DNS Working Group

[dns-wg] DNS4EU?

Hank Nussbacher

2021-11-08 06:12:38 CET

  

    
  
  
    

Does anyone have further insight into the European initiative known as DNS4EU?

Quoting CENTR:

https://www.centr.org/news/eu-updates/june2021.html

"On 10 June, the European Parliament adopted a resolution on the EU Cybersecurity Strategy, calling for inter alia “a new robust security framework for EU critical infrastructures in order to safeguard EU security interests”. The resolution calls on the European Commission to “prepare provisions to ensure the accessibility, availability and integrity of the public core of the internet and, therefore, the stability of cyber-space, particularly as regards the EU’s access to the global DNS root system”. The Resolution also “welcomes the proposal for a European Domain Name System (DNS4EU) as a tool for a more resilient internet core” and “asks the Commission to evaluate how this DNS4EU could use the latest technologies, security protocols and cyber-threats expertise in order to offer a fast, secure and resilient DNS for all Europeans”."

Thanks,

Hank

Nick Hilliard

2021-11-08 14:01:06 CET

Hank Nussbacher wrote on 08/11/2021 05:12:
> Does anyone have further insight into the European initiative known as 
> DNS4EU?

seems to be a dns resolver service.

> https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021JC0014&rid=3

Not sure what value this will bring to humanity.

Nick

Stephane Bortzmeyer

2021-11-08 14:15:23 CET

On Mon, Nov 08, 2021 at 07:12:38AM +0200,
 Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il> wrote 
 a message of 34 lines which said:

>    Does anyone have further insight into the European initiative
>    known as DNS4EU?

There is very little actual information published on this project.

According to some rumors, it would be a public DNS resolver, with
built-in censorship (for the laws of 27 countries).

dns4eu.eu has been registered by DG Connect




Chris Buckridge

2021-11-08 14:54:57 CET

RIPE NCC staff member

Hi Hank, all,

I don’t have a lot that I can add to what Nick and Stephane have already posted. But I will note that the European Commission has scheduled one of the regular meetings of its High Level Group on Internet Governance (HLIG) for this Wednesday; portions of those meeting agendas are generally open to industry stakeholders, and Wednesday’s agenda includes an update on DNS4EU.

The information page for the HLIG is here:
https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupId=2450&fromMeetings=true&meetingId=23922

It’s not clear whether registration for the meeting is still open at this point, but minutes are published publicly, and the RIPE NCC can report back to this working group if there are any updates of note.

Best regards,
Chris

> On 8 Nov 2021, at 14:15, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
> 
> On Mon, Nov 08, 2021 at 07:12:38AM +0200,
> Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il> wrote
> a message of 34 lines which said:
> 
>>   Does anyone have further insight into the European initiative
>>   known as DNS4EU?
> 
> There is very little actual information published on this project.
> 
> According to some rumors, it would be a public DNS resolver, with
> built-in censorship (for the laws of 27 countries).
> 
> dns4eu.eu has been registered by DG Connect
> 
> 
> 
> 

Carsten Schiefner

2021-11-10 11:08:23 CET

Please do, Chris.

Thanks!

On 08.11.2021 14:54, Chris Buckridge wrote:
> [...], but minutes are published publicly, and the RIPE NCC can report back to this working group if there are any updates of note.

Carsten Schiefner

2021-11-10 11:28:22 CET

On 08.11.2021 14:15, Stephane Bortzmeyer wrote:
> On Mon, Nov 08, 2021 at 07:12:38AM +0200,
>   Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il> wrote
>   a message of 34 lines which said:
> 
>>     Does anyone have further insight into the European initiative
>>     known as DNS4EU?
> 
> There is very little actual information published on this project.
> 
> According to some rumors, it would be a public DNS resolver, with
> built-in censorship (for the laws of 27 countries).

... and mandatory to use, Stephane?

If so, by whom?

500 million EU citizens?

Or "merely" a subset thereof?

If your rumors would and/or could tell, too, of course.

Best,

	-C.

Ulrich Wisser

2021-11-10 15:58:40 CET

Well, the general idea is that the resolver provides a reliable service that strictly follows GDPR.
Current large open resolvers fall under the US Cloud Act with no privacy for non US citizens.

DNS4EU is intended to provide DNS filtering of malware and phishing. But with the intention of actually having threat feeds that carry threats in languages other than English.


/Ulrich

> On 10 Nov 2021, at 11:28, Carsten Schiefner <ripe-wgs.cs _at_ schiefner _dot_ de> wrote:
> 
> On 08.11.2021 14:15, Stephane Bortzmeyer wrote:
>> On Mon, Nov 08, 2021 at 07:12:38AM +0200,
>>  Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il> wrote
>>  a message of 34 lines which said:
>>>    Does anyone have further insight into the European initiative
>>>    known as DNS4EU?
>> There is very little actual information published on this project.
>> According to some rumors, it would be a public DNS resolver, with
>> built-in censorship (for the laws of 27 countries).
> 
> ... and mandatory to use, Stephane?
> 
> If so, by whom?
> 
> 500 million EU citizens?
> 
> Or "merely" a subset thereof?
> 
> If your rumors would and/or could tell, too, of course.
> 
> Best,
> 
> 	-C.
> 


Taras Heichenko

2021-11-10 16:05:53 CET

> On 10 Nov 2021, at 16:58, Ulrich Wisser via dns-wg <dns-wg _at_ ripe _dot_ net> wrote:
> 
> Well, the general idea is that the resolver provides a reliable service that strictly follows GDPR.

I am not sure that I understand how a resolver can follow GDPR. WHOIS, RDAP – ok, these services really may disclose some sensitive
information. How can a resolver break GDPR?

> Current large open resolvers fall under the US Cloud Act with no privacy for non US citizens.
> 
> DNS4EU is intended to provide DNS filtering of malware and phishing. But with the intention of actually having threat feeds that carry threats in languages other than English.
> 
> 
> /Ulrich
> 
>> On 10 Nov 2021, at 11:28, Carsten Schiefner <ripe-wgs.cs _at_ schiefner _dot_ de> wrote:
>> 
>> On 08.11.2021 14:15, Stephane Bortzmeyer wrote:
>>> On Mon, Nov 08, 2021 at 07:12:38AM +0200,
>>> Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il> wrote
>>> a message of 34 lines which said:
>>>>   Does anyone have further insight into the European initiative
>>>>   known as DNS4EU?
>>> There is very little actual information published on this project.
>>> According to some rumors, it would be a public DNS resolver, with
>>> built-in censorship (for the laws of 27 countries).
>> 
>> ... and mandatory to use, Stephane?
>> 
>> If so, by whom?
>> 
>> 500 million EU citizens?
>> 
>> Or "merely" a subset thereof?
>> 
>> If your rumors would and/or could tell, too, of course.
>> 
>> Best,
>> 
>> 	-C.
>> 
> 
> 

--
Taras Heichenko
tasic _at_ academ.kiev _dot_ ua






Carsten Schiefner

2021-11-10 16:08:20 CET

On 10.11.2021 15:58, Ulrich Wisser via dns-wg wrote:
> Well, the general idea is that the resolver provides a reliable service that strictly follows GDPR.
> Current large open resolvers fall under the US Cloud Act with no privacy for non US citizens.
> 
> DNS4EU is intended to provide DNS filtering of malware and phishing. But with the intention of actually having threat feeds that carry threats in languages other than English.

Are we sure that 'it' (definition...) will stop at "malware and phishing"?

Stephane Bortzmeyer

2021-11-10 16:21:33 CET

On Wed, Nov 10, 2021 at 04:08:20PM +0100,
 Carsten Schiefner <ripe-wgs.cs _at_ schiefner _dot_ de> wrote 
 a message of 7 lines which said:

> Are we sure that 'it' (definition...) will stop at "malware and
> phishing"?

We can be reasonably sure it will not. If it is actually used, we can
expect IP (not Internet Protocol) lawyers asking for a censorship of
sci-hub.se and politicians asking for censorship of [current political
issue in their country].


Nils Wisiol

2021-11-10 16:21:59 CET

On Wed, 2021-11-10 at 16:08 +0100, Carsten Schiefner wrote:
> On 10.11.2021 15:58, Ulrich Wisser via dns-wg wrote:
> > Well, the general idea is that the resolver provides a reliable
> > service that strictly follows GDPR.
> > Current large open resolvers fall under the US Cloud Act with no
> > privacy for non US citizens.
> > 
> > DNS4EU is intended to provide DNS filtering of malware and phishing.
> > But with the intention of actually having threat feeds that carry
> > threats in languages other than English.
> 
> Are we sure that 'it' (definition...) will stop at "malware and
> phishing"?

Certainly not, as illustrated with Quad9 vs Sony Music [1]. While they
are not EU, but Switzerland-based, this is afaik the closest
operational approximation to what DNS4EU goals are.

[1] 
https://www.quad9.net/news/blog/quad9-and-sony-music-german-injunction-status/


-- 
deSEC e.V. · Kyffhäuserstr. 5 · 10781 Berlin · Germany

Chair of the board: Nils Wisiol
Register court: AG Berlin (Charlottenburg) VR 37525



Stephane Bortzmeyer

2021-11-10 16:24:16 CET

On Wed, Nov 10, 2021 at 05:05:53PM +0200,
 Taras Heichenko <tasic _at_ academ.kiev _dot_ ua> wrote 
 a message of 60 lines which said:

> I am not sure that I understand how a resolver can follow
> GDPR. WHOIS, RDAP – ok, these services really may disclose some
> sensitive information. How can a resolver break GDPR?

You should read RFC 7626. Executive summary: the fact that you request
www.aa.org is sensitive information (and may be personal data,
depending on the way it is requested). The data is not sensitive (the
DNS is public), not the fact that you request it.


Stephane Bortzmeyer

2021-11-10 16:30:20 CET

On Wed, Nov 10, 2021 at 03:58:40PM +0100,
 Ulrich Wisser via dns-wg <dns-wg _at_ ripe _dot_ net> wrote 
 a message of 40 lines which said:

> DNS4EU is intended to provide DNS filtering of malware and pishing.

Most malware and phishing pages that are reported to us, as a
registry, are not in "bad" domains but under a legitimate Web site
which was cracked (not everybody updates WordPress when they should)
and one page was created to host the phishing site. So, the DNS is not
at the correct level of granularity for that.


Taras Heichenko

2021-11-10 16:32:16 CET

> On 10 Nov 2021, at 17:24, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
> 
> On Wed, Nov 10, 2021 at 05:05:53PM +0200,
> Taras Heichenko <tasic _at_ academ.kiev _dot_ ua> wrote 
> a message of 60 lines which said:
> 
>> I am not sure that I understand how a resolver can follow
>> GDPR. WHOIS, RDAP – ok, these services really may disclose some
>> sensitive information. How can a resolver break GDPR?
> 
> You should read RFC 7626. Executive summary: the fact that you request
> www.aa.org is sensitive information (and may be personal data,
> depending on the way it is requested). The data is not sensitive (the
> DNS is public), not the fact that you request it.

Ah, I see, thank you.

> 

--
Taras Heichenko
tasic _at_ academ.kiev _dot_ ua






Stephane Bortzmeyer

2021-11-10 16:34:35 CET

On Wed, Nov 10, 2021 at 04:24:16PM +0100,
 Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote 
 a message of 13 lines which said:

> The data is not sensitive (the DNS is public), not the fact that you
> request it.

Correct sentence: the data is not sensitive (the DNS is public), but
the fact that you request it *is* sensitive.

Erwin Hoffmann

2021-11-10 20:51:41 CET

Salut Stephane,


On Wednesday, 10.11.2021 at 16:34 +0100, Stephane Bortzmeyer wrote:
> On Wed, Nov 10, 2021 at 04:24:16PM +0100,
>  Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote 
>  a message of 13 lines which said:
> 
> > The data is not sensitive (the DNS is public), not the fact that you
> > request it.
> 
> Correct sentence: the data is not sensitive (the DNS is public), but
> the fact that you request it *is* sensitive.

100% Ack. Any attempt to provide privacy here is welcome.

I've taken over the

	https://datatracker.ietf.org/doc/html/draft-dempsky-dnscurve-01

Dempsky/DNSCurve approach and am glad to provide a full solution now:

	https://www.fehcom.de/ipnet/djbdnscurve6.html

Well, I do not expect to convince people to step into this solution
immediately, but for restricted networks (let's say including IoT
devices) it might be a useful alternative. This is a different scope
perhaps and sharp edges certainly still exist. Though it is an almost
zero cost alternative w.r.t. DNSSEC.

Regards.
--eh.  




-- 
Dr. Erwin Hoffmann | www.fehcom.de


Randy Bush

2021-11-10 22:35:40 CET

>> Are we sure that 'it' (definition...) will stop at "malware and
>> phishing"?
> 
> We can be reasonably sure it will not. If it is actually used, we can
> expect IP (not Internet Protocol) lawyers asking for a censorship of
> sci-hub.se and politicians asking for censorship of [current political
> issue in their country].

yes, but we can monetize this.  how about a betting pool on how soon the
IP lawyers and political censors jump on it.  ¤10 that it takes them at
least two months but less than four.

randy

Taras Heichenko

2021-11-11 07:01:46 CET

> On 10 Nov 2021, at 17:34, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
> 
> On Wed, Nov 10, 2021 at 04:24:16PM +0100,
> Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote 
> a message of 13 lines which said:
> 
>> The data is not sensitive (the DNS is public), not the fact that you
>> request it.
> 
> Correct sentence: the data is not sensitive (the DNS is public), but
> the fact that you request it *is* sensitive.

BTW, did I get it right that DNS4EU does not offer protection from this issue? It just proposes to
give this info into other hands?

--
Taras Heichenko
tasic _at_ academ.kiev _dot_ ua






Hank Nussbacher

2021-11-11 07:29:55 CET

  
    
On 08/11/2021 15:54, Chris Buckridge wrote:

Anyone here attend yesterday's HLIG meeting and can share a presentation or meeting notes?

Thanks,
Hank

> Hi Hank, all,
>
> I don’t have a lot that I can add to what Nick and Stephane have already posted. But I will note that the European Commission has scheduled one of the regular meetings of its High Level Group on Internet Governance (HLIG) for this Wednesday; portions of those meeting agendas are generally open to industry stakeholders, and Wednesday’s agenda includes an update on DNS4EU.
>
> The information page for the HLIG is here:
> https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupId=2450&fromMeetings=true&meetingId=23922
>
> It’s not clear whether registration for the meeting is still open at this point, but minutes are published publicly, and the RIPE NCC can report back to this working group if there are any updates of note.
>
> Best regards,
> Chris
>
>> On 8 Nov 2021, at 14:15, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
>>
>> On Mon, Nov 08, 2021 at 07:12:38AM +0200,
>> Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il> wrote
>> a message of 34 lines which said:
>>
>>> Does anyone have further insight into the European initiative
>>> known as DNS4EU?
>>
>> There is very little actual information published on this project.
>>
>> According to some rumors, it would be a public DNS resolver, with
>> built-in censorship (for the laws of 27 countries).
>>
>> dns4eu.eu has been registered by DG Connect


Chris Buckridge

2021-11-11 11:15:16 CET

RIPE NCC staff member

Hi Hank, all,

A number of us from the RIPE NCC (and others from the RIPE community) were in yesterday’s HLIG meeting.

There was a presentation on DNS4EU, and I’m trying to track down those slides and whether they’ll be made public - at this point, there’s nothing on the site, but we’ll certainly share any slides (or a public report on the meeting) when they become available.

The significant output was that the Commission expects to have a public Call for Proposals around the end of this year, as part of Connecting Europe Facility (CEF 2) programme, for an EU-governed public DNS resolver service. Obviously the CfP will contain more detail when it is made public.

This is also in line with the Commission’s statement back in June 2021 in section 1.6 of this document:
https://data.consilium.europa.eu/doc/document/ST-10137-2021-ADD-1/en/pdf

In the meantime, others may be able to share insights, and we will share links to public documents from yesterday’s session as we obtain them.

Cheers
Chris


> On 11 Nov 2021, at 07:29, Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il> wrote:
> 
> On 08/11/2021 15:54, Chris Buckridge wrote:
> 
> Anyone here attend yesterday's HLIG meeting and can share a presentation or meeting notes?
> 
> Thanks,
> Hank
> 
>> Hi Hank, all,
>> 
>> I don’t have a lot that I can add to what Nick and Stephane have already posted. But I will note that the European Commission has scheduled one of the regular meetings of its High Level Group on Internet Governance (HLIG) for this Wednesday; portions of those meeting agendas are generally open to industry stakeholders, and Wednesday’s agenda includes an update on DNS4EU.
>> 
>> The information page for the HLIG is here:
>> 
>> https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupId=2450&fromMeetings=true&meetingId=23922
>> 
>> 
>> It’s not clear whether registration for the meeting is still open at this point, but minutes are published publicly, and the RIPE NCC can report back to this working group if there are any updates of note.
>> 
>> Best regards,
>> Chris
>> 
>> 
>>> On 8 Nov 2021, at 14:15, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr>
>>>  wrote:
>>> 
>>> On Mon, Nov 08, 2021 at 07:12:38AM +0200,
>>> Hank Nussbacher
>>> <hank _at_ efes.iucc.ac _dot_ il>
>>>  wrote
>>> a message of 34 lines which said:
>>> 
>>> 
>>>>   Does anyone have further insight into the European initiative
>>>>   known as DNS4EU?
>>>> 
>>> There is very little actual information published on this project.
>>> 
>>> According to some rumors, it would be a public DNS resolver, with
>>> built-in censorship (for the laws of 27 countries).
>>> 
>>> dns4eu.eu has been registered by DG Connect
>>> 
>>> 

Stephane Bortzmeyer

2021-11-11 11:59:32 CET

On Thu, Nov 11, 2021 at 08:01:46AM +0200,
 Taras Heichenko <tasic _at_ academ.kiev _dot_ ua> wrote 
 a message of 27 lines which said:

> BTW, did I get it right that DNS4EU does not offer protection from this
> issue? It just proposes to give this info into other hands?

Maybe but, at this stage, it is too early to tell (remember, this is
very vague, there is no actual, concrete plan).

Stephane Bortzmeyer

2021-11-11 12:02:04 CET

On Wed, Nov 10, 2021 at 08:51:41PM +0100,
 Erwin Hoffmann <feh _at_ fehcom _dot_ de> wrote 
 a message of 38 lines which said:

> Well, I do not expect to convince people to step into this solution
> immediately, but for restricted networks (let's say including IoT
> devices) it might be a useful alternative. This is a different scope
> perhaps and sharp edges certainly still exist. Though it is an
> almost zero cost alternative w.r.t. DNSSEC.

It does not seem to provide the same service as DNSSEC, more the same
service as DoT or DoH.


Andrew Campling

2021-11-11 12:26:09 CET

I'll be giving an update on DNS4EU on my weekly encrypted DNS call next Monday and will cover the points in the presentation at the HLIG meeting yesterday.  I've invited the Commission team to join but can't guarantee that they will be on the call at the moment.  

Please email me directly if you don't currently attend the calls and would like an invitation - they take place every Monday at 16:00 UTC.  Recordings of past calls are accessible at https://419.consulting/encrypted-dns.   


Andrew

-----Original Message-----
Date: Thu, 11 Nov 2021 11:15:16 +0100
From: Chris Buckridge <chrisb _at_ ripe _dot_ net>
To: Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il>
Cc: dns-wg _at_ ripe _dot_ net
Subject: Re: [dns-wg] DNS4EU?
Message-ID: <8E01ADB6-5AF2-4EDB-BB89-BEA4E4C31EFC _at_ ripe _dot_ net>
Content-Type: text/plain; charset="utf-8"

Hi Hank, all,

A number of us from the RIPE NCC (and others from the RIPE community) were in yesterday’s HLIG meeting.

There was a presentation on DNS4EU, and I’m trying to track down those slides and whether they’ll be made public - at this point, there’s nothing on the site, but we’ll certainly share any slides (or a public report on the meeting) when they become available.

The significant output was that the Commission expects to have a public Call for Proposals around the end of this year, as part of Connecting Europe Facility (CEF 2) programme, for an EU-governed public DNS resolver service. Obviously the CfP will contain more detail when it is made public.

This is also in line with the Commission’s statement back in June 2021 in section 1.6 of this document:
https://data.consilium.europa.eu/doc/document/ST-10137-2021-ADD-1/en/pdf

In the meantime, others may be able to share insights, and we will share links to public documents from yesterday’s session as we obtain them.

Cheers
Chris


Andrea Kurucsó

2021-11-11 12:36:30 CET

Hi,

Please unsubscribe me...I keep getting a lot of emails but I have not been
involved in this work for ages now....I try to unsubscribe but I keep
getting email.
It is getting very annoying. Please do something about it.

Thx.


*Best regards, Kurucsó Andrea*

*+36 20 544 3439*



Andrew Campling wrote (on Thu, 11 Nov 2021, 12:26):

> I'll be giving an update on DNS4EU on my weekly encrypted DNS call next
> Monday and will cover the points in the presentation at the HLIG meeting
> yesterday.  I've invited the Commission team to join but can't guarantee
> that they will be on the call at the moment.
>
> Please email me directly if you don't currently attend the calls and would
> like an invitation - they take place every Monday at 16:00 UTC.  Recordings
> of past calls are accessible at https://419.consulting/encrypted-dns.
>
>
> Andrew
>
> -----Original Message-----
> Date: Thu, 11 Nov 2021 11:15:16 +0100
> From: Chris Buckridge <chrisb _at_ ripe _dot_ net>
> To: Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il>
> Cc: dns-wg _at_ ripe _dot_ net
> Subject: Re: [dns-wg] DNS4EU?
> Message-ID: <8E01ADB6-5AF2-4EDB-BB89-BEA4E4C31EFC _at_ ripe _dot_ net>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Hank, all,
>
> A number of us from the RIPE NCC (and others from the RIPE community) were
> in yesterday’s HLIG meeting.
>
> There was a presentation on DNS4EU, and I’m trying to track down those
> slides and whether they’ll be made public - at this point, there’s nothing
> on the site, but we’ll certainly share any slides (or a public report on
> the meeting) when they become available.
>
> The significant output was that the Commission expects to have a public
> Call for Proposals around the end of this year, as part of Connecting
> Europe Facility (CEF 2) programme, for an EU-governed public DNS resolver
> service. Obviously the CfP will contain more detail when it is made public.
>
> This is also in line with the Commission’s statement back in June 2021 in
> section 1.6 of this document:
> https://data.consilium.europa.eu/doc/document/ST-10137-2021-ADD-1/en/pdf
>
> In the meantime, others may be able to share insights, and we will share
> links to public documents from yesterday’s session as we obtain them.
>
> Cheers
> Chris
>
>
>

Carsten Schiefner

2021-11-15 12:12:40 CET

<dns-wg-request _at_ ripe _dot_ net?subject=unsubscribe>

On 11.11.2021 12:36, Andrea Kurucsó wrote:
> Hi,
> 
> Please unsubscribe me...I keep getting a lot of emails but I have not been
> involved in this work for ages now....I try to unsubscribe but I
> keep getting email.
> It is getting very annoying. Please do something about it.
> 
> Thx.
> 
> Best regards,
> Kurucsó Andrea
> +36 20 544 3439

Carsten Schiefner

2021-11-15 12:22:43 CET

Having played Devil's advocate with my question a bit, Stephane's and
Nils' assessments strongly cover my suspicion by a full 100%.

I still wonder when the compulsory use of this DNS resolution service
will consequently start for EU citizens eventually...

On 10.11.2021 16:08, Carsten Schiefner wrote:
> On 10.11.2021 15:58, Ulrich Wisser via dns-wg wrote:
>> Well, the general idea is that the resolver provides a reliable service that strictly follows GDPR.
>> Current large open resolvers fall under the US Cloud Act with no privacy for non US citizens.
>>
>> DNS4EU is intended to provide DNS filtering of malware and phishing. But with the intention of actually having threat feeds that carry threats in languages other than English.
> 
> Are we sure that 'it' (definition...) will stop at "malware and phishing"?

-------- Forwarded Message --------
Subject: Re: [dns-wg] DNS4EU?
Date: Wed, 10 Nov 2021 16:21:33 +0100
From: Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr>
Organization: NIC France
To: Carsten Schiefner <ripe-wgs.cs _at_ schiefner _dot_ de>
CC: dns-wg _at_ ripe _dot_ net

On Wed, Nov 10, 2021 at 04:08:20PM +0100,
 Carsten Schiefner <ripe-wgs.cs _at_ schiefner _dot_ de> wrote  a message of 7
lines which said:

> Are we sure that 'it' (definition...) will stop at "malware and
> phishing"?

We can be reasonably sure it will not. If it is actually used, we can
expect IP (not Internet Protocol) lawyers asking for a censorship of
sci-hub.se and politicians asking for censorship of [current political
issue in their country].

-------- Forwarded Message --------
Subject: Re: [dns-wg] DNS4EU?
Date: Wed, 10 Nov 2021 16:21:59 +0100
From: Nils Wisiol <nils _at_ desec _dot_ io>
To: Carsten Schiefner <ripe-wgs.cs _at_ schiefner _dot_ de>, Ulrich Wisser
<ulrich _at_ wisser _dot_ se>
CC: dns-wg _at_ ripe _dot_ net

On Wed, 2021-11-10 at 16:08 +0100, Carsten Schiefner wrote:
> [...]
>
> Are we sure that 'it' (definition...) will stop at "malware and
> phishing"?

Certainly not, as illustrated with Quad9 vs Sony Music [1]. While they
are not EU, but Switzerland-based, this is afaik the closest
operational approximation to what DNS4EU goals are.

[1]
https://www.quad9.net/news/blog/quad9-and-sony-music-german-injunction-status/

Michele Neylon

2021-11-15 12:53:20 CET

I’d *love* to know how they expect to force anyone to use a specific DNS resolver.

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845

Stephane Bortzmeyer

2021-11-15 12:57:06 CET

On Mon, Nov 15, 2021 at 11:53:20AM +0000,
 Michele Neylon - Blacknight via dns-wg <dns-wg _at_ ripe _dot_ net> wrote 
 a message of 119 lines which said:

> I’d *love* to know how they expect to force anyone to use a specific
> DNS resolver.

Political pressure on Mozilla so that they use by default the DoH
resolver of DNS4EU? It is not "forcing" (users can still disable it)
but it is close.

A similar (?) case:

https://www.cira.ca/newsroom/canadian-shield/mozilla-partners-cira-upgrade-canadas-online-privacy-through-firefox



Michele Neylon

2021-11-15 12:59:50 CET

Stephane

Thanks – I hadn’t thought of that. I was still thinking along the lines of them trying to force ISPs to implement.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845


From: Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr>
Date: Monday, 15 November 2021 at 11:57
To: Michele Neylon - Blacknight <michele _at_ blacknight _dot_ com>
Cc: Carsten Schiefner <ripe-wgs.cs _at_ schiefner _dot_ de>, RIPE DNS Working Group <dns-wg _at_ ripe _dot_ net>
Subject: Re: DNS4EU?

On Mon, Nov 15, 2021 at 11:53:20AM +0000,
 Michele Neylon - Blacknight via dns-wg <dns-wg _at_ ripe _dot_ net> wrote
 a message of 119 lines which said:

> I’d *love* to know how they expect to force anyone to use a specific
> DNS resolver.

Political pressure on Mozilla so that they use by default the DoH
resolver of DNS4EU? It is not "forcing" (users can still disable it)
but it is close.

A similar (?) case:

https://www.cira.ca/newsroom/canadian-shield/mozilla-partners-cira-upgrade-canadas-online-privacy-through-firefox

Denis Fondras

2021-11-15 13:07:01 CET

On Mon, Nov 15, 2021 at 12:57:06PM +0100, Stephane Bortzmeyer wrote:
> Political pressure on Mozilla so that they use by default the DoH
> resolver of DNS4EU? It is not "forcing" (users can still disable it)
> but it is close.
> 

The market share of Mozilla is so low today that it will be a drop in the ocean.

But perhaps Google will trade the big EU fine with using EU DNS :p

-- 
Denis Fondras / Liopen

Ralf Weber

2021-11-15 17:44:34 CET

Moin!

On 15 Nov 2021, at 7:57, Stephane Bortzmeyer wrote:
> Political pressure on Mozilla so that they use by default the DoH
> resolver of DNS4EU? It is not "forcing" (users can still disable it)
> but it is close.
It was Mozilla that came up with the bad idea of using a default DoH resolver instead of using the network provided one. I always said that was a bad idea.

> A similar (?) case:
>
> https://www.cira.ca/newsroom/canadian-shield/mozilla-partners-cira-upgrade-canadas-online-privacy-through-firefox
I can see no downside on that. Canadian people now use an in-country provider instead of the default US based provider. As said the bad idea was setting a default. That at least is a better default for Canadians.

So long
-Ralf
——-
Ralf Weber

Niall O'Reilly

2021-11-15 18:30:20 CET

[RIPE Vice-Chair hat OFF]

On 15 Nov 2021, at 16:44, Ralf Weber wrote:

> I can see no downside on that. Canadian people now use a in country 
> provider instead of the default US based provider. As said the bad 
> idea was setting a default. That at least is a better default for 
> Canadians.

Besides, and IIUC, under this system, DNS filtering appears to be off by 
default
and users can opt in to the "Protected" or "Family" levels of filtering.

Niall O'Reilly

Tolerant Networks Ltd

David Huberman

2021-11-15 22:12:25 CET

Pardon for top posting. I'm sick and grumpy.

In addition to the browser vendors, wouldn't regulators be able to define a class of orgs that are ISPs, then make a rule: ISPs must not do DNS resolution for your customers. Instead, you must forward to our resolver or you must announce our resolver's IP addresses in DHCP -- or we will fine you.




> On Nov 15, 2021, at 6:57 AM, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
> 
> On Mon, Nov 15, 2021 at 11:53:20AM +0000,
> Michele Neylon - Blacknight via dns-wg <dns-wg _at_ ripe _dot_ net> wrote 
> a message of 119 lines which said:
> 
>> I’d *love* to know how they expect to force anyone to use a specific
>> DNS resolver.
> 
> Political pressure on Mozilla so that they use by default the DoH
> resolver of DNS4EU? It is not "forcing" (users can still disable it)
> but it is close.
> 
> A similar (?) case:
> 
> https://www.cira.ca/newsroom/canadian-shield/mozilla-partners-cira-upgrade-canadas-online-privacy-through-firefox
> 
> 

Nick Hilliard

2021-11-15 22:20:19 CET

David Huberman wrote on 15/11/2021 21:12:
> In addition to the browser vendors, wouldn't regulators be able to
> define a class of orgs that are ISPs, then make a rule: ISPs must not
> do DNS resolution for your customers. Instead, you must forward to
> our resolver or you must announce our resolver's IP addresses in DHCP
> -- or we will fine you.
What legal basis could be used to force service providers to outsource 
dns resolution? And what exact market distortion / level playing field 
problem would they be solving? This makes no sense.  Regulators in the 
european union don't have the extraordinary powers of edict that are 
being described on this mailing list.

Nick


Randy Bush

2021-11-15 22:29:48 CET

> What legal basis could be used to force service providers to outsource
> dns resolution? And what exact market distortion / level playing field
> problem would they be solving? This makes no sense.  Regulators in the
> european union don't have the extraordinary powers of edict that are
> being described on this mailing list.

you can't fool me, hilliard.  i saw the black helicopter at the ietf
near dublin.

randy


David Huberman

2021-11-15 22:31:40 CET

Hi Nick,

Thanks for the reply.

> On Nov 15, 2021, at 4:20 PM, Nick Hilliard <nick _at_ foobar _dot_ org> wrote:
> 
> What legal basis could be used to force service providers to outsource dns resolution? 

I guess I'm not grokking why you think this kind of regulation would have no legal basis when regulators are proposing something very similar in eIDAS article 45 (all web browsers must accept CAs which we the regulators approve) and in NIS2 for root server operators with more than 10 instances. The concept of Trusted Service Providers in EU regulations already exists and is already quite powerful.

Thanks for your thoughts,
David 

Nick Hilliard

2021-11-15 23:12:58 CET

David Huberman wrote on 15/11/2021 21:31:
> I guess I'm not grokking why you think this kind of regulation would
> have no legal basis when regulators are proposing something very
> similar in eIDAS article 45 (all web browsers must accept CAs which
> we the regulators approve) and in NIS2 for root server operators with
> more than 10 instances. The concept of Trusted Service Providers in
> EU regulations already exists and is already quite powerful.
Mandating specific CAs in a browser - although a remarkably stupid thing 
to do, if that's what's being discussed, and it's not clear from eIDAS 
art. 45 that this is necessary within the terms of that regulation - is 
not the same as hijacking dns resolution services.  There's a gap 
between the two and it's not that small either.

Separately, NISD2 is not yet finalised, nor is it being mandated by 
regulators: it's being written by lawmakers, who have taken root servers 
out of scope of the directive.

In relation to trust service providers, the requirements here relate 
mostly to process management and providing a legal framework in which 
TSPs can operate consistently across multiple countries.  You can't 
really operate a society which depends on electronic trust mechanisms 
without having a legal framework for this.

Nick

Nick Hilliard

2021-11-15 23:15:57 CET

Randy Bush wrote on 15/11/2021 21:29:
> you can't fool me, hilliard.  i saw the black helicopter at the ietf
> near dublin.

You didn't see any black helicopters!  The men in black suits said they 
weren't there.

Nick


Chris Buckridge

2021-12-15 12:30:33 CET

RIPE NCC staff member

Hi Hank, all,

Apologies for the delay here - was hoping to have some more substantial information, but in the absence of that, our colleagues at the European Commission have been able to share the content of the four slides that they delivered at last month’s HLIG meeting.

The slides were as follows:

1. DNS Resolution Markets: Problems
* Consolidation (+DoH)
* Incidents affecting large DNS resolvers
* Data Protection Rights
* Prevention of Cyberattacks; Virus; Malware

2. DNS4EU: Concept
* DNS4EU is conceived as an alternative to existing DNS resolution services, increasing overall internet resilience, and offering European citizens and private and public organizations the capacity to access the web with a high-quality and free service, based in the EU, that guarantees data protection according to EU rules and increases the protection from malware, phishing and cyberattacks.

3. DNS4EU: Characteristics
* Have a large footprint within the EU, enabling paid premium services such as specific performance and security criteria for vertical sectors (health, transport, industry, finance, etc.) or enhanced security (filtering, 24x7 support) for companies.
* Be fully transparent and compliant with the GDPR.
* Offer state-of-the-art, ad-hoc DNS filtering against phishing or malware based on existing global threat feeds and own feeds.
* Conform to the latest security and privacy technological standards, including DoH.
* Develop wholesale discovery and resolution services for other digital service providers, including ISPs and Cloud service providers.

4. DNS4EU: Next Steps
* Pending confirmation: Connecting Europe Facility (CEF2) – European Cloud Federation Initiative
* 50% of the initial infrastructure investment
* Expected publication of the call: End of 2021
* Conform to the latest security and privacy technological standards, including DoH.
* Federated Structure: High-quality consortiums, potentially including vertical industries, to best increase the footprint and customer base of DNS4EU in the EU, reduce costs through shared resources, operations and cyber security feeds, and ensure the long-term sustainability of DNS4EU

——

The Commission staff have also expressed their interest in any feedback from this working group that might help “fine tune the proposal” (I believe the discussion here has already provided some relevant insights). However, at this point, the next step is likely to be publication of the call for proposals, as referenced in the fourth slide above.

Cheers
Chris


> On 8 Nov 2021, at 14:54, Chris Buckridge <chrisb _at_ ripe _dot_ net> wrote:
> 
> Hi Hank, all,
> 
> I don’t have a lot that I can add to what Nick and Stephane have already posted. But I will note that the European Commission has scheduled one of the regular meetings of its High Level Group on Internet Governance (HLIG) for this Wednesday; portions of those meeting agendas are generally open to industry stakeholders, and Wednesday’s agenda includes an update on DNS4EU.
> 
> The information page for the HLIG is here:
> https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupId=2450&fromMeetings=true&meetingId=23922
> 
> It’s not clear whether registration for the meeting is still open at this point, but minutes are published publicly, and the RIPE NCC can report back to this working group if there are any updates of note.
> 
> Best regards,
> Chris
> 
>> On 8 Nov 2021, at 14:15, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
>> 
>> On Mon, Nov 08, 2021 at 07:12:38AM +0200,
>> Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il> wrote
>> a message of 34 lines which said:
>> 
>>>  Does anyone have further insight into the European initiative
>>>  known as DNS4EU?
>> 
>> There is very little actual information published on this project.
>> 
>> According to some rumors, it would be a public DNS resolver, with
>> built-in censorship (for the laws of 27 countries).
>> 
>> dns4eu.eu has been registered by DG Connect
>> 
>> 
>> 
>> 
> 

Jim Reid

2021-12-15 12:50:58 CET

> On 15 Dec 2021, at 11:30, Chris Buckridge <chrisb _at_ ripe _dot_ net> wrote:
> 
> Apologies for the delay here - was hoping to have some more substantial information, but in the absence of that, our colleagues at the European Commission have been able to share the content of the four slides that they delivered at last month’s HLIG meeting.

Many thanks for this Chris.


Carsten Schiefner

2021-12-15 19:55:29 CET

Thanks, Chris!

On 15.12.2021 12:30, Chris Buckridge wrote:
> Hi Hank, all,
> 
> Apologies for the delay here - was hoping to have some more substantial information, but in the absence of that, our colleagues at the European Commission have been able to share the content of the four slides that they delivered at last month’s HLIG meeting.
> 
> [...]
> 
> Cheers
> Chris


Moritz Müller

2021-12-16 08:59:42 CET

Thank you Chris.

>  offering European citizens and private and public organizations the capacity to access the web with a high-quality and free service

I was wondering: Why does the EC believe that the resolvers users currently rely on (e.g. provided by their ISP) provide “low-quality”? Are there any studies about this?

—
Moritz

> On 15 Dec 2021, at 12:30, Chris Buckridge <chrisb _at_ ripe _dot_ net> wrote:
> 
> Hi Hank, all,
> 
> Apologies for the delay here - was hoping to have some more substantial information, but in the absence of that, our colleagues at the European Commission have been able to share the content of the four slides that they delivered at last month’s HLIG meeting.
> 
> The slides were as follows:
> 
> 1. DNS Resolution Markets: Problems
> * Consolidation (+DoH)
> * Incidents affecting large DNS resolvers
> * Data Protection Rights
> * Prevention of Cyberattacks; Virus; Malware
> 
> 2. DNS4EU: Concept
> * DNS4EU is conceived as an alternative to existing DNS resolution services, increasing overall internet resilience, and offering European citizens and private and public organizations the capacity to access the web with a high-quality and free service, based in the EU, that guarantees data protection according to EU rules and increases the protection from malware, phishing and cyberattacks.
> 
> 3. DNS4EU: Characteristics
> * Have a large footprint within the EU, enabling paid premium services such as specific performance and security criteria for vertical sectors (health, transport, industry, finance, etc.) or enhanced security (filtering, 24x7 support) for companies.
> * Be fully transparent and compliant with the GDPR.
> * Offer state-of-the-art, ad-hoc DNS filtering against phishing or malware based on existing global threat feeds and own feeds.
> * Conform to the latest security and privacy technological standards, including DoH.
> * Develop wholesale discovery and resolution services for other digital service providers, including ISPs and Cloud service providers.
> 
> 4. DNS4EU: Next Steps
> * Pending confirmation: Connecting Europe Facility (CEF2) – European Cloud Federation Initiative
> * 50% of the initial infrastructure investment
> * Expected publication of the call: End of 2021
> * Conform to the latest security and privacy technological standards, including DoH.
> * Federated Structure: High-quality consortiums, potentially including vertical industries, to best increase the footprint and customer base of DNS4EU in the EU, reduce costs through shared resources, operations and cyber security feeds, and ensure the long-term sustainability of DNS4EU
> 
> ——
> 
> The Commission staff have also expressed their interest in any feedback from this working group that might help “fine tune the proposal” (I believe the discussion here has already provided some relevant insights). However, at this point, the next step is likely to be publication of the call for proposals, as referenced in the fourth slide above.
> 
> Cheers
> Chris
> 
> 
>> On 8 Nov 2021, at 14:54, Chris Buckridge <chrisb _at_ ripe _dot_ net> wrote:
>> 
>> Hi Hank, all,
>> 
>> I don’t have a lot that I can add to what Nick and Stephane have already posted. But I will note that the European Commission has scheduled one of the regular meetings of its High Level Group on Internet Governance (HLIG) for this Wednesday; portions of those meeting agendas are generally open to industry stakeholders, and Wednesday’s agenda includes an update on DNS4EU.
>> 
>> The information page for the HLIG is here:
>> https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupId=2450&fromMeetings=true&meetingId=23922
>> 
>> It’s not clear whether registration for the meeting is still open at this point, but minutes are published publicly, and the RIPE NCC can report back to this working group if there are any updates of note.
>> 
>> Best regards,
>> Chris
>> 
>>> On 8 Nov 2021, at 14:15, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
>>> 
>>> On Mon, Nov 08, 2021 at 07:12:38AM +0200,
>>> Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il> wrote
>>> a message of 34 lines which said:
>>> 
>>>> Does anyone have further insight into the European initiative
>>>> known as DNS4EU?
>>> 
>>> There is very little actual information published on this project.
>>> 
>>> According to some rumors, it would be a public DNS resolver, with
>>> built-in censorship (for the laws of 27 countries).
>>> 
>>> dns4eu.eu has been registered by DG Connect
>>> 
>>> 
>>> 
>>> 
>> 
> 
> 
> 

Stephane Bortzmeyer

2021-12-16 09:07:19 CET

On Thu, Dec 16, 2021 at 08:59:42AM +0100,
 Moritz Müller via dns-wg <dns-wg _at_ ripe _dot_ net> wrote 
 a message of 179 lines which said:

> I was wondering: Why does the EC believe that the resolvers users
> currently rely on (e.g. provided by their ISP) provide
> “low-quality”? Are there any studies about this?

One possible response is that the people who write these statements
don't know what they are talking about. But of course, I cannot
believe that. So, another possible response: in Brussels, they see
that some users move away from the IAP resolver to a public resolver,
so there is probably a reason for that. (Unfortunately, DNS4EU may not
address this reason.)



Hank Nussbacher

2021-12-16 10:10:16 CET

  
    
On 16/12/2021 10:07, Stephane Bortzmeyer wrote:
> On Thu, Dec 16, 2021 at 08:59:42AM +0100,
>  Moritz Müller via dns-wg <dns-wg _at_ ripe _dot_ net> wrote
>  a message of 179 lines which said:
>
>> I was wondering: Why does the EC believe that the resolvers users
>> currently rely on (e.g. provided by their ISP) provide
>> “low-quality”? Are there any studies about this?
>
> One possible response is that the people who write these statements
> don't know what they are talking about. But of course, I cannot
> believe that. So, another possible response: in Brussels, they see
> that some users move away from the IAP resolver to a public resolver,
> so there is probably a reason for that. (Unfortunately, DNS4EU may not
> address this reason.)

Or simply some politician traveled to Canada and said to his aide "Why can't we do that as well?"

https://www.cira.ca/cybersecurity-services/canadian-shield

-Hank


Chris Buckridge

2021-12-16 10:38:05 CET

RIPE NCC staff member

> On 16 Dec 2021, at 10:10, Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il> wrote:
> 
> On 16/12/2021 10:07, Stephane Bortzmeyer wrote:
>> On Thu, Dec 16, 2021 at 08:59:42AM +0100,
>>  Moritz Müller via dns-wg
>> <dns-wg _at_ ripe _dot_ net>
>>  wrote
>>  a message of 179 lines which said:
>> 
>> 
>>> I was wondering: Why does the EC believe that the resolvers users
>>> currently rely on (e.g. provided by their ISP) provide
>>> “low-quality”? Are there any studies about this?
>>> 
>> One possible response is that the people who write these statements
>> don't know what they are talking about. But of course, I cannot
>> believe that. So, another possible response: in Brussels, they see
>> that some users move away from the IAP resolver to a public resolver,
>> so there is probably a reason for that. (Unfortunately, DNS4EU may not
>> address this reason.)
>> 
>> 
> Or simply some politician traveled to Canada and said to his aide "Why can't we do that as well?"
> https://www.cira.ca/cybersecurity-services/canadian-shield

My sense is that discussions around DoH in recent years have given new prominence to this particular element in the DNS*, and as Hank notes, newly interested policymakers don’t have to look far to find examples of other, more state-defined/endorsed approaches. But the expected CfP may provide some more clarity on exactly how the Commission sees this evolving.

Chris

* The ongoing Quad9 legal developments in Germany may have also kept the issue front of mind… https://www.quad9.net/news/press/german-court-rules-against/

Erwin Hoffmann

2021-12-16 11:41:53 CET

Hi Chris (and everybody),


On Thursday, 16.12.2021 at 10:38 +0100, Chris Buckridge wrote:


> * The ongoing Quad9 legal developments in Germany may have also kept
> the issue front of mind…
> https://www.quad9.net/news/press/german-court-rules-against/

And this particular court - the 'Landgericht Hamburg' - is known for
its strange sentences regarding issues in the 'IT world'.

Apart from that, I share the opinion that politicians actually don't
know what DNS is all about. To make them understand better, one could
use the 'S' method from SCAMPER: Substitute DNS with roads and traffic.

Let's see:

"3. DNS4EU: Characteristics
* Have a large footprint within the EU, enabling paid premium services
such as specific performance and security criteria for vertical sectors
(health, transport, industry, finance, etc.) or enhanced security
(filtering, 24x7 support) for companies."

becomes:

"* Have a large footprint within the EU. Providing tollways for high
speed and road tunnels for vertical sectors ( ... ) or enhanced traffic
control by policeman checking driver's license and vehicle conditions
on a 24x7 base for particular destinations."

And this should be covered by the GDPR? Lol.

Best regards.
--eh. 



-- 
Dr. Erwin Hoffmann | www.fehcom.de



Niall O'Reilly

2021-12-16 14:59:30 CET

On 16 Dec 2021, at 8:07, Stephane Bortzmeyer wrote:

> So, another possible response: in Brussels, they see
> that some users move away from the IAP resolver to a public resolver,

or (as may be seen in the suburbs of Dublin) a (locally) significant
ISP configures their CPE devices to use 8.8.8.8 and its siblings.

Now, if only there were an established public resolver operator,
based in the EEA, who would be minded to respond to the CfP ...

/Niall

David Conrad

2021-12-16 18:03:24 CET

Moritz,

On Dec 15, 2021, at 11:59 PM, Moritz Müller via dns-wg <dns-wg _at_ ripe _dot_ net> wrote:
>> offering European citizens and private and public organizations the capacity to access the web with a high-quality and free service
> I was wondering: Why does the EC believe that the resolvers users currently rely on (e.g. provided by their ISP) provide “low-quality”? Are there any studies about this?

My read is that the primary target of DNS4EU is US-based “Big Tech” (whatever that means), particularly those firms that have a (shall we say) laissez faire attitude towards data privacy.  In other words, Google (8.8.8.8).  I’d imagine from the perspective of EC folks, DNS4EU would be a no-brainer: support EU-based business, give the finger to Google, give EU law enforcement a potential bone to get around DoH, make “rah rah” noises about EU data sovereignty, and provide, at least theoretically, a way to appease intellectual property lawyers.

Since they’re talking about a “federated” service, I suspect ISPs who want to play by the EC’s rules will be considered a part of DNS4EU.

Of course, if one were cynical, the question really is when the other shoe (e.g., legal mandates to abide by DNS4EU filtering requirements) will drop.

Regards,
-drc


Michele Neylon

2021-12-16 18:05:09 CET

Exactly

I’m highly suspicious of it

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845


From: dns-wg <dns-wg-bounces _at_ ripe _dot_ net> on behalf of David Conrad <drc _at_ virtualized _dot_ org>
Date: Thursday, 16 December 2021 at 17:03
To: Moritz Müller <moritz.muller _at_ sidn _dot_ nl>
Cc: dns-wg _at_ ripe _dot_ net <dns-wg _at_ ripe _dot_ net>
Subject: Re: [dns-wg] DNS4EU?

Moritz,

On Dec 15, 2021, at 11:59 PM, Moritz Müller via dns-wg <dns-wg _at_ ripe _dot_ net> wrote:
>> offering European citizens and private and public organizations the capacity to access the web with a high-quality and free service
> I was wondering: Why does the EC believe that the resolvers users currently rely on (e.g. provided by their ISP) provide “low-quality”? Are there any studies about this?

My read is that the primary target of DNS4EU is US-based “Big Tech” (whatever that means), particularly those firms that have a (shall we say) laissez faire attitude towards data privacy.  In other words, Google (8.8.8.8).  I’d imagine from the perspective of EC folks, DNS4EU would be a no-brainer: support EU-based business, give the finger to Google, give EU law enforcement a potential bone to get around DoH, make “rah rah” noises about EU data sovereignty, and provide, at least theoretically, a way to appease intellectual property lawyers.

Since they’re talking about a “federated” service, I suspect ISPs who want to play by the EC’s rules will be considered a part of DNS4EU.

Of course, if one were cynical, the question really is when the other shoe (e.g., legal mandates to abide by DNS4EU filtering requirements) will drop.

Regards,
-drc

Geoff Huston

2021-12-17 02:43:12 CET

> On 16 Dec 2021, at 7:07 pm, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
> 
> On Thu, Dec 16, 2021 at 08:59:42AM +0100,
> Moritz Müller via dns-wg <dns-wg _at_ ripe _dot_ net> wrote 
> a message of 179 lines which said:
> 
>> I was wondering: Why does the EC believe that the resolvers users
>> currently rely on (e.g. provided by their ISP) provide
>> “low-quality”? Are there any studies about this?
> 
> One possible response is that the people who write these statements
> don't know what they are talking about. But of course, I cannot
> believe that. So, another possible response: in Brussels, they see
> that some users move away from the IAP resolver to a public resolver,
> so there is probably a reason for that. (Unfortunately, DNS4EU may not
> address this reason.)
> 

DNS resolution is, economically speaking, a wasteland - users don't pay for queries so
the infrastructure that handles queries is bundled up with other services, which
is what your ISP does. But users don't generally decide on an ISP based on the
quality of that ISP’s DNS so the DNS department is part of the cost part of the
business, not a revenue generator, so it gets little attention. Some ISPs have
attempted to change this by monetising queries (selling the query logs) or
changing responses (NXDOMAIN substitution) but such efforts have been generally
regarded with extreme disfavor. So the DNS resolution environment limps along.

There is however one party who feels that it has a legitimate business interest in
an “honest” DNS, and that party is of course Google. NXDOMAIN substitution is 
a direct competitor to Google’s search services, and their search services
are a key component of their core revenue. So for precisely the same
reason why Google pay other folk money to make Google the default search engine
on their platforms, spending money to create a blazing fast and accurate and honest
DNS resolver is, for Google, money well spent.

The problem for everyone else is the incursion of a US private entity into
the heart of the Internet’s name resolution infrastructure.
 
Over the past 16 months the number of EU users who pass queries to Google’s 
Public DNS has risen from a little over 15% to touching 30% - i.e. its market
share in Europe has doubled in a little over one year! 
(https://stats.labs.apnic.net/rvrs/XE?hc=XE&hl=1&hs=0&ht=10&w=1&t=10&s=1)

If you are working in the EC and you see yet another piece of the Internet’s
digital communications infrastructure (and in the case of the DNS a very important
and highly informative piece if you were to peek at the data stream)
being aggregated and centralized by a gigantic US entity, then wouldn’t you be
a little bit disconcerted? I know I would!

So I think this is not really about the quality of the alternatives available
for European users (and ISPs) in the DNS resolution market. It's more
about the observation that piece by piece and bit by bit the decentralised
Internet is being centralized, and from an EU perspective it's being
centralised into non-EU private sector corporate domains.

Although, if you care about DNSSEC, DoH, and similar then you might look
at the piecemeal story about the adoption of DNSSEC validation in Europe
(https://stats.labs.apnic.net/dnssec/XE?hc=XE&hx=0&hv=1&hp=1&hr=1&w=1&p=0)
and ask yourself why the adoption of DNSSEC validation in Europe
correlates with the expansion of Google DNS’s use footprint. If you care
about such things and wanted to do something about it without simply handing
over even more market presence to Google then you might want to try to stimulate
local initiatives to improve the capability of DNS resolution 
infrastructure in the region.

Geoff










Geoff Huston

2021-12-17 02:43:17 CET

> On 16 Dec 2021, at 8:10 pm, Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il> wrote:
>> 
> Or simply some politician traveled to Canada and said to his aide "Why can't we do that as well?"
> https://www.cira.ca/cybersecurity-services/canadian-shield

most public sector work is derivative.

Geoff


Carsten Schiefner

2021-12-17 08:57:12 CET

As highly insightful as always, Geoff - thanks!

On 17.12.2021 02:43, Geoff Huston wrote:
> 
> 
>> On 16 Dec 2021, at 7:07 pm, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
>>
>> On Thu, Dec 16, 2021 at 08:59:42AM +0100,
>> Moritz Müller via dns-wg <dns-wg _at_ ripe _dot_ net> wrote 
>> a message of 179 lines which said:
>>
>>> I was wondering: Why does the EC believe that the resolvers users
>>> currently rely on (e.g. provided by their ISP) provide
>>> “low-quality”? Are there any studies about this?
>>
>> One possible response is that the people who write these statements
>> don't know what they are talking about. But of course, I cannot
>> believe that. So, another possible response: in Brussels, they see
>> that some users move away from the IAP resolver to a public resolver,
>> so there is probably a reason for that. (Unfortunately, DNS4EU may not
>> address this reason.)
>>
> 
> DNS resolution is, economically speaking, a wasteland - users don't pay for queries so
> the infrastructure that handles queries is bundled up with other services, which
> is what your ISP does. But users don't generally decide on an ISP based on the
> quality of that ISP’s DNS so the DNS department is part of the cost part of the
> business, not a revenue generator, so it gets little attention. Some ISPs have
> attempted to change this by monetising queries (selling the query logs) or
> changing responses (NXDOMAIN substitution) but such efforts have been generally
> regarded with extreme disfavor. So the DNS resolution environment limps along.
> 
> [...]

Stephane Bortzmeyer

2021-12-17 10:21:48 CET

On Fri, Dec 17, 2021 at 01:43:12AM +0000,
 Geoff Huston <gih _at_ apnic _dot_ net> wrote 
 a message of 67 lines which said:

> The problem for everyone else is the incursion of a US private
> entity into the heart of the Internet’s name resolution
> infrastructure.
>  
> Over the past 16 months the number of EU users who pass queries to
> Google’s Public DNS has risen from a little over 15% to touching 30%
> 
> If you are working in the EC and you see yet another piece of the
> Internet’s digital communications infrastructure being aggregated
> and centralized by a gigantic US entity, then wouldn’t you be a
> little bit disconcerted?

I think we all understand the starting point, and the concern of the
EC. The problem is that they apparently don't provide a detailed
problem analysis. Observing that the market share of US public
resolvers increases is one thing, understanding why is another thing,
and which is very important to solve the problem. Was there a survey
about the reasons for this switch to these resolvers?

For instance, an important reason (maybe the main one) why users use
US public resolvers is because they don't implement censorship
(SciHub, football events, music and film sharing). The DNS4EU project
is silent about whether or not they will have censorship (a
problematic silence!) but I note that they claim DNS4EU is a lying
resolver. Even if lies are initially limited to malware and C&C, I
have no doubt that the IP people (IP not being the Internet Protocol)
will, as soon as they discover DNS4EU, ask for censorship and they are
a very powerful lobby. If DNS4EU yields to their requirements, then the
project is doomed.

> So I think this is not really about the quality of the alternatives
> available for European users (and ISPs) in the DNS resolution
> market.

I don't think that many people switched to Google or Cloudflare
because of DNSSEC validation (unfortunately) but maybe they switched
because of technical malfunctions. Each time there is a big breakage
of the resolver of an IAP, everybody on the social networks advises
"use 8.8.8.8" and people don't come back after that. So, even if
DNSSEC doesn't matter, robustness does.

> to try to stimulate local initiatives to improve the capability of
> DNS resolution infrastructure in the region.

Another challenge for DNS4EU will be to provide a quality service:
managing a big public DNS resolver is not an easy task and I don't
think that there are many European companies which I would trust for
that. (At least among the companies that typically win the public
calls for tender.)


Stephane Bortzmeyer

2021-12-17 10:39:58 CET

On Thu, Dec 16, 2021 at 09:03:24AM -0800,
 David Conrad <drc _at_ virtualized _dot_ org> wrote 
 a message of 84 lines which said:

> Since they’re talking about a “federated” service, I suspect ISPs
> who want to play by the EC’s rules will be considered a part of
> DNS4EU.

Interesting. I thought that "federated" meant either a consortium of
corporations created to manage the resolver (an Airbus for the DNS) or
simply an anycasted resolver. But you're right, it is so vague, it
could mean also a simple label, which may be given to existing DNS
resolvers (a bit like Mozilla TRR).


Taras Heichenko

2021-12-18 14:45:42 CET

In addition to what was said by Stephane, Google made the technical solution that works for people and attracts them.
Till now DNS4EU looks like an administrative initiative without a clearly defined perspective. If someone
made a technical solution in the EU and offered it, and the solution were solid and resilient, there would
be no need for any initiatives.

> On 17 Dec 2021, at 11:21, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
> 
> On Fri, Dec 17, 2021 at 01:43:12AM +0000,
> Geoff Huston <gih _at_ apnic _dot_ net> wrote 
> a message of 67 lines which said:
> 
>> The problem for everyone else is the incursion of a US private
>> entity into the heart of the Internet’s name resolution
>> infrastructure.
>> 
>> Over the past 16 months the number of EU users who pass queries to
>> Google’s Public DNS has risen from a little over 15% to touching 30%
>> 
>> If you are working in the EC and you see yet another piece of the
>> Internet’s digital communications infrastructure being aggregated
>> and centralized by a gigantic US entity, then wouldn’t you be a
>> little bit disconcerted?
> 
> I think we all understand the starting point, and the concern of the
> EC. The problem is that they apparently don't provide a detailed
> problem analysis. Observing that the market share of US public
> resolvers increases is one thing, understanding why is another thing,
> and which is very important to solve the problem. Was there a survey
> about the reasons for this switch to these resolvers?
> 
> For instance, an important reason (maybe the main one) why users use
> US public resolvers is because they don't implement censorship
> (SciHub, football events, music and film sharing). The DNS4EU project
> is silent about whether or not they will have censorship (a
> problematic silence!) but I note that they claim DNS4EU is a lying
> resolver. Even if lies are initially limited to malware and C&C, I
> have no doubt that the IP people (IP not being the Internet Protocol)
> will, as soon as they discover DNS4EU, ask for censorship and they are
> a very powerful lobby. If DNS4EU yields to their requirements, then the
> project is doomed.
> 
>> So I think this is not really about the quality of the alternatives
>> available for European users (and ISPs) in the DNS resolution
>> market.
> 
> I don't think that many people switched to Google or Cloudflare
> because of DNSSEC validation (unfortunately) but maybe they switched
> because of technical malfunctions. Each time there is a big breakage
> of the resolver of an IAP, everybody on the social networks advises
> "use 8.8.8.8" and people don't come back after that. So, even if
> DNSSEC doesn't matter, robustness does.
> 
>> to try to stimulate local initiatives to improve the capability of
>> DNS resolution infrastructure in the region.
> 
> Another challenge for DNS4EU will be to provide a quality service:
> managing a big public DNS resolver is not an easy task and I don't
> think that there are many European companies which I would trust for
> that. (At least among the companies that typically win the public
> calls for tender.)
> 
> 
> -- 
> 
> To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/dns-wg

--
Taras Heichenko
tasic _at_ academ.kiev _dot_ ua







Randy Bush

2021-12-18 20:22:06 CET

> Even if lies are initially limited to malware and C&C, I have no doubt
> that the IP people (IP not being the Internet Protocol) will, as soon
> as they discover DNS4EU, ask for censorship and they are a very
> powerful lobby. If DNS4EU yields to their requirements, then the
> project is doomed.

you mean such as the german court ruling in favor of sony over quad9?

randy

---
randy _at_ psg _dot_ com
`gpg --locate-external-keys --auto-key-locate wkd randy _at_ psg _dot_ com`
signatures are back, thanks to dmarc header butchery


Andrew Campling

2021-12-20 12:28:45 CET

I've noted various comments about the EU's DNS4EU initiative on the list over the last week or so.  If anyone is interested in more detail and missed the related discussion on our weekly call a few weeks back, you can find the recording at https://419.consulting/encrypted-dns/f/dns4eu.  


> On 17 Dec 2021, at 11:21, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
> 
> On Fri, Dec 17, 2021 at 01:43:12AM +0000, Geoff Huston <gih _at_ apnic _dot_ net> 
> wrote a message of 67 lines which said:
> 
>> The problem for everyone else is the incursion of a US private entity 
>> into the heart of the Internet's name resolution infrastructure.
>> 
>> Over the past 16 months the number of EU users who pass queries to 
>> Google's Public DNS has risen from a little over 15% to touching 30%
>> 
>> If you are working in the EC and you see yet another piece of the 
>> Internet's digital communications infrastructure being aggregated and 
>> centralized by a gigantic US entity, then wouldn't you be a little 
>> bit disconcerted?
> 
> I think we all understand the starting point, and the concern of the 
> EC. The problem is that they apparently don't provide a detailed 
> problem analysis. Observing that the market share of US public 
> resolvers increases is one thing, understanding why is another thing, 
> and which is very important to solve the problem. Was there a survey 
> about the reasons for this switch to these resolvers?
> 
> For instance, an important reason (maybe the main one) why users use 
> US public resolvers is because they don't implement censorship 
> (SciHub, football events, music and film sharing). The DNS4EU project 
> is silent about whether or not they will have censorship (a 
> problematic silence!) but I note that they claim DNS4EU is a lying 
> resolver. Even if lies are initially limited to malware and C&C, I 
> have no doubt that the IP people (IP not being the Internet Protocol) 
> will, as soon as they discover DNS4EU, ask for censorship and they are 
> a very powerful lobby. If DNS4EU yields to their requirements, then the 
> project is doomed.

The use of the pejorative term "lying" resolver is unhelpful in this context.  It is important to acknowledge that the vast majority of Internet users are not experts; indeed most are unaware of either the purpose or the existence of DNS.  They are however exposed to vast amounts of malicious content and, in my opinion, any mass-market resolver that does not block access to such content by default is not fit for purpose.  In addition, for citizens of countries covered by GDPR, accessing a resolver located in the same jurisdiction is beneficial as it doesn't then export personal data elsewhere - US-based resolvers have the disadvantage of falling under the US CLOUD Act and FISA 702.  

As far as protection of intellectual property is concerned, it seems reasonable to me that Internet companies comply with court orders in the same way that other companies have to do so: despite the assertions of cyberlibertarians, the Internet is not a separate place beyond the reach of national legislation.  This is just as well, otherwise we'd still be prey to the whims of surveillance capitalists and not protected by GDPR etc.  

> 
>> So I think this is not really about the quality of the alternatives 
>> available for European users (and ISPs) in the DNS resolution market.
> 
> I don't think that many people switched to Google or Cloudflare 
> because of DNSSEC validation (unfortunately) but maybe they switched 
> because of technical malfunctions. Each time there is a big breakage 
> of the resolver of an IAP, everybody on the social networks advises 
> "use 8.8.8.8" and people don't come back after that. So, even if 
> DNSSEC doesn't matter, robustness does.
> 

I know that one of the drivers of the DNS4EU project was to improve the resilience of Internet infrastructure given the way that increased centralisation has weakened this over the last few years.  Providing an alternative open resolver is just one of several approaches being taken in this regard.  

An additional benefit of a European resolver is the opportunity to extract localised cybersecurity intelligence, something that I know the similar Canadian Shield project has already acknowledged has been an outcome of its operation.  Many of the commercial threat feeds are US-centric whereas DNS4EU provides the ability to draw insight from what may be a significant European user base.  


Andrew 



David Conrad

2021-12-21 19:56:58 CET

Andrew,

On Dec 20, 2021, at 3:28 AM, Andrew Campling  wrote:
> The use of the pejorative term "lying" resolver is unhelpful in this context.  It is important to acknowledge that the vast majority of Internet users are not experts; indeed most are unaware of either the purpose or the existence of DNS.

Sure.

> They are however exposed to vast amounts of malicious content and, in my opinion, any mass-market resolver that does not block access to such content by default is not fit for purpose.

The issue is probably the definition of “malicious content”. While I suspect most people would agree that redirecting (“lying”) about phishing, botnet c&c, and malware distribution domain names would be fine, where does the line get drawn and by whom? What other content would result in the DNS filtering hammer being brought down? CSAM domains? Hate speech domains? Intellectual property violations domains? Embarrassing-to-those-in-power domains? Etc. Without more detail in how filtering would be implemented, it is natural for folks to raise eyebrows.

> In addition, for citizens of countries covered by GDPR, accessing a resolver located in the same jurisdiction is beneficial as it doesn't then export personal data elsewhere - US-based resolvers have the disadvantage of falling under the US CLOUD Act and FISA 702.

True, however it may be worth noting that “legal intercept” applies in the EU even with GDPR and I’ve been told it is in some ways easier for local law enforcement to gain access in the EU jurisdictions than it is in the US.

> As far as protection of intellectual property is concerned, it seems reasonable to me that Internet companies comply with court orders in the same way that other companies have to do so: despite the assertions of cyberlibertarians, the Internet is not a separate place beyond the reach of national legislation.

Trotting out “cyberlibertarians” seems like a strawman to me. Intellectual property disputes can be very complicated (e.g., definitions of jurisdiction, applicability, and actor location) and DNS-based redirection tends to be a very large (and frequently easily avoided) hammer.

> This is just as well, otherwise we'd still be prey to the whims of surveillance capitalists and not protected by GDPR etc.

Out of curiosity, have any open resolver operators been accused of violating GDPR relating to resolver services? As far as I know, the larger operators tend to have very explicit privacy assurances (e.g., https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver , https://developers.google.com/speed/public-dns/privacy , etc).

> I know that one of the drivers of the DNS4EU project was to improve the resilience of Internet infrastructure given the way that increased centralisation has weakened this over the last few years.

Last I heard, there are over 3 million open resolvers in the IPv4 address space.  Harder to scan the IPv6 address space of course. Has there been consolidation of use of open resolvers?  Sure. However, the “stickiness” of DNS resolvers is very low and the options if you don’t like what a particular resolver operator is doing are so numerous, I find it a bit difficult to get worked up about it.

> Providing an alternative open resolver is just one of several approaches being taken in this regard.

> 
> An additional benefit of a European resolver is the opportunity to extract localised cybersecurity intelligence, something that I know the similar Canadian Shield project has already acknowledged has been an outcome of its operation.  Many of the commercial threat feeds are US-centric whereas DNS4EU provides the ability to draw insight from what may be a significant European user base.

Just as with the CIRA and TWNIC national resolver efforts, personally, I’m in the “meh, sure, why not?” camp as long as use of a particular resolver is not mandated. More is better and depending on implementation, I figure there can even be benefits to the general health of the DNS. It will be interesting to see how DNS4EU evolves.

Regards,
-drc


Chris Buckridge

2022-01-12 16:32:59 CET

RIPE NCC staff member

Hi all, 

A further follow-up. The Commission today published the following Call for Proposals: 
https://hadea.ec.europa.eu/calls-proposals/equipping-backbone-networks-high-performance-and-secure-dns-resolution-infrastructures-works_en

(hat tip to Anastasia Sendrea, who I don’t think is currently on this list, for the heads up)

Cheers
Chris

> On 15 Dec 2021, at 12:30, Chris Buckridge <chrisb _at_ ripe _dot_ net> wrote:
> 
> Hi Hank, all,
> 
> Apologies for the delay here - was hoping to have some more substantial information, but in the absence of that, our colleagues at the European Commission have been able to share the content of the four slides that they delivered at last month’s HLIG meeting.
> 
> The slides were as follows:
> 
> 1. DNS Resolution Markets: Problems
> * Consolidation (+DoH)
> * Incidents affecting large DNS resolvers
> * Data Protection Rights
> * Prevention of Cyberattacks; Virus; Malware
> 
> 2. DNS4EU: Concept
> * DNS4EU is conceived as an alternative to existing DNS resolution services, increasing overall internet resilience, and offering European citizens and private and public organizations the capacity to access the web with a high-quality and free service, based in the EU, that guarantees data protection according to EU rules and increases the protection from malware, phishing and cyberattacks.
> 
> 3. DNS4EU: Characteristics
> * Have a large footprint within the EU, enabling paid premium services such as specific performance and security criteria for vertical sectors (health, transport, industry, finance, etc.) or enhanced security (filtering, 24x7 support) for companies.
> * Be fully transparent and compliant with the GDPR.
> * Offer state-of-the-art, ad-hoc DNS filtering against phishing or malware based on existing global threat feeds and own feeds.
> * Conform to the latest security and privacy technological standards, including DoH.
> * Develop wholesale discovery and resolution services for other digital service providers, including ISPs and Cloud service providers.
> 
> 4. DNS4EU: Next Steps
> * Pending confirmation: Connecting Europe Facility (CEF2) – European Cloud Federation Initiative
> * 50% of the initial infrastructure investment
> * Expected publication of the call: End of 2021
> * Conform to the latest security and privacy technological standards, including DoH.
> * Federated Structure: High-quality consortiums, potentially including vertical industries, to best increase the footprint and customer base of DNS4EU in the EU, reduce costs through shared resources, operations and cyber security feeds, and ensure the long-term sustainability of DNS4EU
> 
> ——
> 
> The Commission staff have also expressed their interest in any feedback from this working group that might help “fine tune the proposal” (I believe the discussion here has already provided some relevant insights). However, at this point, the next step is likely to be publication of the call for proposals, as referenced in the fourth slide above.
> 
> Cheers
> Chris
> 
> 
>> On 8 Nov 2021, at 14:54, Chris Buckridge <chrisb _at_ ripe _dot_ net> wrote:
>> 
>> Hi Hank, all,
>> 
>> I don’t have a lot that I can add to what Nick and Stephane have already posted. But I will note that the European Commission has scheduled one of the regular meetings of its High Level Group on Internet Governance (HLIG) for this Wednesday; portions of those meeting agendas are generally open to industry stakeholders, and Wednesday’s agenda includes an update on DNS4EU.
>> 
>> The information page for the HLIG is here:
>> https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupId=2450&fromMeetings=true&meetingId=23922
>> 
>> It’s not clear whether registration for the meeting is still open at this point, but minutes are published publicly, and the RIPE NCC can report back to this working group if there are any updates of note.
>> 
>> Best regards,
>> Chris
>> 
>>> On 8 Nov 2021, at 14:15, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
>>> 
>>> On Mon, Nov 08, 2021 at 07:12:38AM +0200,
>>> Hank Nussbacher <hank _at_ efes.iucc.ac _dot_ il> wrote
>>> a message of 34 lines which said:
>>> 
>>>> Does anyone have further insight into the European initiative
>>>> known as DNS4EU?
>>> 
>>> There is very little actual information published on this project.
>>> 
>>> According to some rumors, it would be a public DNS resolver, with
>>> built-in censorship (for the laws of 27 countries).
>>> 
>>> dns4eu.eu has been registered by DG Connect
>>> 
>>> 
>>> 
>>> 
>> 
> 



Anastasia Sendrea

2022-01-12 18:01:38 CET

Just to add some background that might betray some of the intent of this
initiative. In the first mention of the DNS4EU in the Cybersecurity
Strategy published in Dec 2020, a motivation for an EU based resolver to
reduce dependencies on - note - a handful of non-EU companies, is marked by
a footnote informed by this paper. This
seems like a great idea for somebody thinking about the following terms:
how to reduce dependencies on non-EU operated infrastructure, how to
provide an EU alternative and, add-ons, it has to comply with all the EU
values and norms. Fast forward, the add ons develop by being added by extra
technicalities and the CEF2 funding programme has a funding line for this.

Ideally there are stakeholders already in discussions with the EU
Commissions about what an upcoming funding programme should contain in
order to fit with the industry and the market needs. I would not be
surprised if this call for proposals is already targeted at known
stakeholders, but this could also not be the case. It is also telling that
this action looks a bit divorced from the rest of the funding line, which
is dedicated to the cloud federation. In the high level political discourse
- it's not divorced because it's part of the same narrative of reinforcing
EU resources vs non-EU, digital autonomy, sovereignty, etc. This aspect is
also reflected in the call document, which foresees an assessment of
suppliers to strictly exclude non-EU entities, i.e. non-EU entities are not
eligible for this call.

-- 
Sincerely,

Anastasia Șendrea
(Анастасия Шендря)

Anastasia Sendrea

2022-01-12 18:05:36 CET

Paper mentioned above: Consolidation in the DNS resolver market – how much,
how fast, how dangerous? by Roxana Radu and Michael Hausding


On Wed, Jan 12, 2022 at 6:01 PM Ana Sen <sendrea.anastasia _at_ gmail _dot_ com> wrote:

> Just to add some background that might betray some of the intent of this
> initiative. In the first mention of the DNS4EU in the Cybersecurity
> Strategy published in Dec 2020, a motivation for an EU based resolver to
> reduce dependencies on - note - a handful of non-EU companies, is marked by
> a footnote informed by this paper.
> This seems like a great idea for somebody thinking about the following
> terms: how to reduce dependencies on non-EU operated infrastructure, how to
> provide an EU alternative and, add-ons, it has to comply with all the EU
> values and norms. Fast forward, the add ons develop by being added by extra
> technicalities and the CEF2 funding programme has a funding line for this.
>
> Ideally there are stakeholders already in discussions with the EU
> Commissions about what an upcoming funding programme should contain in
> order to fit with the industry and the market needs. I would not be
> surprised if this call for proposals is already targeted at known
> stakeholders, but this could also not be the case. It is also telling that
> this action looks a bit divorced from the rest of the funding line, which
> is dedicated to the cloud federation. In the high level political discourse
> - it's not divorced because it's part of the same narrative of reinforcing
> EU resources vs non-EU, digital autonomy, sovereignty, etc. This aspect is
> also reflected in the call document, which foresees an assessment of
> suppliers to strictly exclude non-EU entities, i.e. non-EU entities are not
> eligible for this call.
>
> --
> Sincerely,
>
> Anastasia Șendrea
> (Анастасия Шендря)
>


-- 
Sincerely,

Anastasia Șendrea
(Анастасия Шендря)

Stephane Bortzmeyer

2022-01-12 18:09:34 CET

On Wed, Jan 12, 2022 at 06:01:38PM +0100,
 Ana Sen <sendrea.anastasia _at_ gmail _dot_ com> wrote 
 a message of 84 lines which said:

> This aspect is also reflected in the call document, which foresees
> an assessment of suppliers to strictly exclude non-EU entities,
> i.e. non-EU entities are not eligible for this call.

Yes, I noticed that. Does it mean that the machines will not be on AWS
or other US hoster?


Anastasia Sendrea

2022-01-12 18:35:20 CET

and that the data used will not be stored in Gcloud, AWS etc. Interesting
question, if you mean even studies or equipment used for the development of
the infrastructure shall not rely on non-EU CSPs, the text specifies that
projects must demonstrate 'that the network technologies and equipment
(including software and services) funded comply with the conditions
[...] indicate that no security sensitive equipment or services deployed or
used *within the proposal* will be procured from third country suppliers -
footnote According to the EU coordinated risk assessment, the risk profiles
of individual suppliers can be assessed based on several factors. These
factors include the likelihood of interference from a third country.' A
footnote further even
concedes that this kind of assessment would even apply to MNOs who rely on
third parties to perform maintenance and upgrade of networks. We are
thinking of the US providers, but the EP Rapporteur on the NIS 2 did laud
this initiative by highlighting that the DNS4EU is the only way to create a
protective shield from attacks from other world regions, giving Russia and
N Korea as examples.

Would anybody know which stakeholders have the capacity to apply for this
call?

Anastasia

On Wed, Jan 12, 2022 at 6:09 PM Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr>
wrote:

> On Wed, Jan 12, 2022 at 06:01:38PM +0100,
>  Ana Sen <sendrea.anastasia _at_ gmail _dot_ com> wrote
>  a message of 84 lines which said:
>
> > This aspect is also reflected in the call document, which foresees
> > an assessment of suppliers to strictly exclude non-EU entities,
> > i.e. non-EU entities are not eligible for this call.
>
> Yes, I noticed that. Does it mean that the machines will not be on AWS
> or other US hoster?
>


-- 
Sincerely,

Anastasia Șendrea
(Анастасия Шендря)

Jim Reid

2022-01-12 22:09:48 CET

> On 12 Jan 2022, at 17:09, Stephane Bortzmeyer <bortzmeyer _at_ nic _dot_ fr> wrote:
> 
> Does it mean that the machines will not be on AWS or other US hoster?

Stephane, that’s really a question for the EU officials who are in charge of the CFP.

FWIW  I think using AWS or whatever outside the EU for part of the resolver service will probably be OK, subject to some of the other requirements in the CFP. ie The successful EU-based bidder ensures any non-EU elements comply with stuff such as the Data Retention, GDPR and NIS directives, access to EU LEA, contracts are under jurisdiction in an EU member state, etc, etc. Though this is just guesswork on my part. Disclaimer: I am not an EU official and don’t play one on TV.

Questions about CFP detail should probably go to the email address given in the CFP doc:
"Non-IT related questions should be sent to: HaDEA-CEF-DIGITAL-CALLS _at_ ec.europa _dot_ eu”.



Jim Reid

2022-01-12 22:20:18 CET

> On 12 Jan 2022, at 17:35, Ana Sen <sendrea.anastasia _at_ gmail _dot_ com> wrote:
> 
> Would anybody know which stakeholders have the capacity to apply for this call? 

I can think of several. But I won’t identify them by name.

The obvious candidates are any of the larger (anycast) DNS providers, TLD registries, major registrars, etc. In other words, pretty much anyone that’s already running chunky global DNS infrastructure. They’ll have the economies of scale and deep pockets to take on this project. It’s possible but unlikely someone might take a punt on a start-up venture purely to go after this opportunity.



Randy Bush

2022-01-12 22:27:13 CET

since no one else has said it this time around the tree tracking the
woozle, ...

  how does this avoid creating a nice well-defined target for: IP
  shutdowns, censorship, saving children from abuse, terrorism, ...?

randy

---
randy _at_ psg _dot_ com
`gpg --locate-external-keys --auto-key-locate wkd randy _at_ psg _dot_ com`
signatures are back, thanks to dmarc header butchery


David Conrad

2022-01-12 23:47:57 CET

Randy,

On Jan 12, 2022, at 1:27 PM, Randy Bush <randy _at_ psg _dot_ com> wrote:
>  how does this avoid creating a nice well-defined target for: IP
>  shutdowns, censorship, saving children from abuse, terrorism, …?

I believe that’s covered in section 12 of the solicitation (https://hadea.ec.europa.eu/calls-proposals/equipping-backbone-networks-high-performance-and-secure-dns-resolution-infrastructures-works_en ):

"12. Lawful filtering: Filtering of URLs leading to illegal content based on legal requirements applicable in the EU or in national jurisdictions (e.g. based on court orders), in full compliance with EU rules.”

That is, perhaps unsurprisingly, it would seem attempting to avoid being such a target is an explicit non-goal.

(Of course, getting a resolver to filter URLs as opposed to domain names for such things will be an interesting trick)

Regards,
-drc


Anastasia Sendrea

2022-01-18 11:51:09 CET

just an update that tomorrow the EU Commission will organise an Info Day
(like a stakeholder workshop) to cover all the open CEF2 calls for
proposals to respond to any questions interested parties might have. Cloud
federation and DNS will be third on the agenda. The info day will run from
9 AM to 4 PM CEST. Link:
https://hadea.ec.europa.eu/events/1st-connecting-europe-facility-digital-calls-info-day_en

On Wed, Jan 12, 2022 at 10:27 PM Randy Bush <randy _at_ psg _dot_ com> wrote:

> since no one else has said it this time around the tree tracking the
> woozle, ...
>
>   how does this avoid creating a nice well-defined target for: IP
>   shutdowns, censorship, saving children from abuse, terrorism, ...?
>
> randy
>
> ---
> randy _at_ psg _dot_ com
> `gpg --locate-external-keys --auto-key-locate wkd randy _at_ psg _dot_ com`
> signatures are back, thanks to dmarc header butchery
>


-- 
Sincerely,

Anastasia Șendrea
(Анастасия Шендря)

Hank Nussbacher

2022-01-19 12:33:35 CET

On 18/01/2022 12:51, Ana Sen wrote:

I  left the webinar more confused than before it started.

In the actual call it states "Costs for operating the infrastructure 
during its lifetime will be excluded under the call." and later 
"Proposals should also define the post-project ownership of the 
infrastructure".  This call is for 36 months with only 50% co-funding.

So based on my reading of the 1st sentence, any servers placed at 
various colo sites (hosting costs), routing costs, etc are excluded?!

Does this mean that whoever wins this call will be spending a couple 
million Euro of their own money on manpower and equipment to implement 
DNS4EU?

What am I missing?

Thanks,
Hank

> just an update that tomorrow the EU Commission will organise an Info 
> Day (like a stakeholder workshop) to cover all the open CEF2 calls for 
> proposals to respond to any questions interested parties might have. 
> Cloud federation and DNS will be third on the agenda. The info day 
> will run from 9 AM to 4 PM CEST. Link: 
> https://hadea.ec.europa.eu/events/1st-connecting-europe-facility-digital-calls-info-day_en 
>
>
> On Wed, Jan 12, 2022 at 10:27 PM Randy Bush <randy _at_ psg _dot_ com> wrote:
>
>     since no one else has said it this time around the tree tracking the
>     woozle, ...
>
>       how does this avoid creating a nice well-defined target for: IP
>       shutdowns, censorship, saving children from abuse, terrorism, ...?
>
>     randy
>
>     ---
>     randy _at_ psg _dot_ com
>     `gpg --locate-external-keys --auto-key-locate wkd randy _at_ psg _dot_ com`
>     signatures are back, thanks to dmarc header butchery
>
>
>
> -- 
> Sincerely,
>
> Anastasia Șendrea
> (Анастасия Шендря)
>



Hank Nussbacher

2022-01-20 08:24:13 CET

On 19/01/2022 13:33, Hank Nussbacher wrote:

How the media sees DNS4EU:
https://therecord.media/eu-wants-to-build-its-own-dns-infrastructure-with-built-in-filtering-capabilities/

-Hank

> On 18/01/2022 12:51, Ana Sen wrote:
>
> I  left the webinar more confused than before it started.
>
> In the actual call it states "Costs for operating the infrastructure 
> during its lifetime will be excluded under the call." and later 
> "Proposals should also define the post-project ownership of the 
> infrastructure".  This call is for 36 months with only 50% co-funding.
>
> So based on my reading of the 1st sentence, any servers placed at 
> various colo sites (hosting costs), routing costs, etc are excluded?!
>
> Does this mean that whoever wins this call will be spending a couple 
> million Euro of their own money on manpower and equipment to implement 
> DNS4EU?
>
> What am I missing?
>
> Thanks,
> Hank
>
>> just an update that tomorrow the EU Commission will organise an Info 
>> Day (like a stakeholder workshop) to cover all the open CEF2 calls 
>> for proposals to respond to any questions interested parties might 
>> have. Cloud federation and DNS will be third on the agenda. The info 
>> day will run from 9 AM to 4 PM CEST. Link: 
>> https://hadea.ec.europa.eu/events/1st-connecting-europe-facility-digital-calls-info-day_en 
>>
>>
>> On Wed, Jan 12, 2022 at 10:27 PM Randy Bush <randy _at_ psg _dot_ com> wrote:
>>
>>     since no one else has said it this time around the tree tracking the
>>     woozle, ...
>>
>>       how does this avoid creating a nice well-defined target for: IP
>>       shutdowns, censorship, saving children from abuse, terrorism, ...?
>>
>>     randy
>>
>>     ---
>>     randy _at_ psg _dot_ com
>>     `gpg --locate-external-keys --auto-key-locate wkd randy _at_ psg _dot_ com`
>>     signatures are back, thanks to dmarc header butchery
>>
>>
>>
>> -- 
>> Sincerely,
>>
>> Anastasia Șendrea
>> (Анастасия Шендря)
>>
>
>



Jørgen Hovland

2022-01-21 20:28:14 CET

> What am I missing?

The cost of making dnsmasq/, or , dns client recursive DoT/DoH/DoQ capable, which means dropping the need of any external recursive name server like DNS4U, is a couple of million euro funded by EU to create DNS4U, which then in turn will be eradicated by a single software update at some time in the future.

I honestly believe it is money well spent. If EU spends an extreme amount of money on DNS4U, I might even join in and donate code (to the client resolver that is). Qname minimization solves the remaining part.

Jørgen

At 09:22 20/01/2022 (UTC), Hank Nussbacher wrote:
On 19/01/2022 13:33, Hank Nussbacher wrote:

How the media sees DNS4EU:
https://therecord.media/eu-wants-to-build-its-own-dns-infrastructure-with-built-in-filtering-capabilities/

-Hank

> On 18/01/2022 12:51, Ana Sen wrote:
>
> I  left the webinar more confused than before it started.
>
> In the actual call it states "Costs for operating the infrastructure 
> during its lifetime will be excluded under the call." and later 
> "Proposals should also define the post-project ownership of the 
> infrastructure".  This call is for 36 months with only 50% co-funding.
>
> So based on my reading of the 1st sentence, any servers placed at 
> various colo sites (hosting costs), routing costs, etc are excluded?!
>
> Does this mean that whoever wins this call will be spending a couple 
> million Euro of their own money on manpower and equipment to implement 
> DNS4EU?
>
> What am I missing?
>
> Thanks,
> Hank
>
>> just an update that tomorrow the EU Commission will organise an Info 
>> Day (like a stakeholder workshop) to cover all the open CEF2 calls 
>> for proposals to respond to any questions interested parties might 
>> have. Cloud federation and DNS will be third on the agenda. The info 
>> day will run from 9 AM to 4 PM CEST. Link: 
>> https://hadea.ec.europa.eu/events/1st-connecting-europe-facility-digital-calls-info-day_en 
>>
>>
>> On Wed, Jan 12, 2022 at 10:27 PM Randy Bush <randy _at_ psg _dot_ com> wrote:
>>
>>     since no one else has said it this time around the tree tracking the
>>     woozle, ...
>>
>>       how does this avoid creating a nice well-defined target for: IP
>>       shutdowns, censorship, saving children from abuse, terrorism, ...?
>>
>>     randy
>>
>>     ---
>>     randy _at_ psg _dot_ com
>>     `gpg --locate-external-keys --auto-key-locate wkd randy _at_ psg _dot_ com`
>>     signatures are back, thanks to dmarc header butchery
>>
>>
>>
>> -- 
>> Sincerely,
>>
>> Anastasia Șendrea
>> (Анастасия Шендря)
>>
>
>

