Vernon Schryver wrote:
A network that routes requests to 8.8.8.8 to inject DNS lies will also
arrange to ignore or pervert any DNS-in-band tell-the-truth signaling.
Without access to a trustworthy resolver, tell-the-truth signaling is
useless because you can't trust it.

i would like to be able to know that i can't trust it, rather than merely assuming that i can't trust it, as happens today. if neither the truth nor the lie is signed, i can make a red light blink, or even go offline, refusing the local edition of the social compact ("if you want to use the internet you have to accept dns answers w/o provenance.")

No jurisdiction will allow foreign visitors to bypass local filters
forever, because foreign visitors blab both the banned data and the
banned tools.

as a frequent visitor to china, my verizon wireless roaming service is tunnelled back to the USA. i can read facebook, search google, and so on. verizon isn't a pirate -- they have a license to operate in china and they honor the terms of that license. but they don't sell this service inside china.

i expect more, not fewer, arrangements of this kind going forward, now that other nation-states are making decisions about internet content filtering for their citizens. note that i blogged on this specific point, and mentioned rpz, recently:

http://www.circleid.com/posts/20170718_nation_scale_internet_filtering_dos_and_donts/

... Isn't there
talk about China blocking all tunnels including those of foreigners?

not that i've heard. china has a delicate balancing act, and they do not seem to want to completely discourage tourism, even if that means there are leaks in the great firewall as a result. on wifi or wired, they don't know who isn't a citizen. on LTE or GSM, they do. but the tunnel i use is slow, and expensive for both verizon and me. i'd like to offer china the opportunity to carry both dns truth and dns lies, in the same packet, with one of them a little harder to get at using older software, and with newer software having a switch, "do you trust policy having this key?" i expect that for android and iOS devices sold in china, this switch would be hardwired "on".

this reflects my broader belief that neither the open source community, nor the internet technology community, will ever be taken seriously by the chinese gov't if we tell them how they should run their country's internet or its connections to the rest of the world. if they want to be able to express policy data more reliably using DNS than will be possible in a ubiquitous-DNSSEC scenario, then we ought to provide that, and encourage engineers from within china to help define, model, test, develop, and deploy it. this would ease the complexity burden for companies selling internet devices and services inside china. it will not make anybody in the world less autonomous than they already aren't.

Even with the acquiescence of regimes, there are insurmountable practical
technical and non-technical issues in providing both RPZ filtered and
raw DNS answers, configuring applications, and ensuring that citizens
don't get foreign, uncensored versions of applications.  It's one thing
for a regime to allow foreigners to use foreign services (which I claim
never lasts), and quite another thing for in-country operators to
expect government censors to understand and believe that citizens can't
use the truthful results in DNS responses.  If you were a DNS operator
in China, would you ever allow your resolver to give truthful answers
about some domains in any form or in response to any signaling?--of course
not!

as a provider i would, whether in china or elsewhere, follow the law.

--
P Vixie
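One way to make the "red light" in the reply above concrete, as an added example that is not part of this thread or of any resolver's code: a stub-side check over a raw DNS response that reports whether the answer carries any RRSIG records and whether the upstream resolver set the AD (Authenticated Data) flag, so the client can tell "verified", "signed but nobody validated it for me" and "no provenance at all" apart instead of silently assuming. The message builder, the sample responses and the three category names are constructed for this example.

```python
import struct

TYPE_A = 1
TYPE_RRSIG = 46          # RRSIG RR type (RFC 4034)
FLAG_AD = 0x0020         # header flag bit 5: Authenticated Data (RFC 4035)

def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, answers, ad):
    """Constructed test data: a minimal DNS response for an A query.
    answers is a list of (rtype, rdata); answer owners use a compression
    pointer (0xC00C) back to the question name at offset 12."""
    flags = 0x8180 | (FLAG_AD if ad else 0)   # QR=1, RD=1, RA=1 (+AD)
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answers:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def read_name(msg, off):
    """Parse a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def classify_response(msg):
    """Return 'validated' (AD set), 'signed-unvalidated' (RRSIG present but
    AD clear) or 'unsigned' (no signatures at all)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # skip question section
        _, off = read_name(msg, off)
        off += 4                        # QTYPE + QCLASS
    has_rrsig = False
    for _ in range(an + ns + ar):       # walk every resource record
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_RRSIG:
            has_rrsig = True
    if flags & FLAG_AD:
        return "validated"
    return "signed-unvalidated" if has_rrsig else "unsigned"

# Constructed samples: same A record, differing only in provenance.
A_RDATA = bytes([192, 0, 2, 1])
FAKE_SIG = b"\x00" * 20                 # placeholder RRSIG rdata, never verified here
UNSIGNED = build_response("example.com.", [(TYPE_A, A_RDATA)], ad=False)
SIGNED = build_response("example.com.", [(TYPE_A, A_RDATA), (TYPE_RRSIG, FAKE_SIG)], ad=False)
VALIDATED = build_response("example.com.", [(TYPE_A, A_RDATA), (TYPE_RRSIG, FAKE_SIG)], ad=True)

if __name__ == "__main__":
    for label, msg in (("unsigned", UNSIGNED), ("signed", SIGNED), ("validated", VALIDATED)):
        print(label, "->", classify_response(msg))
```

The AD bit is only a claim made by whichever resolver answered, so, as the quoted message points out, it carries no weight unless the path to that resolver is itself trusted or the stub validates the RRSIGs against a trust anchor on its own; what this check buys is the ability to distinguish "cannot tell" from "verified" before deciding whether to blink the light or go offline.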

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
