM, Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:

> #2 - Yep, I'm a great guy :-) Also not corruptible, but I can't really
> prove that.
>
> #2 and #3 - I had another option brought to my attention regarding
> maintenance of this list. Emails have been sent, just waiting to see if
> there is interest in a collaborative effort. I won't mention names until
> there is a positive response.
>
> Glad to hear that.


> #3 - By slaving the original zone for a domain, the original owner
> maintains full control over how it is redirected. If the original owners
> have no interest in trying to regain control of their domain, they can
> remove the zone at any time, and we would no longer have the pointers to
> redirect queries.
>
> #4 - Some of the previous also applies here. If a request is made to
> pre-emptively hold a pointer for a domain name, it would again require
> access to slave their zone file - and because we are only slaving the
> original zone, this would hopefully prevent any fraudulent attempts to
> redirect a legitimate domain as they still would not have access of the
> original domain's nameservers.
>
>
I missed the part about doing slave AXFRs :(. That does solve most of my
previous concerns where I was worried about the logistics of us creating
the necessary overriding records based on information we could dig up or
gathered from hopefully credible information people passed on to us. It
also solves the problem of how site owners would update their records down
the line. We would just need to formalize some sort of an opt-in process
for site owners to follow so that they could prove to us that they own the
site and its DNS servers.


> I do agree that it would be nice to have a front page for the redirects,
> alerting visitors that the domain is in dispute. Perhaps I can work up
> something tonight that performs this alert. It would likely have to rely
> on cookies to flag when the user has seen the warning, but otherwise should
> be fairly easy?
>
>
Page implementation aside, this may be harder than I originally thought.
If we slave illegal.com and www.illegal.com points at some IP that the site
owner specified, we would need to override this to point at a webserver we
manage but then when the user clicks the continue link on our banner,
www.illegal.com would need to start pointing at the IP we slaved instead.
Or at least I think that's right, if it is, I'm not sure how to pull that
off.

Dustin


>
> On 12/20/2011 03:27 PM, Dustin Minnich wrote:
>
>> I'm glad people are talking about this. This is a great idea and
>> something that we or somebody else will need to do to ensure that the
>> internet stays free and open.
>>
>> I do have some concerns about this original implementation plan though:
>>
>> 1) As Brian stated, incorporation would be nice and a statement from EFF
>> or a legal precedence citation would go a long way to make the T2
>> operators more willing to participate.
>>
>> 2) The fact that Jeff maintains the list and will be the root server
>> hosting the file is concerning. I'm sure he is a great guy, but a group
>> is more resilient and less corruptible than a single person. If Jeff gets
>> hit by a bus or his server gets hacked or seized the whole thing goes down
>> in flames. In my mind, several T1 servers should host the list and then
>> T2 servers could source from any of them. Checksums and other things
>> could be used to better ensure consistency.
>>
>> 3) I worry about us finding and adding records manually. What are our
>> sources of information and how will we know if the site owners still want
>> their site accessible? How will we know when things change or when to
>> remove records? If a site owner learns that their sites are illegal and
>> their domain name gets seized they may think "problem solved". If we
>> silently make their site resolvable again for people that use our name
>> servers we could be giving the original site owners things they don't want
>> and may create more problems for them.
>>
>> 4) Allowing people to register records for things before their domains get
>> seized may open the system to widespread abuse.
>>
>> My solution to 3 and 4 would be to have another TLD and for someone to
>> have a record in it, they would have to approach us on the mailing list
>> or IRC and prove that they own a controversial site with a common TLD.
>> They would prove they own it by making a change to the page. We would
>> then add them to the new TLD for currently censored or potential future
>> censored sites with records pointing at whatever they specify. This way
>> site owners would opt-in and we could ensure the system wouldn't be
>> gamed. Maybe down the road we could have some sort of interface that the
>> site owners could use to change their records if they ever needed to.
>>
>> Finally, if there is an easy way to do it, IMHO it would be better if we
>> also did basic vhosts for site owners that set up these redirects, instead
>> of just forwarding to the uncensored page. A page saying something
>> similar to: "this site has been seized by the US government. Click here
>> to see their message. Or, click here to continue to the uncensored
>> version of the page." would be annoying but nice. People who just learned
>> that a page is "illegal" could bail if they wanted to and others would
>> constantly be reminded of just how many sites have been censored and
>> perhaps get pissed off enough to start a rally or something big enough
>> that the US government would notice and think about. This does of course
>> add extra complexity to it all as then we would have to answer who hosts
>> the new TLD and who hosts the webservers and how do we make it all fault
>> tolerant.
>>
>> Dustin
>>
>> On Thu, Dec 15, 2011 at 11:07 PM, subhuman <discipline AT gmx.net> wrote:
>>
>>> Just a shot in the dark:
>>> I've been studying the RFCs concerning DNS for some weeks now, and
>>> what I'm always stumbling upon is this ominous Z flag in the message
>>> header. RFC 1035 declares it (p. 27) and states: "Reserved for future
>>> use. Must be zero in all queries and responses." The funny thing is
>>> that, as far as I can oversee the matter by now, no updating or
>>> obsoleting RFC ever mentions that flag again. It seems to be simply
>>> there, poor thing.
>>>
>>> What if OpenNIC hijacks this flag - of course for internal purposes
>>> only? Let's say, any record that points to or belongs to a domain we
>>> don't trust will be delivered OpenNIC-internally with the Z flag set!
>>> Which means that those records/ domain names still exist (and thus
>>> can't be re-assigned, hopefully), but we don't deliver them, neither to
>>> the outer world, nor to clients within our namespace. Any "outgoing"
>>> messages must of course have the flag set to zero, and the Response
>>> RCODE might be something like NotAuth or NotZone, or even a ServFail -
>>> who would care? The same would be returned to any client requesting
>>> such a "smelling" record, whereas in traffic between DNS servers a
>>> NoError and the usual response is transferred.
>>>
>>> If a domain owner complains, we demand to see of what colour his hat
>>> is. And if we decide it is white: Look there! Ain't that your domain?
>>> Lucky you are!
>>>
>>> --Martin
>>>
>>> On Thu, 15 Dec 2011 17:08:59 -0600
>>> Brian Koontz <brian AT pongonova.net> wrote:
>>>
>>>> Seems to me that we need to be somewhat careful here. If we are seen
>>>> as "safe harbor" for every site that gets its DNS records pulled, we
>>>> could put our T1/T2 operators at risk. It might be a bit premature to
>>>> be talking about this without exploring ways to mitigate the risk of
>>>> individual admins.
>>>>
>>>> That said, we should revisit the idea of incorporating OpenNIC and
>>>> having T1/T2 operations operate under the OpenNIC "umbrella." Short
>>>> of this discussion, I'm really not all that hot to deal with another
>>>> visit from the men in black...
>>>>
>>>> --Brian
>>>> _______________________________________________
>>>> discuss mailing list
>>>> discuss AT lists.opennicproject.org
>>>> http://lists.darkdna.net/mailman/listinfo/discuss
>>>>
>>>
>>> --
>>> The people are opium for a religion.
>>>
>>
>
>
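
The header field that Martin's quoted message refers to, as an added example that is not part of the thread: it decodes the flags word of a DNS header, reports whether the reserved bit is set, and zeroes it the way a server would have to before a response leaves the internal network. Function names and the two sample headers are constructed for illustration; the bit layout is RFC 1035's, with the AD and CD bits as later assigned by RFC 4035.

```python
import struct

# Masks for the 16-bit flags word that follows the ID in a DNS header.
Z_RFC1035 = 0x0070         # the three-bit Z field as RFC 1035 lays it out
AD, CD = 0x0020, 0x0010    # two of those bits, later assigned by DNSSEC (RFC 4035)
Z_RESERVED = 0x0040        # the one bit of the field that is still reserved

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes; message is truncated")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "flags": flags,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0x000F,
        "z_rfc1035": (flags & Z_RFC1035) >> 4,
        "z_reserved": (flags & Z_RESERVED) >> 6,
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "counts": (qd, an, ns, ar),
    }

def violates_z(msg: bytes) -> bool:
    """True when the still-reserved bit is set, i.e. 'must be zero' is broken."""
    return parse_header(msg)["z_reserved"] != 0

def clear_z(msg: bytes) -> bytes:
    """Return the message with the reserved bit zeroed, as an edge server
    would have to do before a response leaves the internal network."""
    flags = parse_header(msg)["flags"] & ~Z_RESERVED & 0xFFFF
    return msg[:2] + struct.pack("!H", flags) + msg[4:]

# Constructed sample headers (not captured traffic): a response with the
# reserved bit set, and a DNSSEC-validated response with only AD set.
MARKED = struct.pack("!6H", 0x1234, 0x81C0, 1, 1, 0, 0)
VALIDATED = struct.pack("!6H", 0x1234, 0x81A0, 1, 1, 0, 0)

if __name__ == "__main__":
    for name, msg in (("marked", MARKED), ("validated", VALIDATED)):
        h = parse_header(msg)
        print(name, hex(h["flags"]), "violation:", violates_z(msg))
    print("after clear_z:", hex(parse_header(clear_z(MARKED))["flags"]))
```

A check written against the full three-bit field would also fire on the validated sample, which is why the code tests only the bit that is still reserved.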


