[HN Gopher] Dear EU: Please Don't Ruin the Root
___________________________________________________________________

Author : Reventlov
Score : 323 points
Date : 2021-05-10 14:39 UTC (8 hours ago)

(HTM) web link (berthub.eu)
(TXT) w3m dump (berthub.eu)

| politician wrote:
| Browsers could alternatively ship with support for Namecoin [1]
| or Unstoppable Domains [2]. Though, realistically, I'm suggesting
| Opera or Brave. Mozilla isn't functionally capable of thinking
| about doing something like that, and I don't think I have to
| suggest a reason why the other browser vendor wouldn't entertain
| the idea.
|
| [1] https://www.namecoin.org/
|
| [2] https://unstoppabledomains.com/
| 542458 wrote:
| Two things about these:
|
| 1- Having domain names be impossible to seize sounds like an
| anti-feature for most businesses. If somebody pwns my company
| or I have a disgruntled sysadmin I don't want them to be able
| to indelibly transfer my domain name to themselves with no
| recourse. Alternatively, if I lose the cryptographic keys to my
| domain name, am I just completely hosed?
|
| 2- No renewal fees ever sounds like an anti-feature to
| everybody who isn't a squatter.
| worik wrote:
| "The Internet functions because over 1300 servers provide a
| starting point for every (website) name used online. These are
| the root servers."
|
| That would be the Web. It is hard to take anything this person
| says seriously when right at the start they confuse the Internet
| and the Web.
| yholio wrote:
| He says "name", then adds "website" in parenthesis so
| non-technical people can understand. Without name resolution, most
| internet services will indeed fail.
| akoncius wrote:
| what do you mean? DNS works not only for web. all
| internet-related things rely on DNS in one way or another. email, chats,
| FTP etc.
| Jolter wrote:
| No, they are writing about DNS, which is in the core of how the
| Internet works.
| Including the Web, yes, but virtually nothing
| on the Internet would work without DNS.
| stunt wrote:
| A lot of things won't work, but you still can't say Web and
| Internet are the same thing.
|
| I also think it isn't fair to nitpick the article for it.
| PoignardAzur wrote:
| While I don't want to dismiss OP's concerns, I vicariously enjoy
| the turnaround of the US having to worry about someone else's
| extraterritorial decisions.
|
| In practice, though, I don't think it would matter. It's not like
| (1) the EU is asking to be allowed to install arbitrary programs
| on root servers or (2) it will start bombing non-compliant
| servers.
|
| Worst case, EU residents (or at least residents using PCs sold in
| the EU) will only be able to access EU root servers, which will
| still index 100% of the internet. I'm not super worried.
| JPLeRouzic wrote:
| > which will still index 100% of the internet
|
| No that's not true, for example sci-hub is not available on
| DNSs compliant with EU's laws.
|
| In the document below they even cite Cloudflare as
| non-cooperative, as well as several Asian marketplaces and some
| online pharmacies.
|
| https://trade.ec.europa.eu/doclib/docs/2018/december/tradoc_...
| slim wrote:
| That's already the case right now. That situation won't be
| affected by the new regulations
| coward76 wrote:
| The US wouldn't worry, and would make their own internet with
| hookers, blackjack, zero privacy, taxes, inane regulations and
| pork, but it would be US controlled. This is how Americans
| work.
|
| Edit: Downvote if you must but it is the mindset of many:
|
| https://www.bbc.com/news/technology-53686390
| will4274 wrote:
| Alan Woodward seems to be the BBC's go-to person for scare
| quotes about the internet. In your article:
|
| > "It's shocking," says Alan Woodward, a security expert
| based at the University of Surrey. "This is the Balkanisation
| of the internet happening in front of our eyes.
|
| > "The US government has for a long time criticised other
| countries for controlling access to the internet... and now
| we see the Americans doing the same thing."
|
| Previously, I saw Woodward giving bad information and
| engaging in unfounded speculation in an article about Signal
| - https://www.bbc.com/news/amp/technology-55412230.
|
| > Alan Woodward, a professor of computer science at Surrey
| University, said Signal was "one of the most secure, if not
| the most secure, messenger service publicly available".
|
| > "Signal employs end-to-end encryption, but goes further
| than apps like WhatsApp by obscuring metadata - who talked to
| who when and for how long," he explained.
|
| > "Cellebrite seem to have been able to recover the
| decryption key, which seems extraordinary as they are usually
| very well protected on modern mobile devices."
|
| > He added that if this was indeed true, it was no surprise
| Cellebrite would have altered its blog.
|
| > "I suspect someone in authority told them to, or they
| realised they may have provided enough detail to allow others
| - who don't just supply to law-enforcement agencies - to
| achieve the same result."
|
| A good rule of thumb might be, if you see Alan Woodward
| quoted in support of the article, assume the author doesn't
| know any genuine experts.
| coward76 wrote:
| This Republican idea gets floated enough without the BBC
| article:
|
| https://www.cnbc.com/2019/02/04/the-splinternet-an-internet-...
|
| https://www.reuters.com/article/us-usa-china-apps-pompeo-bre...
|
| Or did you want an older Democrat proposal:
|
| https://www.nytimes.com/2011/11/16/opinion/firewall-law-coul...
|
| http://leahy.senate.gov/imo/media/doc/BillText-PROTECTIPAct....
|
| The idea of walling the internet is quite old.
| ahubert wrote:
| (author here - if there are any questions, please let me know!)
| pmontra wrote:
| First of all, I praise the initiative and the explanation. But
| not everybody tweets.
| Is there an email address to send that
| message to?
| jollybean wrote:
| Why is the EU trying to regulate outside its jurisdiction?
|
| Why doesn't the EU simply provide a 'core' set of servers,
| which they operate to a high degree of fidelity and robustness
| so that 'should something go wrong' ... then the EU still has
| these resilient services to rely upon?
|
| I don't see how someone doing a public service should
| arbitrarily come under such scrutiny.
| mattashii wrote:
| It doesn't, really; see paragraph (65) in the document [0].
| It states something along the lines of "if you're providing
| services stationed in the EU, or services directed at people
| that live in the EU, then you must comply with these
| regulations". Basically, an import regulation for operators
| that do not have a presence in the EU (but do target the EU
| market), and an operating regulation for those that have a
| presence in the EU.
|
| [0]
| https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=72172
| jart wrote:
| I'm not sure where you got the word "target" from. In the
| context of GDPR what the EU does is they believe European
| people are their data subjects, they claim that personal
| data is things like IP addresses, and if you record
| information about these data subjects, like RIPE IPs in
| NGINX logs, then the EU feels that you are governed by them
| regardless of where you live or where your server is
| hosted. Which to me sounds like basically everyone who's
| plugged into the internet who hasn't configured their
| firewall to drop traffic from ips starting with 2, 5, 25,
| 31, 37, 46, 51, 53, 57, 62, 77, 78, 79, 80, 81, 82, 83, 84,
| 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 109, 141, 145,
| 151, 176, 178, 185, 188, 193, 194, 195, 212, 213, or 217.
| In practice, the EU has explicitly exempted most of the
| operators who wouldn't be economical to fine, but it's
| pretty clear that the regulatory model is intended to
| operate like a whitelist, i.e.
| you're under their dominion
| unless they say you're not. What I found particularly
| amusing in the context of the DNS topic at hand is when
| people voiced concerns about normal people running DNS on a
| Linux router or something being impacted by the
| legislation, the EU's response in the document was like, no
| no trust us if you're doing something like running a DNS
| server on your "laptop" (yes they said laptop) then you're
| not going to be impacted. How reassuring!
| mattashii wrote:
| I got the word "target" from the referenced section (65):
|
| > In order to determine whether such an entity is
| offering services within the Union, it should be
| ascertained whether it is apparent that the entity is
| planning to offer services to persons in one or more
| Member States. The mere accessibility in the Union of the
| entity's or an intermediary's website or of an
| email address and of other contact details, or the use of
| a language generally used in the third country where the
| entity is established, is as such insufficient to
| ascertain such an intention. However, factors such as the
| use of a language or a currency generally used in one or
| more Member States with the possibility of ordering
| services in that other language, or the mentioning of
| customers or users who are in the Union, may make it
| apparent that the entity is planning to offer services
| within the Union.
| jollybean wrote:
| 'target the EU market' is vague.
|
| These are independent operators, NGOs etc, services being
| 'used by EU citizens' not really 'targeting Europeans'.
|
| From a liability perspective, to the author's point these
| services I suppose would have to just filter out European
| sources?
|
| Why would they publish a regulation so obviously vague,
| full well knowing the reality on the ground?
|
| Why wouldn't they use language that unambiguously places
| NASA etc.
| firmly 'in or out' of the regulations or, some
| criteria which they would be one way or another?
|
| Seems odd.
| latk wrote:
| The text in question does define more closely what it
| means to offer services in the EU. To lawyers (and to
| anyone who has experience with GDPR compliance) this is
| not a particularly vague statement. Admittedly, there's
| no unambiguous bright line definition, but there's a lot
| of jurisprudence on the matter.
|
| In reality, the question is not whether EU citizens will
| use these services, but whether the operator of the
| service is targeting people in the EU, i.e. whether the
| operator _intends_ or reasonably _expects_ for EU people
| to use their service. A US service will most likely be
| fine if their reasoning goes something like this: (1) We
| primarily intend to serve connections from the US. (2)
| This expectation is reasonable based on our network
| topology. (3) But we don't care if someone else
| connects.
|
| It would not be appropriate to exempt specific
| organizations since those organizations may change their
| targeting in the future. It already exempts most non-EU
| organizations, due to the criterion that they don't
| target the EU.
|
| We had the same panicking in 2018 when the GDPR came into
| force and - quelle surprise - there are no fines for
| random international websites. The EU doesn't insert
| itself into your affairs if you don't insert yourself
| into the EU market.
| oaiey wrote:
| That is exactly how gdpr is set up. Which is good.
|
| Regards NGOs: just because you do not make money does not
| make you a saint.
|
| Regards vagueness: if you want to survive in an agile
| environment without rewriting every second day, vagueness
| is the way to go.
| EricE wrote:
| >That is exactly how gdpr is set up. Which is good.
|
| So if the US comes out with "GDPR- The Next Generation"
| with similar mandates towards the EU would that also be
| "good"?
|
| Asking for a friend.
| oaiey wrote:
| FISA courts and the law they are based on? The US is
| explicitly or implicitly doing this all the time.
|
| Or the Hague invasion act which is pretty much that case
| (US soldiers are protected abroad against international
| treaties).
| yxhuvud wrote:
| Yes, it most certainly would be good.
| guerrilla wrote:
| > Why is the EU trying to regulate outside its jurisdiction?
|
| My first question is are they or is this the author's view?
| latk wrote:
| It is primarily the author's view.
|
| The proposed regulation - like many EU regulations - can
| also apply to non-EU entities. In this sense, the EU does
| try to exert extraterritorial jurisdiction.
|
| However, this is constrained to the case where the non-EU
| entity targets people in the EU, so somehow participates in
| the EU market. The origins of this "targeting criterion"
| actually come from consumer protection cases, where it's
| easy to understand: if you advertise your goods or services
| to people in a particular country, you'll have to play by
| that country's rules.
| dncornholio wrote:
| I can make the analogy that public transport is a public
| service, but that doesn't mean people have to drive in old
| and unsafe busses and trains right?
| BuyMyBitcoins wrote:
| It's the nature of governments and bureaucracies to try and
| control as much as they can. The kinds of people who draft
| these regulations aren't interested in limited legislation.
| The United States is particularly guilty of this - we
| frequently demand that other countries follow our regulatory
| rules, especially around banking and "anti-terrorism".
| kazen44 wrote:
| > It's the nature of governments and bureaucracies to try
| and control as much as they can. The kinds of people who
| draft these regulations aren't interested in limited
| legislation
|
| there is not really any other way to play the geopolitical
| game sadly.
|
| Every government on earth is doing this to keep themselves
| stable, some are just far more successful than others.
| emouryto wrote:
| Why not?
|
| Let's see... the past year there was a big scandal because
| apparently multiple non-profits were selling the .ORG top
| level domain name for $1B. They got these top level domain
| for free from the US government (or some institution
| thereof).
|
| I would certainly like the EU to regulate more of the
| Internet instead of it being an US territory.
| martimarkov wrote:
| This is ICANN's responsibility and not root DNS servers.
|
| They are completely separate entities.
|
| If you dislike this go shout at ICANN. It was a US
| organisation - now it's a "private" one[1]
|
| [1] https://www.icann.org/en/announcements/details/stewardship-o...
| oneplane wrote:
| If you want to look at it from that perspective: the same
| reason the US does it.
|
| People also tend to forget that providing a service (in
| whatever fashion) doesn't exist in a vacuum, there are the
| services and then there are the consumers of those services
| and they might have certain freedoms and rights that the
| locality of the service in question might not honour. Take
| the right to control your data for example, the US isn't very
| good at providing that with the services they offer, and
| they'd rather not have that freedom and rather make those few
| percent more money.
| kazen44 wrote:
| Also, it makes sense in the broader EU strategy of becoming
| less reliant on the US.
|
| The EU has a good amount of soft power, this is just
| testing its waters in directing policy more
| directly. (other examples are the Iran deal after the US
| left, and Intervention in Africa)
|
| Geopolitically, this makes a lot of sense, and i think the
| idea has good intentions, but the implementation of the law
| is where it falls short.
| krona wrote:
| > _I don't see how someone doing a public service should
| arbitrarily come under such scrutiny._
|
| It doesn't seem arbitrary to me. The service provided exists
| in many EU countries, and therefore _must_ eventually be
| harmonised. This is the prime directive of the project.
| jollybean wrote:
| "and therefore must eventually be harmonised. This is the
| prime directive of the project"
|
| That's not a very good prime directive.
|
| Don't regulate things that don't need to be regulated, i.e.
| unless there is a very material benefit from it.
|
| If the EU is concerned about WW3 level resiliency for these
| services, they can accomplish that themselves with a few
| core, 'hardened' services that meet their criteria. For
| 'regular operations' it seems we're going quite well right
| now.
|
| Unless there is a _threat_ posed by these heretofore
| independent operators ... then I don't see any obvious
| material benefit here.
|
| I'm wondering if somehow these entities could be
| compromised in a way that makes them a problem, more so
| than just 'going offline', in which case, maybe there are
| some benefits.
| oaiey wrote:
| No they cannot. A DNS request in China is not targeting
| a European root but a local one. And that can affect a
| European citizen.
| martimarkov wrote:
| Umm idk if I put 1.1.1.1 as my DNS which root is it
| targeting? The one in China? Or if I put 0.0.0.0 (IP of
| EU run DNS server backed by EU run root) then is it still
| China?
|
| There is a simpler solution rather than enforcing EU
| oversight over root DNSes.
| tick_tock_tick wrote:
| Cloudflare is one of the private operators of root
| servers mentioned in the article so you would be using
| the F root server.
|
| https://blog.cloudflare.com/f-root/
| martimarkov wrote:
| Hence why I said 0.0.0.0 as a root DNS created and
| operated by EU
| jollybean wrote:
| Seems like it's the job of the 'EU citizen' to not use
| foreign services if they don't want to use services which
| are not consistent with their own regulatory standards.
| guerrilla wrote:
| > The current version of the NIS 2 directive explicitly says
| the EU will regulate the root servers, and therefore NASA and
| the US Department of Defense in this way
|
| Is the latter part of this your conclusion and interpretation?
| I haven't looked at the source material but are you sure they
| aren't just referring to root servers operating in the EU or by
| EU companies. I find it hard to believe they would consider DoD
| servers within their jurisdiction.
| tester756 wrote:
| I have a question about your other post which I found interesting
|
| >https://berthub.eu/articles/posts/how-tech-loses-out/
|
| You wrote
|
| >We barely develop any software here anymore. So even very
| European companies like Nokia and Ericsson, that are now
| trying to tell us that they are building our European
| telecommunication infrastructure. They're actually not, they're
| getting that built by other people in other countries far away.
| Anything having to do with server and PC development and
| manufacturing, there's nothing left of that in Europe anymore.
|
| As far as I've been told, then there are R&Ds in e.g Cracow,
| Poland or Wroclaw (probably not R&D) that actively recruit or
| even train people
|
| What are they doing then?
| guerrilla wrote:
| Yeah, Ericsson employs about 13,000 people in Sweden and I
| personally know they develop a lot of telco software.
| squarefoot wrote:
| My latest news (~2 yrs ago though) from friends working at
| Ericsson is that beside hardware they also started
| outsourcing software to far east entities.
| I don't have
| details, but over here they sack about 300 people every
| year, mostly developers. It might be different in Sweden
| though.
| BenjiWiebe wrote:
| How many do they hire per year? 400?
| squarefoot wrote:
| No idea, and Covid may have changed things, however
| pretty much every year he feared to be included in the
| list of people that had to go either directly or through
| a fake spin off, a common trick used by many corporations
| to lay off workers.
| Jolter wrote:
| Ericsson has hired several thousand engineers per year in
| the past couple of years, globally. You can see the
| history of their Wikipedia page for the nitty-gritty...
| Jolter wrote:
| If by Far East you mean China, I'm not aware of any
| outsourcing there at all. Ericsson has big R&D centers
| there but I believe they are all in-house operations,
| owned and controlled directly by Ericsson.
|
| Now, India on the other hand...
| Jolter wrote:
| Ericsson is very multinational. The core of its management is
| in Sweden, a lot of systems management and architecture are
| indeed controlled from there. There are development units in
| dozens of countries across all continents, albeit with an
| emphasis on Europe, the US and China. A lot of subcontractors
| from/in India are involved in product development, too, but
| mostly for systems operations and maintenance of "sunsetting"
| products. All told, I am not aware of a single Ericsson
| product that is "led" from China or India, but I could
| certainly be wrong.
| oaiey wrote:
| What is your expectation what a state actor like the EU should
| do to protect its citizens' infrastructure?
|
| Rely on a third party like the US which has secret courts and
| gives a shit about EU citizen privacy, their property or their
| lives?
|
| Or give it in the hands of the industry? Which only has one
| motive: making money.
|
| Or leave it unregulated with no safety for no one?
|
| DNS is about trust. We need trust into this thing.
| And
| honestly: i would not trust DNS offered in China and most
| likely also not the US, or 99% of the carriers
| sam_lowry_ wrote:
| Second that. The article lacks the good parts. It's clear
| that the rapporteur has not figured it out yet how to deal
| with the root DNS servers, but there is a broad consensus
| over the strategic autonomy goal [1].
|
| One way or another, EU will force its way. Should it do it by
| e.g. empowering DIGIT to run root DNS servers?
|
| They will for sure tender it off to a murky consortium, but
| at least there will be a positive political move.
|
| [1] https://en.wikipedia.org/wiki/Strategic_autonomy
| darkarmani wrote:
| Can't the EU run its own DNS infrastructure? Why force its
| way into something it doesn't even understand?
| sam_lowry_ wrote:
| There was an effort to run EU-based root DNS servers.
| ORSN, IIRC. Maybe we have so many root servers in EU due
| to ORSN showing its teeth.
| oaiey wrote:
| I also think that the article is focused too much about the
| auditing and regulations instead of suggesting a better
| model.
| oefrha wrote:
| The article very clearly suggests the current model.
| EricE wrote:
| I love the assumption that there is "a better model."
| This reeks of the quintessential "let's solve a problem
| that doesn't exist."
|
| Here's an even better and more logical idea - for those
| who have concerns about the current DNS root server
| arrangements, what specifically are they? And what would
| you propose as solutions to their perceived deficiencies?
| Bonus points if you can raise actual technical arguments
| and not just feelings.
| oaiey wrote:
| Fair point. I don't have a different idea in the current
| geopolitical situation.
| martimarkov wrote:
| You are free to choose your DNS provider. On the other hand
| if we take your view and apply it in reverse: why should an
| American or Chinese person trust the EU to regulate the
| internet?
|
| DNS roots have worked flawlessly.
| The EU can just create EU
| roots and be in control of them and regulate those. Nobody is
| opposed to that. You can even enforce vendors to only include
| EU roots when selling devices in the EU (I'm against this
| personally) or to ISPs (I'm more okay with this). But as a
| person who loves the EU I'm very much opposed to enforcing EU
| values and views to 3rd parties.
| guitarbill wrote:
| > But as a person who loves the EU I'm very much opposed to
| enforcing EU values and views to 3rd parties.
|
| I'm not quite clear how that's different from ICANN?
| Ostensibly they're now "multistakeholder", but were under
| the United States Department of Commerce until 2016. And
| were infamously in denial about the GDPR impact to WHOIS.
|
| To be clear, I'm not saying the EU proposal is in any way
| good, I have no idea. But this issue has been brewing for a
| while, and I don't think it's unreasonable to be critical
| of ICANN et al and preparing for eventualities. Even if it
| is the status quo, leaving a major part of the internet in
| the hands of some unaccountable NGO is a huge risk.
| petre wrote:
| > You can even enforce vendors to only include EU roots
| when selling devices in the EU
|
| Please don't give them ideas. Not even the Kremlin has done
| that, although they did something similar with geolocation
| devices.
|
| Otherwise I fully agree. If the EU wants to audit, they
| should establish their own root server infrastructure, pay
| for it and audit that. If I was a root server operator
| providing what is essentially a free service and this was
| enforced on me, I'd rather shut down or block EU netblocks
| than be bothered by EU cyber security auditors.
| martimarkov wrote:
| I mean if it's done in the right way and actually hosted
| by universities with high reputation:
| Oxford/Cambridge/Southampton (obvs not in Europe anymore
| but it illustrates my point) then I think it might be
| okay.
| Nothing wrong with making sure dns works in Europe
| if all other dns roots fail.
|
| The implementation part will be tricky but not
| impossible. Heck ipv6 is still not rolled out and we
| actually need it. Do you think they will be able to do
| this faster?
| Skunkleton wrote:
| There is less and less choice over your DNS provider. With
| the classic DNS protocol, requests were routinely hijacked
| by ISPs. With new protocols like DOH, you now have to go
| manually configure every application and cross your fingers
| it does what you want. Not everything can be configured to
| a specific DOH gateway.
|
| As it stands today, I can no longer reliably block hosts by
| domain name on my own network thanks to DOH.
| setBoolean wrote:
| This really rubs me the wrong way about DoH. At the
| moment I mitigate this by outright blocking the Top 10
| public DNS servers network wide.
| readams wrote:
| This is a completely separate problem and not related to
| the root DNS servers. As an individual user, you do not
| contact the roots.
| oaiey wrote:
| No normal user chooses a DNS server.
|
| Everyone should regulate and audit them. How we do with
| medical devices, and other stuff. The internet is no
| unicorn with special treatment.
|
| The last paragraph is right until I think about my
| EU-WhatsApp trying to make connections in Singapore. They try
| to protect me as a citizen.
| EricE wrote:
| What value would regulation bring to a system that is
| currently working, has worked flawlessly for over 40
| years and shows no need of imminent "improvement" from a
| law like this.
|
| Exactly what problem would this law solve? So far all I am
| seeing are vague assurances and warm feelings but zero
| substance of how it would improve anything.
|
| Indeed, if history is our guide any change is far more
| likely to hurt rather than help. Therefore it is
| incumbent on those seeking the change to defend it - how
| exactly will this law "improve" things.
| Please be
| _specific_ and factual and leave feelings to the poets
| and philosophers.
| oaiey wrote:
| So the argument is: medical devices yes, internet which
| is used for everything: no.
|
| Not every jurisdiction in the world is based on extreme
| fines (like the US) but many are built on strict
| regulations (like most European countries).
|
| Personally, i cannot speak about the concrete law and nis
| 2 thingy.
| renewiltord wrote:
| You control the client. Don't ask my server if you don't
| want to. I'm not making you do it.
|
| If you want to ask my server, send me information in the
| protocol that says that you want me to meet a certain
| standard and I'll blackhole the request if I can't meet
| it.
|
| This is how SSL/TLS works and it works well.
| martimarkov wrote:
| Fine then enforce that:
|
| Any software that is used by EU citizens (downloaded from
| EU App Store or EU vendor website) should use EU DNS
| servers. (The user should be allowed to change the DNS on
| per device and per app lvl)
|
| I'd be okay with that. And I think that solves your
| issue, my issue and EU's issue.
| guitarbill wrote:
| Is that feasible for millions or billions of already
| manufactured, existing devices?
| martimarkov wrote:
| Simply - no. Devices that are old enough which have no OS
| updates then... no. But any new device or already
| supported ones: yes why not. It's just an update from the
| manufacturer. You can even say: If the device is within
| EOL<1 year just update the DNS to the EU DNS. Other
| devices will need to have the option of choosing DNS
| addresses.
|
| Another approach is what we do with cars: we don't ban
| ICE cars, we have different "tiers" (Euro5, Euro6) of
| emissions and phase them out. We can do the same thing.
| Any device manufactured after 2020 will need to implement
| this "feature". It will take a few years to propagate but
| it is a very feasible approach.
| zepearl wrote:
| Don't most devices use just DHCP, which in turn in most
| cases just use the DNS settings of the Internet Provider
| (IP) that is being used (indirectly, as usually the local
| router is set like that) => if a local government asks
| the IPs to use specific root servers then the problem
| should be solved?
|
| (or maybe I'm not understanding the core problem...)
| [deleted]
| Deukhoofd wrote:
| From what I read in the proposal the core idea of it is solid.
| DNS is a vital piece of infrastructure, and we should take steps
| to ensure it keeps working. Putting together task forces to make
| sure it is secure therefore sounds like a very good idea.
|
| Root servers might be out of scope to some degree for this
| however. Interestingly enough the root servers also aren't
| mentioned in the proposal itself, nor in the annex listing
| essential services. They're only mentioned in the lead up, which
| is the argument for why it's needed. It somewhat feels like they
| left it in accidentally, especially with the parliament
| immediately amending to scrap it from the lead up as well.
| fsckboy wrote:
| > Putting together task forces to make sure it is secure
| therefore sounds like a very good idea.
|
| the top comment on HN for topics like this frequently follows
| the format of your comment, saying something that sounds so
| reasonable, who could object?
|
| But the way the internet works didn't come about magically, it
| was planned and modified through trial and error by experts
| who, working together, can be seen as nothing other than a task
| force. So you are looking for a new task force to interrupt and
| disturb a task force that already exists. This will inevitably
| lead to the need for yet another new task force to look into
| what this task force has done...
| ur-whale wrote:
| > DNS is a vital piece of infrastructure
|
| It is, and therefore it should be 100% decentralized, if only
| to keep it out of the grabby hands of governments, EU or
| otherwise.
| theshrike79 wrote:
| Hear me out: BLOCKCHAIN DNS!
|
| /s
| watt wrote:
| https://en.wikipedia.org/wiki/Namecoin all you want
| twobitshifter wrote:
| Aaron Swartz (edit) had the same idea
| http://www.aaronsw.com/weblog/squarezooko
| BugsJustFindMe wrote:
| There's no ch in Swartz
| Sargos wrote:
| This ended with /s but DNS and other global namespace
| management systems are actually one of the problems
| blockchains solve perfectly. We all need to know what the
| value of some key->value pair is and have that information
| always available and easy to update. Blockchains handle
| data distribution natively, allow updates from authorized
| parties, and have 100% uptime. Transitioning DNS to
| something like ENS is something with lots of upsides and
| few downsides.
|
| Take a look at https://ens.domains/about and
| https://handshake.org/
| jonhearty wrote:
| Handshake.org provides an alternate root zone that seems
| pretty relevant here
| madeofpalk wrote:
| Is the 12 root server organisations an example of
| decentralisation?
| EricE wrote:
| Yup. As well as the decentralization and diversity of the
| technical operations of each pool. Operational diversity
| can be as important or even more important than technical
| diversity since humans tend to be the weakest links in
| technical chains :p
| [deleted]
| ur-whale wrote:
| > Is the 12 root server organisations an example of
| decentralisation?
|
| It isn't.
|
| Proof: the fact that US random three letter agencies can
| take down websites.
| Denvercoder9 wrote:
| Taking down websites has nothing at all to do with the
| root servers. The root servers only distribute
| information about which nameserver is responsible for
| which TLD, and don't concern individual websites at
| all.
| _-david-_ wrote: | It is impossible to build any website that cannot be | taken down. The government could seize the physical | servers if they wanted to. By your definition that means | nothing is decentralized. | booleandilemma wrote: | This sounds like a problem to solve. | _-david-_ wrote: | How? Even if you were to host a website on a satellite | the government could launch a rocket and blow it up. If | the website is hosted on Earth they could physically cut | cables if they wanted to. There is no way to fully | prevent the government from preventing access to a | website. The internet is decentralized, but not fully | immune from governments. | jrockway wrote: | I mean, you can have more than one copy of the website. | Maybe a government can send one satellite-destroying | missile, but probably not thousands of them. | | Think about how many people have the Linux kernel Git | repo cloned on their workstation. It would be essentially | impossible for any government to destroy all copies. | Sargos wrote: | >It is impossible to build any website that cannot be | taken down | | This is becoming less true each day, especially with the | advent of IPFS and Ethereum. Uniswap's website will never | go down. uniswap.org might be seized but uniswap.eth | cannot be altered by anyone. | | In a few decades it will be normal for websites to be | decentralized and permanent. It's actually quite needed | for the robustness of critical internet architecture. | salawat wrote: | No it isn't. It's a crutch, but also one of the most | centralized, manipulable levers for controlling what is and | isn't discoverable on the Net. | | Think about it. Domain names are seizable. IP's aren't. You | can't stop someone with an IP from existing. | | Whenever someone talks about regulating DNS, it should | translate to "We want to take control of Namespace | management. 
| wyager wrote: | So, we take a system that has been working perfectly for 40 | years, and throw some government "task forces" at it, and we | hope this makes it work better? | EricE wrote: | The single biggest thing keeping the root servers working is | the very model this law would disrupt. | | Indeed, you want ecosystem diversity. You don't want every | operator of a pool of root servers doing everything the same | way because if someone figures out how to disrupt those | operations and if everyone is operating the same way then | _poof_ - they all fall down. | | Top down planning/regulation has its place, but it's hardly | the solution - and brings zero value to this topic. | | Indeed, in 40 years the model has worked just fine - surviving | technical, political and legal challenges and no one was the | wiser. There is zero in this law that would improve upon that | record. | KronisLV wrote: | Here's a naive question - why couldn't the institution that's | supposed to do the planning/regulation be the one that's | obligated to provide the necessary resources for the parties | being regulated, if they lack them themselves? | | > The non-profit root server operators might have to leave | the EU and put up active measures so that no Europeans can | use their root servers. They can't afford to do all the | paperwork for NIS 2. | | For example, if a university cannot afford to file the | necessary paperwork, why couldn't the EU be the ones that are | obligated to send someone over to handle the legwork and help | them out? | | I know that something like that would never work for reasons | that the lovely people here would hopefully point out (since | I don't really deal with the legal stuff that often), but | here's another example - I live in Latvia, and the government | actually helps me to fill out and pay my taxes somewhat.
Granted, it only handles the most common cases and | calculations in the form of a self-service web app, but if a | lot of paperwork is just forms anyways, why not apply it to | other domains? | | In contrast, telling a university that they'll need to invest | significant time and resources into something that they | simply cannot do on their own, knowing the implications of | this, doesn't appear fair. | [deleted] | zyamada wrote: | Having worked at a university, but not in this domain, my | 2-cents is that what they're trying to say is that they can't | afford the paperwork in the context of the associated | internal political war that commonly comes along with | trying to do anything like this in academia. | anticristi wrote: | Devil's advocate here. The DNS root servers worked, but don't | quite feel up to speed with regulations. AFAIU, the root | servers still receive FQDN and IP, which is not GDPR-friendly | and technically unnecessary. | | Also, I'm not sure what happens if a crazy US president | decided to disrupt .eu. | | While regulating root DNS servers might be undesirable now, | it sure feels like the right moment to start the | conversation. | Denvercoder9 wrote: | _> AFAIU, the root servers still receive FQDN and IP, which | is not GDPR-friendly and technically unnecessary._ | | This is only a problem for a tiny fraction of queries. The | records served by the root servers can be cached (e.g. .com | has a TTL of 2 days), so most queries don't even hit the | root servers. It's a much bigger problem for the registry | nameservers. | khuey wrote: | The US government is no longer in control of the root | servers, and even if it were, I doubt .eu would be at the | top of the target list. | [deleted] | _-david-_ wrote: | > AFAIU, the root servers still receive FQDN | | This part is solved with qname minimisation.
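The two points made in the comments above (what a root server receives with and without QNAME minimisation, and how the cached referral keeps most lookups away from the root), as an added example that is not part of any comment in the thread. The zone cuts and hostnames are constructed, and the resolver is a simplified model of RFC 7816 style minimisation using NS queries, not a real DNS implementation.

```python
from dataclasses import dataclass, field

# Constructed zone cuts for illustration only; not real DNS data.
ZONE_CUTS = {".", "com.", "example.com."}
REFERRAL_TTL = 2 * 24 * 3600  # the 2-day TTL the thread quotes for the .com referral


def labels(name):
    return [part for part in name.rstrip(".").split(".") if part]


def ancestor(name, depth):
    """Suffix of `name` made of its last `depth` labels ("." for depth 0)."""
    parts = labels(name)
    return ".".join(parts[len(parts) - depth:]) + "." if depth else "."


@dataclass
class Resolver:
    minimise: bool
    cache: dict = field(default_factory=dict)  # zone -> expiry of cached referral
    seen: list = field(default_factory=list)   # (zone asked, qname sent, qtype)

    def _start_zone(self, qname, now):
        # Begin at the deepest zone whose referral is still cached; the root
        # is always known from the hints file.
        for depth in range(len(labels(qname)), 0, -1):
            zone = ancestor(qname, depth)
            if self.cache.get(zone, 0) > now:
                return zone
        return "."

    def resolve(self, qname, now=0):
        """Walk the delegation chain; return the zone that finally answers."""
        total = len(labels(qname))
        zone = self._start_zone(qname, now)
        depth = len(labels(zone))
        while True:
            if self.minimise and depth + 1 < total:
                sent, qtype = ancestor(qname, depth + 1), "NS"
            else:
                sent, qtype = qname, "A"
            self.seen.append((zone, sent, qtype))
            # The server for `zone` refers us onward if a zone cut lies
            # between `zone` and the name it was asked about.
            cut = next((ancestor(sent, k)
                        for k in range(len(labels(zone)) + 1, len(labels(sent)) + 1)
                        if ancestor(sent, k) in ZONE_CUTS), None)
            if cut:
                self.cache[cut] = now + REFERRAL_TTL
                zone, depth = cut, len(labels(cut))
            elif sent == qname and qtype == "A":
                return zone
            else:
                depth += 1  # no delegation here: reveal one more label


def seen_by(resolver, zone):
    """Queries (qname, qtype) that the servers for `zone` received."""
    return [(q, t) for z, q, t in resolver.seen if z == zone]


if __name__ == "__main__":
    for mode in (False, True):
        r = Resolver(minimise=mode)
        r.resolve("www.mail.example.com.")
        r.resolve("shop.example.com.", now=3600)  # served from cached referrals
        print("minimise =", mode, "root saw:", seen_by(r, "."))
```

Without minimisation the root's log holds the full hostname once; with it the root only ever sees the TLD, and in both modes the second lookup never reaches the root because the referral is still cached.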
| madeofpalk wrote: | The majority of the (long) tl;dr focuses on, and is under the | assumption that non-EU RSOs will object and not comply with the | NIS 2 directive and... have to shut down or block access to EU? | Is there any substance to this actually happening? Is the NIS 2 | directive an unreasonable burden on critical infrastructure such | as those who run the root DNS? | | I've never really heard of this "NIS 2 directive" but it seems | completely reasonable, and it's even unclear whether non-EU folk | like NASA would even be under scope. The only way I can see that | being tested is if NASA (or whoever) seriously screw up and have | a breach, and get attention on them. If that happens, then good! | They deserve the scrutiny! | | This reminds me a lot of the FUD (primarily) Americans were | spreading about GDPR which ended up being mostly empty. | xbar wrote: | What FUD about GDPR has been empty? Do you manage much GDPR | data? | madeofpalk wrote: | All the rubbish claims about the EU bankrupting US mum and pa | websites. | 1vuio0pswjnm7 wrote: | "In addition, by downloading this file, every Internet service | provider can run their own root server." | | Any end user can do that as well. | | The truth is, root servers are not nearly as "essential" as the | major TLD servers, like .com, .net and .org | | I always have a current copy of the current root.zone (which does | not change very often). If the public root servers all went down | I would not see any noticeable effects. | | However if the .com servers went down, I would have to use a | local copy of the com.zone which is a much larger file to | download (via FTP, HN's favourite protocol to make fun of). | | An easier alternative is to keep a custom zone file with all the | domains that I use regularly. Does any single end user really | need access to the entire www. How much of the www does anyone | think they have really seen.
| | For example, I have zone files with every domain that is posted | to HN, so I never have to worry about being able to read what | gets posted here. I can read fast without making any remote DNS | lookups. | nickpp wrote: | Why not? They already ruined the web browsing experience of | hundreds of millions of Europeans with their brain dead | GDPR/cookie law/privacy note crapola. | | And they are also busy ruining chat encryption in the name of our | own safety, app stores in the name of anti-trust and online ad | business in the name of... whatever. | | The European Union - those who can't innovate, regulate. | Bayart wrote: | >The European Union - those who can't innovate, regulate. | | What a putrid aphorism. Law is a field of innovation _itself_. | xbar wrote: | 1. Yes. It is both putrid and inaccurate. 2. Is this law | actually innovative? Yes. It is an example of novel EU | overreach. If I am a Japanese citizen operating a root DNS | server in Kyoto, why am I suddenly subject to EU regulation | and scrutiny? This is new. | | EU regulators are innovative. I can think of a lot of other | innovators like them. | | I haven't recalled any that I like. Can you? | kazen44 wrote: | let's see: | | - intra EU banking which is decades ahead of the US [1] - | having universal driving licenses and ID cards valid | throughout a continent and beyond [2] - High standards of | food safety [3] | | I could name a couple more, but I get you get the point. | | 1: https://en.wikipedia.org/wiki/Single_Euro_Payments_Area | 2: https://en.wikipedia.org/wiki/European_driving_licence | 3: https://eur-lex.europa.eu/summary/chapter/30.html | jazu wrote: | I don't trust the EU. They want to do this so they can censor | domain names more effectively (copyright, "terrorism"...) | tyingq wrote: | The peer comments here aren't quite right. The query that goes | to the root server, isn't "what's the name server for .com?". | It's "what's the IP for abc.example.com?"
| | The root servers _choose_ to send referrals back for the TLD. | | They don't have to. They could answer the query directly, or | send a bogus authority record for "example.com", etc. | | So, technically, you could create some chaos in the way you're | describing if you ran a root server. (Plus the wrinkle of | DNSSEC). | Denvercoder9 wrote: | If that's their goal (I don't think it is), they are | hilariously incompetent at it, as the root servers do not have | anything to do with individual domain names at all. They only | map TLDs to nameservers. | ancarda wrote: | How would this even work? Don't the root servers just help you | find TLDs? To take down example.com, they'd have to take down | .com, right? | xalava wrote: | Interesting debate. However: | | - I doubt that the EU meant to directly investigate the Pentagon, | the opposite might have some history. | | - The argument that there is redundancy and therefore it is safe | is incomplete to say the least. For instance, how heterogeneous | are operations, software, potential failures...? | blibble wrote: | if this is true the root servers will simply move out of the EU | | it's a lot easier to move than say, banking customers | toast0 wrote: | Really, recursive servers should be AXFRing the root zone on a | regular basis and not making live queries unless the AXFRd data | is sufficiently stale (or on cold start). ICANN has some AXFR | servers set up for this [1]. | | Some other transfer mechanism for the zone could be used, and | almost anything would do as the rate of change is slow and the | overall size relatively small. If it's a regular transfer, | there's less need to have servers as everywhere as possible as | is current policy. Popular TLD servers will likely continue to | try in as many places at once as they can be though.
| | [1] https://www.dns.icann.org/services/axfr/ | swiley wrote: | The solution here seems simple: their business continuity plan is | for traffic to fail over to other functioning servers. | | As long as actually filing the paperwork is easy and the EU | accepts the idea that the system is already designed to handle | outages this sounds to me like a non-event. | EricE wrote: | So their "solution" is to tell these operators to continue to | run the protocol in the way it was designed since day one. For | over 40 years. | | Brilliant value being added there. A true benefit to all | mankind :p | dncornholio wrote: | Also I think if you can't handle a bit of paperwork, maybe you | should not handle a root server? | jaywalk wrote: | This is a whole lot more than "a bit of paperwork" including | granting EU representatives the ability to do on-site audits. | nemothekid wrote: | As I understand it, the services are run by non-profits. A | "bit of paperwork" (and truthfully, it's laughable to call | any government mandate a "bit" of paperwork) can quickly turn | into something that require legal hours which isn't free. | zepearl wrote: | I agree about not underestimating the needed effort, but to | be fair that service nowadays is absolutely | crucial/important for a lot of stuff, private & commercial, | involving $$$/lifes (maybe e.g. police etc... run some | services over it)/whatever. | | Probably the criticality/importance of the service must be | balanced by appropriate controls/checks/procedures/etc... . | EricE wrote: | Maybe people's time could be spent better administering | servers - i.e. doing useful work - than complying with | busywork from bureaucrats intent on solving problems that | don't exist. | | Or even worse, bureaucrats making shit up to not only justify | their existence but justify the expansion of their empires - | which is exactly what this smells like.
| | There is nothing broken or in need of fixing with how the | root servers have worked and work today. | zokier wrote: | The concern would be more credible if it came from actual root | server operator(s) | tptacek wrote: | Bert Hubert has quite a bit of DNS credibility. | ahubert wrote: | Shrinking at a rapid clip though :-) But thanks! It may also | be good to know several root operators provided a ton of | feedback on this post. | EricE wrote: | >Shrinking at a rapid clip though | | Shrinking by whom? EU partisans or the technical world at | large? Quite a difference about who's "shrinking" I | couldn't care less about. | wccrawford wrote: | Bert Hubert, apparently. | | The person you replied seems to be Bert Hubert. | ezoe wrote: | Since EU doesn't have an authority over non-EU countries, they | just pound sand or cut themselves off from the internet like | North Korea. | disabled wrote: | As a dual US|EU citizen, I would not mind it at all. I am no | Luddite either. | the_duke wrote: | The EU is an important enough market that most companies will | want to serve EU customers, which means they have to abide. | | GDPR has forced all companies to at least think about data | security and personal data, and given rights to know what data | is stored and to demand deletion. | | Sure, there are annoying consent modals, enforcement is | lacking, many companies don't actually follow the law properly, | and I've lost access to some websites/apps that don't want to | deal with it. | | But this is a domain where standards are severely lacking, but | necessary. No one will do it without being forced to. | | The biggest downside (for me) is the extra regulatory burden | for small companies, but this particular legislation won't | affect small companies much anyway. | nonameiguess wrote: | It's not totally clear they would really try to do this, but | there is no world in which US military DNS servers submit to | inspection, auditing, and regulation by the EU.
This is | nothing like regulating commercial service providers. Even | where FVEY reciprocity agreements exist, it's only for | products, not for equipment and processes. Even where the US | government operates facilities in the UK, there are parts of | those facilities non-US persons aren't allowed into. Since | the UK left, no EU member state is even a part of FVEY. | | Granted, DNS is not classified, so those specific | restrictions do not apply, but you still can't just go up to | the Pentagon unannounced with an EU regulator badge and | expect to be let into the building. | oneplane wrote: | Yet the US military wants to inspect the EU's stuff so it | seems to be a bit of a one-way thing right now. | | The US wants to do all sorts of shady stuff to the rest of | the world, but as soon as someone wants to do some of that | the other way around it suddenly is all sorts of bad. | kazen44 wrote: | this "one way street" is one of the major talking points | of many EU politicians in creating a more self sufficient | union in terms of military power. | | It is still a long way to go though. | finiteseries wrote: | It's not a two way street. | | The Californian defense minister doesn't exist, and | didn't proclaim last November that "illusions of US | strategic autonomy must come to an end" in response to | criticism from the Texan president, citing sobering facts | like "without the nuclear and conventional capabilities | of the E.U., California and America cannot protect | themselves." | | https://www.politico.eu/article/german-minister-to- | macron-eu... | dahfizz wrote: | > this is a domain where standards are severely lacking, but | necessary. | | Source? DNS has worked perfectly for decades without out of | touch politicians at the helm. | pyrale wrote: | > DNS has worked perfectly for decades | | I know a few people that would disagree. In fact, Google | maintains a list of such opinions on the topic at [1]. 
| | [1]: https://www.google.com/search?q=it%27s+always+DNS | darkarmani wrote: | I would say "perfectly" is an exaggeration in terms of | not every request being perfect, but as a system it has | worked perfectly as designed. | | Name another system that has delivered the sheer quantity | of results compared to the number of faults. I can't even | imagine how many answers have been given DNS servers. | the_duke wrote: | I was talking about IT security and data handling standards | in general, not specifically about the concrete issue of | root servers. | ad404b8a372f2b9 wrote: | If only, it might give birth to better online services as | alternatives to the data-vampires over in the US. | emteycz wrote: | No, all technologists from EU would jump over. | wizzwizz4 wrote: | No we wouldn't. We might connect the internets back | together, though, if only to keep chatting with our non-EU | IRC buddies. | emteycz wrote: | I don't know a single one that wouldn't not only jump | over networks, but borders too. People are getting angry | as it is now. Many of them are leaving because of the | failure to handle covid, also PSD2, the inability to | access many pages due to GDPR, the encryption ban plans, | the tracked digital money plans, etc. | | The Ukrainians that were here for a decade or more are | choosing to go back to Ukraine rather than stay in this, | what an image of the EU. | | My 70 y/o grandmother is literally the only reason I'm | still here. | joshuaissac wrote: | PSD2 has been great for EU citizens because it lets them | use personal finance apps of choice instead of being | locked in to their bank's own app. | | GDPR has been good even for non-EU citizens because it | prompted some companies to provide data controls for all | users, not just EU citizens. I have only come across a | few American local news sites that block EU visitors. 
| | There are other reasons technologists may leave, such as | higher salaries and larger capital markets in the US, but | GDPR, PSD2 and Covid-19 would not be incentives for most. | [deleted] | Quanttek wrote: | > "The non-profit root server operators might have to leave the | EU and put up active measures so that no Europeans can use their | root servers. They can't afford to do all the paperwork for NIS | 2." | | I think this is the point where the argument falters. The author | is overstating the cost impact regulatory compliance has and | understates the non-profit resources. Also, the idea that | commercial providers will take over with their competitive edge | in regulatory compliance doesn't work, since there is really no | impact of such compliance skills on service quality. Everybody | provides the same service, so if the operators can comply somehow | (even if slow and badly), they are good | einpoklum wrote: | > I love Europe, and I want to see the European Union succeed. | | As a socialist (regardless of my more specific views), I really | cannot understand how these two views can be held at once. | | The EU is an anti-democratic mechanism for concentrating economic | and political power in few hands within Europe. Many member | states basically forced it onto their citizens despite mass | objections and even votes against entrance (or rather, adoption | of the Maastricht treaty). And the EU has brought mostly negative | effects for most Europeans IMHO. It would have been much better | for residents of the continent to bring countries, societies and | economies closer without this kind of central control. | | The proposed measure, of forcing good-will providers of root | servers, to have to submit to EU inspections of premises, is a | (admittedly rather minor) example of this aspect of the "spirit" | of the EU. | mordae wrote: | I dunno. 
I am pretty sure CZ.NIC is going to be OK with this | legislation, given they already comply with pretty stringent | rules we have now and they even run the actual CERT from the NIS | 1. | stunt wrote: | Anyone knows if EU supports these operators or not? Financially | or different ways? The EU does support some vital infrastructure | projects as far as I remember. | | I wouldn't be worried about fines. I think the EU is very | reasonable and flexible when it comes to enforcing these type of | legislations. ___________________________________________________________________ (page generated 2021-05-10 23:00 UTC)