Refusing to answer for policy reasons

A number of passionate opinion pieces have been written recently charging proponents of copyright enforcement measures with changing the way the Internet works without bothering to understand it.  It’s easy to make such charges stick in Washington when they’re made by engineers with Internet pedigrees, but they’re fundamentally unsound in light of the current state of the bills.

The Internet is not only a platform for socially beneficial innovations, it’s also a boon to those bent on anti-social, criminal pursuits. The group who commented on S. 968 (PIPA) and H.R. 3261 (SOPA) on this blog admit as much, and one of them has devoted considerable effort to ensure that Internet Service Providers (ISPs) possess the means to hide criminal web sites from their customers. This system, known as “Response Policy Zones” (RPZ), was the inspiration for the Domain Name Service (DNS) response filtering in PIPA and SOPA.

The engineers argue there’s a fundamental difference between their use of Response Policy and the use proposed by Congress, asserting a different alignment of interests between Internet users willing to pay to download movies or to obtain drugs and those users who simply wish to be protected from computer viruses. Given the health impact of fake pharmaceuticals, the interests are much more closely aligned than they think.

The engineers are also concerned about possible effects of mandated Response Policy on the deployment of a relatively new system of protecting Internet domain names from attack, Secure DNS. This concern is somewhat understandable as the measures are currently less than clear on the details for hiding criminal domains. In some scenarios such a mandate could be troublesome, and it’s currently a poorly solved problem in the popular “BIND” DNS server. The best answer is found in the design specification for DNS itself, Internet RFC 1035.

Software interacts with Internet-based services through questions and answers. When a user wants to visit a web site such as “,” the web browser asks the DNS server for an Internet Protocol address in much the same way that we ask 411 operators for phone numbers. The operator typically provides the number, but may also tell the caller that the number is unlisted.

The inventor of DNS, Paul Mockapetris, provided it with the ability to respond to questions with five different answers, ranging from “here’s the information” and “I don’t understand the question,” to the one we’re interested in: “I refuse to answer for policy reasons.”

The first draft of SOPA asked DNS to “lie” to users about the location of blacklisted sites by “redirecting” them to a government web site, but the amended version doesn’t. DNS servers can now respond with an affirmative and truthful refusal to answer. Doing so is perfectly consistent with the design of traditional DNS and doesn’t conflict with Secure DNS.

The fact that DNS has been designed to respond to some queries this way from the very beginning may explain why the inventors of DNS and Secure DNS have refrained from signing letters of opposition to SOPA.

The design of DNS doesn’t currently allow the server to communicate the exact nature of its policy reasons for refusing to answer. If more clarity is needed, it’s possible to request additional response codes from the Internet Assigned Numbers Authority (IANA) that narrow the reason down to “government authority” in the case of SOPA or “local policy” in the case of RPZ. This would improve the current RPZ mechanism, which actually does “lie” to the user by claiming that the banned domain does not exist, but it’s not essential.
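To make the distinction above concrete, here is an added example (not code from the article, BIND, or RPZ) that builds and parses RFC 1035 messages by hand. It shows the 4-bit RCODE field in the header, where RCODE 5 (REFUSED, "I refuse to answer for policy reasons") lives next to RCODE 3 (NXDOMAIN, "that name does not exist"), and a toy policy resolver that can answer a blocked name either honestly with REFUSED or with the NXDOMAIN rewrite the article attributes to RPZ. The domain names, the address 192.0.2.10 and the blocklist are constructed for illustration. The RCODE field has no room for a reason, which is exactly the gap the paragraph above describes.

```python
"""Minimal RFC 1035 message builder/parser illustrating RCODE handling.

Added example; names, addresses and the blocklist are constructed.
"""
import struct
from enum import IntEnum


class RCode(IntEnum):
    """RFC 1035 section 4.1.1 response codes (low 4 bits of the flags word)."""
    NOERROR = 0    # "here's the information"
    FORMERR = 1    # "I don't understand the question"
    SERVFAIL = 2
    NXDOMAIN = 3   # "that name does not exist"
    NOTIMP = 4
    REFUSED = 5    # "I refuse to answer for policy reasons"


# Header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (all 16-bit, network order)
HEADER = struct.Struct("!HHHHHH")


def encode_name(name):
    """Encode "www.example" as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed name at offset; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(qid, name, qtype=1, qclass=1):
    """Standard query: QR=0, RD=1 (flags 0x0100), one question, no other sections."""
    return HEADER.pack(qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Pull the fields a client looks at first: ID, QR bit, RCODE and section counts."""
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    rc = flags & 0xF
    return {"id": qid, "qr": (flags >> 15) & 1,
            "rcode": RCode(rc) if rc <= 5 else rc,  # 6..15 were unassigned in RFC 1035
            "qdcount": qd, "ancount": an}


def build_response(query, rcode, answer_ip=None):
    """Echo the query's ID and question; set QR=1, copy RD, set RA=1 and the RCODE."""
    qid, qflags, *_ = HEADER.unpack_from(query, 0)
    _, qend = decode_name(query, HEADER.size)
    question = query[HEADER.size:qend + 4]          # QNAME + QTYPE + QCLASS
    flags = 0x8000 | (qflags & 0x0100) | 0x0080 | int(rcode)
    answer = b""
    if answer_ip is not None:
        # One A record: pointer 0xC00C to the QNAME at offset 12, TYPE A, CLASS IN,
        # TTL 300, RDLENGTH 4, then the four address octets.
        answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in answer_ip.split("."))
    return HEADER.pack(qid, flags, 1, 1 if answer else 0, 0, 0) + question + answer


# Constructed policy data (RFC 5737 documentation address, .example names).
BLOCKLIST = {"malware.example"}
ZONE_DATA = {"www.example": "192.0.2.10"}


def answer_query(query, lie=False):
    """Apply a response policy: refuse blocked names with REFUSED, or, when lie=True,
    claim they do not exist (the NXDOMAIN rewrite the article attributes to RPZ)."""
    qname, _ = decode_name(query, HEADER.size)
    if qname in BLOCKLIST:
        return build_response(query, RCode.NXDOMAIN if lie else RCode.REFUSED)
    if qname in ZONE_DATA:
        return build_response(query, RCode.NOERROR, ZONE_DATA[qname])
    return build_response(query, RCode.NXDOMAIN)


def classify(response):
    """What a client can conclude from the RCODE alone; note REFUSED carries no reason."""
    rcode = parse_header(response)["rcode"]
    return {RCode.NOERROR: "answered", RCode.NXDOMAIN: "name does not exist",
            RCode.REFUSED: "refused for policy reasons"}.get(rcode, "other")


if __name__ == "__main__":
    for name in ("www.example", "malware.example", "nope.example"):
        q = build_query(0x1234, name)
        print(name, "->", classify(answer_query(q)), "| with lie:", classify(answer_query(q, lie=True)))
```

The two policy modes differ in what they assert. NXDOMAIN is a statement about the name, and under Secure DNS a signed zone proves non-existence with authenticated denial records that a filtering resolver cannot forge, so a validating client would reject the rewrite. REFUSED asserts nothing about the name, only that this server declines to answer, which is why the article can call it a truthful refusal that does not conflict with Secure DNS.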
Not everyone likes the idea of using technical measures to reduce the incidence of crime on the Internet; Response Policy and anti-spam measures have drawn considerable fire from Internet traditionalists and ardent free speech mavens (see the comments on Paul Vixie’s blog post on RPZ). But it’s unreasonable to claim that these measures are the products of “Internet ignorance” simply because Congress is not over-stocked with members who can describe Secure DNS in exacting detail; they’re consistent with the long-standing design of DNS.

It seems that SOPA’s technical critics may have forgotten a detail or two about this part of the Internet themselves.

Richard Bennett is a Senior Research Fellow with the Information Technology & Innovation Foundation and network engineer with four issued patents to his credit.