Rich Fiscus
25 Aug 2011 23:46
PROTECT IP is the name of a bill which is working its way through the US Senate, with a version also expected to be introduced in the House of Representatives next month. It would require the Attorney General's office to compile a list of domain names which DNS operators (in the US) will be required to block.
According to some critics, it threatens to undo more than a decade of Internet security development in a single stroke.
To understand exactly what that means, I talked to one of those critics - Paul Vixie of the Internet Systems Consortium (ISC). You may not be familiar with ISC, but you almost certainly make use of their software every day.
ISC is a non-profit corporation which develops BIND, the most widely used DNS server software on the planet. When you type a domain name like AfterDawn.com into your web browser, your computer relies on a worldwide network of DNS servers to translate it into an IP address.
As part of BIND development, ISC has put significant resources into making DNS more secure through the use of an extension called DNSSEC. DNSSEC adds a cryptographic signature to DNS records, making it possible to verify that the IP address you get from a DNS server is authentic.
DNSSEC support isn't finished yet, and if PROTECT IP is implemented Paul Vixie says it never will be.
Under PROTECT IP, DNS server operators in the US would be required to replace the correct IP address for a blacklisted domain name with an alternate address provided by the Attorney General's office.
When I spoke with Paul, he talked about why this causes problems with DNSSEC:
Ultimately there are two ways to modify DNSSEC data. You can either strip off the signatures in which case your modified response will be ignored, or you can just drop the query and never send a response at all. The trouble with these as lawful mandates is that they're indistinguishable from what evildoers will do. There's nothing in the DNSSEC protocol to say "this is a lawful insert or modification, you should accept it."
Say your browser, when it's trying to decide whether some web site is or is not your bank's web site, sees the modifications or hears no response. It has to be able to try some other mechanism like a proxy or a VPN as a backup solution rather than just giving up (or just accepting the modification and saying "who cares?"). Using a proxy or VPN as a backup solution would, under PROTECT IP, break the law.
I have a special concern about this since we will have to implement backup plans in the BIND validator, which we will not do if PROTECT IP passes, and without this kind of backup plan, DNSSEC itself will never be commercially viable.
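To make Paul's point concrete, here is an added example (written for this article, not code from ISC, BIND, or Paul Vixie) that models a DNSSEC validator in Go. It uses Ed25519 signatures over a simplified canonical form of an A record set rather than the real RRSIG wire format, and the zone name, addresses and keys are all constructed for the demonstration. It runs the four cases discussed above through one validation routine: the authentic answer, a mandated address substitution that still carries the zone's original signature, an answer with the signature stripped, a dropped query, and, for comparison, a forged answer signed by someone who does not hold the zone key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
)

// RRSet is a simplified A record set: an owner name and its IPv4 addresses.
// Constructed for this example; it is not the real DNS wire format.
type RRSet struct {
	Name  string
	Addrs []string
}

// canonical serialises the RRset in the one form signer and validator must
// agree on: the owner name, then the addresses in sorted order, each
// terminated by a zero byte so fields cannot run into one another.
func canonical(rr RRSet) []byte {
	var buf bytes.Buffer
	buf.WriteString(rr.Name)
	buf.WriteByte(0)
	addrs := append([]string(nil), rr.Addrs...)
	sort.Strings(addrs)
	for _, a := range addrs {
		buf.WriteString(a)
		buf.WriteByte(0)
	}
	return buf.Bytes()
}

// Answer is what the resolver hands to the validator. A nil RRSet models
// "no response at all"; a nil Sig models a stripped signature.
type Answer struct {
	RRSet *RRSet
	Sig   []byte
}

// Verdict is the validator's outcome for an answer.
type Verdict string

const (
	Secure Verdict = "secure"      // signature valid under the zone key
	Bogus  Verdict = "bogus"       // data present but unsigned or mis-signed
	NoData Verdict = "no response" // the query was dropped
)

// Validate decides whether an answer may be trusted. It has only the zone's
// public key to go on, so it cannot tell a mandated substitution from a
// forgery: both fail the same signature check.
func Validate(zoneKey ed25519.PublicKey, a Answer) Verdict {
	if a.RRSet == nil {
		return NoData
	}
	if a.Sig == nil || !ed25519.Verify(zoneKey, canonical(*a.RRSet), a.Sig) {
		return Bogus
	}
	return Secure
}

// Scenarios signs a constructed record set with a freshly generated zone key
// and validates the cases discussed in the article. Only the zone operator
// holds the private key, so a substituted address cannot be re-signed.
func Scenarios() map[string]Verdict {
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, outsiderPriv, _ := ed25519.GenerateKey(rand.Reader) // not the zone key

	orig := RRSet{Name: "bank.example.", Addrs: []string{"192.0.2.10"}}        // constructed
	swapped := RRSet{Name: "bank.example.", Addrs: []string{"198.51.100.99"}} // constructed substitute
	sig := ed25519.Sign(zonePriv, canonical(orig))

	return map[string]Verdict{
		"authentic answer":         Validate(zonePub, Answer{&orig, sig}),
		"mandated substitution":    Validate(zonePub, Answer{&swapped, sig}),
		"signature stripped":       Validate(zonePub, Answer{&swapped, nil}),
		"query dropped":            Validate(zonePub, Answer{nil, nil}),
		"forgery by outsider":      Validate(zonePub, Answer{&swapped, ed25519.Sign(outsiderPriv, canonical(swapped))}),
	}
}

func main() {
	results := Scenarios()
	order := []string{"authentic answer", "mandated substitution", "signature stripped", "query dropped", "forgery by outsider"}
	for _, k := range order {
		fmt.Printf("%-24s -> %s\n", k, results[k])
	}
}
```

The authentic answer validates; every other case comes back as bogus or no response, and the "mandated substitution" and "forgery by outsider" rows are identical from the validator's side. That is the gap Paul describes: with nothing in the protocol to mark a modification as lawful, a validator that treats bogus answers as a signal to fall back to another path will do so for the government's substitution just as it would for an attacker's.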