Comments on: DNSChanger and PROTECT IP: FBI hit and legislative miss
News, Views, and Insight from the ESET Security Community
Mon, 03 Feb 2014 08:49:00 +0000

By: Mark Mon, 14 Nov 2011 23:46:04 +0000
Stephen,
Thank you for posting my comment and for the response. I respectfully disagree that SOPA and PIPA, if passed, would have any effect on the speed of DNSSEC implementation. DNSSEC would likely have had no effect on this cybercrime incident as these were determined criminals, but you took the opportunity on this credible public forum to make a correlation between the FBI case, DNSSEC and the proposed legislation and conclude that the legislation is bad.
Your article says both bills "require DNS server operators in the US to replace the correct IP address for a website with an alternate address provided by the Attorney General's office," but the fact is that neither bill is prescriptive about replacing an IP address. These bills simply require that DNS doesn't resolve an address for a site. This, frankly, doesn't violate the DNSSEC standard. Quoting from SOPA, the service provider is to “prevent the domain name of the foreign infringing site from resolving to that domain name’s Internet Protocol address.” Quoting from PIPA, the service provider is to “prevent the domain name described in the order from resolving to that domain name’s Internet protocol address.”
What is interesting about the current technology rhetoric surrounding this bill, whether it's coming from Vixie, Ulevitch or others, is that the tech community understands that DNS redirection is an extremely useful security tool yet continues to focus on how these bills will impede DNSSEC. The only thing stopping DNSSEC is the failures of DNSSEC. I am all for having a real debate on how this bill might impact the Internet, but the current discourse is nothing but scare tactics and misinformation.
As for the bill stopping determined pirates from pirating, I agree that it may not. Just as no lock will prevent a determined thief from stealing my car or breaking into my house, a DNS block will be a deterrent for many individuals and will ultimately lower the page views, making those sites financially less viable and "not worth it" for the criminals who run them.

By: Brian Mon, 14 Nov 2011 14:52:04 +0000
> …DNSSEC would be an improvement.
If there is an attack that would have been prevented with DNSSEC, I am interested in hearing about it.

DNS has lots of security problems that are being exploited regularly, but they do not seem to be problems protocols can solve. Many are attacks on the servers, lack of accountability in registration processes, and lack of accountability for involvement in criminal activities.

We need standards for the quality of infrastructure and operations that are used to implement DNS. Similar solutions are needed for CAs that issue SSL certificates. If we can raise the bar here, then we can start to consider the benefits of improvements to the protocols.

By: Stephen Cobb Sun, 13 Nov 2011 19:56:53 +0000
Mark — I agree that this is not a technology problem, it is one of standards. Security of the Internet would be improved if the Internet standards were updated to enable more, better authentication of entities operating on the Internet (sending email, managing DNS entries, and so on). DNSSEC would NOT end malware or cybercrime, but it would make some cybercrime easier to prevent and some cyber-criminals easier to catch. The risk/reward ratio would be nudged in the direction of deterrence. Well-known theories of risk displacement tell us that bad actors will continue to act badly, but the current state of Internet standards makes life too easy for the bad guys.
In my opinion, DNSSEC would be an improvement. The SOPA and PIPA legislation needlessly impedes that improvement. And with all due respect, as someone who has been using online communications professionally since before BIND was written, I think I do understand how DNSSEC works and how malware might circumvent any DNSSEC stub resolver action. I also understand how those intent on infringing copyright can defeat DNS filtering. As someone who has lost a lot of money, both personally and professionally, to copyright infringers, I am committed to reducing piracy. I just don't think DNS filtering is the way to go.

By: mark Thu, 10 Nov 2011 16:00:18 +0000
Clearly you do not understand how DNSSEC works or how malware might circumvent any DNSSEC stub resolver action. The bottom line is that DNSChanger could happen in a DNSSEC world.
Prior to Paul Vixie using ISC to express his political views on rogue site legislation and masking them as technical concerns, he wrote an extension allowing the "DNSChanger" software functionality directly in BIND.
Furthermore, making DNSSEC compatible with Paul's RPZs is not a huge software challenge. It is a question of will.
This has never really been a technology problem.  Certainly not one that cannot be solved.
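The reason DNSChanger "could happen in a DNSSEC world", as mark puts it, is that the malware simply re-pointed victims at rogue resolvers, and a stub that trusts whatever resolver it is handed gains nothing from validation done upstream. One practical defensive check is to compare each host's configured resolvers against the set the organisation actually operates. The code below is an added illustration, not code from ESET or any of the commenters; the approved networks and the per-host resolver snapshots are constructed sample data.

```python
"""Flag DNSChanger-style resolver tampering: hosts whose configured DNS
servers fall outside an approved set. Added example, constructed data."""
import ipaddress

# Constructed allowlist: resolvers the organisation operates or approves.
APPROVED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/24"),       # internal recursive resolvers
    ipaddress.ip_network("2001:db8:53::/64"),  # documentation prefix standing in for IPv6 resolvers
]


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf-style text, skipping
    comments ('#' or ';'), blank lines and lines that are not valid IPs."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            servers.append(ipaddress.ip_address(parts[1]))
        except ValueError:  # malformed address: ignore rather than crash the scan
            continue
    return servers


def unapproved_resolvers(text, approved=APPROVED_RESOLVERS):
    """Addresses in the config that sit in none of the approved networks.
    (Address/network version mismatch is treated as 'not contained'.)"""
    return [str(a) for a in parse_resolv_conf(text)
            if not any(a in net for net in approved)]


def scan_hosts(snapshots, approved=APPROVED_RESOLVERS):
    """Map host -> rogue resolver list; hosts with a clean config are omitted."""
    return {host: bad for host, text in snapshots.items()
            if (bad := unapproved_resolvers(text, approved))}


# Constructed snapshots standing in for resolver configs collected per host.
SAMPLE_SNAPSHOTS = {
    "ws-01": "search corp.example\nnameserver 10.0.0.53\nnameserver 10.0.0.54\n",
    "ws-02": "nameserver 10.0.0.53\nnameserver 203.0.113.9   # not one of ours\n",
    "ws-03": "; stub config\nnameserver 2001:db8:53::1\nnameserver 198.51.100.77\n",
}

if __name__ == "__main__":
    for host, rogue in scan_hosts(SAMPLE_SNAPSHOTS).items():
        print(f"{host}: resolver(s) outside approved set: {', '.join(rogue)}")
```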