DNS blacklisting as a concept is simply unacceptable. The way it is applied in SOPA requires that a certain classification of DNS caching servers must pretend like a website does not exist, which reduces trust in domestic caching servers and stifles DNSSEC.
If people move to foreign DNS (or local caching servers), which is incredibly easy, the entire thing is circumvented. But a tricky side-effect takes place: the system is now balkanized. Servers in the U.S. believe the naming system to resolve to one IP, and servers everywhere else resolve to something completely different.
This balkanizing effect can break the effectiveness of CDNs, can congest Internet traffic, and overall reduces the credibility of the naming system. Passing SOPA would mean other countries would follow in the same footsteps. Once every country believes the delegation chain can resolve to whatever they want to, what is the point in an international naming system?
These are only some of the problems with DNS blacklisting -- never mind the security problems -- which are not worth it especially considering it is so easily circumvented.
Additional problems with the bill, such as the vague wording which may consider Tor a tool for "circumventing" DNS blacklists and, therefore, illegal, demonstrate a huge lack of forward thinking and an unsustainable approach to copyright enforcement.
The doomsday scenario is that government sticks its foot in Internet policy and communication and pretends it actually has the reasonable capability to prevent piracy. It will never have that capability without large-scale violations of privacy.
There are also a good amount of talks regarding the precedent SOPA may have for general purpose computing and a whole host of other sensitive topics. I don't think it's responsible to just point at provisions in the bill and say "well it seems to add enough oversight".
Besides, the bill encourages preemptive takedowns by providing immunity. The tech industry behaviors that will result would be devastating.
DNS blacklisting is already happening in the US and all over the world (ICE: http://en.wikipedia.org/wiki/U.S._Immigration_and_Customs_En... and DNSBL: http://en.wikipedia.org/wiki/DNSBL). I admit we are already on a slippery slope here with blacklisting, but I think most of your DNS comments could be attributed to failures in the design of DNS (and CDNs) themselves. If you want trust, security, and prevention from censorship (as I do too), DNS is not your answer. I hope namecoin better addresses these issues (https://en.bitcoin.it/wiki/Namecoin).
If you are scared of censorship, don't rely on infrastructure that is owned by parties you don't trust.
SOPA supporters must know this will not stop piracy (the bill is contradictorily named, I know), but surely, it would minimize the piracy and counterfeiting that affects the non-tech-savvy American masses. And I truly believe that is their intent.
Personally, I don't think we should be legislating the Internet at all, but we've already started, and although future legislation on this slippery slope could be devastating, this bill seems to be fairly neutered. Good issues are being brought up with the discussion of SOPA, but SOPA itself is not the end of the internet.
The ICE seizures are perfectly fine because they target the delegation chain directly -- they are actually seizing the domain from a registrar or TLD authority with control over it within the chain. They are not a DNS blacklist and it does not interfere with caching servers.
SOPA attempts to target names which are not within U.S. jurisdiction by asking caching servers maintained by ISPs to refuse resolution of names where the delegation chain does not cede authority to entities within U.S. jurisdiction. This is an unprecedented technique for censoring content online.
DNSBL is absolutely not what you think it is, I'd recommend reading that wikipedia article more carefully. It is a voluntary blacklist which is implemented by IRC servers and mail software, but does not force cache servers to resolve names differently or anything close to what you're suggesting. It's just a list of names "you shouldn't trust" but not a censorship/redirection system.
There are no design flaws in the way CDNs work either, I don't know where you're getting that. SOPA harms CDNs by removing the efficiency achieved through geotargeted name resolution (something provided by caching servers).
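The distinction drawn in this reply, as an added example that is not code from the thread: a DNSBL check is a lookup the mail or IRC software performs itself, with the client IP's octets reversed under the list's zone, and the resolver answers that name exactly like any other. The zone `dnsbl.example`, the sample listing and the addresses are constructed for the demo.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Lookup is an A-record resolver, abstracted so the example runs offline;
// a real MTA or ircd would call net.LookupHost(name) here.
type Lookup func(name string) []string

// dnsblName builds the query name: IPv4 octets reversed, then the list's zone.
func dnsblName(ip, zone string) (string, error) {
	addr := net.ParseIP(ip).To4()
	if addr == nil {
		return "", fmt.Errorf("not an IPv4 address: %q", ip)
	}
	return fmt.Sprintf("%d.%d.%d.%d.%s", addr[3], addr[2], addr[1], addr[0],
		strings.TrimSuffix(zone, ".")), nil
}

// checkDNSBL is the voluntary, application-side check. The resolver answers
// this name like any other; the calling program decides to refuse a client
// whose lookup comes back in 127.0.0.0/8. Returns (listed, reason code, error).
func checkDNSBL(ip, zone string, lookup Lookup) (bool, int, error) {
	name, err := dnsblName(ip, zone)
	if err != nil {
		return false, 0, err
	}
	for _, a := range lookup(name) {
		if r := net.ParseIP(a).To4(); r != nil && r[0] == 127 {
			return true, int(r[3]), nil // last octet is the list's reason code
		}
	}
	return false, 0, nil // NXDOMAIN or no 127/8 answer: not listed
}

// Constructed sample blocklist zone for the demo (not real data).
var sampleZone = map[string][]string{
	"7.113.0.203.dnsbl.example": {"127.0.0.2"}, // an "open proxy" style listing
}

func sampleLookup(name string) []string { return sampleZone[name] }

func main() {
	fmt.Println(checkDNSBL("203.0.113.7", "dnsbl.example", sampleLookup)) // true 2 <nil>
}
```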
I wouldn't say perfectly fine... They're less objectionable than SOPA because they have some semblance of a claim to legality under current law, but I hardly think they're a model of how the Internet should be policed (or that the Internet as a whole even needs policing). Many, many subdomains were seized by ICE that were completely innocent, and there was still a lack of due process (see the rojadirecta.com case, where a site that is legal in its home country had its domain taken, then returned without explanation a year later).
I don't understand how DNSBL is different though for the end user. I realize DNSBL is voluntary and SOPA would mandate/force, but I don't see how the effects are different. For a DNS server that uses a DNSBL, does it regard a blacklisted domain name through DNSBL differently than one that is blacklisted through SOPA?
Regarding CDNs, for a user initiating a request for a non-blacklisted site, why would the CDN be now less efficient in its response?
I have no idea if there is a design flaw in DNS or CDNs. My point is that if DNS and CDNs become drastically inefficient by having to ignore certain names, then it sounds like it could have been designed better to handle such cases.
Bam, stop right there. DNS servers do not use DNSBL. There's your answer.
DNSBL is used in circumstances like this: You're connecting to an IRC server. It does some tests to make sure you're not spoofing your host, like using reverse DNS (PTR records). IRC servers will also try to prevent spammers and flooders by denying access to hosts that are in a DNSBL -- likely open proxies.
Here's some IRC software which does specifically that: http://www.blitzed.org/proxy/
I am running some mail servers which are having trouble delivering mail to gmail right now. gmail is returning back this error:
The IP you're using to send mail is not authorized to
send email directly to our servers. Please use the SMTP relay your
service provider instead.
Again, this is an action by the server software itself. It is not a mandate, and is not actually a restriction on DNS. It is nothing like blacklisting cache servers. The name has confused you.
> Regarding CDNs, for a user initiating request for a non-blacklisted site, why would the CDN be now less efficient in its response?
If you're trying to access Google, their nameservers may give your ISP's caching servers a different resolution if you're in California rather than in the UK, usually to resolve to closer servers. This is only effective because nameservers can target cache servers which are specific to geographic areas, and is a great side-effect of the current structure of the naming system and of the Internet.
By forcing people away from domestic nameservers, this targeted effect fails. A foreign cache server will return inefficient resolutions to queries compared to a domestic one operated by an ISP.
Aside from being terrible for the end user, it also begins to put stress and congest different areas of the global Internet unexpectedly. Though arrangements can be made to compensate, it's pretty annoying and will never be as efficient as before.
> My point is that if DNS and CDNs become drastically inefficient by having to ignore certain names, then it sounds like it could have been designed better to handle such cases.
The only real "design flaw" in DNS is the inflated trust in cache servers. DNSSEC tries to resolve this by attaching a chain of authentication alongside the delegation chain which can be verified. SOPA breaks DNSSEC entirely because it cannot return these authenticated messages (it is resolving incorrectly or lying about the delegation chain).
DNS was not designed to be censored in the way proposed by SOPA; it is not a design flaw in SOPA, it's a flaw in the legislation.
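The DNSSEC point made in this reply, as an added example that is not code from the thread: a toy signed delegation chain (root signs the TLD key, the TLD signs the zone key, the zone signs the record) with Ed25519 standing in for DNSSEC's real DNSKEY/DS/RRSIG formats. A caching server that substitutes the record cannot re-sign it without the zone's private key, so a client validating from the root trust anchor rejects the altered answer. Key names and addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// signed is a datum plus the signature made by the key one level above it, a
// toy stand-in for DNSSEC's DNSKEY/DS/RRSIG records (not the real wire format).
type signed struct{ data, sig []byte }

// answer carries the chain root -> TLD -> zone -> A record. The client trusts
// only the root public key a priori (its trust anchor).
type answer struct {
	tldKey  signed // TLD public key, signed by the root key
	zoneKey signed // zone public key, signed by the TLD key
	record  signed // A record data, signed by the zone key
}

func sign(priv ed25519.PrivateKey, data []byte) signed {
	return signed{data: data, sig: ed25519.Sign(priv, data)}
}

// buildAnswer is what the honest authoritative path produces.
func buildAnswer(root, tld, zone ed25519.PrivateKey, ip string) answer {
	return answer{
		tldKey:  sign(root, tld.Public().(ed25519.PublicKey)),
		zoneKey: sign(tld, zone.Public().(ed25519.PublicKey)),
		record:  sign(zone, []byte(ip)),
	}
}

// validate walks the chain down from the trust anchor; any broken link fails.
func validate(rootPub ed25519.PublicKey, a answer) bool {
	return ed25519.Verify(rootPub, a.tldKey.data, a.tldKey.sig) &&
		ed25519.Verify(ed25519.PublicKey(a.tldKey.data), a.zoneKey.data, a.zoneKey.sig) &&
		ed25519.Verify(ed25519.PublicKey(a.zoneKey.data), a.record.data, a.record.sig)
}

// censor models a caching server told to answer differently for the name: it
// can swap the record data but cannot re-sign it without the zone's private key.
func censor(a answer, fakeIP string) answer {
	a.record.data = []byte(fakeIP)
	return a
}

func demo() (honestOK, censoredOK bool) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, tldPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, zonePriv, _ := ed25519.GenerateKey(rand.Reader)
	a := buildAnswer(rootPriv, tldPriv, zonePriv, "203.0.113.10")
	return validate(rootPub, a), validate(rootPub, censor(a, "0.0.0.0")) // true, false
}
```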
Final question for you: Do you believe that if SOPA passes, it would really have drastic effects on the internet functionally? So, besides censorship and liability, do you think there would be a noticeable difference for tech-savvy internet users and website operators in regards to things you mentioned above (or perhaps haven't mentioned yet)?
Yes. Things would have to shift around to compensate, but the real problem begins when SOPA justifies similar legislation in other countries, especially ones being bound by trade agreements which call for this type of stuff.
In the U.S. they claim "oh, but we're just going to target people who violate the law. You know, copyright infringement." Even if that were true, other countries have a long history of applying their laws, which usually suck and go much further to stifle speech.
SOPA legitimizes this method of blacklisting, thus leading to a balkanization of the naming system. People begin to move away from the cache servers, causing slowdowns in resolution and CDNs. Once this proves ineffective, the U.S. will want to censor any DNS server that resolves an IP to something they don't want. Then we have deep packet inspection.
It really will not end unless we force it to end. SOPA takes a drastic step that even the DMCA didn't do. DMCA targeted activities under U.S. jurisdiction. The next chapter in the global censorship game is the attack on websites outside jurisdiction, which is not feasible without immense privacy encroachments.
I don't want to see us going down that path. We need to go the complete opposite direction when it comes to copyright. SOPA also places way too much of a legal and logistical burden on companies within the U.S., which is going to lead a lot of people toward countries with progressive outlooks on copyright, like in some places in Europe.