[dnssec-deployment] FYI: DNSSEC in a political hot situation

Peter Koch pk at DENIC.DE
Sat Apr 18 05:08:25 EDT 2009


Lutz,

On Fri, Apr 17, 2009 at 03:45:01PM +0000, Lutz Donnerhacke wrote:
> As you may have noticed or not, two major events happened in the last weeks in
> the German Internet:
> 
>  - The German government enforces contractual relationships with the major
>    ISPs to apply DNS manipulation to hide content. The first five contracts
>    were signed this morning.

[...]

Ed has already elaborated well, so just a few additional details:
You either run your own resolver/validator and bypass the ISP's DNS
infrastructure - then DNSSEC is no different from running your own
vanilla resolver (and that, by the way, is the basis of much of the criticism
against this "voluntary" agreement).
The other option is to completely rely upon the ISP infrastructure,
but then there's no difference between "enhanced" responses and "enhanced"
responses with AD bit set.  Only in the case where you run your own
validator behind the ISP's DNS infrastructure, you'll see a change:
you'd still be blocked from access since the validator will suppress
the "enhanced" response, but any "helpful guidance" will not work.
IOW: Blocking remains, redirection doesn't.
  
> I brought the domain wikileaks.de back (with a great help by DENIC and the
> involved DENIC member) and used the chance to add DNSSEC to the domain. Of
> course the well known DLVs know about the signing key.

Now you lost me completely.  While there is a relation between the information
provided under www.$domain and the "enhanced user experience" our beloved govt
is aiming at, there is no link to the DNS, ISP side blocking, or even DNSSEC.
It's on public record that the change of state of said domain was a deliberate
action by the registrar and neither a signed second level domain nor a
signed TLD would have made any difference here.

{Contact me offline for information on TRANSIT status.}

I really wish we could keep DNSSEC out of this debate, since obscure "use
cases" don't really help its deployment.

-Peter
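As an added illustration (not part of the thread, and not real DNSSEC wire format), a Go model of the three cases Peter describes: a zone signs its A record with an Ed25519 key that the client holds as a trust anchor, the ISP resolver rewrites the answer, a plain stub accepts the rewritten address, and a local validator rejects it so the application sees SERVFAIL. The names, addresses and the canonical RRset encoding are constructed simplifications.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Answer is a simplified DNS answer: one A record plus an RRSIG over the
// canonical RRset (owner name, type, rdata). RRSIG is nil when unsigned.
type Answer struct {
	Name, IP string
	RRSIG    []byte
}

// canonical builds the bytes the signature covers (constructed encoding,
// lower-cased owner name as in DNSSEC canonical form).
func canonical(name, ip string) []byte {
	return []byte(strings.ToLower(name) + "\x00A\x00" + ip)
}

// SignAnswer is what the signed zone publishes.
func SignAnswer(priv ed25519.PrivateKey, name, ip string) Answer {
	return Answer{Name: name, IP: ip, RRSIG: ed25519.Sign(priv, canonical(name, ip))}
}

// Rewrite models the ISP's "enhanced" response: the rdata now points at the
// stop page; the zone's signature cannot cover it, so it is simply absent.
func Rewrite(a Answer, stopPage string) Answer {
	return Answer{Name: a.Name, IP: stopPage}
}

// Resolve returns the address the client ends up using, or "" when the
// client validates and the answer is bogus (SERVFAIL to the application).
// trustAnchor is the zone's public key, configured locally or reached via
// a chain of trust / DLV.
func Resolve(a Answer, validate bool, trustAnchor ed25519.PublicKey) string {
	if !validate {
		return a.IP // stub resolver: takes what the ISP says, AD bit or not
	}
	if a.RRSIG == nil || !ed25519.Verify(trustAnchor, canonical(a.Name, a.IP), a.RRSIG) {
		return "" // bogus: suppressed, so blocking remains but no redirect
	}
	return a.IP
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := SignAnswer(priv, "www.example.de.", "192.0.2.10")
	enhanced := Rewrite(genuine, "198.51.100.1")
	fmt.Println("stub via ISP:      ", Resolve(enhanced, false, pub))
	fmt.Println("validator via ISP: ", Resolve(enhanced, true, pub))
	fmt.Println("validator, genuine:", Resolve(genuine, true, pub))
}
```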


