From avangaev at gmail.com Thu Jan 2 01:22:39 2014
From: avangaev at gmail.com (Alain Van Gaever)
Date: Thu, 2 Jan 2014 00:22:39 +0000
Subject: [cooperation-wg] RIPE NCC Roundtable Meetings - Some Background
In-Reply-To: <65C485D1-99F6-4693-BC26-6B5E6E5B99BF@ripe.net>
References: <52B306A6.1080900@ripe.net> <65C485D1-99F6-4693-BC26-6B5E6E5B99BF@ripe.net>
Message-ID:

Thanks Chris for those clarifications!

From having attended the Roundtable meetings in the past, I have found the RIPE NCC meetings very useful and hope they will continue to be so.

From both personal experience and discussions with people inside government organisations, it does seem useful to *supplement these Roundtable meetings with other types of engagement*. *In fact we should be determining our modes of engagement such that they have the broadest possible impact.* That could be a workshop or a white paper, or sending an expert to a specific meeting... Whatever it is, our aim should be to (1) reach as broad an audience as possible, and (2) create "institutional memory" that will allow RIPE and others to disseminate good information beyond one meeting, workshop, etc. Our aim as RIPE NCC and the Coop WG should be to become a lasting resource -- the go-to community for clear, unbiased information on the technical components impacting specific policy areas.

That is why, with the email Maria sent out on 30 November on the 'Proposed Workplan Coop-WG', we suggested a couple of policy areas to start engaging on. We should do this in a way that complements the RIPE NCC Roundtable meetings and reaches those that develop policy and legislation but do not normally attend the Roundtable or other RIPE meetings.

Alain

PS And since this seems to be the very first email on this mailing list this year: I wish you all a very Happy 2014!!!
On Fri, Dec 20, 2013 at 4:18 AM, Chris Buckridge wrote:

> Dear colleagues,
>
> Based on recent discussions, it would perhaps be useful to provide some
> background information on the RIPE NCC Roundtable Meetings for Governments
> and Regulators (to use their full title).
>
> The RIPE NCC has been holding these events since 2005, generally on a
> twice-yearly basis, as an opportunity for representatives of governments
> and public sector authorities to engage directly with RIPE NCC staff and
> key members of the RIPE community. Over the years, agenda items have
> included issues such as IPv6 adoption, Internet governance developments,
> network security, and Internet measurements and analysis. Presentations are
> generally delivered by RIPE NCC staff, though there have been occasions
> when representatives from other organisations have presented on issues
> relevant to the RIPE NCC or RIPE community (e.g. Olaf Kolkman delivered a
> presentation at the last Roundtable Meeting on the IETF and its role in
> Internet security).
>
> The Roundtable Meetings are held as invitation-only events. This is to
> allow government representatives, who are often constrained in what they
> can say in open forums, to speak and exchange information freely. This is
> vital to ensuring that all participants get the most out of the meetings.
> The trade-off is that Roundtable Meetings are purely informational - no
> formal policy discussion or decision-making occurs.
>
> As noted on this list, recent Roundtable Meetings have been held
> alternately in Amsterdam and Brussels - this has been a conscious move to
> engage more effectively with European Commission and Parliament staff, as
> well as EU member state representatives who may otherwise be in Brussels at
> the time. We have coordinated with contacts in the European Commission to
> organise our Brussels Roundtable Meetings adjacent to relevant meetings or
> events held by the Commission.
> Our plan is to continue this pattern, but we
> are always open to adjusting our Roundtable Meeting organisation to more
> effectively reach new participants.
>
> The Roundtable Meetings have a great success in helping the RIPE NCC to
> build relationships with the public sector and inform public sector
> representatives on issues relating to the RIPE community. While the
> Roundtable Meetings are invitation-only, the RIPE NCC is very happy to hear
> input or suggestions from the community (particularly this working group)
> on issues that might usefully be included on the agenda (we are currently
> developing the agenda for our next Roundtable Meeting in February, and have
> noted the discussion that has taken place here regarding IP
> interconnection).
>
> We also strongly you to connect us with public sector representatives from
> your country who may be interested in attending.
>
> I hope this is helpful for discussions going forward, and I am happy to
> answer questions either on or off the mailing list.
>
> Chris Buckridge
> External Relations Officer, RIPE NCC
>

From roland at internetpolicyagency.com Thu Jan 2 12:51:00 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Thu, 2 Jan 2014 11:51:00 +0000
Subject: [cooperation-wg] RIPE NCC Roundtable Meetings - Some Background
In-Reply-To:
References: <52B306A6.1080900@ripe.net> <65C485D1-99F6-4693-BC26-6B5E6E5B99BF@ripe.net>
Message-ID:

In message , at 00:22:39 on Thu, 2 Jan 2014, Alain Van Gaever writes

>our aim should be to (1) reach as broad an audience as possible, and
>(2) create "institutional memory" that will allow RIPE and others to
>disseminate good information beyond one meeting, workshop, etc. Our aim
>as RIPE NCC and the Coop WG should be to become a lasting resource --
>the go to community for clear, unbiased information on the technical
>components impacting specific policy areas.
There is a precedent for this in RIPE-206 which discussed best practice in the area of UBE (since replaced by RIPE-409). As secretariat for LINX's regulatory activities it was my task to support the [LINX] WG meetings from which this (and similar) documents emerged.

LINX then went on to author a best practice/institutional memory for privacy and law enforcement liaison[1] issues.

https://www.linx.net/good/bcp/privacy-bcp-v1_0.html

Both were invaluable for discussions with governments and regulators in subsequent years.

With a slightly different hat of mine on (not just secretariat this time, but also main editor and contributor) another briefing document was very helpful in discussions with the authorities about data retention, and was widely accepted as technically unbiased:

http://www.internetcrimeforum.org.uk/principal_current_data_types.pdf

As was this multi-stakeholder document about the child-protection risks of Chatlines:

http://www.internetcrimeforum.org.uk/chatwise_streetwise.pdf

But don't underestimate the amount of work involved, or the number of issues to which this approach could be applied.

[1] RIPE NCC's CCWP was working on similar issues, but I'm not aware of whether they have a public deliverable which could be used by the CoOp WG.
--
Roland Perry

From pc.chiodi at gmail.com Tue Jan 7 19:23:14 2014
From: pc.chiodi at gmail.com (Pier Carlo Chiodi)
Date: Tue, 07 Jan 2014 19:23:14 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se>
Message-ID: <52CC4612.2040002@gmail.com>

Dear Cooperation working group members,

On 07/11/2013 21:53, Meredith Whittaker wrote:
> With that, I would be happy to help whoever leads pull together a draft,
> but I don't have the expertise to lead drafting.
as I have already anticipated in another thread, I finally completed a document about web blocking measures for law enforcement purposes.

I tried to put together suggestions and hints taken from this mailing list and from documents herein reported. If you believe it's appropriate, it could be reviewed and maybe used as a starting point to eventually produce a RIPE NCC guide, in order to support legislators and stakeholders decisions; otherwise, it will be just another document about the topic! :)

I share the document on Google Drive (replace FILE_ID with 0B2tYFe9mK9YfcGFUWkxEaldMdDg):

https://drive.google.com/file/d/FILE_ID/edit?usp=sharing

In case, just let me know how we can proceed with revisions.

My two cents.

Best regards,

--
Pier Carlo Chiodi
http://pierky.com/aboutme

The opinions expressed here represent my own and not those of any organization, entity or committee to which I may hold a position.

From avangaev at gmail.com Wed Jan 22 19:04:39 2014
From: avangaev at gmail.com (Alain Van Gaever)
Date: Wed, 22 Jan 2014 18:04:39 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To: <52CC4612.2040002@gmail.com>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <52CC4612.2040002@gmail.com>
Message-ID:

Hi Pier,

First of all a very happy 2014! And thank you very much for that contribution! (and sorry for the late reply)

Papers setting out to a non-technical audience how basic elements of the Internet work are very welcome indeed. They help bridge the gap between those developing policy and those understanding the technical ins and outs of the Internet! I hope you will get some useful feedback!
Let me start by referring to a document Ofcom produced a while back:
http://stakeholders.ofcom.org.uk/binaries/internet/site-blocking.pdf

Kind regards,

Alain

On Tue, Jan 7, 2014 at 6:23 PM, Pier Carlo Chiodi wrote:

> Dear Cooperation working group members,
>
> On 07/11/2013 21:53, Meredith Whittaker wrote:
>
>> With that, I would be happy to help whoever leads pull together a draft,
>> but I don't have the expertise to lead drafting.
>>
>
> as I have already anticipated in another thread, I finally completed a
> document about web blocking measures for law enforcement purposes.
>
> I tried to put together suggestions and hints taken from this mailing list
> and from documents herein reported. If you believe it's appropriate, it
> could be reviewed and maybe used as a starting point to eventually produce
> a RIPE NCC guide, in order to support legislators and stakeholders
> decisions; otherwise, it will be just another document about the topic! :)
>
> I share the document on Google Drive (replace FILE_ID with
> 0B2tYFe9mK9YfcGFUWkxEaldMdDg):
>
> https://drive.google.com/file/d/FILE_ID/edit?usp=sharing
>
> In case, just let me know how we can proceed with revisions.
>
> My two cents.
>
> Best regards,
>
> --
> Pier Carlo Chiodi
> http://pierky.com/aboutme
>
> The opinions expressed here represent my own and not those of any
> organization, entity or committee to which I may hold a position.
>
From pc.chiodi at gmail.com Wed Jan 22 19:34:46 2014
From: pc.chiodi at gmail.com (Pier Carlo Chiodi)
Date: Wed, 22 Jan 2014 19:34:46 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <52CC4612.2040002@gmail.com>
Message-ID: <52E00F46.7070605@gmail.com>

Hi Alain,

> First of all a very happy 2014 !

best wishes for a great new year to you and all the coop-wg members :)

> I hope you will get some useful feedback!

Goals of my draft are definitely ambitious; I hope it will be helpful to whoever wants to contribute writing a RIPE official document to support policy makers in content filtering decisions.

> Let me start by referring to a
> document Ofcom produced a while back:
> http://stakeholders.ofcom.org.uk/binaries/internet/site-blocking.pdf

Thanks for the link, I already considered that document and drew inspiration from it for some considerations; I also reported it in the "Further Reading" section of my work.

Best regards,

--
Pier Carlo Chiodi
http://pierky.com/aboutme

The opinions expressed here represent my own and not those of any organization, entity or committee to which I may hold a position.
From roland at internetpolicyagency.com Wed Jan 22 21:49:53 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Wed, 22 Jan 2014 20:49:53 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <52CC4612.2040002@gmail.com>
Message-ID:

In message , at 18:04:39 on Wed, 22 Jan 2014, Alain Van Gaever writes

> Let me start by referring to a document Ofcom produced a while back:
>http://stakeholders.ofcom.org.uk/binaries/internet/site-blocking.pdf

In case list subscribers are unaware, it is now the case that UK ISPs block access to Pirate Bay.

http://www.bbc.co.uk/news/technology-17894176
--
Roland Perry

From meredithrachel at google.com Fri Jan 24 16:46:52 2014
From: meredithrachel at google.com (Meredith Whittaker)
Date: Fri, 24 Jan 2014 10:46:52 -0500
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <52CC4612.2040002@gmail.com>
Message-ID:

Alain, Pier, all,

Apologies for my late reply to Alain's question -- this thread got buried over vacation.

I wasn't able to access Pier's document (I get a message claiming it doesn't exist). But I am really happy to see progress on this topic, and I am eager to read the draft.

I think it's right to start with maybe a more technical (specific and accurate) draft, then refine and distill to reach something legible to policymakers and others. There may also be value in producing a more technical guide to this topic that can inform those who are interested, who have the background, but who may not know the domain-specific details that could be gathered from the RIPE brain trust.

Thoughts?
Cheers,
Meredith

On Wed, Jan 22, 2014 at 3:49 PM, Roland Perry <roland at internetpolicyagency.com> wrote:

> In message mail.gmail.com>, at 18:04:39 on Wed, 22 Jan 2014, Alain Van Gaever <avangaev at gmail.com> writes
>
>> Let me start by referring to a document Ofcom produced a while back:
>> http://stakeholders.ofcom.org.uk/binaries/internet/site-blocking.pdf
>
> In case list subscribers are unaware, it is now the case that UK ISPs
> block access to Pirate Bay.
>
> http://www.bbc.co.uk/news/technology-17894176
> --
> Roland Perry
>

--
Meredith Whittaker
Program Manager, Google Research
Google NYC

From bastiaan.goslings at ams-ix.net Fri Jan 24 17:10:32 2014
From: bastiaan.goslings at ams-ix.net (Bastiaan Goslings)
Date: Fri, 24 Jan 2014 17:10:32 +0100
Subject: [cooperation-wg] 'Net neutrality just got a boost in Europe, thanks to a consumer rights committee'
Message-ID: <285E8C65-A9EC-4059-BB1C-7E155341A471@ams-ix.net>

Hi all,

FYI, maybe interesting: the Internal Market and Consumer Protection (IMCO) committee of the European Parliament released its amendments to the EC's proposed 'Connected continent' regulation. I have not read them myself yet, but according to http://gigaom.com/2014/01/23/net-neutrality-just-got-a-boost-in-europe-thanks-to-a-consumer-rights-committee/ , which includes a link to the amendments:

'As the text now stands (...), it looks very much like ISPs and content providers have lost the explicit right – included in the original proposals – to strike deals between one another for "specialized services". This doesn't mean they can't strike deals, but it does mean that ability is not entrenched in Europe-wide law. The amendments also place stricter conditions on the deals that can be struck.'

Sounds like good news?
Obviously:

'Another parliamentary committee, that for Industry, Research and Energy (ITRE), will still need to vote on Kroes's proposals on 24 February, and its members will no doubt have their own amendments. After that, it's over to the full Parliament for a plenary vote, probably in April.'

-Bastiaan

From pc.chiodi at gmail.com Fri Jan 24 18:16:17 2014
From: pc.chiodi at gmail.com (Pier Carlo Chiodi)
Date: Fri, 24 Jan 2014 18:16:17 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <52CC4612.2040002@gmail.com>
Message-ID: <52E29FE1.4010604@gmail.com>

Hello Meredith, hello all,

On 24/01/2014 16:46, Meredith Whittaker wrote:
> (I get a message claiming it
> doesn't exist). But I am really happy to see progress on this topic, and
> I am eager to read the draft.

I'm sorry for that, I pasted a URL split in two parts to prevent web crawlers from indexing the document since it's only a draft.

Here it is; please add 0B2tYFe9mK9YfcGFUWkxEaldMdDg after the "&id=" parameter:

https://docs.google.com/uc?export=download&id=

> I think it's right to start with maybe a more technical (specific and
> accurate) draft, then refine and distill to reach something legible to
> policymakers and others.

My draft is quite long, it covers a lot of topics, even if I tried to keep them as simple as possible; I think it should definitely be summarized by someone used to speaking to policymakers.

Regards,

--
Pier Carlo Chiodi
http://pierky.com/aboutme

The opinions expressed here represent my own and not those of any organization, entity or committee to which I may hold a position.
From michele at blacknight.com Sat Jan 25 03:10:47 2014
From: michele at blacknight.com (Michele Neylon - Blacknight)
Date: Sat, 25 Jan 2014 02:10:47 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To: <20140107182358.DE00A33C359@merlin.blacknight.ie>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie>
Message-ID:

Pier Carlo

I'm a bit confused by your assertions with respect to authoritative DNS.

Can you please provide examples of domains where the situation you described could exist?

Eg:
"target domain name. In fact, for the sake of redundancy, a domain name may have many
authoritative servers, spread around the world and also operated by different companies."

I can't see how that could work technically, but maybe I'm missing something - an example would be helpful

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Domains
http://www.blacknight.co/
http://blog.blacknight.com/
http://www.technology.ie
Intl. +353 (0) 59 9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845

-----Original Message-----
From: cooperation-wg-bounces at ripe.net [mailto:cooperation-wg-bounces at ripe.net] On Behalf Of Pier Carlo Chiodi
Sent: Tuesday, January 7, 2014 6:23 PM
To: cooperation-wg at ripe.net
Subject: Re: [cooperation-wg] DNS-based filtering

Dear Cooperation working group members,

On 07/11/2013 21:53, Meredith Whittaker wrote:
> With that, I would be happy to help whoever leads pull together a
> draft, but I don't have the expertise to lead drafting.
as I have already anticipated in another thread, I finally completed a document about web blocking measures for law enforcement purposes.

I tried to put together suggestions and hints taken from this mailing list and from documents herein reported. If you believe it's appropriate, it could be reviewed and maybe used as a starting point to eventually produce a RIPE NCC guide, in order to support legislators and stakeholders decisions; otherwise, it will be just another document about the topic! :)

I share the document on Google Drive (replace FILE_ID with 0B2tYFe9mK9YfcGFUWkxEaldMdDg):

https://drive.google.com/file/d/FILE_ID/edit?usp=sharing

In case, just let me know how we can proceed with revisions.

My two cents.

Best regards,

--
Pier Carlo Chiodi
http://pierky.com/aboutme

The opinions expressed here represent my own and not those of any organization, entity or committee to which I may hold a position.

From pc.chiodi at gmail.com Sat Jan 25 09:36:26 2014
From: pc.chiodi at gmail.com (Pier Carlo Chiodi)
Date: Sat, 25 Jan 2014 09:36:26 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie>
Message-ID:

> Eg:
> "target domain name. In fact, for the sake of redundancy, a domain name
> may have many
> authoritative servers, spread around the world and also operated by
> different companies."
>
> I can't see how that could work technically, but maybe I'm missing
> something - an example would be helpful

It could be a borderline case but I can think of a company which runs authoritative servers for its domain on its own and which buys a backup NS service from another company with servers out of borders.

Maybe I'm missing something too?
Thanks,

--
Pier Carlo Chiodi
http://pierky.com/aboutme

The opinions expressed here represent my own and not those of any organization, entity or committee to which I may hold a position.

From roland at internetpolicyagency.com Sat Jan 25 10:30:06 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Sat, 25 Jan 2014 09:30:06 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie>
Message-ID:

In message , at 02:10:47 on Sat, 25 Jan 2014, Michele Neylon - Blacknight writes

>I'm a bit confused by your assertions with respect to authoritative DNS.
>
>Can you please provide examples of domains where the situation you described could exist?
>
>Eg:
>"target domain name. In fact, for the sake of redundancy, a domain name may have many
>
>authoritative servers, spread around the world and also operated by different companies."

{You know all this, so there's clearly some kind of terminology issue}

Each domain is supposed to have two Name Servers (maybe we could also discuss whether that's a better, or more familiar, term to use in the text). There's no reason why they have to be adjacent either physically or on the same network (ie same AS). Best practice is supposed to be that they should be separated, although many commercial hosting companies appear not to.

An over-complicated alternative example is the domain ripe.net, which has six such servers, only one of which is on ripe-ncc's network; the others are at nic.fr, apnic.net, isc.org and arin.net.
http://mydnscheck.com/?domain=ripe.net

In the diagram on page 6 of the document (and onwards), it would assist the reader a great deal if the 'example' website in question was not something associated with IANA, because currently it gives the very strong impression that IANA is hosting everyone's authoritative servers.

I would suggest finding a suitable candidate, that isn't confusingly associated with any of the major I* organisations, with perhaps three diverse name servers. While not recommending it as the example for this paper, I note that intgovforum.org appears to have one hosting provider, with name servers on networks in Virginia, Georgia and Arizona.
--
Roland Perry

From jim at rfc1035.com Sat Jan 25 10:42:18 2014
From: jim at rfc1035.com (Jim Reid)
Date: Sat, 25 Jan 2014 09:42:18 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie>
Message-ID: <1C69BAB0-37FC-48EF-A093-ED925C5D66F7@rfc1035.com>

On 25 Jan 2014, at 02:10, Michele Neylon - Blacknight wrote:

> Can you please provide examples of domains where the situation you described could exist?
>
> Eg:
> "target domain name. In fact, for the sake of redundancy, a domain name may have many
> authoritative servers, spread around the world and also operated by different companies."
>
> I can't see how that could work technically, but maybe I'm missing something - an example would be helpful

Ever heard of zone transfer Michele? :-)

Many organisations spread DNS service for their domains across multiple providers: avoiding single points of failure and all that.
For instance many TLDs rely on a mixture of name servers they operate themselves, some provided by other TLD registries -- I'll slave your zone if you slave mine -- and others from commercial anycast providers.

It might be true that the majority of registrants just stick with whatever DNS is offered by their registrar but not all of them do that. Clueful ones certainly don't.

From roland at internetpolicyagency.com Sat Jan 25 14:04:21 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Sat, 25 Jan 2014 13:04:21 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To: <1C69BAB0-37FC-48EF-A093-ED925C5D66F7@rfc1035.com>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <1C69BAB0-37FC-48EF-A093-ED925C5D66F7@rfc1035.com>
Message-ID: <4lmnr8dVZ74SFAWz@internetpolicyagency.com>

In message <1C69BAB0-37FC-48EF-A093-ED925C5D66F7 at rfc1035.com>, at 09:42:18 on Sat, 25 Jan 2014, Jim Reid writes

>It might be true that the majority of registrants just stick with
>whatever DNS is offered by their registrar but not all of them do that.
>Clueful ones certainly don't.

For some value of "clueful". I expect the majority of registrants don't worry very much about continuity of service, nor would they even notice if their website was offline as a result (and the number who use something where an interruption might be more noticeable, like domain-based email rather than various cloud and connectivity-ISP-based email, must be an even smaller minority).

Their "clue" is more of a financial sort, where they are happy to pay a few tens of dollars a year for the less resilient service, compared to something much more expensive for the greater resilience.
That's partly why I said, earlier, that "Best practice is supposed to be that they should be separated, although many commercial hosting companies appear not to."

Then there's the issue of hosting organisations who apparently put two Name Servers in the same /24 [for our non-technical readers that's two servers on the same branch-of-a-network-with-254-usable-IP-addresses, previously called a Class C; something that typically has no connectivity redundancy, even if such a design could cope with one of the two servers failing].

This is all a subset of a general theory which states that "when Internet users became so numerous that someone gave up trying to publish an annual list of them all in a paperback book, lots of stuff changed".

{Was it 1994 - I have that book, bought in 1995... http://www.amazon.co.uk/The-Internet-White-Pages-1994/dp/1568843003 }

The best thing we as a WG can do is try to acknowledge that such changes *have* happened, that we have 2 Billion users, and when we are giving advice to Governments and Regulators it should be appropriate for a World with 2 billion users, not the 100 thousand trusted users that many clearly wish it still was. That boat sailed in 1995.
--
Roland Perry

From jim at rfc1035.com Sat Jan 25 16:54:35 2014
From: jim at rfc1035.com (Jim Reid)
Date: Sat, 25 Jan 2014 15:54:35 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To: <4lmnr8dVZ74SFAWz@internetpolicyagency.com>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <1C69BAB0-37FC-48EF-A093-ED925C5D66F7@rfc1035.com> <4lmnr8dVZ74SFAWz@internetpolicyagency.com>
Message-ID:

Roland, you seem to be going off at a tangent. If you want to continue a discussion of what a "clueful" DNS user or robust DNS service means please take it to the DNS Working Group.
Any definitions that emerge there can be fed into this WG. Assuming both WGs survive the heat death of the universe. :-)

In the context of the document we're discussing here -- DNS blocking for government and regulatory people -- the point that should be made is that DNS service for some domain does not necessarily rest with a single entity. ie all the authoritative name servers for a domain might not be under the same administrative and operational control: SLAs, reporting and incident response procedures, legal jurisdictions, contracts, T&Cs, etc.

Sent from a wee shiny thing with no keyboard that creates typos

From roland at internetpolicyagency.com Sun Jan 26 11:23:25 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Sun, 26 Jan 2014 10:23:25 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <1C69BAB0-37FC-48EF-A093-ED925C5D66F7@rfc1035.com> <4lmnr8dVZ74SFAWz@internetpolicyagency.com>
Message-ID: <9Z1mUs4dIO5SFAt8@internetpolicyagency.com>

In message , at 15:54:35 on Sat, 25 Jan 2014, Jim Reid writes

>Roland, you seem to be going off at a tangent. If you want to continue
>a discussion of what a "clueful" DNS user or robust DNS service means
>please take it to the DNS Working Group.

There's no need, the extra resilience that redundant NS brings to the table is well understood. The question remains, however, as to whether individual website owners are expected to understand the hosting products to that degree of technical detail, or should they expect the services they are buying (from people who ought to be familiar with Best Practice) to be delivered to a reasonable standard. In other words, isn't it the industry who should be clueful, on the users' behalf?
Although not immediately applicable to this document, it is however a question for governments and regulators with their "consumer protection" hats on.

>In the context of the document we're discussing here -- DNS blocking
>for government and regulatory people -- the point that should be made
>is that DNS service for some domain does not necessarily rest with a
>single entity.

A simple tool for extracting this information from the DNS would be quite helpful for non-technical readers.
--
Roland Perry

From michele at blacknight.com Sun Jan 26 16:08:24 2014
From: michele at blacknight.com (Michele Neylon - Blacknight)
Date: Sun, 26 Jan 2014 15:08:24 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To: <20140125094236.D5B9059C001@merlin.blacknight.ie>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie>
Message-ID:

Jim

Yes, but from what I've seen most people who want geographically diverse DNS these days use a service which offers it eg. Dyn or one of the other big DNS providers.

I know you're doing it for your personal domain, but that's hardly surprising :)

Registry operators - particularly ccTLDs - do this all the time, but I don't see many registrants of domains doing it anymore.

And I thought this paper was about domains more than domain registries?

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Domains
http://www.blacknight.co/
http://blog.blacknight.com/
http://www.technology.ie
Intl. +353 (0) 59 9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845

-----Original Message-----
From: Jim Reid [mailto:jim at rfc1035.com]
Sent: Saturday, January 25, 2014 9:42 AM
To: Michele Neylon - Blacknight
Cc: cooperation-wg at ripe.net
Subject: Re: [cooperation-wg] DNS-based filtering

On 25 Jan 2014, at 02:10, Michele Neylon - Blacknight wrote:

> Can you please provide examples of domains where the situation you described could exist?
>
> Eg:
> "target domain name. In fact, for the sake of redundancy, a domain
> name may have many authoritative servers, spread around the world and also operated by different companies."
>
> I can't see how that could work technically, but maybe I'm missing
> something - an example would be helpful

Ever heard of zone transfer Michele? :-)

Many organisations spread DNS service for their domains across multiple providers: avoiding single points of failure and all that.

For instance many TLDs rely on a mixture of name servers they operate themselves, some provided by other TLD registries -- I'll slave your zone if you slave mine -- and others from commercial anycast providers.

It might be true that the majority of registrants just stick with whatever DNS is offered by their registrar but not all of them do that. Clueful ones certainly don't.
From roland at internetpolicyagency.com Sun Jan 26 17:27:11 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Sun, 26 Jan 2014 16:27:11 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie>
Message-ID:

In message , at 15:08:24 on Sun, 26 Jan 2014, Michele Neylon - Blacknight writes

>Registry operators - particularly ccTLDs - do this all the time, but
>I don't see many registrants of domains doing it anymore.

What we have to decide for the purposes of this paper is how often/likely the scenario occurs when the authorities want to block such a domain. If it is no longer happening, raising the possibility only confuses the paper. Perhaps they are using other techniques as well, such as fast flux.

Of course, it's possible that there are numerous small/medium/large enterprises (be they of criminal intent or otherwise) with multiply-redundant NS; even if members of the public almost never have the benefit for their personal websites.

>And I thought this paper was about domains more than domain registries?

Yes, which is why the paper should positively avoid the inclusion of confusing examples such as domains operated by I* entities.
-- 
Roland Perry

From paf at frobbit.se Sun Jan 26 18:07:20 2014
From: paf at frobbit.se (Patrik Fältström)
Date: Sun, 26 Jan 2014 18:07:20 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To: <52CC4612.2040002@gmail.com>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <52CC4612.2040002@gmail.com>
Message-ID: <103860A9-6D8B-4A0E-898A-A96AB8C3B62E@frobbit.se>

On 7 jan 2014, at 19:23, Pier Carlo Chiodi wrote:

> Dear Cooperation working group members,
>
> On 07/11/2013 21:53, Meredith Whittaker wrote:
>> With that, I would be happy to help whoever leads pull together a draft,
>> but I don't have the expertise to lead drafting.
>
> as I have already anticipated in another thread, I finally completed a document about web blocking measures for law enforcement purposes.
>
> I tried to put together suggestions and hints taken from this mailing list and from documents herein reported. If you believe it's appropriate, it could be reviewed and maybe used as a starting point to eventually produce a RIPE NCC guide, in order to support legislators and stakeholders decisions; otherwise, it will be just another document about the topic! :)
>
> I share the document on Google Drive (replace FILE_ID with 0B2tYFe9mK9YfcGFUWkxEaldMdDg):
>
> https://drive.google.com/file/d/FILE_ID/edit?usp=sharing
>
> In case, just let me know how we can proceed with revisions.

This has taken some time, but I have now read the document.

I like this.

   Patrik

From pc.chiodi at gmail.com Sun Jan 26 18:12:34 2014
From: pc.chiodi at gmail.com (Pier Carlo Chiodi)
Date: Sun, 26 Jan 2014 18:12:34 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie>
Message-ID: <52E54202.6030002@gmail.com>

On 26/01/2014 17:27, Roland Perry wrote:
> In message
> , at
> 15:08:24 on Sun, 26 Jan 2014, Michele Neylon - Blacknight
> writes
>
>> And I thought this paper was about domains more than domain registries?

Well, actually both of them are covered in my draft.

>
> Yes, which is why the paper should positively avoid the inclusion of
> confusing examples such as domains operated by I* entities.

Within the document I used the example.com domain just to give readers a name which was "neutral" and easy to remember; my intention was not to use the example.com "technical background" such as the real NSs operated by IANA.

Anyway if you believe that it could confuse more expert readers it can be replaced with another, as suggested by Roland. In this case maybe it could be useful to find as many sample domains as the cases covered by the document, each domain reflecting the specific technical configuration each time described. My only fear is that this may lead to a more difficult reading for non-expert people (who are the real audience).

-- 
Pier Carlo Chiodi
http://pierky.com/aboutme

The opinions expressed here represent my own and not those of any organization, entity or committee to which I may hold a position.
From paf at frobbit.se Sun Jan 26 18:12:48 2014
From: paf at frobbit.se (Patrik Fältström)
Date: Sun, 26 Jan 2014 18:12:48 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie>
Message-ID:

On 25 jan 2014, at 03:10, Michele Neylon - Blacknight wrote:

> I'm a bit confused by your assertions with respect to authoritative DNS.
>
> Can you please provide examples of domains where the situation you described could exist?
>
> Eg:
> "target domain name. In fact, for the sake of redundancy, a domain name may have many
>
> authoritative servers, spread around the world and also operated by different companies."
>
> I can't see how that could work technically, but maybe I'm missing something - an example would be helpful

Let me take a step back here, because I think the confusion is a terminology issue.

Using DNS-speak, an authoritative server is a name server that has the zone file. Either by having it "edited locally" (primary) or fetched using zone transfer (secondary). Both of these classes of name servers are authoritative.

The alternative is caching servers, that do not store the resource record sets given back longer than the TTL on the RR-Set that is received when a query is sent either to an authoritative server or to a caching server (recursive resolver).

A special set of authoritative servers are the ones NS records (in the parent zone) refer to.

So, Michele, it is in fact quite normal to have more than one authoritative server. All domain names that have more than one NS record referring to them have more than one.

Because of this, I do not think we disagree on functionality. We just disagree on words(*).
   Patrik

(*) Frank Zappa on Crossfire about "words"

From paf at frobbit.se Sun Jan 26 18:17:53 2014
From: paf at frobbit.se (Patrik Fältström)
Date: Sun, 26 Jan 2014 18:17:53 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie>
Message-ID:

On 26 jan 2014, at 17:27, Roland Perry wrote:

>> And I thought this paper was about domains more than domain registries?
>
> Yes, which is why the paper should positively avoid the inclusion of confusing examples such as domains operated by I* entities.

My view is that a paper should include example domain names that are defined to be example domain names. See RFC2606 / RFC6761 (i.e. BCP32). I.e. I think the author of this document has done the right thing.

   Patrik

From roland at internetpolicyagency.com Sun Jan 26 18:30:30 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Sun, 26 Jan 2014 17:30:30 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To: <52E54202.6030002@gmail.com>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie> <52E54202.6030002@gmail.com>
Message-ID:

In message <52E54202.6030002 at gmail.com>, at 18:12:34 on Sun, 26 Jan 2014, Pier Carlo Chiodi writes

>>the paper should positively avoid the inclusion of
>> confusing examples such as domains operated by I* entities.
>
>Within the document I used the example.com domain just to give readers
>a name which was "neutral" and easy to remember;

I understand both of those criteria, but it's not a suitable one to use for the reasons I've given.

>my intention was not to use the example.com "technical background" such
>as the real NSs operated by IANA.

Except your diagrams quote "a.iana-servers.net" as the NS, which is where the potential for great confusion kicks in.

>Anyway if you believe that it could confuse more expert readers

No, it confuses the inexpert readers (who ought to be our primary audience - the experts know most of what's in the paper already).

>it can be replaced with another, as suggested by Roland. In this case
>maybe it could be useful to find as many sample domains as the cases
>covered by the document, each domain reflecting the specific technical
>configuration each time described. My only fear is that this may lead
>to a more difficult reading for non-expert people (who are the real
>audience).
I think a suitably-chosen example would be much less difficult for the non-experts (they won't go away with the impression that IANA runs everyone's NS).

Choosing an example isn't easy (if it was, I'd have suggested one already). In a perfect world we'd have Ripe-NCC set up a dedicated one with the desired characteristics for us. (Something like target-domain.org, with three NS in different parts of the world, none of them on I* networks.)
-- 
Roland Perry

From roland at internetpolicyagency.com Sun Jan 26 18:32:07 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Sun, 26 Jan 2014 17:32:07 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie>
Message-ID:

In message , at 18:17:53 on Sun, 26 Jan 2014, Patrik Fältström writes

>> Yes, which is why the paper should positively avoid the inclusion of confusing examples such as domains operated by I* entities.
>
>My view is that a paper should include example domain names that are defined to be example domain names.

As someone who is a specialist in writing documentation for non-technical audiences, I disagree strongly. This is not an rfc, it's something that's trying to explain how the world works.
-- 
Roland Perry

From pc.chiodi at gmail.com Mon Jan 27 18:38:59 2014
From: pc.chiodi at gmail.com (Pier Carlo Chiodi)
Date: Mon, 27 Jan 2014 18:38:59 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie> <52E54202.6030002@gmail.com>
Message-ID: <52E699B3.9050807@gmail.com>

On 26/01/2014 18:30, Roland Perry wrote:
>> my intention was not to use the example.com "technical background"
>> such as the real NSs operated by IANA.
>
> Except your diagrams quote "a.iana-servers.net" as the NS, which is
> where the potential for great confusion kicks in.

That's right, the diagram on page 6 uses the real authoritative nameservers for example.com, because there I show how example.com really works.

In the rest of the document I used example.com in other scenarios too, many of them fictitious (blog.example.com, criminal.example.com), just for the purpose of describing the specific situation.

> I think a suitably-chosen example would be much less difficult for the
> non-experts (they won't go away with the impression that IANA runs
> everyone's NS).

Would not this just move the problem toward the new domain's registry and NSs? If the impression that the document gives is this, maybe something else should be changed too.

> Choosing an example isn't easy (if it was, I'd have suggested one
> already). In a perfect world we'd have Ripe-NCC set up a dedicated one
> with the desired characteristics for us. (Something like
> target-domain.org, with three NS in different parts of the world, none
> of them on I* networks.)

RIPE-NCC members' feedback would be greatly appreciated on that!
:)

P.S.: in the meanwhile I fixed two typos on diagrams of page 13 and 15: blog.example.com instead of blog.www.example.com.

-- 
Pier Carlo Chiodi
http://pierky.com/aboutme

The opinions expressed here represent my own and not those of any organization, entity or committee to which I may hold a position.

From roland at internetpolicyagency.com Tue Jan 28 13:25:58 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Tue, 28 Jan 2014 12:25:58 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To: <52E699B3.9050807@gmail.com>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie> <52E54202.6030002@gmail.com> <52E699B3.9050807@gmail.com>
Message-ID: <9b3G0QgWH65SFAN9@internetpolicyagency.com>

In message <52E699B3.9050807 at gmail.com>, at 18:38:59 on Mon, 27 Jan 2014, Pier Carlo Chiodi writes

>>> my intention was not to use the example.com "technical background"
>>> such as the real NSs operated by IANA.
>>
>> Except your diagrams quote "a.iana-servers.net" as the NS, which is
>> where the potential for great confusion kicks in.
>
>That's right, the diagram on page 6 uses the real authoritative
>nameservers for example.com, because there I show how really
>example.com
>works.

I'm reminded of the confusion between "root servers" and "route servers" which has beleaguered many a debate about Internet governance (and has reared its ugly head on '1net' in only the last few days). The issue of USA control over IANA, and the potential implication of a single point of failure, means I am extremely concerned about giving even the slightest [mistaken] impression that anyone's NS are located at IANA [other than a handful of I* community sites of course].
>In the rest of the document I used the example.com in other scenarios
>too, many of them fictitious (blog.example.com, criminal.example.com),
>just for the purpose of describing the specific situation.
>
>> I think a suitably-chosen example would be much less difficult for the
>> non-experts (they won't go away with the impression that IANA runs
>> everyone's NS).
>
>Would not this just move the problem toward the new domain's registry
>and NSs? If the impression that the document gives is this, maybe
>something else should be changed too.

One solution would be using an obviously fictional set of domains for the name servers. I'm not sure how many readers will be reaching for their DNS-tools to see if they got "real" results. Perhaps we could use something like example-network-A.com, example-network-B.com, example-network-C.com as the Name Server host networks.

ps And on another topic, might it be useful to include some indication of how practical some of the circumvention methods you describe might be on a tablet/smartphone (rather than a desktop PC)? I realise that if users of *some* legacy systems can employ circumvention it's still a problem, but the migration to mobile platforms is rapid and significant, and they are much less susceptible to user customisation. On my Android phone, for example, I can't even see a way to change it from DHCP (which I assume it's using) to a fixed DNS server of *my* choice. I imagine an iPhone or iPad is the same.
-- 
Roland Perry

From jim at rfc1035.com Tue Jan 28 13:51:14 2014
From: jim at rfc1035.com (Jim Reid)
Date: Tue, 28 Jan 2014 12:51:14 +0000
Subject: [cooperation-wg] Clueful DNS from a public policy perspective
In-Reply-To: <9Z1mUs4dIO5SFAt8@internetpolicyagency.com>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <1C69BAB0-37FC-48EF-A093-ED925C5D66F7@rfc1035.com> <4lmnr8dVZ74SFAWz@internetpolicyagency.com> <9Z1mUs4dIO5SFAt8@internetpolicyagency.com>
Message-ID: <64D1E31C-E56C-4ECE-8198-EE607AC216E9@rfc1035.com>

On 26 Jan 2014, at 10:23, Roland Perry wrote:

> In other words, isn't it the industry who should be clueful, on the users' behalf? Although not immediately applicable to this document, it is however a question for governments and regulators with their "consumer protection" hats on.

I'm not sure it is Roland. In a regulatory/government context, DNS concerns will mainly be about "core infrastructure": ie are the root and TLD name servers operated robustly and responsibly; how do I know that; what contingency measures are needed if there's a catastrophic failure; and who do I call when there's a problem.

For the general public, I'd expect most governments and regulators would look to market forces to solve the issues around DNS robustness, just like they tend to rely on market forces to deal with the good and bad ISPs/hosting companies/registrars/etc. Some punters will pay a premium to get a better, more robust service. Others won't. Some domains must have bulletproof DNS service, others don't. That's how it should be.

There might be some second-order effects that do raise consumer protection issues and possibly others such as data protection, national sovereignty, etc. [For instance, ISPs who do NXDOMAIN rewriting => present barriers to DNSSEC roll-out.
Or the use of overseas resolving services.] However these are not about the provision of clueful or clueless DNS service per se.

From jim at rfc1035.com Tue Jan 28 14:02:34 2014
From: jim at rfc1035.com (Jim Reid)
Date: Tue, 28 Jan 2014 13:02:34 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie>
Message-ID:

On 26 Jan 2014, at 15:08, Michele Neylon - Blacknight wrote:

> And I thought this paper was about domains more than domain registries?

Indeed it is. However the point I made remains. So I repeat it:

DNS service for some domain does not necessarily rest with a single entity. ie all the authoritative name servers for a domain might not be under the same administrative and operational control: SLAs, reporting and incident response procedures, legal jurisdictions, contracts, T&Cs, etc.

Even if all the names you manage for your customers are on Blacknight's DNS servers Michele, it doesn't follow that every domain name registration with every other registrar follows that model.

A government or regulator who is thinking about deploying DNS filtering/blocking or whatever needs to bear that in mind.
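The point Jim restates above (and Patrik's earlier note that the NS records in the parent zone name the authoritative servers, and Roland's wish for "a simple tool for extracting this information from the DNS") can be checked mechanically: take the NS set for a domain and group the name-server hosts by the organisation that operates them. The script below is an added example written for this archive, not code from the working group, from Pier's document or from any RIPE NCC tool. It runs on a constructed, dig-style NS answer for the fictional target-domain.example (the .example TLD is reserved by RFC 2606, following Patrik's and Roland's suggestions), and its "operator" grouping is a heuristic on the name server's registrable domain, with a small stand-in for the Public Suffix List, rather than a real suffix lookup.

```python
"""Group a domain's authoritative name servers by the organisation that
operates them, to show whether DNS service for the domain rests with a
single entity.

Added example for this thread, not code from the working group or from
Pier's document. All NS records below are CONSTRUCTED sample data; in
practice the answer section of `dig NS <domain>` would be fed in.
"""
import re
from collections import defaultdict

# Constructed sample: one target domain (in the RFC 2606 reserved
# .example TLD) with four NS records spread over three operators: the
# registrar's own servers, a commercial anycast provider and a partner
# organisation in another jurisdiction.
SAMPLE_MULTI_OPERATOR = """\
; constructed dig-style answer section, not real DNS data
target-domain.example.   3600  IN  NS  ns1.registrar-dns.example.
target-domain.example.   3600  IN  NS  ns2.registrar-dns.example.
target-domain.example.   3600  IN  NS  a.anycast-provider.example.
target-domain.example.   3600  IN  NS  ns.partner-org.co.uk.
"""

# Constructed sample: the common registrant case, every NS at one provider.
SAMPLE_SINGLE_OPERATOR = """\
other-domain.example.   3600  IN  NS  ns1.registrar-dns.example.
other-domain.example.   3600  IN  NS  ns2.registrar-dns.example.
"""

# Labels under a two-letter ccTLD beneath which the registrable name sits
# one label deeper (e.g. partner-org.co.uk). A deliberately small stand-in
# for the Public Suffix List; a real tool would use the full list.
SECOND_LEVEL_SUFFIXES = {"co", "com", "net", "org", "ac", "gov", "edu"}

NS_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$", re.IGNORECASE)


def parse_ns_answer(text):
    """Return a list of (owner, nameserver) pairs from dig-style NS lines.

    Comment lines (';') and blank lines are skipped; trailing dots and
    letter case are normalised so that equal names compare equal.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = NS_RECORD.match(line)
        if match:
            owner = match.group(1).rstrip(".").lower()
            nameserver = match.group(2).rstrip(".").lower()
            records.append((owner, nameserver))
    return records


def operator_of(nameserver):
    """Heuristic registrable domain of a name server host (its operator)."""
    labels = nameserver.split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in SECOND_LEVEL_SUFFIXES):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def operators(ns_answer):
    """Map each operator to the sorted list of its name servers."""
    groups = defaultdict(list)
    for _owner, nameserver in parse_ns_answer(ns_answer):
        groups[operator_of(nameserver)].append(nameserver)
    return {op: sorted(hosts) for op, hosts in groups.items()}


def single_entity(ns_answer):
    """True when every authoritative server sits with one operator."""
    return len(operators(ns_answer)) <= 1


def report(ns_answer):
    """Human-readable summary for a non-technical reader."""
    groups = operators(ns_answer)
    total = sum(len(hosts) for hosts in groups.values())
    lines = [f"{total} name server(s) operated by {len(groups)} organisation(s):"]
    for op in sorted(groups):
        lines.append(f"  {op}: {', '.join(groups[op])}")
    if len(groups) > 1:
        lines.append("  -> a blocking request for this domain involves more than one party")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MULTI_OPERATOR))
    print()
    print(report(SAMPLE_SINGLE_OPERATOR))
```

Two things the grouping deliberately does not capture, which a regulator reading the output should keep in mind: a name server host under one registrable domain can still be run on a third party's anycast network under contract, and the NS set in the parent zone can differ from the NS set published inside the child zone, so both should be queried before concluding who is actually operating service for a domain.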
From roland at internetpolicyagency.com Tue Jan 28 15:09:22 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Tue, 28 Jan 2014 14:09:22 +0000
Subject: [cooperation-wg] Clueful DNS from a public policy perspective
In-Reply-To: <64D1E31C-E56C-4ECE-8198-EE607AC216E9@rfc1035.com>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <1C69BAB0-37FC-48EF-A093-ED925C5D66F7@rfc1035.com> <4lmnr8dVZ74SFAWz@internetpolicyagency.com> <9Z1mUs4dIO5SFAt8@internetpolicyagency.com> <64D1E31C-E56C-4ECE-8198-EE607AC216E9@rfc1035.com>
Message-ID:

In message <64D1E31C-E56C-4ECE-8198-EE607AC216E9 at rfc1035.com>, at 12:51:14 on Tue, 28 Jan 2014, Jim Reid writes

>For the general public, I'd expect most governments and regulators would
>look to market forces to solve the issues around DNS robustness, just
>like they tend to rely on market forces to deal with the good and bad
>ISPs/hosting companies/registrars/etc. Some punters will pay a premium
>to get a better, more robust service. Others won't.

I agree that many governments and regulators don't currently address the issue of deficient service from telecoms providers. The first step is for there to be an acknowledgement that such a thing as deficient service exists (for example is a provision of one non-redundant NS in any sense "fit for purpose", let alone "complying with industry best practice").

If we can agree (here on this list) that there are many telecoms providers who either lack clue because they've cut costs by employing clueless staff, or have taken a commercial decision to deliver a clueless service, then that's one small step on our long journey.

I imagine that such deficiencies are as frustrating to conscientious service providers as they are to the public, as it tends to create a "race to the bottom".
-- 
Roland Perry

From meredithrachel at google.com Tue Jan 28 23:42:17 2014
From: meredithrachel at google.com (Meredith Whittaker)
Date: Tue, 28 Jan 2014 17:42:17 -0500
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie>
Message-ID:

Echoing Patrik, I too just got a chance to read Pier's document carefully, and I, too, like it :) In fact, a moment of congratulations and thanks to Pier for striking out and pulling together something comprehensive! The structure is really good, and the lively debate on this thread indicates that the work here is on the right path.

With that, I have one high-level, two-paragraph comment that I hope adds to the discussion.

I would suggest removing the target audience -- here started as law enforcement and governments -- and dedicating this work more broadly to anyone who's interested in this topic and would like a basic understanding of mechanisms and approaches used by *whoever* to block or prevent access to content. This expands the document a bit, but I think presents a clearer conceptual framework: how do actors that want to block content go about doing it, from asking ISPs to block specific IP addresses, to DDOS attacks, to whatever in between. What are the technical means, good or bad?

In that spirit, while I think you've done an admirable job staying away from ascribing a value to specific acts of content blocking/filtering, I would suggest pruning even further. Page 8 and 9 suggest means of using these techniques for "preventing access to illicit content."
I would suggest removing this section -- these same technical means are used both to prevent access to child pornography (the canonical example), and to silence political speech and quiet debate that threatens those in power, &c. Insofar as this is a document focused on the means, not the ends, speculating on "good" vs. "bad" modes of filtering/blocking, even implicitly, leads quickly to our having to justify one or another ethical viewpoints, and I think confuses the clarity of the document.

At this stage, I would suggest thinking of others we might want to bring into the discussion. Are there folks who have experience here and could add more detail? Do we want to expand on specific modes of blocking (DPI/filtering boxes, and their similarities and differences, for example)? In my view it's always good to add as much as possible in the beginning, ensuring that everything is covered, then remove and distill during the editing process. (And, as before, I'm more than happy to help with editing.)

Cheers, and thanks again,
Meredith

On Tue, Jan 28, 2014 at 8:02 AM, Jim Reid wrote:

> On 26 Jan 2014, at 15:08, Michele Neylon - Blacknight <
> michele at blacknight.com> wrote:
>
> > And I thought this paper was about domains more than domain registries?
>
> Indeed it is. However the point I made remains. So I repeat it:
>
> DNS service for some domain does not necessarily rest with a single
> entity. ie all the authoritative name servers for a domain might not be
> under the same administrative and operational control: SLAs, reporting and
> incident response procedures, legal jurisdictions, contracts, T&Cs, etc.
>
> Even if all the names you manage for your customers are on Blacknight's
> DNS servers Michele, it doesn't follow that every domain name registration
> with every other registrar follows that model.
>
> A government or regulator who is thinking about deploying DNS
> filtering/blocking or whatever needs to bear that in mind.
-- 
Meredith Whittaker
Program Manager, Google Research
Google NYC

From pc.chiodi at gmail.com Wed Jan 29 22:17:45 2014
From: pc.chiodi at gmail.com (Pier Carlo Chiodi)
Date: Wed, 29 Jan 2014 22:17:45 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To: <9b3G0QgWH65SFAN9@internetpolicyagency.com>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie> <52E54202.6030002@gmail.com> <52E699B3.9050807@gmail.com> <9b3G0QgWH65SFAN9@internetpolicyagency.com>
Message-ID: <52E96FF9.4050200@gmail.com>

> I am extremely concerned about giving even the
> slightest [mistaken] impression that anyone's NS are located at IANA
> [other than a handful of I* community sites of course].

I understand your concerns; if we want to replace example.com IMHO we must find a couple of suitable, short and easy names, maybe also fictional, and use them to label the target domain and its authoritative servers.

Can we use something on the ripe.net zone?

> Perhaps we could use something like example-network-A.com,
> example-network-B.com, example-network-C.com as the Name Server host
> networks.

They could be valid but I'm afraid that they are too long and too similar.

> I realise that if users of *some* legacy systems can employ
> circumvention it's still a problem, but the migration to mobile
> platforms is rapid and significant, and they are much less susceptible
> to user customisation.

While providing a mobile-focused overview may be a good idea, I think that we should not suggest governors and lawmakers to positively judge a blocking measure just because it's not easy to circumvent on some devices (and that's not totally true too - please see below).
I think we should pursue a globally valid criterion and we must avoid recommendations based only on difficulties that users may encounter to bypass blocking systems. Moreover, most of the issues I can see are not related to the efficacy of blocking measures, but to damage and side effects that they imply.

> On my Android phone, for example, I can't even see a way to change it
> from DHCP (which I assume it's using) to a fixed DNS server of *my*
> choice. I imagine an iPhone or iPad is the same.

On your wifi network you can change your DHCP server configuration and send them your preferred DNS servers. An app to change DNS on Android and an iPhone guide follow; I can't tell you if they work, but from a quick search on Google it seems that's not so hard to change configurations on mobile devices. Also VPNs are easy to setup on both systems.

https://play.google.com/store/apps/details?id=uk.co.mytechie.setDNS
http://www.macinstruct.com/node/558

-- 
Pier Carlo Chiodi
http://pierky.com/aboutme

The opinions expressed here represent my own and not those of any organization, entity or committee to which I may hold a position.

From pc.chiodi at gmail.com Wed Jan 29 22:19:34 2014
From: pc.chiodi at gmail.com (Pier Carlo Chiodi)
Date: Wed, 29 Jan 2014 22:19:34 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie>
Message-ID: <52E97066.9010906@gmail.com>

> The structure is really
> good, and the lively debate on this thread indicates that the work here
> is on the right path.

Thanks for your feedback Meredith, greatly appreciated.
My hope is that, thanks to our work, RIPE can soon have its own document to support governments in outlining pros and cons of various content filtering methods and, above all, to help them in understanding limits [1] and collateral damage that most of the currently deployed measures have.

>
> With that, I have one high-level, two-paragraph comment that I hope adds
> to the discussion.
>
> I would suggest removing the target audience --

That's right, also the title ("An analysis on web filtering methods for law enforcement purposes") should be changed ;-)

> Page 8 and
> 9 suggest means of using these techniques for "preventing access to
> illicit content." I would suggest removing this section [...]

> Insofar as this
> is a document focused on the means, not the ends, speculating on
> "good" vs. "bad" modes of filtering/blocking, even implicitly, leads
> quickly to our having to justify one or another ethical viewpoints

Perhaps changing it rather than removing it may have the same effect. "Illicit content" could be changed to "unwanted"/"undesired" and something like the introduction of [2] may be used to depict the scope of application. Since I wrote the whole text considering only the law enforcement perspective, as soon as I can I will review the whole document to have a more clear idea of changes to bring in in order to make it detached from any ethical viewpoint.

> At this stage, I would suggest thinking of others we might want to bring
> into the discussion.

It may be useful to bring in both technical and non-technical people. Innocenzo Genna [3] might get involved: I don't know him well, I just follow his blog [4], but, as far as I can see, he recently participated in the November coop-wg meeting with EU Parliament and he's active in the tlc and internet regulation & policies areas. He might offer a non strictly technical point of view about our work. Do you think he could be of help for the cause?
[1] It looks like someone is already realizing them - https://publicaffairs.linx.net/news/?p=10264&utm_source=rss&utm_medium=rss&utm_campaign=dutch-appeal-court-removes-pirate-bay-block
[2] "Technical Considerations for Internet Service Blocking and Filtering" - http://tools.ietf.org/html/draft-iab-filtering-considerations-05
[3] "Innocenzo is an expert of European regulation and policy in the areas of Internet and telecommunications" - http://www.innocenzogenna.com/en/bio.php
[4] http://radiobruxelleslibera.wordpress.com/

--
Pier Carlo Chiodi
http://pierky.com/aboutme
The opinions expressed here represent my own and not those of any organization, entity or committee to which I may hold a position.

From roland at internetpolicyagency.com Thu Jan 30 11:10:47 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Thu, 30 Jan 2014 10:10:47 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To: <52E96FF9.4050200@gmail.com>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie> <52E54202.6030002@gmail.com> <52E699B3.9050807@gmail.com> <9b3G0QgWH65SFAN9@internetpolicyagency.com> <52E96FF9.4050200@gmail.com>
Message-ID:

In message <52E96FF9.4050200 at gmail.com>, at 22:17:45 on Wed, 29 Jan 2014, Pier Carlo Chiodi writes

>> I am extremely concerned about giving even the
>> slightest [mistaken] impression that anyone's NS are located at IANA
>> [other than a handful of I* community sites of course].
>
>I understand your concerns; if we want to replace example.com IMHO we
>must find a couple of suitable, short and easy names, maybe also
>fictional, and use them to label the target domain and its
>authoritative servers.
>
>Can we use something on the ripe.net zone?
It seems unlikely that such a domain would have nameservers outside the I* community, and many (I have looked) have six or more NS, which is also a bit unusual and potentially giving the wrong impression.

(And if you mean literally within the ripe.net zone, I already noted that it has six NS, located at RIPE-NCC and at I* colleagues: nic.fr, apnic.net, isc.org and arin.net)

--
Roland Perry

From roland at internetpolicyagency.com Thu Jan 30 13:59:29 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Thu, 30 Jan 2014 12:59:29 +0000
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To: <52E96FF9.4050200@gmail.com>
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie> <52E54202.6030002@gmail.com> <52E699B3.9050807@gmail.com> <9b3G0QgWH65SFAN9@internetpolicyagency.com> <52E96FF9.4050200@gmail.com>
Message-ID:

In message <52E96FF9.4050200 at gmail.com>, at 22:17:45 on Wed, 29 Jan 2014, Pier Carlo Chiodi writes

>While providing a mobile-focused overview may be a good idea...

I just think the paper should be as platform-independent as possible. Currently it's very desktop-centric. And don't forget there are now SmartTVs with browsers in.

>> On my Android phone, for example, I can't even see a way to change it
>> from DHCP (which I assume it's using) to a fixed DNS server of *my*
>> choice. I imagine an iPhone or iPad is the same.
>
>On your wifi network you can change your DHCP server configuration and
>send them your preferred DNS servers.

That's true, although if it's a family home installation not all the users may have the password to tinker with the router.
In the UK (at least) 1GB a month data bundled with a phone is commonplace, and with public/guest wifi everywhere, a mobile user may not be hooked into their home wifi very much at all.

>An app to change DNS on Android and an iPhone guide follow; I can't
>tell you if they work,

I have an Android phone that I use exclusively for such experiments :)

>but from a quick search on Google it
>seems that's not so hard to change configurations on mobile devices.
>Also VPNs are easy to setup on both systems.
>
>https://play.google.com/store/apps/details?id=uk.co.mytechie.setDNS

That's an App for changing DNS, and requires a rooted phone (are "we" in general in favour of requiring rooted phones for things... and installing Apps like this which demand SuperUser status?) for anything except wifi connections. Having installed it, and unless I'm being especially dense, it only seems to allow replacing your current DNS with Google's (8.8.8.8 & 8.8.4.4) but in principle a different [or perhaps their paid-for?] app could be more accommodating.

>http://www.macinstruct.com/node/558

"these instructions only work for Wi-Fi connections - iOS does not allow you to change the DNS servers when connected to cellular networks."

But it works on iPads too (I tried it).
--
Roland Perry

From pk at ISOC.DE Thu Jan 30 16:34:55 2014
From: pk at ISOC.DE (Peter Koch)
Date: Thu, 30 Jan 2014 16:34:55 +0100
Subject: [cooperation-wg] benefits of walled gardens [DNS-based filtering]
In-Reply-To: <9b3G0QgWH65SFAN9@internetpolicyagency.com>
References: <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie> <52E54202.6030002@gmail.com> <52E699B3.9050807@gmail.com> <9b3G0QgWH65SFAN9@internetpolicyagency.com>
Message-ID: <20140130153455.GV22148@x28.adm.denic.de>

On Tue, Jan 28, 2014 at 12:25:58PM +0000, Roland Perry wrote:

> I realise that if users of *some* legacy systems can employ
> circumvention it's still a problem, but the migration to mobile
> platforms is rapid and significant, and they are much less susceptible
> to user customisation.

that's probably true, but I'm not sure what follows in the context of this group. The return of walled gardens and gated access to Internet infrastructure - incumbents' dark desires - appear part of the problem rather than of the solution to me - even if that happens by customer "demand".

-Peter

From pk at ISOC.DE Thu Jan 30 17:04:06 2014
From: pk at ISOC.DE (Peter Koch)
Date: Thu, 30 Jan 2014 17:04:06 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie>
Message-ID: <20140130160406.GW22148@x28.adm.denic.de>

I've read the document and think it's a very good start, but needs a small amount of work.
On Tue, Jan 28, 2014 at 05:42:17PM -0500, Meredith Whittaker wrote:

> I would suggest removing the target audience -- here started as law
> enforcement and governments -- and dedicating this work more broadly to
> anyone who's interested in this topic and would like a basic understanding

so, this paragraph in the draft was one that I like very much because it is forgotten too often and helps focus the document. It also frames expectations on the side of the reader.

> to content. This expands the document a bit, but I think presents a clearer

Speaking of that: 27 pages is _huge_, I'd hope the final result had no more than, say, 10.

> to prevent access to child pornography (the canonical example), and to
> silence political speech and quiet debate that threatens those in power,
> &c. Insofar as this is a document focused on the means, not the ends,
> speculating on "good" vs. "bad" modes of filtering/blocking, even
> implicitly, leads quickly to our having to justify one or another ethical
> viewpoints, and I think confuses the clarity of the document.

seconded. Also, the actors (LEA in this case) could better be left away. It's not important for the method who's asking/ordering/threatening/volunteering.

> more detail? Do we want to expand on specific modes of blocking
> (DPI/filtering boxes, and their similarities and differences, for example)?

The draft could benefit from a terminology pass sooner than later. We've already had some debate about "authoritative servers", where that was meant to be registrations at the second (or third, for that matter) level.

I'd also suggest to skip the part about domain name "takedowns". It has similar side effects but is really different from filtering.

Speaking of side effects, the language chosen in that section sounds tentative and defensive to me ("may", "could be"). While applicable in an academic debate, the other party is absolutely undoubtful about their doing the Right Thing.
While at it, I'd not support the myth that DNSSEC and suppressing DNS responses are incompatible. While the changes applied are either detected and suppressed by the validating resolver or injected at that very place (again, the ISP), the result usually is either you receive the government enhanced response with the seal of the validator or you get an error response, in which case the end user still can't access the site.

Careful with the risk assessments:

DNS blocking techniques may be used to defeat cybercrime too, by blocking those domain names which are dedicated to frauds, phishing or malware distribution (viruses, trojans, #). If users decide to change their device configuration and use public open resolvers to access (over-) blocked content any local anti-cybercrime activity is vanished.

Sounds either like an encouragement to restrict/regulate access to alternative resolution mechanisms or like a "then don't do that".

Finally, again on wording, apologies, we should not call the mechanisms "content filtering" because all they do is fiddling with levels of indirection that mediate access to the content rather than the content itself. To that extent, referring to the DNS as the "phone book" has helped quite a couple of times. People understand that de-listing does not make the number inaccessible. YMMV. I thought CENTR had something, but all I can dig out is .

-Peter

PS: my contribution to the bikeshed part of the debate: for diversity, but especially in a European context, we could use something other than the COM gTLD in the examples. That's even more important for those parts that I suggested to skip, since it will emphasize that ICANN is not in the game in many cases.

PPS: thanks, Pier Carlo, for taking the initiative!
From leo.vegoda at icann.org Thu Jan 30 17:20:04 2014
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Thu, 30 Jan 2014 08:20:04 -0800
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To:
References: <80951A6D-89DE-4C4B-A6DB-B4516EDFA9D9@ucd.ie> <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie> <52E54202.6030002@gmail.com> <52E699B3.9050807@gmail.com> <9b3G0QgWH65SFAN9@internetpolicyagency.com> <52E96FF9.4050200@gmail.com>
Message-ID: <5648A8908CCB564EBF46E2BC904A75B19684A12136@EXVPMBX100-1.exc.icann.org>

Roland Perry wrote:

[...]

> >Can we use something on the ripe.net zone?
>
> It seems unlikely that such a domain would have nameservers outside the
> I* community, and many (I have looked) have six or more NS, which is
> also a bit unusual and potentially giving the wrong impression.
>
> (And if you mean literally within the ripe.net zone, I already noted
> that it has six NS, located at RIPE-NCC and at I* colleagues: nic.fr,
> apnic.net, isc.org and arin.net)

In a former job we wanted an example domain for use in marketing material, so we registered one but never used it. I checked just now: the domain is still registered to the successor business. If a commercial organisation can keep a domain registered for 17 years following an aborted marketing campaign I am confident that people in this community could register and maintain a domain for use in educational material for as long as the material remains relevant.

Regards,

Leo Vegoda
From roland at internetpolicyagency.com Thu Jan 30 20:40:03 2014
From: roland at internetpolicyagency.com (Roland Perry)
Date: Thu, 30 Jan 2014 19:40:03 +0000
Subject: [cooperation-wg] benefits of walled gardens [DNS-based filtering]
In-Reply-To: <20140130153455.GV22148@x28.adm.denic.de>
References: <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie> <52E54202.6030002@gmail.com> <52E699B3.9050807@gmail.com> <9b3G0QgWH65SFAN9@internetpolicyagency.com> <20140130153455.GV22148@x28.adm.denic.de>
Message-ID:

In message <20140130153455.GV22148 at x28.adm.denic.de>, at 16:34:55 on Thu, 30 Jan 2014, Peter Koch writes

>> I realise that if users of *some* legacy systems can employ
>> circumvention it's still a problem, but the migration to mobile
>> platforms is rapid and significant, and they are much less susceptible
>> to user customisation.
>
>that's probably true, but I'm not sure what follows in the context of this
>group. The return of walled gardens and gated access to Internet
>infrastructure - incumbents' dark desires - appear part of the problem
>rather than of the solution to me - even if that happens by customer "demand".

It's not so much "walled gardens" of content, but "locked down" clients accessing whatever content their suppliers (of hardware and tied-in connectivity) permit the user to see.
--
Roland Perry

From pc.chiodi at gmail.com Fri Jan 31 20:50:09 2014
From: pc.chiodi at gmail.com (Pier Carlo Chiodi)
Date: Fri, 31 Jan 2014 20:50:09 +0100
Subject: [cooperation-wg] DNS-based filtering
In-Reply-To: <20140130160406.GW22148@x28.adm.denic.de>
References: <527BAB0E.5020305@schiefner.de> <5C08C362-0AD6-426A-A2B5-51E277B2A05A@gmail.com> <6FAFA412-FB21-4738-8B82-9472593D0D3C@frobbit.se> <20140107182358.DE00A33C359@merlin.blacknight.ie> <20140125094236.D5B9059C001@merlin.blacknight.ie> <20140130160406.GW22148@x28.adm.denic.de>
Message-ID: <52EBFE71.6080000@gmail.com>

On 30/01/2014 17:04, Peter Koch wrote:

> On Tue, Jan 28, 2014 at 05:42:17PM -0500, Meredith Whittaker wrote:
>
>> I would suggest removing the target audience -- here started as law
>> enforcement and governments -- and dedicating this work more broadly to
>> anyone who's interested in this topic and would like a basic understanding
>
> so, this paragraph in the draft was one that I like very much because it
> is forgotten too often and helps focus the document. It also frames
> expectations on the side of the reader.

Accepting Meredith's remark, but also keeping focus on my original aim, I changed the paragraph of page 4:

This document is _particularly_ addressed to legislators, agencies, stakeholders, courts and to whoever may be involved in Internet governance and engaged in law enforcement on the network, and also to whoever is interested in this topic and would like a basic understanding of the mechanisms and approaches used to block or prevent access to contents.

In my opinion this paper should stay focused on the RIPE coop-wg target audience, which is especially governments and regulators.

> seconded. Also, the actors (LEA in this case) could better be left away.
> It's not important for the method who's asking/ordering/threatening/volunteering.
I changed the paragraphs on page 8 too and also any occurrence of "illicit" / "LEAs" with "unwanted/undesired/forbidden" and a generic "requestors" or "requesting governments".

Web blocking and filtering are measures usually requested by governments [...] addressed to prevent access to illicit contents such as pedo-pornography [...] or even to constrain access to opposing political or religious contents or to quiet debates that threaten the parties in power. These measures are particularly used when the _undesired_ content is hosted on servers that are out of the jurisdiction of the _requesting party_, so when it's not possible or very difficult to order the website operator to remove the _unwanted_ material from its servers. In such cases ISPs operating under the jurisdiction of the requestor are required to prevent their customers from accessing the identified resources. Optionally, they may be asked to redirect customers who try to access the _forbidden_ content to a web page reporting additional information, such as the legal notice about the blocking measure ("stop-page").

> The draft could benefit from a terminology pass sooner than later.

Yes, I'm the first to admit it, it needs a review on both technical terminology and grammar (as you can see my English is not very good); now the document is hosted on Google Drive, if someone wants to take care of that I can give him/her write permissions.

> We've
> already had some debate about "authoritative servers", where that was
> meant to be registrations at the second (or third, for that matter) level.

I missed that debate so, for clarity, this is what I meant in the document (please refer to the diagram on page 8):

- root servers: servers that hold TLD-registries mappings;
- registries: servers that hold TLD-domain mappings;
- authoritative servers: servers that hold the domain zone.
I know that "authoritative" is something else, every server is authoritative for zones it directly serves, but I preferred to use a not strictly proper terminology for the sake of reading easiness. Any suggestions/corrections would be appreciated.

> I'd also suggest to skip the part about domain name "takedowns". It has
> similar side effects but is really different from filtering.

Because domain name takedowns are actually used to prevent users from accessing contents I think it's correct to include them in this document and to show their pros and cons there. Am I the only one to think that?

> Speaking of side effects, the language chosen in that section sounds tentative
> and defensive to me ("may", "could be"). While applicable in an academic debate,
> the other party is absolutely undoubtful about their doing the Right Thing.

Sorry, my fault; here a native English speaker can render the idea better than me.

> While at it, I'd not support the myth that DNSSEC and suppressing DNS responses
> are incompatible. While the changes applied are either detected and suppressed by the
> validating resolver or injected at that very place (again, the ISP),
> the result usually is either you receive the government enhanced response
> with the seal of the validator or you get an error response, in which case
> the end user still can't access the site.

DNSSEC and response suppression are not incompatible: even if DNSSEC is implemented in the resolver the final result is anyway achieved and the user is anyway prevented from accessing the website (maybe he/she will not get the stop-page but of course he/she will not open the website either). I'm more concerned about the fact that such blocking measures can have an impact on the background philosophy that is behind DNSSEC, impair trust in it and slow down its deployment rather than about technical issues. Please refer to this Paul Vixie post [1]; he explains far better what I mean. Do you think that's only a vague and unfounded fear?
> > Careful with the risk assessments:
> >
> > DNS blocking techniques may be used to defeat cybercrime too, by blocking those
> > domain names which are dedicated to frauds, phishing or malware distribution (viruses,
> > trojans, #). If users decide to change their device configuration and use public
> > open resolvers to access (over-) blocked content any local anti-cybercrime activity is vanished.
>
> Sounds either like an encouragement to restrict/regulate access to alternative
> resolution mechanisms or like a "then don't do that".

I think it's a side effect of measures that don't solve the problem but just hide it. Maybe the paragraph can be arranged in another way if you think it leads to wrong impressions.

> Finally, again on wording, apologies,

These topics are complex and we need to find the best way to explain them.

> we should not call the mechanisms "content
> filtering" because all they do is fiddling with levels of indirection that
> mediate access to the content rather than the content itself.

Correct, in the overblocking paragraph a distinction is already made between domain seizure and content filtering; anyway I changed some occurrences of "content filtering" in the rest of the document.

> To that extent, referring to the DNS as the "phone book" has helped quite a couple
> of times. People understand that de-listing does not make the number inaccessible. YMMV.

It's a very good example, easy to understand, I'll see how to merge it into the document: any suggestions?

> PS: my contribution to the bikeshed part of the debate: for diversity, but especially in a
> European context, we could use something other than the COM gTLD in the examples.
> That's even more important for those parts that I suggested to skip, since it will
> emphasize that ICANN is not in the game in many cases.

Roland Perry speculated about the chance for a dedicated domain set up by RIPE for our purposes... this would be the perfect solution.
Thanks for your feedback Peter, it has given me the chance to take stock of the situation!

[1] "Defense in Depth for DNSSEC Applications" - http://www.circleid.com/posts/defense_in_depth_for_dnssec_applications/

--
Pier Carlo Chiodi
http://pierky.com/aboutme
The opinions expressed here represent my own and not those of any organization, entity or committee to which I may hold a position.
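Peter Koch's point about DNSSEC and response suppression, and Pier Carlo's reply to it above, as an added example that is not part of the thread or of the draft document: a small Python model of a validating resolver. It is standard-library only, so a keyed hash stands in for the zone's RRSIG and a shared key stands in for the trust anchor; the names blocked.example and allowed.example, their addresses and the stop-page address are all constructed. The model shows the two outcomes Peter describes: an answer rewritten on the path between the authoritative server and the validator fails validation and the client gets SERVFAIL, while an override applied at the validating resolver itself passes validation and returns the stop-page address with the AD flag set. In both cases the site is not reached; what differs is whether the client can tell a policy override from a real failure, which is the trust concern Pier Carlo raises.

```python
"""Model of DNS response suppression against a DNSSEC-validating resolver.

Added example, not from the cooperation-wg thread. A keyed hash (HMAC)
stands in for the RRSIG and ZONE_KEY for the trust anchor, so that the
block runs offline with the standard library only.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Constructed sample data (not real zones or addresses in use).
ZONE_KEY = b"constructed-zone-signing-key"   # stand-in for the zone's signing key
STOP_PAGE = "198.51.100.1"                    # constructed stop-page address


@dataclass(frozen=True)
class SignedRR:
    name: str
    rrtype: str
    rdata: str
    sig: bytes   # stand-in for the RRSIG covering this record


def _signed_bytes(name: str, rrtype: str, rdata: str) -> bytes:
    return f"{name}|{rrtype}|{rdata}".encode()


def sign_rr(name: str, rrtype: str, rdata: str, key: bytes = ZONE_KEY) -> SignedRR:
    """Authoritative side: publish the record together with its signature."""
    sig = hmac.new(key, _signed_bytes(name, rrtype, rdata), hashlib.sha256).digest()
    return SignedRR(name, rrtype, rdata, sig)


def validate(rr: SignedRR, key: bytes = ZONE_KEY) -> bool:
    """Validator side: recompute the signature over the data actually received."""
    expected = hmac.new(key, _signed_bytes(rr.name, rr.rrtype, rr.rdata), hashlib.sha256).digest()
    return hmac.compare_digest(rr.sig, expected)


# Constructed authoritative data for the example zone.
AUTHORITATIVE: Dict[Tuple[str, str], SignedRR] = {
    ("blocked.example", "A"): sign_rr("blocked.example", "A", "192.0.2.10"),
    ("allowed.example", "A"): sign_rr("allowed.example", "A", "192.0.2.20"),
}


@dataclass(frozen=True)
class Response:
    rcode: str             # NOERROR, NXDOMAIN or SERVFAIL
    rdata: Optional[str]
    ad: bool               # Authenticated Data flag as the resolver would set it


def on_path_rewrite(rr: SignedRR) -> SignedRR:
    """Suppression applied between the authoritative server and the validator:
    the address is swapped, but the signature cannot be regenerated."""
    return SignedRR(rr.name, rr.rrtype, STOP_PAGE, rr.sig)


def resolve(name: str, rrtype: str,
            blocklist: FrozenSet[str] = frozenset(),
            on_path: Optional[Callable[[SignedRR], SignedRR]] = None) -> Response:
    """A validating resolver that may itself apply a block list after validation."""
    rr = AUTHORITATIVE.get((name, rrtype))
    if rr is None:
        return Response("NXDOMAIN", None, False)
    if on_path is not None:
        rr = on_path(rr)
    if not validate(rr):
        # Bogus data: the validator refuses to hand it to the client.
        return Response("SERVFAIL", None, False)
    if name in blocklist:
        # Override at the validator itself: the stop-page address is returned
        # with the resolver's own seal of approval (the AD flag).
        return Response("NOERROR", STOP_PAGE, True)
    return Response("NOERROR", rr.rdata, True)


def demo() -> Dict[str, Response]:
    """The cases discussed in the thread, side by side."""
    policy = frozenset({"blocked.example"})
    return {
        "no_policy": resolve("blocked.example", "A"),
        "on_path": resolve("blocked.example", "A", on_path=on_path_rewrite),
        "at_resolver": resolve("blocked.example", "A", blocklist=policy),
        "other_name": resolve("allowed.example", "A", blocklist=policy),
    }


if __name__ == "__main__":
    for case, resp in demo().items():
        print(f"{case:12s} rcode={resp.rcode:9s} rdata={resp.rdata} ad={resp.ad}")
```

The `on_path` and `at_resolver` cases are the two halves of Peter's remark: the first is "detected and suppressed by the validating resolver", the second is "injected at that very place". A client behind the second resolver sees a validated answer and has no protocol-level signal that a policy, rather than the zone owner, chose the address; that is why the model returns `ad=True` there.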