[Freedombox-discuss] Establishing Communication between Freedomboxes

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Jul 7 20:04:42 UTC 2011


On 07/07/2011 02:43 PM, Bjarni Rúnar Einarsson wrote:
> However, if 100 dissidents use 10000 different TLDs from 1000 different DNS
> providers,

FWIW, there are nowhere near 10000 TLDs; you're probably not actually
interested in TLDs directly, but rather in the labels variously
described as "effective TLDs" or the "public suffix list", which
currently has just over 4000 members, of which only about 260 are actual
TLDs:

 http://publicsuffix.org/

> shared with millions of legitimate users who would complain if
> things broke - then things become quite different.  All those high-profile
> choke-points you pointed out are recognized and well understood, and well
> defended as well.  They can be compromised, but it requires a powerful
> adversary and would be global, politically charged news the moment it
> happened. I suspect a great many countries would react quite badly if the
> root started directly interfering with country TLDs.  DNS is distributed in
> more ways than just the protocol.

You seem to be suggesting that powerful forces can't meddle directly in
DNS without it being a big deal.  Unfortunately, this is already
happening, and it turns out to be Business As Usual.  Please see the
latest news about domain name seizures by the US government, and various
legal actions against the DNS via registrars and registries, using tools
like the DMCA.

> By contrast, I am guessing (just guessing!) that the keyserver network could
> probably be DDOS'ed off the map by a moderately sized botnet.  And it would
> be gossip-section news, not the front page of the New York Times.  Boosting
> it to support the load of millions of FreedomBoxes' traffic, in addition to
> hardening it against malicious attacks is certainly possible, but I doubt
> it's trivial.

Yes, DDoS (or even non-distributed DoS) represents a legitimate concern
for the keyserver network.  Work directed toward shoring that up would
be very useful.

> But anyway, you just circled back on yourself and pointed out that the
> keyserver network itself relies on DNS anyway. :-)

Many people currently look up their keyserver's IP address through DNS.
They don't need to do so, though; it's not difficult to come up with
other access strategies.  There is no explicit dependency on DNS for the
current keyserver network.

	--dkg
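The distinction dkg draws above between actual TLDs and the much larger set of "effective TLDs" on the public suffix list is easy to see by parsing the list's own format. The following is an added example, not code from the message or from the FreedomBox project: a small parser for the Public Suffix List syntax (one rule per line, `//` comments, `*.` wildcards, `!` exceptions) that separates single-label TLDs from the full set of suffixes and computes the public suffix and registrable domain (eTLD+1) for a hostname. The rule set embedded below is a constructed sample in that syntax, not the real list, and the helper names are mine.

```python
"""Toy parser for the Public Suffix List format (https://publicsuffix.org/).

Added example, not code from the original message or from FreedomBox.
SAMPLE_PSL is a constructed handful of rules in PSL syntax, not the real list.
"""

from typing import Iterable, List, Optional, Tuple

# Constructed sample (assumption: real list has thousands of rules).
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
net
uk
co.uk
ac.uk
jp
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
// ===END PRIVATE DOMAINS===
"""


def parse_rules(text: str) -> List[str]:
    """Return rule strings, dropping comments, blanks and trailing notes."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        # The list format permits a trailing whitespace-separated comment.
        rules.append(line.split()[0].lower())
    return rules


def count_tlds_and_suffixes(rules: Iterable[str]) -> Tuple[int, int]:
    """Return (actual_tlds, all_effective_tlds).

    An actual TLD here is a single-label rule that is neither a wildcard
    nor an exception; every rule on the list is an effective TLD.
    """
    rules = list(rules)
    tlds = sum(1 for r in rules
               if "." not in r and not r.startswith(("*", "!")))
    return tlds, len(rules)


def public_suffix(domain: str, rules: Iterable[str]) -> str:
    """Longest matching public suffix, following the PSL matching rules:

    - an exception rule (!) wins and yields one label less than the rule;
    - otherwise the matching rule with the most labels wins;
    - with no match at all, the last label alone is the public suffix.
    """
    labels = domain.lower().rstrip(".").split(".")
    best: Optional[Tuple[int, bool]] = None  # (suffix label count, exception?)
    for rule in rules:
        exc = rule.startswith("!")
        rule_labels = (rule[1:] if exc else rule).split(".")
        if len(rule_labels) > len(labels):
            continue
        tail = labels[-len(rule_labels):]
        if all(a == b or a == "*" for a, b in zip(rule_labels, tail)):
            if exc:
                best = (len(rule_labels) - 1, True)
                break
            if best is None or len(rule_labels) > best[0]:
                best = (len(rule_labels), False)
    n = best[0] if best else 1
    return ".".join(labels[-n:])


def registrable_domain(domain: str, rules: Iterable[str]) -> Optional[str]:
    """Public suffix plus one label (eTLD+1); None if domain is itself a suffix."""
    rules = list(rules)
    suffix_len = len(public_suffix(domain, rules).split("."))
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


if __name__ == "__main__":
    rs = parse_rules(SAMPLE_PSL)
    print("actual TLDs / effective TLDs:", count_tlds_and_suffixes(rs))
    for host in ("www.example.co.uk", "foo.github.io", "www.ck", "bar.foo.ck"):
        print(host, "->", public_suffix(host, rs), registrable_domain(host, rs))
```

The wildcard and exception handling is where most home-grown "strip to the last two labels" logic goes wrong: under the sample rules, `foo.ck` is itself a public suffix, while `www.ck` is a registrable name because of the exception rule.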
