Hi Dan,

> but really, for the threat you discuss we already live in
> that future.

Agreed. But now, the US government (or another government controlling a DNS operator) must approach each DNS operator with their [secret] request. Under this scheme, the distributed, fault-tolerant nature of DNS will be nullified. That is, a government only needs to poison the database of one cooperating operator, and other cooperating DNS operators will dutifully incorporate the changes. To make matters worse, the poisoning will cross national/political boundaries - something governments don't fully enjoy under the current system.

I would bet the proponents of the 'Internet Kill Switch' are salivating like Pavlov's dog - I still remember the NSAKEY incident...

Jeff

On Fri, Aug 6, 2010 at 2:44 PM, Dan Kaminsky <d...@doxpara.com> wrote:
> Jeffrey,
>
> It ain't the US that's leading the way in DNS based blocklists, now is
> it?
>
> Ultimately DNS is not the right layer to do general purpose filtering.
> There's no question that national blocklists slot very nicely into this
> proposal by Vixie, but really, for the threat you discuss we already live in
> that future.
>
> On Fri, Aug 6, 2010 at 2:12 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
>>
>> Hi Paul,
>>
>> What happens when the US government comes-a-knocking, desiring to
>> manipulate data while claiming some sort of purview under the gestapo
>> legislation known as the PATRIOT Act (or <insert legislation name
>> here>)? The hooks provided by the ISC and used by the domain operator
>> will facilitate the DNS subversion nicely. Put another way, the ISC
>> proposal has just made it easier for US government abuses, and abuses
>> which can affect not only US citizens, but citizens of other
>> countries.
>>
>> Perhaps the ISC should also divest DNS interests from the US so that
>> more DNS operators, immune from US control, are available to the
>> community.
>>
>> Jeff
>>
>> On Fri, Aug 6, 2010 at 1:07 AM, Paul Vixie <vi...@isc.org> wrote:
>> >
>> > http://domainincite.com/vixie-declares-war-on-domain-name-crooks/
>> >
>> > [SNIP]

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.