Hank Nussbacher wrote on 08/11/2021 05:12:
Does anyone have further insight into the European initiative known as DNS4EU?
seems to be a dns resolver service.
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021JC0014&rid=3
Not sure what value this will bring to humanity. Nick
On Mon, Nov 08, 2021 at 07:12:38AM +0200, Hank Nussbacher <hank@efes.iucc.ac.il> wrote a message of 34 lines which said:
Does anyone have further insight into the European initiative known as DNS4EU?
There is very little actual information published on this project. According to some rumors, it would be a public DNS resolver, with built-in censorship (for the laws of 27 countries). dns4eu.eu has been registered by DG Connect <https://en.wikipedia.org/wiki/Directorate-General_for_Communications_Networks,_Content_and_Technology>
Hi Hank, all,
I don’t have a lot that I can add to what Nick and Stephane have already posted. But I will note that the European Commission has scheduled one of the regular meetings of its High Level Group on Internet Governance (HLIG) for this Wednesday; portions of those meeting agendas are generally open to industry stakeholders, and Wednesday’s agenda includes an update on DNS4EU.
The information page for the HLIG is here: https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupId=2450&fromMeetings=true&meetingId=23922
It’s not clear whether registration for the meeting is still open at this point, but minutes are published publicly, and the RIPE NCC can report back to this working group if there are any updates of note.
Best regards, Chris
Please do, Chris. Thanks! On 08.11.2021 14:54, Chris Buckridge wrote:
[...], but minutes are published publicly, and the RIPE NCC can report back to this working group if there are any updates of note.
Hi Hank, all, A number of us from the RIPE NCC (and others from the RIPE community) were in yesterday’s HLIG meeting. There was a presentation on DNS4EU, and I’m trying to track down those slides and whether they’ll be made public - at this point, there’s nothing on the site, but we’ll certainly share any slides (or a public report on the meeting) when they become available. The significant output was that the Commission expects to have a public Call for Proposals around the end of this year, as part of Connecting Europe Facility (CEF 2) programme, for an EU-governed public DNS resolver service. Obviously the CfP will contain more detail when it is made public. This is also in line with the Commission’s statement back in June 2021 in section 1.6 of this document: https://data.consilium.europa.eu/doc/document/ST-10137-2021-ADD-1/en/pdf In the meantime, others may be able to share insights, and we will share links to public documents from yesterday’s session as we obtain them. Cheers Chris
On 11 Nov 2021, at 07:29, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
On 08/11/2021 15:54, Chris Buckridge wrote:
Anyone here attend yesterday's HLIG meeting and can share a presentation or meeting notes?
Thanks, Hank
Hi Hank, all,
Apologies for the delay here - was hoping to have some more substantial information, but in the absence of that, our colleagues at the European Commission have been able to share the content of the four slides that they delivered at last month’s HLIG meeting.
The slides were as follows:
1. DNS Resolution Markets: Problems
* Consolidation (+DoH)
* Incidents affecting large DNS resolvers
* Data Protection Rights
* Prevention of Cyberattacks; Virus; Malware
2. DNS4EU: Concept
* DNS4EU is conceived as an alternative to existing DNS resolution services, increasing overall internet resilience, and offering European citizens and private and public organizations the capacity to access the web with a high-quality and free service, based in the EU, that guarantees data protection according to EU rules and increases the protection from malware, phishing and cyberattacks.
3. DNS4EU: Characteristics
* Have a large footprint within the EU, enabling paid premium services such as specific performance and security criteria for vertical sectors (health, transport, industry, finance, etc.) or enhanced security (filtering, 24x7 support) for companies.
* Be fully transparent and compliant with the GDPR.
* Offer state-of-the-art, ad-hoc DNS filtering against phishing or malware based on existing global threat feeds and own feeds.
* Conform to the latest security and privacy technological standards, including DoH.
* Develop wholesale discovery and resolution services for other digital service providers, including ISPs and Cloud service providers.
4. DNS4EU: Next Steps
* Pending confirmation: Connecting Europe Facility (CEF2) – European Cloud
* Federation Initiative
* 50% of the initial infrastructure investment
* Expected publication of the call: End of 2021
* Conform to the latest security and privacy technological standards, including DoH.
* Federated Structure: High-quality consortiums, potentially including vertical industries, to best increase the footprint and customer base of DNS4EU in the EU, reduce costs through shared resources, operations and cyber security feeds, and ensure the long-term sustainability of DNS4EU
——
The Commission staff have also expressed their interest in any feedback from this working group that might help “fine tune the proposal” (I believe the discussion here has already provided some relevant insights). However, at this point, the next step is likely to be publication of the call for proposals, as referenced in the fourth slide above.
Cheers Chris
On 15 Dec 2021, at 11:30, Chris Buckridge <chrisb@ripe.net> wrote:
Apologies for the delay here - was hoping to have some more substantial information, but in the absence of that, our colleagues at the European Commission have been able to share the content of the four slides that they delivered at last month’s HLIG meeting.
Many thanks for this Chris.
Thanks, Chris! On 15.12.2021 12:30, Chris Buckridge wrote:
Hi Hank, all,
Apologies for the delay here - was hoping to have some more substantial information, but in the absence of that, our colleagues at the European Commission have been able to share the content of the four slides that they delivered at last month’s HLIG meeting.
[...]
Cheers Chris
Thank you Chris.
offering European citizens and private and public organizations the capacity to access the web with a high-quality and free service
I was wondering: Why does the EC believe that the resolvers users currently rely on (e.g. provided by their ISP) provide “low-quality”? Are there any studies about this? — Moritz
On Thu, Dec 16, 2021 at 08:59:42AM +0100, Moritz Müller via dns-wg <dns-wg@ripe.net> wrote a message of 179 lines which said:
I was wondering: Why does the EC believe that the resolvers users currently rely on (e.g. provided by their ISP) provide “low-quality”? Are there any studies about this?
One possible response is that the people who write these statements don't know what they are talking about. But of course, I cannot believe that. So, another possible response: in Brussels, they see that some users move away from the IAP resolver to a public resolver, so there is probably a reason for that. (Unfortunately, DNS4EU may not address this reason.)
On 16 Dec 2021, at 10:10, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
On 16/12/2021 10:07, Stephane Bortzmeyer wrote:
On Thu, Dec 16, 2021 at 08:59:42AM +0100, Moritz Müller via dns-wg <dns-wg@ripe.net> wrote a message of 179 lines which said:
I was wondering: Why does the EC believe that the resolvers users currently rely on (e.g. provided by their ISP) provide “low-quality”? Are there any studies about this?
One possible response is that the people who write these statements don't know what they are talking about. But of course, I cannot believe that. So, another possible response: in Brussels, they see that some users move away from the IAP resolver to a public resolver, so there is probably a reason for that. (Unfortunately, DNS4EU may not address this reason.)
Or simply some politician traveled to Canada and said to his aide "Why can't we do that as well?" https://www.cira.ca/cybersecurity-services/canadian-shield
My sense is that discussions around DoH in recent years have given new prominence to this particular element in the DNS*, and as Hank notes, newly interested policymakers don’t have to look far to find examples of other, more state-defined/endorsed approaches. But the expected CfP may provide some more clarity on exactly how the Commission sees this evolving. Chris * The ongoing Quad9 legal developments in Germany may have also kept the issue front of mind… https://www.quad9.net/news/press/german-court-rules-against/
Hi Chris (and everybody), On Thursday, 16.12.2021 at 10:38 +0100, Chris Buckridge wrote:
* The ongoing Quad9 legal developments in Germany may have also kept the issue front of mind… https://www.quad9.net/news/press/german-court-rules-against/
And this particular court - the 'Landgericht Hamburg' - is known for its strange sentences regarding issues in the 'IT world'. Apart from that, I share the opinion that politicians actually don't know what DNS is all about. To make them understand better, one could use the 'S' method from SCAMPER: Substitute DNS with roads and traffic. Let's see: "3. DNS4EU: Characteristics * Have a large footprint within the EU, enabling paid premium services such as specific performance and security criteria for vertical sectors (health, transport, industry, finance, etc.) or enhanced security (filtering, 24x7 support) for companies." becomes: "* Have a large footprint within the EU. Providing tollways for high speed and road tunnels for vertical sectors ( ... ) or enhanced traffic control by policeman checking driver's license and vehicle conditions on a 24x7 base for particular destinations." And this should be covered by the GDPR? Lol. Best regards. --eh. -- Dr. Erwin Hoffmann | www.fehcom.de
On 16 Dec 2021, at 8:10 pm, Hank Nussbacher <hank@efes.iucc.ac.il> wrote:
Or simply some politician traveled to Canada and said to his aide "Why can't we do that as well?" https://www.cira.ca/cybersecurity-services/canadian-shield
most public sector work is derivative. Geoff
On 16 Dec 2021, at 8:07, Stephane Bortzmeyer wrote:
So, another possible response: in Brussels, they see that some users move away from the IAP resolver to a public resolver,
or (as may be seen in the suburbs of Dublin) a (locally) significant ISP configures their CPE devices to use 8.8.8.8 and its siblings. Now, if only there were an established public resolver operator, based in the EEA, who would be minded to respond to the CfP ... /Niall
On 16 Dec 2021, at 7:07 pm, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Thu, Dec 16, 2021 at 08:59:42AM +0100, Moritz Müller via dns-wg <dns-wg@ripe.net> wrote a message of 179 lines which said:
I was wondering: Why does the EC believe that the resolvers users currently rely on (e.g. provided by their ISP) provide “low-quality”? Are there any studies about this?
One possible response is that the people who write these statements don't know what they are talking about. But of course, I cannot believe that. So, another possible response: in Brussels, they see that some users move away from the IAP resolver to a public resolver, so there is probably a reason for that. (Unfortunately, DNS4EU may not address this reason.)
DNS resolution is, economically speaking, a wasteland - users don't pay for queries so the infrastructure that handles queries is bundled up with other services, which is what your ISP does. But users don't generally decide on an ISP based on the quality of that ISP’s DNS so the DNS department is part of the cost part of the business, not a revenue generator, so it gets little attention. Some ISPs have attempted to change this by monetising queries (selling the query logs) or changing responses (NXDOMAIN substitution) but such efforts have been generally regarded with extreme disfavor. So the DNS resolution environment limps along. There is however one party who feels that it has a legitimate business interest in an “honest” DNS, and that party is of course Google. NXDOMAIN substitution is a direct competitor to Google’s search services, and their search services are a key component of their core revenue. So for precisely the same reason why Google pay other folk money to make Google the default search engine on their platforms, spending money to create a blazing fast and accurate and honest DNS resolver is, for Google, money well spent. The problem for everyone else is the incursion of a US private entity into the heart of the Internet’s name resolution infrastructure. Over the past 16 months the number of EU users who pass queries to Google’s Public DNS has risen from a little over 15% to touching 30% - i.e. its market share in Europe has doubled in a little over one year! (https://stats.labs.apnic.net/rvrs/XE?hc=XE&hl=1&hs=0&ht=10&w=1&t=10&s=1) If you are working in the EC and you see yet another piece of the Internet’s digital communications infrastructure (and in the case of the DNS a very important and highly informative piece if you were to peek at the data stream) being aggregated and centralized by a gigantic US entity, then wouldn’t you be a little bit disconcerted? I know I would!
So I think this is not really about the quality of the alternatives available for European users (and ISPs) in the DNS resolution market. It's more about the observation that piece by piece and bit by bit the decentralised Internet is being centralized, and from an EU perspective it's being centralised into non-EU private sector corporate domains. Although, if you care about DNSSEC, DoH, and similar then you might look at the piecemeal story about the adoption of DNSSEC validation in Europe (https://stats.labs.apnic.net/dnssec/XE?hc=XE&hx=0&hv=1&hp=1&hr=1&w=1&p=0) and ask yourself why the adoption of DNSSEC validation in Europe correlates with the expansion of Google DNS’s use footprint. If you care about such things and wanted to do something about it without simply handing over even more market presence to Google then you might want to try to stimulate local initiatives to improve the capability of DNS resolution infrastructure in the region. Geoff
As highly insightful as always, Geoff - thanks! On 17.12.2021 02:43, Geoff Huston wrote:
On 16 Dec 2021, at 7:07 pm, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Thu, Dec 16, 2021 at 08:59:42AM +0100, Moritz Müller via dns-wg <dns-wg@ripe.net> wrote a message of 179 lines which said:
I was wondering: Why does the EC believe that the resolvers users currently rely on (e.g. provided by their ISP) provide “low-quality”? Are there any studies about this?
One possible response is that the people who write these statements don't know what they are talking about. But of course, I cannot believe that. So, another possible response: in Brussels, they see that some users move away from the IAP resolver to a public resolver, so there is probably a reason for that. (Unfortunately, DNS4EU may not address this reason.)
DNS resolution is, economically speaking, a wasteland - users don't pay for queries so the infrastructure that handles queries is bundled up with other services, which is what your ISP does. But users don't generally decide on an ISP based on the quality of that ISP’s DNS so the DNS department is part of the cost part of the business, not a revenue generator, so it gets little attention. Some ISPs have attempted to change this by monetising queries (selling the query logs) or changing responses (NXDOMAIN substitution) but such efforts have been generally regarded with extreme disfavor. So the DNS resolution environment limps along.
[...]
On Fri, Dec 17, 2021 at 01:43:12AM +0000, Geoff Huston <gih@apnic.net> wrote a message of 67 lines which said:
The problem for everyone else is the incursion of a US private entity into the heart of the Internet’s name resolution infrastructure.
Over the past 16 months the number of EU users who pass queries to Google’s Public DNS has risen from a little over 15% to touching 30%
If you are working in the EC and you see yet another piece of the Internet’s digital communications infrastructure being aggregated and centralized by a gigantic US entity, then wouldn’t you be a little bit disconcerted?
I think we all understand the starting point, and the concern of the EC. The problem is that they apparently don't provide a detailed problem analysis. Observing that the market share of US public resolvers increases is one thing, understanding why is another thing, and which is very important to solve the problem. Was there a survey about the reasons for this switch to these resolvers? For instance, an important reason (maybe the main one) why users use US public resolvers is because they don't implement censorship (SciHub, football events, music and film sharing). The DNS4EU project is silent about whether or not they will have censorship (a problematic silence!) but I note that they claim DNS4EU is a lying resolver. Even if lies are initially limited to malware and C&C, I have no doubt that the IP people (IP not being the Internet Protocol) will, as soon as they discover DNS4EU, ask for censorship and they are a very powerful lobby. If DNS4EU yields to their requirements, then the project is doomed.
So I think this is not really about the quality of the alternatives available for European users (and ISPs) in the DNS resolution market.
I don't think that many people switched to Google or Cloudflare because of DNSSEC validation (unfortunately) but maybe they switched because of technical malfunctions. Each time there is a big breakage of the resolver of an IAP, everybody on the social networks advises "use 8.8.8.8" and people don't come back after that. So, even if DNSSEC doesn't matter, robustness does.
to try to stimulate local initiatives to improve the capability of DNS resolution infrastructure in the region.
Another challenge for DNS4EU will be to provide a quality service: managing a big public DNS resolver is not an easy task and I don't think that there are many European companies which I would trust for that. (At least among the companies that typically win the public calls for tender.)
In addition to what was said by Stephane, Google made the technical solution that works for people and attracts them. Till now DNS4EU looks like an administrative initiative without a clearly defined perspective. If someone would make a technical solution in the EU and would offer it, and the solution would be solid and resilient, there would not be a necessity for any initiatives.
-- Taras Heichenko tasic@academ.kiev.ua
Even if lies are initially limited to malware and C&C, I have no doubt that the IP people (IP not being the Internet Protocol) will, as soon as they discover DNS4EU, ask for censorship and they are a very powerful lobby. If DNS4EU yields to their requirements, then the project is doomed.
you mean such as the german court ruling in favor of sony over quad9? randy --- randy@psg.com `gpg --locate-external-keys --auto-key-locate wkd randy@psg.com` signatures are back, thanks to dmarc header butchery
Moritz, On Dec 15, 2021, at 11:59 PM, Moritz Müller via dns-wg <dns-wg@ripe.net> wrote:
offering European citizens and private and public organizations the capacity to access the web with a high-quality and free service I was wondering: Why does the EC believe that the resolvers users currently rely on (e.g. provided by their ISP) provide “low-quality”? Are there any studies about this?
My read is that the primary target of DNS4EU is US-based “Big Tech” (whatever that means), particularly those firms that have a (shall we say) laissez faire attitude towards data privacy. In other words, Google (8.8.8.8). I’d imagine from the perspective of EC folks, DNS4EU would be a no-brainer: support EU-based business, give the finger to Google, give EU law enforcement a potential bone to get around DoH, make “rah rah” noises about EU data sovereignty, and provide, at least theoretically, a way to appease intellectual property lawyers. Since they’re talking about a “federated” service, I suspect ISPs who want to play by the EC’s rules will be considered a part of DNS4EU. Of course, if one were cynical, the question really is when the other shoe (e.g., legal mandates to abide by DNS4EU filtering requirements) will drop. Regards, -drc
Exactly I’m highly suspicious of it -- Mr Michele Neylon, Blacknight Solutions
On Thu, Dec 16, 2021 at 09:03:24AM -0800, David Conrad <drc@virtualized.org> wrote a message of 84 lines which said:
Since they’re talking about a “federated” service, I suspect ISPs who want to play by the EC’s rules will be considered a part of DNS4EU.
Interesting. I thought that "federated" meant either a consortium of corporations created to manage the resolver (an Airbus for the DNS) or simply an anycasted resolver. But you're right, it is so vague, it could mean also a simple label, which may be given to existing DNS resolvers (a bit like Mozilla TRR).
Hi all, A further follow-up. The Commission today published the following Call for Proposals: https://hadea.ec.europa.eu/calls-proposals/equipping-backbone-networks-high-... (hat tip to Anastasia Sendrea, who I don’t think is currently on this list, for the heads up) Cheers Chris
On 15 Dec 2021, at 12:30, Chris Buckridge <chrisb@ripe.net> wrote:
Hi Hank, all,
Apologies for the delay here - was hoping to have some more substantial information, but in the absence of that, our colleagues at the European Commission have been able to share the content of the four slides that they delivered at last month’s HLIG meeting.
The slides were as follows:
1. DNS Resolution Markets: Problems
* Consolidation (+DoH)
* Incidents affecting large DNS resolvers
* Data Protection Rights
* Prevention of Cyberattacks; Virus; Malware
2. DNS4EU: Concept
* DNS4EU is conceived as an alternative to existing DNS resolution services, increasing overall internet resilience, and offering European citizens and private and public organizations the capacity to access the web with a high-quality and free service, based in the EU, that guarantees data protection according to EU rules and increases the protection from malware, phishing and cyberattacks.
3. DNS4EU: Characteristics
* Have a large footprint within the EU, enabling paid premium services such as specific performance and security criteria for vertical sectors (health, transport, industry, finance, etc.) or enhanced security (filtering, 24x7 support) for companies.
* Be fully transparent and compliant with the GDPR.
* Offer state-of-the art, ad-hoc DNS filtering against phishing or malware based on existing global threat feeds and own feeds.
* Conform to the latest security and privacy technological standards, including DoH.
* Develop wholesale discovery and resolution services for other digital service providers, including ISPs and Cloud service providers.
4. DNS4EU: Next Steps
* Pending confirmation: Connecting Europe Facility (CEF2) – European Cloud
* Federation Initiative
* 50% of the initial infrastructure investment
* Expected publication of the call: End of 2021
* Conform to the latest security and privacy technological standards, including DoH.
* Federated Structure: High-quality consortiums, potentially including vertical industries, to best increase the footprint and customer base of DNS4EU in the EU, reduce costs through shared resources, operations and cyber security feeds, and ensure the long-term sustainability of DNS4EU
——
The Commission staff have also expressed their interest in any feedback from this working group that might help “fine tune the proposal” (I believe the discussion here has already provided some relevant insights). However, at this point, the next step is likely to be publication of the call for proposals, as referenced in the fourth slide above.
Cheers Chris
On 8 Nov 2021, at 14:54, Chris Buckridge <chrisb@ripe.net> wrote:
Hi Hank, all,
I don’t have a lot that I can add to what Nick and Stephane have already posted. But I will note that the European Commission has scheduled one of the regular meetings of its High Level Group on Internet Governance (HLIG) for this Wednesday; portions of those meeting agendas are generally open to industry stakeholders, and Wednesday’s agenda includes an update on DNS4EU.
The information page for the HLIG is here: https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupId=2450&fromMeetings=true&meetingId=23922
It’s not clear whether registration for the meeting is still open at this point, but minutes are published publicly, and the RIPE NCC can report back to this working group if there are any updates of note.
Best regards, Chris
On 8 Nov 2021, at 14:15, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Mon, Nov 08, 2021 at 07:12:38AM +0200, Hank Nussbacher <hank@efes.iucc.ac.il> wrote a message of 34 lines which said:
Does anyone have further insight into the European initiative known as DNS4EU?
There is very little actual information published on this project.
According to some rumors, it would be a public DNS resolver, with built-in censorship (for the laws of 27 countries).
dns4eu.eu has been registered by DG Connect <https://en.wikipedia.org/wiki/Directorate-General_for_Communications_Networks,_Content_and_Technology>
--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/dns-wg
On 08.11.2021 14:15, Stephane Bortzmeyer wrote:
On Mon, Nov 08, 2021 at 07:12:38AM +0200, Hank Nussbacher <hank@efes.iucc.ac.il> wrote a message of 34 lines which said:
Does anyone have further insight into the European initiative known as DNS4EU?
There is very little actual information published on this project.
According to some rumors, it would be a public DNS resolver, with built-in censorship (for the laws of 27 countries).
... and mandatory to use, Stephane? If so, by whom? 500 million EU citizens? Or "merely" a subset thereof? If your rumors would and/or could tell, too, of course. Best, -C.
Well, the general idea is that the resolver provides a reliable service that strictly follows GDPR. Current large open resolvers fall under the US Cloud Act with no privacy for non US citizens. DNS4EU is intended to provide DNS filtering of malware and phishing. But with the intention of actually having threat feeds that carry threats in languages other than English. /Ulrich
On 10 Nov 2021, at 11:28, Carsten Schiefner <ripe-wgs.cs@schiefner.de> wrote:
On 08.11.2021 14:15, Stephane Bortzmeyer wrote:
On Mon, Nov 08, 2021 at 07:12:38AM +0200, Hank Nussbacher <hank@efes.iucc.ac.il> wrote a message of 34 lines which said:
Does anyone have further insight into the European initiative known as DNS4EU? There is very little actual information published on this project. According to some rumors, it would be a public DNS resolver, with built-in censorship (for the laws of 27 countries).
... and mandatory to use, Stephane?
If so, by whom?
500 million EU citizens?
Or "merely" a subset thereof?
If your rumors would and/or could tell, too, of course.
Best,
-C.
On 10 Nov 2021, at 16:58, Ulrich Wisser via dns-wg <dns-wg@ripe.net> wrote:
Well, the general idea is that the resolver provides a reliable service that strictly follows GDPR.
I am not sure that I understand how a resolver can follow GDPR. WHOIS, RDAP – ok, these services really may disclose some sensitive information. How can a resolver break GDPR?
Current large open resolvers fall under the US Cloud Act with no privacy for non US citizens.
DNS4EU is intended to provide DNS filtering of malware and phishing. But with the intention of actually having threat feeds that carry threats in languages other than English.
/Ulrich
On 10 Nov 2021, at 11:28, Carsten Schiefner <ripe-wgs.cs@schiefner.de> wrote:
On 08.11.2021 14:15, Stephane Bortzmeyer wrote:
On Mon, Nov 08, 2021 at 07:12:38AM +0200, Hank Nussbacher <hank@efes.iucc.ac.il> wrote a message of 34 lines which said:
Does anyone have further insight into the European initiative known as DNS4EU? There is very little actual information published on this project. According to some rumors, it would be a public DNS resolver, with built-in censorship (for the laws of 27 countries).
... and mandatory to use, Stephane?
If so, by whom?
500 million EU citizens?
Or "merely" a subset thereof?
If your rumors would and/or could tell, too, of course.
Best,
-C.
-- Taras Heichenko tasic@academ.kiev.ua
On Wed, Nov 10, 2021 at 05:05:53PM +0200, Taras Heichenko <tasic@academ.kiev.ua> wrote a message of 60 lines which said:
I am not sure that I understand how a resolver can follow GDPR. WHOIS, RDAP – ok, these services really may disclose some sensitive information. How can a resolver break GDPR?
You should read RFC 7626. Executive summary: the fact that you request www.aa.org is sensitive information (and may be personal data, depending on the way it is requested). The data is not sensitive (the DNS is public), not the fact that you request it.
On 10 Nov 2021, at 17:24, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Wed, Nov 10, 2021 at 05:05:53PM +0200, Taras Heichenko <tasic@academ.kiev.ua> wrote a message of 60 lines which said:
I am not sure that I understand how a resolver can follow GDPR. WHOIS, RDAP – ok, these services really may disclose some sensitive information. How can a resolver break GDPR?
You should read RFC 7626. Executive summary: the fact that you request www.aa.org is sensitive information (and may be personal data, depending on the way it is requested). The data is not sensitive (the DNS is public), not the fact that you request it.
Ah, I see, thank you.
-- Taras Heichenko tasic@academ.kiev.ua
On Wed, Nov 10, 2021 at 04:24:16PM +0100, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote a message of 13 lines which said:
The data is not sensitive (the DNS is public), not the fact that you request it.
Correct sentence: the data is not sensitive (the DNS is public), but the fact that you request it *is* sensitive.
Salut Stephane,
On Wednesday, 10.11.2021 at 16:34 +0100, Stephane Bortzmeyer wrote:
On Wed, Nov 10, 2021 at 04:24:16PM +0100, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote a message of 13 lines which said:
The data is not sensitive (the DNS is public), not the fact that you request it.
Correct sentence: the data is not sensitive (the DNS is public), but the fact that you request it *is* sensitive.
100% Ack. Any attempt to provide privacy here is welcome. I've taken over the https://datatracker.ietf.org/doc/html/draft-dempsky-dnscurve-01 Dempsky/DNSCurve approach and am glad to provide a full solution now: https://www.fehcom.de/ipnet/djbdnscurve6.html
Well, I do not expect to convince people to step into this solution immediately, but for restricted networks (let's say including IoT devices) it might be a useful alternative. This is a different scope perhaps and sharp edges certainly still exist. Though it is an almost zero cost alternative w.r.t. DNSSec.
Regards. --eh.
-- Dr. Erwin Hoffmann | www.fehcom.de
On Wed, Nov 10, 2021 at 08:51:41PM +0100, Erwin Hoffmann <feh@fehcom.de> wrote a message of 38 lines which said:
Well, I do not expect to convince people to step into this solution immediately, but for restricted networks (let's say including IoT devices) it might be a useful alternative. This is a different scope perhaps and sharp edges certainly still exist. Though it is an almost zero cost alternative w.r.t. DNSSec.
It does not seem to provide the same service as DNSsec, more the same service as DoT or DoH.
On 10 Nov 2021, at 17:34, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Wed, Nov 10, 2021 at 04:24:16PM +0100, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote a message of 13 lines which said:
The data is not sensitive (the DNS is public), not the fact that you request it.
Correct sentence: the data is not sensitive (the DNS is public), but the fact that you request it *is* sensitive.
BTW, did I get it right that DNS4EU does not offer protection from this issue? It just proposes to give this info into other hands?
-- Taras Heichenko tasic@academ.kiev.ua
On Thu, Nov 11, 2021 at 08:01:46AM +0200, Taras Heichenko <tasic@academ.kiev.ua> wrote a message of 27 lines which said:
BTW, did I get it right that DNS4EU does not offer protection from this issue? It just proposes to give this info into other hands?
Maybe, but at this stage it is too early to tell (remember, this is very vague, there is no actual, concrete plan).
On 10.11.2021 15:58, Ulrich Wisser via dns-wg wrote:
Well, the general idea is that the resolver provides a reliable service that strictly follows GDPR. Current large open resolvers fall under the US Cloud Act with no privacy for non US citizens.
DNS4EU is intended to provide DNS filtering of malware and phishing. But with the intention of actually having threat feeds that carry threats in languages other than English.
Are we sure that 'it' (definition...) will stop at "malware and phishing"?
On Wed, Nov 10, 2021 at 04:08:20PM +0100, Carsten Schiefner <ripe-wgs.cs@schiefner.de> wrote a message of 7 lines which said:
Are we sure that 'it' (definition...) will stop at "malware and phishing"?
We can be reasonably sure it will not. If it is actually used, we can expect IP (not Internet Protocol) lawyers asking for a censorship of sci-hub.se and politicians asking for censorship of [current political issue in their country].
Are we sure that 'it' (definition...) will stop at "malware and phishing"?
We can be reasonably sure it will not. If it is actually used, we can expect IP (not Internet Protocol) lawyers asking for a censorship of sci-hub.se and politicians asking for censorship of [current political issue in their country].
yes, but we can monetize this. how about a betting pool on how soon the IP lawyers and political censors jump on it. €10 that it takes them at least two months but less than four. randy
On Wed, 2021-11-10 at 16:08 +0100, Carsten Schiefner wrote:
On 10.11.2021 15:58, Ulrich Wisser via dns-wg wrote:
Well, the general idea is that the resolver provides a reliable service that strictly follows GDPR. Current large open resolvers fall under the US Cloud Act with no privacy for non US citizens.
DNS4EU is intended to provide DNS filtering of malware and phishing. But with the intention of actually having threat feeds that carry threats in languages other than English.
Are we sure that 'it' (definition...) will stop at "malware and phishing"?
Certainly not, as illustrated with Quad9 vs Sony Music [1]. While they are not EU, but Switzerland-based, this is afaik the closest operational approximation to what DNS4EU goals are. [1] https://www.quad9.net/news/blog/quad9-and-sony-music-german-injunction-statu... -- deSEC e.V. · Kyffhäuserstr. 5 · 10781 Berlin · Germany Vorstandsvorsitz: Nils Wisiol Registergericht: AG Berlin (Charlottenburg) VR 37525
Having played Devil's advocate with my question a bit, Stephane's and Nils' assessments strongly cover my suspicion by a full 100%. I still wonder when the compulsory use of this DNS resolution service will consequently start for EU citizens eventually...
On 10.11.2021 16:08, Carsten Schiefner wrote:
On 10.11.2021 15:58, Ulrich Wisser via dns-wg wrote:
Well, the general idea is that the resolver provides a reliable service that strictly follows GDPR. Current large open resolvers fall under the US Cloud Act with no privacy for non US citizens.
DNS4EU is intended to provide DNS filtering of malware and phishing. But with the intention of actually having threat feeds that carry threats in languages other than English.
Are we sure that 'it' (definition...) will stop at "malware and phishing"?
-------- Forwarded Message --------
Subject: Re: [dns-wg] DNS4EU?
Date: Wed, 10 Nov 2021 16:21:33 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Organization: NIC France
To: Carsten Schiefner <ripe-wgs.cs@schiefner.de>
CC: dns-wg@ripe.net
On Wed, Nov 10, 2021 at 04:08:20PM +0100, Carsten Schiefner <ripe-wgs.cs@schiefner.de> wrote a message of 7 lines which said:
Are we sure that 'it' (definition...) will stop at "malware and phishing"?
We can be reasonably sure it will not. If it is actually used, we can expect IP (not Internet Protocol) lawyers asking for a censorship of sci-hub.se and politicians asking for censorship of [current political issue in their country].
-------- Forwarded Message --------
Subject: Re: [dns-wg] DNS4EU?
Date: Wed, 10 Nov 2021 16:21:59 +0100
From: Nils Wisiol <nils@desec.io>
To: Carsten Schiefner <ripe-wgs.cs@schiefner.de>, Ulrich Wisser <ulrich@wisser.se>
CC: dns-wg@ripe.net
On Wed, 2021-11-10 at 16:08 +0100, Carsten Schiefner wrote:
[...]
Are we sure that 'it' (definition...) will stop at "malware and phishing"?
Certainly not, as illustrated with Quad9 vs Sony Music [1]. While they are not EU, but Switzerland-based, this is afaik the closest operational approximation to what DNS4EU goals are. [1] https://www.quad9.net/news/blog/quad9-and-sony-music-german-injunction-statu...
I’d *love* to know how they expect to force anyone to use a specific DNS resolver.
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
On Mon, Nov 15, 2021 at 11:53:20AM +0000, Michele Neylon - Blacknight via dns-wg <dns-wg@ripe.net> wrote a message of 119 lines which said:
I’d *love* to know how they expect to force anyone to use a specific DNS resolver.
Political pressure on Mozilla so that they use by default the DoH resolver of DNS4EU? It is not "forcing" (users can still disable it) but it is close. A similar (?) case: https://www.cira.ca/newsroom/canadian-shield/mozilla-partners-cira-upgrade-c...
Stephane
Thanks – I hadn’t thought of that. I was still thinking along the lines of them trying to force ISPs to implement.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Date: Monday, 15 November 2021 at 11:57
To: Michele Neylon - Blacknight <michele@blacknight.com>
Cc: Carsten Schiefner <ripe-wgs.cs@schiefner.de>, RIPE DNS Working Group <dns-wg@ripe.net>
Subject: Re: DNS4EU?
[EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources.
On Mon, Nov 15, 2021 at 11:53:20AM +0000, Michele Neylon - Blacknight via dns-wg <dns-wg@ripe.net> wrote a message of 119 lines which said:
I’d *love* to know how they expect to force anyone to use a specific DNS resolver.
Political pressure on Mozilla so that they use by default the DoH resolver of DNS4EU? It is not "forcing" (users can still disable it) but it is close. A similar (?) case: https://www.cira.ca/newsroom/canadian-shield/mozilla-partners-cira-upgrade-c...
On Mon, Nov 15, 2021 at 12:57:06PM +0100, Stephane Bortzmeyer wrote:
Political pressure on Mozilla so that they use by default the DoH resolver of DNS4EU? It is not "forcing" (users can still disable it) but it is close.
The market share of Mozilla is so low today that it will be a drop in the ocean. But perhaps Google will trade the big EU fine with using EU DNS :p
-- Denis Fondras / Liopen
Moin! On 15 Nov 2021, at 7:57, Stephane Bortzmeyer wrote:
Political pressure on Mozilla so that they use by default the DoH resolver of DNS4EU? It is not "forcing" (users can still disable it) but it is close.
It was Mozilla that came up with the bad idea of using a default DoH resolver instead of using the network provided one. I always said that was a bad idea.
A similar (?) case:
https://www.cira.ca/newsroom/canadian-shield/mozilla-partners-cira-upgrade-c...
I can see no downside on that. Canadian people now use an in-country provider instead of the default US based provider. As said the bad idea was setting a default. That at least is a better default for Canadians.
So long -Ralf ——- Ralf Weber
[RIPE Vice-Chair hat OFF] On 15 Nov 2021, at 16:44, Ralf Weber wrote:
I can see no downside on that. Canadian people now use an in-country provider instead of the default US based provider. As said the bad idea was setting a default. That at least is a better default for Canadians.
Besides, and IIUC, under this system, DNS filtering appears to be off by default and users can opt in to the "Protected" or "Family" levels of filtering. Niall O'Reilly Tolerant Networks Ltd
Pardon for top posting. I'm sick and grumpy. In addition to the browser vendors, wouldn't regulators be able to define a class of orgs that are ISPs, then make a rule: ISPs must not do DNS resolution for your customers. Instead, you must forward to our resolver or you must announce our resolver's IP addresses in DHCP -- or we will fine you.
On Nov 15, 2021, at 6:57 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Mon, Nov 15, 2021 at 11:53:20AM +0000, Michele Neylon - Blacknight via dns-wg <dns-wg@ripe.net> wrote a message of 119 lines which said:
I’d *love* to know how they expect to force anyone to use a specific DNS resolver.
Political pressure on Mozilla so that they use by default the DoH resolver of DNS4EU? It is not "forcing" (users can still disable it) but it is close.
A similar (?) case:
https://urldefense.com/v3/__https://www.cira.ca/newsroom/canadian-shield/moz...
David Huberman wrote on 15/11/2021 21:12:
In addition to the browser vendors, wouldn't regulators be able to define a class of orgs that are ISPs, then make a rule: ISPs must not do DNS resolution for your customers. Instead, you must forward to our resolver or you must announce our resolver's IP addresses in DHCP -- or we will fine you.
What legal basis could be used to force service providers to outsource dns resolution? And what exact market distortion / level playing field problem would they be solving? This makes no sense. Regulators in the european union don't have the extraordinary powers of edict that are being described on this mailing list. Nick
What legal basis could be used to force service providers to outsource dns resolution? And what exact market distortion / level playing field problem would they be solving? This makes no sense. Regulators in the european union don't have the extraordinary powers of edict that are being described on this mailing list.
you can't fool me, hilliard. i saw the black helicopter at the ietf near dublin. randy
Randy Bush wrote on 15/11/2021 21:29:
you can't fool me, hilliard. i saw the black helicopter at the ietf near dublin.
You didn't see any black helicopters! The men in black suits said they weren't there. Nick
Hi Nick, Thanks for the reply.
On Nov 15, 2021, at 4:20 PM, Nick Hilliard <nick@foobar.org> wrote:
What legal basis could be used to force service providers to outsource dns resolution?
I guess I'm not grokking why you think this kind of regulation would have no legal basis when regulators are proposing something very similar in eIDAS article 45 (all web browsers must accept CAs which we the regulators approve) and in NIS2 for root server operators with more than 10 instances. The concept of Trusted Service Providers in EU regulations already exists and is already quite powerful. Thanks for your thoughts, David
David Huberman wrote on 15/11/2021 21:31:
I guess I'm not grokking why you think this kind of regulation would have no legal basis when regulators are proposing something very similar in eIDAS article 45 (all web browsers must accept CAs which we the regulators approve) and in NIS2 for root server operators with more than 10 instances. The concept of Trusted Service Providers in EU regulations already exists and is already quite powerful.
Mandating specific CAs in a browser - although a remarkably stupid thing to do, if that's what's being discussed, and it's not clear from eIDAS art. 45 that this is necessary within the terms of that regulation - is not the same as hijacking dns resolution services. There's a gap between the two and it's not that small either.
Separately, NISD2 is not yet finalised, nor is it being mandated by regulators: it's being written by lawmakers, who have taken root servers out of scope of the directive. In relation to trust service providers, the requirements here relate mostly to process management and providing a legal framework in which TSPs can operate consistently across multiple countries. You can't really operate a society which depends on electronic trust mechanisms without having a legal framework for this. Nick
On Wed, Nov 10, 2021 at 03:58:40PM +0100, Ulrich Wisser via dns-wg <dns-wg@ripe.net> wrote a message of 40 lines which said:
DNS4EU is intended to provide DNS filtering of malware and phishing.
Most malware and phishing pages that are reported to us, as a registry, are not in "bad" domains but under a legitimate Web site which was cracked (not everybody updates WordPress when they should) and one page was created to host the phishing site. So, the DNS is not at the correct level of granularity for that.
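The granularity point in the last message above, worked through as an added example that is not part of the thread and not DNS4EU code. The feed, the request list and every hostname are constructed, and the "dedicated" flag is an assumption standing in for a registry's knowledge of whether a whole host exists only for abuse.

```python
from urllib.parse import urlsplit

# Constructed feed: (reported phishing URL, True if the whole host exists only for abuse).
FEED = [
    ("https://blog.example.org/wp-content/uploads/2021/login.html", False),  # cracked site
    ("https://shop.example.net/images/cache/verify/index.php", False),       # cracked site
    ("https://secure-login-bank.example/signin", True),                      # "bad" domain
]

# Constructed client requests: (URL, True if the page is a phishing page).
REQUESTS = [
    ("https://blog.example.org/", False),
    ("https://blog.example.org/2021/11/dns4eu-notes/", False),
    ("https://blog.example.org/wp-content/uploads/2021/login.html", True),
    ("https://shop.example.net/cart", False),
    ("https://shop.example.net/images/cache/verify/index.php", True),
    ("https://secure-login-bank.example/signin", True),
    ("https://www.example.com/", False),
]


def host_of(url):
    return urlsplit(url).hostname


def normalise(url):
    """Scheme, host and path: what a URL-aware filter can match on."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.path or "/")


def dns_policy(feed, include_cracked_sites):
    """A resolver only sees the query name, so its blocklist is a set of hostnames."""
    blocked = {host_of(u) for u, dedicated in feed if dedicated or include_cracked_sites}
    return lambda url: host_of(url) in blocked


def url_policy(feed):
    """Reference policy with full-URL visibility, for comparison only."""
    blocked = {normalise(u) for u, _ in feed}
    return lambda url: normalise(url) in blocked


def evaluate(requests, is_blocked):
    """Count hits, misses and collateral damage for one policy."""
    result = {"phish_blocked": 0, "phish_missed": 0, "legit_blocked": 0, "legit_allowed": 0}
    for url, is_phish in requests:
        blocked = is_blocked(url)
        if is_phish:
            key = "phish_blocked" if blocked else "phish_missed"
        else:
            key = "legit_blocked" if blocked else "legit_allowed"
        result[key] += 1
    return result


def compare():
    return {
        "dns, dedicated domains only": evaluate(REQUESTS, dns_policy(FEED, False)),
        "dns, every reported host": evaluate(REQUESTS, dns_policy(FEED, True)),
        "url-level": evaluate(REQUESTS, url_policy(FEED)),
    }


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name:28} {counts}")
```

With this data a hostname blocklist either misses the pages hosted on cracked sites or takes the legitimate pages on those hosts down with them; only a filter that sees the path separates the two.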
participants (19)
- Carsten Schiefner
- Chris Buckridge
- David Conrad
- David Huberman
- Denis Fondras - Liopen
- Erwin Hoffmann
- Geoff Huston
- Hank Nussbacher
- Jim Reid
- Michele Neylon - Blacknight
- Moritz Müller
- Niall O'Reilly
- Nick Hilliard
- Nils Wisiol
- Ralf Weber
- Randy Bush
- Stephane Bortzmeyer
- Taras Heichenko
- Ulrich Wisser