
I think you have great points but I don't believe they sufficiently support the doomsday freak-out I'm witnessing.

DNS blacklisting is already happening in the US and all over the world (ICE: http://en.wikipedia.org/wiki/U.S._Immigration_and_Customs_En... and DNSBL: http://en.wikipedia.org/wiki/DNSBL). I admit we are already on a slippery slope here with blacklisting, but I think most of your DNS comments could be attributed to failures in the design of DNS (and CDNs) themselves. If you want trust, security, and prevention from censorship (as I do too), DNS is not your answer. I hope namecoin better addresses these issues (https://en.bitcoin.it/wiki/Namecoin).

If you are scared of censorship, don't rely on infrastructure that is owned by parties you don't trust.

SOPA supporters must know this will not stop piracy (the bill is contradictorily named, I know), but surely, it would minimize the piracy and counterfeiting that affects the non-tech-savvy American masses. And I truly believe that is their intent.

Personally, I don't think we should be legislating the Internet at all, but we've already started, and although future legislation on this slippery slope could be devastating, this bill seems to be fairly neutered. Good issues are being brought up with the discussion of SOPA, but SOPA itself is not the end of the internet.




Couldn't be more wrong, sorry.

The ICE seizures are perfectly fine because they target the delegation chain directly -- they are actually seizing the domain from a registrar or TLD authority with control over it within the chain. They are not a DNS blacklist and it does not interfere with caching servers.

SOPA attempts to target names which are not within U.S. jurisdiction by asking caching servers maintained by ISPs to refuse resolution of names where the delegation chain does not cede authority to entities within U.S. jurisdiction. This is an unprecedented technique for censoring content online.

DNSBL is absolutely not what you think it is, I'd recommend reading that wikipedia article more carefully. It is a voluntary blacklist which is implemented by IRC servers and mail software, but does not force cache servers to resolve names differently or anything close to what you're suggesting. It's just a list of names "you shouldn't trust" but not a censorship/redirection system.

There are no design flaws in the way CDNs work either, I don't know where you're getting that. SOPA harms CDNs by removing the efficiency achieved through geotargeted name resolution (something provided by caching servers).


The ICE seizures are perfectly fine...

I wouldn't say perfectly fine... They're less objectionable than SOPA because they have some semblance of a claim to legality under current law, but I hardly think they're a model of how the Internet should be policed (or that the Internet as a whole even needs policing). Many, many subdomains were seized by ICE that were completely innocent, and there was still a lack of due process (see the rojadirecta.com case, where a site that is legal in its home country had its domain taken, then returned without explanation a year later).


I didn't realize the process used by ICE was different than what SOPA suggests, but that makes sense now that you've explained it.

I don't understand how DNSBL is different though for the end user. I realize DNSBL is voluntary and SOPA would mandate/force, but I don't see how the effects are different. For a DNS server that uses a DNSBL, does it regard a domain name blacklisted through DNSBL differently than one that is blacklisted through SOPA?

Regarding CDNs, for a user initiating a request for a non-blacklisted site, why would the CDN now be less efficient in its response?

I have no idea if there is a design flaw in DNS or CDNs. My point is that if DNS and CDNs become drastically inefficient by having to ignore certain names, then it sounds like it could have been designed better to handle such cases.


> I realize DNSBL is voluntary and SOPA would mandate/force, but I don't see how the effects are different. For a DNS server

Bam, stop right there. DNS servers do not use DNSBL. There's your answer.

DNSBL is used in circumstances like this: You're connecting to an IRC server. It does some tests to make sure you're not spoofing your host, like using reverse DNS (PTR records). IRC servers will also try to prevent spammers and flooders by denying access to hosts that are in a DNSBL -- likely open proxies.

Here's some IRC software which does specifically that: http://www.blitzed.org/proxy/

I am running some mail servers which are having trouble delivering mail to Gmail right now. Gmail is returning this error:

    The IP you're using to send mail is not authorized to
    send email directly to our servers. Please use the SMTP relay your
    service provider instead.
Turns out, it's because the IPs I've been allocated are in Spamhaus, which is an implementation of DNSBL that specifically targets spammers.

Again, this is an action by the server software itself. It is not a mandate, and is not actually a restriction on DNS. It is nothing like blacklisting cache servers. The name has confused you.

> Regarding CDNs, for a user initiating request for a non-blacklisted site, why would the CDN be now less efficient in its response?

If you're trying to access Google, their nameservers may give your ISP's caching servers a different resolution if you're in California rather than in the UK, usually to resolve to closer servers. This is only effective because nameservers can target cache servers which are specific to geographic areas, and is a great side-effect of the current structure of the naming system and of the Internet.

By forcing people away from domestic nameservers, this targeted effect fails. A foreign cache server will return inefficient resolutions to queries compared to a domestic one operated by an ISP.

Aside from being terrible for the end user, it also begins to put stress on and congest different areas of the global Internet unexpectedly. Though arrangements can be made to compensate, it's pretty annoying and will never be as efficient as before.

> My point is that if DNS and CDNs become drastically inefficient by having to ignore certain names, then it sounds like it could have been designed better to handle such cases.

The only real "design flaw" in DNS is the inflated trust in cache servers. DNSSEC tries to resolve this by attaching a chain of authentication alongside the delegation chain which can be verified. SOPA breaks DNSSEC entirely because it cannot return these authenticated messages (it is resolving incorrectly or lying about the delegation chain).

DNS was not designed to be censored in the way proposed by SOPA; it is not a design flaw in SOPA, it's a flaw in the legislation.
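The distinction drawn in the comment above, as an added example that is not part of the thread: a DNSBL check is an ordinary A-record lookup that a mail or IRC server performs on the connecting client's IP (octets reversed under the list's zone, per RFC 5782), and it changes nothing about how any hostname resolves; a SOPA-style blocklist sits in the caching resolver and refuses to return the real answer for a name no matter who asks. The zone name `dnsbl.example`, the listed addresses, the 127.0.0.x return codes and the forward records are all constructed for the example so that it runs offline; the real Spamhaus codes differ and are not reproduced here.

```python
"""Added example, not code from the Hacker News thread.

Contrasts two things the thread says get confused under the word "blacklist":
  1. a DNSBL lookup done by application software on the *client's IP address*
  2. a resolver-side refusal to resolve a *name*, the mechanism SOPA would mandate
Everything below is in-memory and constructed; nothing touches the network.
"""
import ipaddress

# Constructed stand-in for a DNSBL zone (hypothetical name). Real DNSBLs publish
# listings as A records under their zone; answers in 127.0.0.0/8 are the RFC 5782
# convention. The specific codes here are illustrative, not Spamhaus's.
DNSBL_ZONE = "dnsbl.example"
CONSTRUCTED_DNSBL_RECORDS = {
    "4.100.51.198.dnsbl.example": "127.0.0.2",    # 198.51.100.4 listed (illustrative code)
    "25.113.0.203.dnsbl.example": "127.0.0.10",   # 203.0.113.25 listed (illustrative code)
}

# Constructed stand-in for what a caching resolver would learn from authoritative servers.
CONSTRUCTED_FORWARD_RECORDS = {
    "www.example.com": "192.0.2.10",
    "files.example.net": "198.51.100.7",
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list's zone (RFC 5782)."""
    addr = ipaddress.IPv4Address(ip)          # raises on garbage input
    reversed_octets = ".".join(str(addr).split(".")[::-1])
    return f"{reversed_octets}.{zone}"


def dnsbl_lookup(ip: str, records=CONSTRUCTED_DNSBL_RECORDS):
    """Return the list's 127.0.0.x answer for a listed IP, or None when unlisted.

    This is the check a receiving MTA or IRC server runs against the connecting
    client's address. It is a plain A query; it never alters how any hostname
    resolves for anyone.
    """
    answer = records.get(dnsbl_query_name(ip))
    if answer is None:
        return None
    # A listing outside 127.0.0.0/8 means a broken or hijacked list; do not trust it.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"unexpected DNSBL answer {answer} for {ip}")
    return answer


def smtp_connect_decision(client_ip: str) -> str:
    """Policy a receiving mail server might apply at connection time (cf. the Gmail
    rejection quoted above): reject clients whose IP is listed, accept the rest."""
    return "reject" if dnsbl_lookup(client_ip) else "accept"


# Resolver-side name blocklist: the ISP's caching resolver withholds the real answer
# for a name regardless of what the authoritative zone says. Constructed for the example.
CONSTRUCTED_NAME_BLOCKLIST = {"files.example.net"}


def _canonical(qname: str) -> str:
    return qname.lower().rstrip(".")


def caching_resolver_answer(qname: str,
                            blocklist=CONSTRUCTED_NAME_BLOCKLIST,
                            records=CONSTRUCTED_FORWARD_RECORDS):
    """Return the A record for qname, or None when the resolver refuses the name.

    The refusal is the resolver's own assertion, not the signed zone's, which is why
    a DNSSEC-validating client cannot obtain a valid chain of signatures for it.
    """
    name = _canonical(qname)
    if name in blocklist:
        return None
    return records.get(name)


if __name__ == "__main__":
    print(dnsbl_query_name("198.51.100.4"))            # 4.100.51.198.dnsbl.example
    print(smtp_connect_decision("198.51.100.4"))       # reject
    print(smtp_connect_decision("192.0.2.1"))          # accept
    print(caching_resolver_answer("www.example.com"))  # 192.0.2.10
    print(caching_resolver_answer("files.example.net"))  # None (refused)
```

The point of putting both mechanisms side by side: the DNSBL code never consults or modifies `CONSTRUCTED_FORWARD_RECORDS`, so a listed IP can still resolve every hostname normally, while the resolver blocklist discards the authoritative answer for a name and gives every client behind that resolver the same wrong view.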


This is a fantastic response and I'm glad you took the time to write it. I'm sorry I misinterpreted DNSBL, I guess I read "either as a zone file that can be used by DNS server software" and assumed they meant the main DNS servers really do use them.

Final question for you: Do you believe that if SOPA passes, it would really have drastic effects to the internet functionally? So, besides censorship and liability, do you think there would be a noticeable difference for tech-savvy internet users and website operators in regards to things you mentioned above (or perhaps haven't mentioned yet)?


> Do you believe that if SOPA passes, it would really have drastic effects to the internet functionally?

Yes. Things would have to shift around to compensate, but the real problem begins when SOPA justifies similar legislation in other countries, especially ones being bound by trade agreements which call for this type of stuff.

In the U.S. they claim "oh, but we're just going to target people who violate the law. You know, copyright infringement." Even if that were true, other countries have a long history of applying their laws, which usually suck and go much further to stifle speech.

SOPA legitimizes this method of blacklisting, thus leading to a balkanization of the naming system. People begin to move away from the cache servers, causing slowdowns in resolution and CDNs. Once this proves ineffective, the U.S. will want to censor any DNS server that resolves an IP to something they don't want. Then we have deep packet inspection.

It really will not end unless we force it to end. SOPA takes a drastic step that even the DMCA didn't do. DMCA targeted activities under U.S. jurisdiction. The next chapter in the global censorship game is the attack on websites outside jurisdiction, which is not feasible without immense privacy encroachments.

I don't want to see us going down that path. We need to go the complete opposite direction when it comes to copyright. SOPA also places way too much of a legal and logistical burden on companies within the U.S., which is going to lead a lot of people toward countries with progressive outlooks on copyright, like in some places in Europe.



