> > No, this draft simply specifies what operators are already doing. Not
> > because they are intent on destroying trust in the DNS or the Internet,
> > but because they are forced to do this by governments, they need to
> > protect their own network, they would like to protect their customers,
> > and lots of other reasons.
> 
> There are two things you mixed together:
> 
> 1) industry based filtering of DNS - a commercial opt-in service offering
> 
> 2) government mandated filtering of DNS - A misguided breakage of
>     protocol forced upon operators.

I "mixed them together" because we use the same mechanism in both
cases. This is where RPZ (which we don't use today) would be handy.

> And 1) should not need to break DNSSEC. IETF should come up with a
> better solution for signaling a DNS lookup might be unhealthy for
> the enduser.

As others have pointed out, we don't only want to signal back to the
user "don't do this DNS lookup" - we want to prevent the lookup from
reaching the authoritative servers. "unhealthy for the end user" is
just one of several reasons why a DNS lookup might be blocked.

> For 2) if it breaks DNSSEC, that is fine. Governments will learn that
> ISPs are not the right tools for censorship, and endnodes will simply
> bypass the ISP DNS resolver.

Government mandated DNS filtering has been in use here in Norway for
more than 8 years, and there is absolutely no sign that the government
will learn what you suggested. Endnodes have been able to bypass the
ISP DNS resolvers all these years; the information on how to do this
has been freely available - and yet a large majority of the endnodes
continue to use the ISP DNS resolvers.

Steinar Haug, AS2116
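To make the mechanism the post refers to concrete, the following is an added example (not from this message or the DNSOP thread) of how a resolver operator would express such filtering as a BIND response policy zone (RPZ). The zone name rpz.example, the file path, and the names blocked.example, redirected.example, allowed.example and blockpage.isp.example are placeholders chosen for the example.

```conf
// --- named.conf fragment (added example; names and paths are placeholders) ---
options {
    // Consult the local policy zone before answering from cache or
    // recursing; a matching name is answered here, so the query never
    // reaches the authoritative servers for that name.
    response-policy {
        zone "rpz.example";
    } break-dnssec no;
    // break-dnssec defaults to "no": BIND skips the rewrite when the client
    // asked for DNSSEC (DO bit set) and real signed data exists, so a
    // validating stub still receives the genuine, validatable answer.
    // "yes" rewrites regardless and produces validation failures for
    // those clients, which is the DNSSEC breakage debated in this thread.
};

zone "rpz.example" {
    type master;
    file "/etc/bind/rpz.example.zone";
};

// --- /etc/bind/rpz.example.zone (added example) ---
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@   IN NS   localhost.

; NXDOMAIN action: the name and everything beneath it is answered
; locally with NXDOMAIN; no query is sent upstream. The wildcard line
; is required to cover subdomains, the RPZ name itself does not.
blocked.example     IN CNAME .
*.blocked.example   IN CNAME .

; "Walled garden" action: send the client to a local page that explains
; the block, instead of a bare NXDOMAIN. Still answered locally.
redirected.example  IN CNAME blockpage.isp.example.

; PASSTHRU: exempt a name from all policy (e.g. to undo a false positive).
allowed.example     IN CNAME rpz-passthru.
```

After reloading named, a plain `dig @127.0.0.1 www.blocked.example` is answered NXDOMAIN by the resolver without any upstream traffic, whereas the same query with `+dnssec` is left unmodified under the default `break-dnssec no`. This is the trade-off the thread is about: the operator can either let DNSSEC-aware clients see through the filter, or set `break-dnssec yes` and accept that validating clients will treat the rewritten answer as bogus.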

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop