Contrary to the lede of this article, it's not impossible to merely question Vixie's credibility here†.
First, this is the same Paul Vixie who proposed and advocated for RPZ. RPZ is a distributed blacklisting scheme for the DNS. Unlike the the email spam RBL, RPZ works at the level of DNS, allowing "policy" to determine which lookups fail. So it seems that DNS filtering doesn't break the Internet when it's used to combat malware, but does break the Internet when it's used suppress piracy.
Second, however urgent the authors of this document want to make DNSSEC sound, the entire Internet functions without DNSSEC today. I can go on and on about how broken I think DNSSEC is, but I don't think I need to bother, because there's an even stronger argument as to how unnecessary it is. Put simply, the "secure Internet" was designed to assume that the DNS was untrustworthy. We built an entire parallel directory alongside the DNS to resolve that. To a large extent, that secure directory (the X509 SSL/TLS PKI) works whether or not the DNS is unsafe. To the extent that the DNS threatens TLS, those are fixable flaws in the TLS infrastructure (and many of those flaws are policy issues in TLS, and the majority of the balance of those flaws are UX issues stemming from the fact that we haven't refined the UI for TLS since it was introduced by Netscape).
Breaking DNSSEC does not break the Internet. Proof: go do a Google search for your bank, click through it, log in, and check your balance. Let me know if any DNSSEC happens along the way.
Tying this back to Paul Vixie: Vixie is the Internet's foremost advocate for DNSSEC. It's unfair but not totally unreasonable to suggest that Vixie resisted the randomization fixes to BIND that Djbdns adopted because he preferred DNSSEC as the solution to that problem; as a result, BIND's DNS cache was vulnerable for almost a decade while Djbdns wasn't.††
Next, as smart as Danny McPhereson may be, I think it's far from proven that DNSSEC can't coexist with fiat third-party filtering. In the DNSSEC implementation originally envisaged by the working group's current iteration of the protocol, end systems don't even run DNSSEC; they run stub resolvers that talk to cache servers that run the whole protocol. Those cache servers could have lookaside rules for a policy zone without breaking the security model for DNSSEC.
Finally, because the reality is that virtually nobody speaks DNSSEC today, it may suffice for PROTECT IP's goals to filter only insecure DNS. The sponsors of PROTECT IP could just easily say, "uh, of course we don't mean DNSSEC is illegal; we'll deal with DNSSEC another day, but for now, we're suppressing websites, not trying to destroy them, and we're content to have our intervention only impact DNS users".
I'm not a believer in PROTECT IP, I just think this argument is fragile.
For whatever it's worth, I think all 5 of the authors of this report are advocating in good faith what they think is best for the Internet. And I do buy the argument that fiat third-party filtering is bad for the Internet. I just don't think "it breaks DNSSEC" is the most compelling or intellectually honest argument. I think the honest argument is, "because we don't think any one authority will be an adequate steward of the Internet".
† I'm choosing my words carefully; the answer to the question might still be "he's totally credible".
†† Again this is a drastically unfair summary of an issue that could possibly reworded in a way that would refute my point, which is that Vixie's going to tend to err on the side of whatever makes DNSSEC easier to deploy.
First, this is the same Paul Vixie who proposed and advocated for RPZ. RPZ is a distributed blacklisting scheme for the DNS. Unlike the the email spam RBL, RPZ works at the level of DNS, allowing "policy" to determine which lookups fail. So it seems that DNS filtering doesn't break the Internet when it's used to combat malware, but does break the Internet when it's used suppress piracy.
Second, however urgent the authors of this document want to make DNSSEC sound, the entire Internet functions without DNSSEC today. I can go on and on about how broken I think DNSSEC is, but I don't think I need to bother, because there's an even stronger argument as to how unnecessary it is. Put simply, the "secure Internet" was designed to assume that the DNS was untrustworthy. We built an entire parallel directory alongside the DNS to resolve that. To a large extent, that secure directory (the X509 SSL/TLS PKI) works whether or not the DNS is unsafe. To the extent that the DNS threatens TLS, those are fixable flaws in the TLS infrastructure (and many of those flaws are policy issues in TLS, and the majority of the balance of those flaws are UX issues stemming from the fact that we haven't refined the UI for TLS since it was introduced by Netscape).
Breaking DNSSEC does not break the Internet. Proof: go do a Google search for your bank, click through it, log in, and check your balance. Let me know if any DNSSEC happens along the way.
Tying this back to Paul Vixie: Vixie is the Internet's foremost advocate for DNSSEC. It's unfair but not totally unreasonable to suggest that Vixie resisted the randomization fixes to BIND that Djbdns adopted because he preferred DNSSEC as the solution to that problem; as a result, BIND's DNS cache was vulnerable for almost a decade while Djbdns wasn't.††
Next, as smart as Danny McPhereson may be, I think it's far from proven that DNSSEC can't coexist with fiat third-party filtering. In the DNSSEC implementation originally envisaged by the working group's current iteration of the protocol, end systems don't even run DNSSEC; they run stub resolvers that talk to cache servers that run the whole protocol. Those cache servers could have lookaside rules for a policy zone without breaking the security model for DNSSEC.
Finally, because the reality is that virtually nobody speaks DNSSEC today, it may suffice for PROTECT IP's goals to filter only insecure DNS. The sponsors of PROTECT IP could just easily say, "uh, of course we don't mean DNSSEC is illegal; we'll deal with DNSSEC another day, but for now, we're suppressing websites, not trying to destroy them, and we're content to have our intervention only impact DNS users".
I'm not a believer in PROTECT IP, I just think this argument is fragile.
For whatever it's worth, I think all 5 of the authors of this report are advocating in good faith what they think is best for the Internet. And I do buy the argument that fiat third-party filtering is bad for the Internet. I just don't think "it breaks DNSSEC" is the most compelling or intellectually honest argument. I think the honest argument is, "because we don't think any one authority will be an adequate steward of the Internet".
† I'm choosing my words carefully; the answer to the question might still be "he's totally credible".
†† Again this is a drastically unfair summary of an issue that could possibly reworded in a way that would refute my point, which is that Vixie's going to tend to err on the side of whatever makes DNSSEC easier to deploy.