Steve Crocker, David Dagon, Dan Kaminsky, Danny McPherson, and Paul Vixie have authored a white paper warning that the DNS filtering requirements of the PROTECT IP Act would be ineffective in reducing piracy, but would harm the security of the internet.  “DNS filtering will be evaded through trivial and often automated changes through easily accessible and installed software plugins” such as MafiaaFire.  The likely circumvention techniques “will expose users to new potential security threats. These security risks will not be limited to individuals. Banks, credit card issuers, health care providers, and others who have particular interests in security protections for data also will be affected. At the same time, a migration away from U.S.-based and ISP-provided DNS will harm U.S. network operators’ ability to investigate and evaluate security threats.”

FULL PAPER:

Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill

EXECUTIVE SUMMARY

This paper describes technical problems raised by the DNS filtering requirements in S. 978, the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 (“PROTECT IP Act”). Its authors come from the technical, operational, academic, and research communities. We are leading domain name system (DNS) designers, operators, and researchers, who have created numerous “RFCs” (technical design documents) for DNS, published many peer-reviewed academic studies relating to architecture and security of the DNS, and operate important DNS infrastructure on the Internet.

The authors of this paper take no issue with strong enforcement of intellectual property rights generally. The DNS filtering requirements in the PROTECT IP Act, however, raise serious technical concerns, including:

  • The U.S. Government and private industry have identified Internet security and stability as a key part of a wider cyber security strategy, and if implemented, the DNS related provisions of PROTECT IP would weaken this important commitment.
  • DNS filters would be evaded easily, and would likely prove ineffective at reducing online infringement. Further, widespread circumvention would threaten the security and stability of the global DNS.
  • The DNS provisions would undermine the universality of domain names, which has been one of the key enablers of the innovation, economic growth, and improvements in communications and information access unleashed by the global Internet.
  • Migration away from ISP-provided DNS servers would harm efforts that rely on DNS data to detect and mitigate security threats and improve network performance.
  • Dependencies within the DNS would pose significant risk of collateral damage, with filtering of one domain potentially affecting users’ ability to reach non-infringing Internet content.
  • The site redirection envisioned in Section 3(d)(II)(A)(ii) is inconsistent with security extensions to the DNS that are known as DNSSEC. The U.S. Government and private industry have identified DNSSEC as a key part of a wider cyber security strategy, and many private, military, and governmental networks have invested in DNSSEC technologies.
  • If implemented, this section of the PROTECT IP Act would weaken this important effort to improve Internet security. It would enshrine and institutionalize the very network manipulation that DNSSEC must fight in order to prevent cyberattacks and other malevolent behavior on the global Internet, thereby exposing networks and users to increased security and privacy risks.
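To make the DNSSEC point in the last two bullets concrete: a validating resolver recomputes the signature over the answer it received and compares it with the RRSIG the zone published, so an intermediary that rewrites the answer produces something that fails validation exactly as a forged answer would. The following is an added illustration, not code from the white paper or its authors. The zone key, the blocklist entry "infringing.example", and the redirect address are constructed for the example, and an HMAC stands in for the asymmetric RSA/ECDSA signature real DNSSEC uses (the integrity property being shown is the same).

```python
import hmac
import hashlib

# Constructed stand-in for the zone's DNSSEC signing key. Real DNSSEC signs
# with an asymmetric key whose public half is published in a DNSKEY record;
# an HMAC key is used here only so the example runs on the standard library.
ZONE_SIGNING_KEY = b"constructed-example-zone-key"

# Constructed blocklist and redirect target (TEST-NET-1 documentation range).
BLOCKLIST = {"infringing.example"}
REDIRECT_IP = "192.0.2.99"


def canonical_rrset(name, rtype, rdata):
    """Simplified canonical form (after RFC 4034 section 6): owner name
    lowercased and fully qualified, records sorted, one per line.
    Signatures are computed over this form, never over the raw packet."""
    owner = name.rstrip(".").lower() + "."
    return "\n".join(sorted(f"{owner} IN {rtype} {r}" for r in rdata)).encode()


def sign_rrset(name, rtype, rdata, key=ZONE_SIGNING_KEY):
    """Produce an RRSIG-like tag over the canonical RRset."""
    return hmac.new(key, canonical_rrset(name, rtype, rdata), hashlib.sha256).hexdigest()


def validate(answer, key=ZONE_SIGNING_KEY):
    """What a validating resolver does: recompute over the RRset it actually
    received and compare with the RRSIG that came with it."""
    expected = sign_rrset(answer["name"], answer["rtype"], answer["rdata"], key)
    return "SECURE" if hmac.compare_digest(expected, answer["rrsig"]) else "BOGUS"


def authoritative_answer(name, rtype, rdata):
    """The answer as the zone operator publishes it, signed with the zone key."""
    return {"name": name, "rtype": rtype, "rdata": list(rdata),
            "rrsig": sign_rrset(name, rtype, rdata)}


def filtering_resolver(answer, blocklist=BLOCKLIST, redirect_ip=REDIRECT_IP):
    """Model of the site-redirection requirement: an ISP resolver rewrites the
    A record of a listed domain to point at a notice page. The ISP holds no
    zone key, so the original RRSIG is passed through unchanged."""
    if answer["name"].rstrip(".").lower() in blocklist:
        return {**answer, "rdata": [redirect_ip]}
    return answer


def resolve_through(name, rtype, rdata, redirect=True):
    """End to end: zone publishes, ISP resolver optionally redirects, the
    validating client checks. Returns (rdata the client saw, status)."""
    answer = authoritative_answer(name, rtype, rdata)
    if redirect:
        answer = filtering_resolver(answer)
    return answer["rdata"], validate(answer)


if __name__ == "__main__":
    for domain in ("www.example.com", "infringing.example"):
        print(domain, resolve_through(domain, "A", ["198.51.100.7"]))
```

The unlisted name validates as SECURE; the redirected one comes back BOGUS, which a validating resolver discards (the client gets SERVFAIL rather than the notice page). Note that a cache-poisoning forgery of the same record would fail in precisely the same way: the validator has no means to distinguish a court-ordered rewrite from an attack, and is designed not to.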

We believe the goals of PROTECT IP are important, and can be accomplished without reducing DNS security and stability through strategies such as the non-DNS remedies contained in PROTECT IP and international cooperation.