idea about forging dns data

Sami Kerola kerolasa at rotta.media.sonera.net
Wed Aug 31 13:15:46 UTC 2005


Hello,

I am a hostmaster, and a while ago a co-worker asked whether it is 
possible to lie about 2000-3000 names in a resolver. His noble cause 
was kiddie porn sites, which should resolve to some other IP than the 
real site where the immoral material exists.

The first idea was to declare the zone as a master on the resolver and 
make it empty. Unfortunately all other hosts in the same domain will 
stop working. This "solution" is also quite hard to keep clear because 
of the many, many zone files.

Second, I thought of a zone transfer from a root server and putting bad 
names into the root file, where they'd be served. But that does not 
work, because names in the root file are not authoritative and the 
resolver will look for the data from the authoritative server.

The third and last idea I came up with was cache poisoning. If there 
were some deterministic way to poison our own resolvers, then 
every single record could be a forgery. This "forgery" zone could 
even have a master server, and there could be many sources of forgery 
records, so that one blocks kiddie porn, one blocks hoax web pages, 
etc. As far as I know, current BIND does not have this kind of feature, 
but how hard could developing it be? If this feature is 
possible, does anyone else see anything good in this, maybe so much 
good that this feature will be developed?

Before everyone starts to shout about politics etc., please read 
the chapter below.

I am fully aware that all the ideas above break DNS. I also 
acknowledge that a data forgery zone is a perfect tool for internet 
censorship and has a negative impact on freedom of speech. Putting 
nonsense into the resolver cache might also cause mystical failures for 
everyone who uses the resolver.

-- 
    Sami Kerola
    http://personal.inet.fi/atk/kerolasa/
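
An added example (not from Sami's post, and not BIND's own code) of the first approach above: each listed name becomes its own tiny master zone on the resolver, kept as narrow as the list allows so that sibling hosts in the same domain keep resolving through the real servers, and all zones share one zone file so the "many, many zone files" problem goes away. The sinkhole address 192.0.2.1, the file name sinkhole.zone and the sample name list are assumptions.

```python
import re

SINKHOLE_IP = "192.0.2.1"    # assumed: RFC 5737 documentation address
ZONE_FILE = "sinkhole.zone"  # assumed: one zone file shared by every zone

# Constructed sample list; mixed case and a trailing dot on purpose.
SAMPLE_NAMES = ["www.badsite.example", "Badsite.example.",
                "ftp.badsite.example", "shop.other.example"]

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case, strip the trailing dot, reject names BIND would not load."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        raise ValueError("invalid hostname: %r" % name)
    return name


def minimal_zones(names):
    """Keep each zone as narrow as the list allows.

    A zone statement makes the resolver authoritative for the name and
    everything below it (the side effect the post warns about), so names
    are only dropped when a listed parent already covers them, never widened.
    """
    wanted = sorted({normalize(n) for n in names}, key=lambda n: n.count("."))
    kept = []
    for n in wanted:  # parents come first, so descendants get dropped
        if not any(n == p or n.endswith("." + p) for p in kept):
            kept.append(n)
    return sorted(kept)


def render_named_conf(names):
    """One named.conf 'zone' statement per name, all pointing at ZONE_FILE."""
    stmts = ['zone "%s" {\n    type master;\n    file "%s";\n};' % (n, ZONE_FILE)
             for n in minimal_zones(names)]
    return "\n".join(stmts) + "\n"


def render_zone_file(serial=1):
    """'@' is the apex of whichever zone loads the file, so one file fits all."""
    return ("$TTL 3600\n"
            "@ IN SOA localhost. hostmaster.localhost. (%d 3600 900 604800 3600)\n"
            "@ IN NS localhost.\n"
            "@ IN A %s\n"
            "* IN A %s\n" % (serial, SINKHOLE_IP, SINKHOLE_IP))
```

Names under a declared zone (the wildcard covers them) answer with the sinkhole address for A queries only; other record types for those names simply disappear, which is the breakage the post describes.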
