DNSSEC prevents spoofing (as does HTTPS), but that's about all it does that's relevant to SOPA. This may prevent a particular mechanism of SOPA enforcement, but that's easy enough for the government to work around, in theory.
Exactly. If an ISP simply returns an error for lookups of a blacklisted domain, DNSSEC shouldn't complain; it will just think there's a DNS outage.
Since no one has read it, here's the relevant text: "A service provider shall take technically feasible and reasonable measures designed to prevent access by its subscribers located within the United States to the foreign infringing site (or portion thereof) that is subject to the order, including measures designed to prevent the domain name of the foreign infringing site (or portion thereof) from resolving to that domain name's Internet Protocol address." (I wonder if I am now cursed.)
Right, I don't know how most DNS client implementations handle time-outs but this could range from not mattering at all to degrading the performance of everything - imagine if Twitter was taken down, then half the world's websites (I'm exaggerating a bit) that reference Twitter buttons would grind to a standstill (try browsing things like TechCrunch in China and you'll see this).
If ISPs wanted to avoid this scenario, it would essentially require fracturing DNS[SEC] into something the US Govt has the authority to sign properly without affecting the rest of the world - in other words a completely divided national internet.
Or we could just all switch to using DNSSEC servers on the Barbados Islands or something in the future.
I'm not talking about timeouts; I'm talking about immediately returning an error (apparently DNSSEC will break if you return NXDOMAIN, but there are other error codes). If browsers retry or hang after getting a DNS error, I guess they'll have to be fixed.
How do you mean 'break'? As I understand it, NXDOMAIN also has to be signed with a trust chain back to a root authority. I guess what I don't know enough to answer is if there are other equally sufficient error codes that don't require a trust chain (which would be surprising because allowing any non-trusted responses would seem to defeat the entire purpose of a non-tamperable DNS service).
It doesn't matter if the NXDOMAIN is forged or not (or whether forgery is detected or not). It's not like you can unforge and extract the original IP from such a response. Your browser can flash all the red warning lights it wants, you're not going to connect to the naughty site. DNSSEC does absolutely nothing to impede DNS blacklisting.
That's never been the issue. When people claim that "SOPA breaks DNSSEC" (note they don't say the reverse) they mean that a SOPA blockage looks the same as a MITM attack from the client's perspective. As I've explained earlier, ISPs can choose to make it look like a DNS server outage instead of an MITM; this might produce fewer misleading errors in the browser. SOPA works fine as written, it just makes DNS debugging harder. "Users running secure applications have a need to distinguish between policy-based failures and failures caused, for example, by the presence of an attack or a hostile network, or else downgrade attacks would likely be prolific." http://www.circleid.com/pdf/PROTECT-IP-Technical-Whitepaper-...
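Added example, written for this page and not taken from any commenter or from any resolver's source: a simplified model of the validating-resolver logic the thread is arguing about. It shows why a signed NXDOMAIN needs an NSEC record (with a valid RRSIG) whose canonical-order span covers the queried name, why an NXDOMAIN injected without such a proof is classified as bogus (the same state a tampered response gets), and why a plain SERVFAIL is just an unresolved failure. Everything is constructed: RRSIG verification is replaced by a boolean per record, zone names like `example.test.` are made up, and NSEC3 as well as the wildcard and closest-encloser proofs of RFC 4035/5155 are omitted.

```python
"""Simplified DNSSEC validator decision logic (RFC 4033 security states).

Constructed teaching example: RRSIG verification is replaced by a boolean
on each record, zones are identified by name only, and NSEC3 as well as
the wildcard / closest-encloser proofs are left out. It exists to show
how a validating resolver classifies NXDOMAIN answers and what a stub
resolver behind it ends up seeing.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 section 6.1 canonical DNS name ordering:
    labels are compared right to left as lowercase byte strings, and a
    name that is a proper suffix of another sorts first."""
    stripped = name.strip(".").lower()
    if not stripped:
        return ()  # the root name
    return tuple(reversed([lbl.encode() for lbl in stripped.split(".")]))


@dataclass
class NSEC:
    owner: str          # name that owns the NSEC record
    next_name: str      # next name in the zone's canonical order
    rrsig_valid: bool   # stands in for verifying the record's RRSIG


@dataclass
class Response:
    qname: str
    rcode: str                                  # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    zone: str                                   # zone the answer claims to come from
    zone_signed: bool = True                    # False models an insecure delegation
    answer_rrsig_valid: Optional[bool] = None   # only meaningful for NOERROR answers
    nsec: List[NSEC] = field(default_factory=list)


def nsec_covers(rec: NSEC, qname: str, zone: str) -> bool:
    """True if this NSEC proves that qname does not exist: the name falls
    strictly between owner and next, or after owner when the record is the
    last one in the zone and its next name wraps around to the apex."""
    owner, nxt, q = canonical_key(rec.owner), canonical_key(rec.next_name), canonical_key(qname)
    if nxt == canonical_key(zone):
        return owner < q
    return owner < q < nxt


def classify(resp: Response) -> str:
    """Map a response to an RFC 4033 state: SECURE, INSECURE, BOGUS or
    INDETERMINATE (used here for SERVFAIL, which a validator treats as
    a failure to obtain an answer rather than as evidence of anything)."""
    if resp.rcode == "SERVFAIL":
        return "INDETERMINATE"
    if not resp.zone_signed:
        return "INSECURE"
    if resp.rcode == "NOERROR":
        return "SECURE" if resp.answer_rrsig_valid else "BOGUS"
    if resp.rcode == "NXDOMAIN":
        # A signed denial needs at least one validly signed NSEC covering
        # the name; an NXDOMAIN without that proof is what a forged or
        # policy-injected response looks like to the validator.
        proven = any(r.rrsig_valid and nsec_covers(r, resp.qname, resp.zone) for r in resp.nsec)
        return "SECURE" if proven else "BOGUS"
    return "BOGUS"


def stub_sees(resp: Response) -> str:
    """What a non-validating stub behind a validating resolver receives:
    bogus data is withheld and reported as SERVFAIL (RFC 4035 section 5.5)."""
    if classify(resp) in ("BOGUS", "INDETERMINATE"):
        return "SERVFAIL"
    return resp.rcode


def scenarios() -> dict:
    """Constructed responses for the made-up signed zone example.test."""
    zone = "example.test."
    return {
        # genuine absence, proven by a signed NSEC whose span covers the name
        "signed_nxdomain": Response("nope.example.test.", "NXDOMAIN", zone,
                                    nsec=[NSEC("m.example.test.", "z.example.test.", True)]),
        # an NSEC whose span does not include the name proves nothing
        "wrong_nsec": Response("nope.example.test.", "NXDOMAIN", zone,
                               nsec=[NSEC("p.example.test.", "z.example.test.", True)]),
        # the last NSEC in the zone wraps to the apex and covers names after it
        "wraparound": Response("zz.example.test.", "NXDOMAIN", zone,
                               nsec=[NSEC("z.example.test.", zone, True)]),
        # NXDOMAIN handed back by a resolver with no NSEC proof at all
        "unsigned_nxdomain": Response("blocked.example.test.", "NXDOMAIN", zone),
        # the resolver answers SERVFAIL instead: looks like an outage, not tampering
        "servfail": Response("blocked.example.test.", "SERVFAIL", zone),
    }


if __name__ == "__main__":
    for name, resp in scenarios().items():
        print(f"{name:18} validator={classify(resp):14} stub sees {stub_sees(resp)}")
```

Running it prints the two columns side by side: the validator distinguishes a proven NXDOMAIN from an unproven one, but the stub behind it receives SERVFAIL in both the "unsigned_nxdomain" and "servfail" cases, which is the "looks like a MITM versus looks like an outage" distinction the last comment draws, and it is the validating resolver's logs, not the client, that hold the difference.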