DNS Working Group Minutes - RIPE 86
Thursday, 25 May 2023 09:00 - 10:30 (UTC+2)
Chairs: João Damas, Moritz Müller, Willem Toorop
Scribe: Boris Duval
Status: Final
Administrivia
Willem Toorop welcomed everybody and opened the session.
Shielding Europe - DNS4EU's Pan-European Protective DNS Service for 100 Million Users
Andronikos Kyriakou
The presentation is available at:
https://ripe86.ripe.net/wp-content/uploads/presentations/118-Shielding-Europe-DNS4EU.pdf
Brett Carr, AWS, asked whether blocking/filtering would be universal for telecoms operators, government or users, or whether it would be tailored to each group or customer.
Andronikos said that this would depend on individual cases, and that they would have some local intelligence available for governments. Regarding telecoms operators, he mentioned that there would be different options, and users would be able to select which one to choose from.
Max Tulyev, Netassist SL, stated that he saw two major Internet systems emerging, one in Russia and the other in Ukraine. In his opinion, the sole purpose of these systems was Internet censorship. He asked the presenter if there were safeguards in place to avoid censorship.
Andronikos said that they had often asked themselves this question. He mentioned that the European Commission would not have any access to the configuration of the system. The system would be run by the consortium, which consists of multiple independent member countries.
Michel Lanners, LU-CIX Management G.I.E, mentioned that he hadn't heard anything about exchanges and asked if the presenter was considering placing DNS nodes at Internet exchanges to make them universally available.
Andronikos mentioned that they hadn't considered it at the moment, but they would be happy to discuss it when the setup is finalised.
Internet user Peter Hessler mentioned that a common problem with this adult filtering system in many regions of the world is the suppression of any information that is not aimed at heterosexuals. He asked the presenter how he intended to prevent legitimate information from being filtered as adult content.
Andronikos said that this filtering would be optional and not imposed on End Users. He also mentioned that Whalebone and the rest of the consortium would be building a database to refine user cases to avoid blocking legitimate content.
Markus Zeilinger, University of Applied Sciences Upper Austria, asked if there was an official website for the DNS4EU project.
Andronikos said that whalebone.io had the latest information.
Michel Lanners mentioned that the project was co-funded by the European Union for the initial setup and asked about the long-term financing plan.
Andronikos said that one of the requirements was for the project to be commercially viable. He added that operators would be getting the service and all its benefits, and the same would apply for the DNS for governments.
Peter Koch, DENIC, asked how the consortium would be operating and if it would be covered under one regulator in one country.
Andronikos said that, from what he knew, the consortium would be operating from Czechia as Whalebone is leading, and it would fall under local regulations.
Sebastien Bachelet, End User, asked what could be the role of the ccTLD manager or registry.
Andronikos mentioned that as of now, they didn't have a specific role for the ccTLD managers, but they were open to discussing that.
Update on the DNS Resolver Task Force
Shane Kerr
The presentation is available at:
https://ripe86.ripe.net/wp-content/uploads/presentations/112-ripe86-dns-resolver-tf.pdf
Brett Carr, AWS, mentioned that some of this work appeared to be similar to the KINDNS work carried out by ICANN OARC and asked Shane if the task force would collaborate with them.
Shane stated that there were currently no plans for a liaison effort, but they would draw inspiration from the KINDNS work when relevant.
Benno Overeinder, NLnet Labs, asked whether the DNS Working Group could provide proactive assistance to the task force. He suggested that, in addition to reviewing documents, the Working Group could potentially contribute by writing them and seeking input from the community. Benno also proposed collaborating with other organisations involved in DNS tracks or Working Groups, as well as the global cyber alliance, including individuals attending the meeting. He wondered if there was an opportunity for the task force to accommodate their interest, experience, or proactive contributions.
Shane responded that the task force would definitely need support from the Working Group for feedback and review. Regarding collaborations, Shane mentioned that the initial thinking of the task force was to adopt a traditional task force approach, where a group of experienced individuals would gather to generate ideas and develop a document. The intention was to receive feedback and constructive criticism from the community, resulting in an improved document. However, considering the extensive range of topics involved, Shane considered that this might not be the most effective approach. As the document is hosted on GitHub, where anyone can make requests and suggest text, Shane proposed actively reaching out and asking people to contribute.
Measuring Open Resolver Use in EU
Geoff Huston
The presentation is available at:
https://ripe86.ripe.net/wp-content/uploads/presentations/115-2023-05-25-dns4eu.pdf
Markus asked how to explain the sharp drop in Google and Cloudflare usage compared to last year.
Geoff replied that he didn’t know why it declined.
Peter Hessler said that modern browsers, Chrome and Firefox specifically have certain settings that will override and ignore the system settings and the web browsers will choose their own preferred DNS servers. He asked if Geoff was able to measure whether or not the DNS resolvers he was seeing in his experiments were chosen by the web browser or if they were system‑configured DNS resolvers.
Geoff Huston mentioned that Cloudflare had collaborated with Firefox in their DNS over HTTPS work. He noted that if Cloudflare's popularity was increasing, then Firefox might also be involved. However, he pointed out that the situation in Europe contradicted this notion. Geoff emphasized that his analysis was limited to European data and did not represent the entire Internet. This led him to conclude that the partnership between the browser and open resolver engines did not seem to attract a significant number of users. Geoff expressed his belief that some of these initiatives were more prominent in presentations than in actual practice. He mentioned examining the use of Apple's private data relay, which impacts DNS usage. He found that the number of users utilizing Apple's published addresses for private relay was extremely small, highlighting a significant discrepancy between the hype surrounding these initiatives and their actual impact. Based on this evidence, Geoff speculated that the level of integration with browsers might not be as prevalent as some might hope or expect.
Connectbyname and the Proxy Control Option
Philip Homburg
The presentation is available at:
https://ripe86.ripe.net/wp-content/uploads/presentations/48-talk.pdf
There were no questions.
DNSSEC Multi-signer Models
Matthijs Mekking
The presentation is available at:
https://ripe86.ripe.net/wp-content/uploads/presentations/111-20230523-ripe86-dns-multisigner-matthijs-mekking.pdf
There were no questions.
RIPE NCC Update
Anand Buddhdev, RIPE NCC
The presentation is available at:
https://ripe86.ripe.net/wp-content/uploads/presentations/122-RIPE86_DNS_Update.pdf
Marco Davids, SIDN Labs, asked why not reduce the expiration period from ten days to three days, considering the chain shown in the slide.
Anand replied that although they could lower the expiration period, it posed a challenge because they couldn't always determine the number of XFR servers in a chain. Matching the expiry with the zone expiry would be a hit-and-miss situation. Therefore, Anand believed that the expire option presented earlier was the most effective solution.
Lars-Johan Liman, Netnod, thanked Anand for his presentation, recognizing it as the type of informative session that helps the community build a stronger and more efficient DNS system. Sharing the challenges they encountered and their efforts to address them contributes to community development, making it a valuable contribution.
Robert Scheck, ETES Gmbh, asked about the rationale behind choosing Oracle Linux 9 instead of other commonly used Linux distributions.
Anand clarified that from their perspective, Rocky Linux, Oracle Linux, and other Linux distributions were all equally well supported. While acknowledging that some individuals might harbor reservations towards Oracle as a company, Anand emphasised that Oracle Linux 9 was a dependable, rock-solid, and supportable distribution, thus presenting no issues for their usage.
Port 53 DNS Hackathon: DNS Oops
Stefan Ubbink
The presentation is available at:
https://ripe86.ripe.net/wp-content/uploads/presentations/124-port53-hackathon-dns-oops-spuaur5ebpbb3g67hs3fms1epy.pdf
There were no questions.