Remote Session - 21 April 2021

WG co-Chairs: Joao Damas, Shane Kerr, David Knight

On 21 April 2021 from 15:00 to 16:30 (UTC+2), the DNS Working Group held a remote session via Zoom.

Recording

1. European Resolver Policy
Andrew Campling
419 Consulting

Slides

Steve Crocker asked Andrew about DNS filtering on how the policy will draw the line between malicious content and government censorship. He added that there was a similar piece of legislation in the US in which the government attempted to force ISPs to block access to website that were seen as infringing copyright.

Andrew mentioned that in some EU markets, there is already a requirement to block access to copyright infringing sites. He added that in terms of malicious content, the requirement within the policy is to define the category of the content that may be blocked and design a complaint procedure for content that was inappropriately blocked. Andrew also pointed out that looking at filtering more broadly, it is quite common to provide opt-in/opt-out options under the control of End Users rather than having those filters being dictated by the DNS resolver owner.

Steve Crocker asked what the minimum requirement was to comply with the policy.

Andrew pointed out that DNS resolvers providers are not forced to comply with the policy and that they could also still be compliant without providing filtering. Although, if you’re providing resolvers for the mass market, Andrew mentioned that they will suggest that at the minimum you should provide filtering for malicious content.

Brett Carr asked if companies that want to adhere to this policy should also be audited by an independent organisation.

Andrew mentioned that as it will be economically challenging for smaller DNS resolvers, the policy authors decided not to include it. Instead, Andrew is relying on the “court of public opinion”. For instance, if a company declared themselves compliant but are not following the policy. They will have a chance to become compliant, otherwise they will be removed from the compliant company list and the cause of removal will be listed.

Brett pointed out at that some people might not know who is behind the policy. He added that it might help if it was re-made into a RIPE document or rubberstamped by a more well-known organisation.

Joao Damas found this question interesting and asked for more community feedback. Dave Knight suggested that Brett follow up on the mailing list about his recommendation.

Brett agreed.

Chris Buckridge asked Andrew for his thoughts on the EU Commission’s recent proposal to create an independent European public DNS resolver and how it will impact this policy.

Andrew mentioned that to his understanding, the Commission’s concern is the resilience of public DNS and the fact that most public DNS belong to non-EU entities. He added that their proposal was complimentary with the European Resolver Policy as it’s possible that the Commission would mandate that this new EU public DNS should operate under the criteria defined in this policy.

Peter Hessler (OpenBSD Project) deactivated Mozilla’s TRR as they felt it took away DNS control from the users, who had specified which resolvers the OS was to use. He then asked Andrew his thoughts on Mozilla’s practice to enforce their own public DNS and if their method would be compliant with the current policy.

Andrew replied that a resolver operator could adopt all the content of the resolver policy even if they have been queried via an application. Although, he mentioned that there was hesitation regarding Firefox. He added that they should add more information about their DNS consent options. Andrew pointed out that from his perspective it should be even better if these DNS opt-in options were dealt with at the ISP level.

Peter Hessler suggested to add a commentary or a firm recommendation to the policy draft to address this issue.

There were no further questions.



2. Update on RSSAC activities
Lars-Johan Liman
Netnod Internet Exchange

Steve Crocker asked if RSSAC was planning to work on resiliency (what is done and what needs doing, eg. DDoS attacks).

Lars-Johan replied that RSSAC was not currently working on this. He mentioned that it would be a bit concerning to collect all this information in one place as black hats would know all the targets they need to hit.

Brett asked the Lars-Johan how RSSAC was planning to monitor metrics for root server operations (RSSAC47) and which tools they were using.

Lars-Johan answered that the data is still not being collected yet. He added that RSSAC previously published their tools (e.g. GitHub repository).

Joao asked Lars-Johan if the fact that root server operators are in the same jurisdiction as the organisation that publish the root zone and “appoints the root servers” could cause circle dependency and trouble in the future.

Lars-Johan replied that this circle of dependency sits in a spotlight as everybody knows who to contact if things go bad. He added that if you would want to change this system, there would be high political risks and that could threaten the unity of the Internet.

There were no further questions.

RIPE Forum

The RIPE Forum is an additional way to participate in RIPE community mailing list discussions using a web-based interface rather than an email client.

Check out the forum