Paul Vixie and some of his fellow DNS experts have published a blog post in The Hill’s “Congress Blog” denouncing the DNS blacklisting feature of the rogue site bills currently working their way through Congress, PROTECT-IP and SOPA. In their view, DNS blacklisting is un-American:
[T]he debate over what we as a society ought to do about online piracy and infringement has gone into the weeds – so much so that bills now pending before both houses of the US Congress (S. 936, PIPA; and H.R. 3261, SOPA) seek to compel American Internet Service Providers to alter fundamentally the way their connected customers access the Domain Name System.
This type of mandated filtering is not an American innovation. Strong governments around the world use DNS filtering to signal their displeasure over all kinds of things they don’t like, whether it be untaxed online gambling, or pornography, or political dissent.
It’s interesting to contrast the view in this new blog post with a post Mr. Vixie published last February announcing the addition of a domain blacklisting feature to the Internet’s most popular DNS server software, BIND, a product maintained by his firm, Internet Systems Consortium.
The post, titled “Taking Back the DNS,” highlights the fact that most new domains are malicious and describes a feature newly added to BIND that enables ISPs to make such domains effectively disappear from the Internet.
Vixie’s rationale was straightforward:
Society’s bottom feeders have always found ways to use public infrastructure to their own advantage, and the Internet has done what it always does which is to accelerate such misuse and enable it to scale in ways no one could have imagined just a few years ago. Just as organized crime has always required access to the world’s money supply and banking system, so it is that organized e-crime now requires access to the Internet’s resource allocation systems. They are using our own tools against us, while we’re all competing to see which one of us can make our tools most useful.
This all seems quite sensible, so Congress has followed Vixie’s lead in including domain blacklisting in PROTECT-IP and in SOPA.
Despite the objections raised by the DNS experts to these bills, domain blacklisting remains a supported feature in BIND, and was recently upgraded from Version 1 to Version 2; the feature’s formal name is “Response Policy Zones” or RPZ.
One likely effect of the passage of PIPA or SOPA would be for vendors of competing DNS systems to adopt the RPZ feature and make it a de facto standard. As Vixie says, it addresses a fundamental lack of accountability in the Internet:
- The split registry/registrar/registrant model insulates all parties from responsibility, so the global DNS lacks accountability – complaints are ineffective, even with provable crime/losses.
- This resiliency and unaccountability is of greater benefit to bad actors than their victims
RPZ as presently implemented is not fully compatible with DNSSEC, the “new” 15-year-old DNS security upgrade described in the column. That shortcoming will need to be addressed whether PIPA/SOPA becomes law or not, and it didn’t prevent RPZ’s creator from releasing it in the interests of the good it can do.
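To make concrete what the RPZ feature discussed above actually does to a query, here is an added model of its QNAME-trigger semantics. This is illustration code written for this page, not BIND’s implementation and not anything from Vixie’s post; the policy table, domain names and upstream answers are constructed. The encoding it follows is RPZ’s own (a CNAME to “.” means NXDOMAIN, to “*.” means NODATA, to “rpz-passthru.” exempts a name, and any other record is substituted local data), and the DNSSEC branch mirrors BIND’s documented default of leaving a signed answer to a DO-bit query unrewritten unless `break-dnssec` is turned on, which is the compatibility problem the paragraph above refers to: a rewritten answer cannot carry a valid signature, so a validating client would reject it.

```python
"""Model of Response Policy Zone (RPZ) name matching and actions.

Constructed illustration for a resolver operator: the POLICY table and the
sample answers are made up. Lookup order (exact name, then wildcards walking
up the label tree) and the action encoding follow the RPZ v2 conventions.
"""

# Constructed policy zone: {trigger name: (rtype, rdata)}. A leading "*."
# matches every name below that label, as it would in an RPZ zone file.
POLICY = {
    "malware.example.":       ("CNAME", "."),              # NXDOMAIN
    "*.malware.example.":     ("CNAME", "."),              # ...and all subdomains
    "tracker.example.":       ("CNAME", "*."),             # NODATA (empty answer)
    "ads.example.":           ("A", "127.0.0.1"),          # local data (walled garden)
    "admin.malware.example.": ("CNAME", "rpz-passthru."),  # exemption, closest match wins
}


def _candidates(qname):
    """Yield trigger names to try for qname: the exact name first, then
    *.parent, *.grandparent, ... so the closest policy entry wins."""
    labels = qname.rstrip(".").split(".")
    yield qname
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:]) + "."


def match(qname):
    """Return (trigger, (rtype, rdata)) for the closest matching entry, or None."""
    for name in _candidates(qname):
        if name in POLICY:
            return name, POLICY[name]
    return None


def resolve(qname, upstream_answer, do_bit=False, break_dnssec=False):
    """Apply the policy to the answer a recursive resolver got upstream.

    upstream_answer: {"rcode": ..., "rrs": [(name, rtype, rdata), ...],
                      "signed": bool}  (signed = RRSIGs were present)
    do_bit: the client set the DNSSEC OK bit, i.e. it may validate.
    Returns the answer the client would receive plus a 'policy' tag saying
    which trigger (if any) fired.
    """
    hit = match(qname)
    if hit is None:
        return dict(upstream_answer, policy=None)
    trigger, (rtype, rdata) = hit
    if rtype == "CNAME" and rdata == "rpz-passthru.":
        return dict(upstream_answer, policy="passthru")
    # A rewritten answer cannot validate, so by default leave signed data
    # alone for validating clients unless the operator accepts breaking DNSSEC.
    if do_bit and upstream_answer.get("signed") and not break_dnssec:
        return dict(upstream_answer, policy="skipped-dnssec")
    if rtype == "CNAME" and rdata == ".":
        return {"rcode": "NXDOMAIN", "rrs": [], "policy": trigger}
    if rtype == "CNAME" and rdata == "*.":
        return {"rcode": "NOERROR", "rrs": [], "policy": trigger}
    return {"rcode": "NOERROR", "rrs": [(qname, rtype, rdata)], "policy": trigger}


# Constructed upstream answers for the demo.
UNSIGNED = {"rcode": "NOERROR", "rrs": [("x", "A", "198.51.100.7")], "signed": False}
SIGNED = dict(UNSIGNED, signed=True)

if __name__ == "__main__":
    for name in ("evil.malware.example.", "admin.malware.example.", "tracker.example.",
                 "ads.example.", "clean.example."):
        print(name, resolve(name, UNSIGNED))
    print("DO-bit, signed:", resolve("malware.example.", SIGNED, do_bit=True))
    print("DO-bit, signed, break-dnssec:",
          resolve("malware.example.", SIGNED, do_bit=True, break_dnssec=True))
```

The last two lines of the demo are the trade-off in miniature: with the default, a validating client never sees the block (the bad domain still resolves), and with `break-dnssec` it sees an answer it will reject as bogus. Either way the operator has to choose between the policy working and DNSSEC working for that name.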
DNS filtering is not only an American innovation, it’s Paul Vixie’s innovation.
In fairness, I have to point out that Vixie sees a major difference between DNS blacklisting that’s voluntary on the user’s part and the government-mandated filtering proposed by PIPA and SOPA. In his view, it’s a question of the alignment of interests, but he ignores the consumers who simply want to buy from legitimate sources (among other things). Vixie is a dyed-in-the-wool Ayn Rand libertarian who has maintained an Objectivism repository on his web site for as long as I can remember. It’s safe to say that his objection to government mandating the use of his RPZ mechanism has more to do with his politics than with his technical knowledge.
UPDATE: Rep. Goodlatte read portions of this post in the SOPA markup hearing.