[HN Gopher] Dear EU: Please Don't Ruin the Root
___________________________________________________________________
Dear EU: Please Don't Ruin the Root
Author : Reventlov
Score : 323 points
Date : 2021-05-10 14:39 UTC (8 hours ago)
(HTM) web link (berthub.eu)
(TXT) w3m dump (berthub.eu)
| politician wrote:
| Browsers could alternatively ship with support for Namecoin [1]
| or Unstoppable Domains [2]. Though, realistically, I'm suggesting
| Opera or Brave. Mozilla isn't functionally capable of thinking
| about doing something like that, and I don't think I have to
| suggest a reason why the other browser vendor wouldn't entertain
| the idea.
|
| [1] https://www.namecoin.org/
|
| [2] https://unstoppabledomains.com/
| 542458 wrote:
| Two things about these:
|
| 1- Having domain names be impossible to seize sounds like an
| anti-feature for most businesses. If somebody pwns my company
| or I have a disgruntled sysadmin I don't want them to be able
| to indelibly transfer my domain name to themselves with no
| recourse. Alternatively, if I lose the cryptographic keys to my
| domain name, am I just completely hosed?
|
| 2- No renewal fees ever sounds like an anti-feature to
| everybody who isn't a squatter.
| worik wrote:
| "The Internet functions because over 1300 servers provide a
| starting point for every (website) name used online. These are
| the root servers."
|
| That would be the Web. It is hard to take anything this person
| says seriously when right at the start they confuse the Internet
| and the Web.
| yholio wrote:
| He says "name", then adds "website" in parenthesis so non-
| technical people can understand. Without name resolution, most
| internet services will indeed fail.
| akoncius wrote:
| what do you mean? DNS works not only for web. all internet-
| related things rely on DNS in one way or another. email, chats,
| FTP etc.
| Jolter wrote:
| No, they are writing about DNS, which is in the core of how the
| Internet works. Including the Web, yes, but virtually nothing
| on the Internet would work without DNS.
| stunt wrote:
| A lot of things won't work, but you still can't say Web and
| Internet are the same thing.
|
| I also think it isn't fair to nitpick the article for it.
| PoignardAzur wrote:
| While I don't want to dismiss OP's concerns, I vicariously enjoy
| the turnaround of the US having to worry about someone else's
| extraterritorial decisions.
|
| In practice, though, I don't think it would matter. It's not like
| (1) the EU is asking to be allowed to install arbitrary programs
| on root servers or (2) it will start bombing non-compliant
| servers.
|
| Worst case, EU residents (or at least residents using PCs sold in
| the EU) will only be able to access EU root servers, which will
| still index 100% of the internet. I'm not super worried.
| JPLeRouzic wrote:
| > which will still index 100% of the internet
|
| No that's not true, for example sci-hub is not available on
| DNSs compliant with EU's laws.
|
| In the document below they even cite Cloudflare as non-
| cooperative, as well as several Asian marketplaces and some
| online pharmacies.
|
| https://trade.ec.europa.eu/doclib/docs/2018/december/tradoc_...
| slim wrote:
| That's already the case right now. That situation won't be
| affected by the new regulations
| coward76 wrote:
| The US wouldn't worry, and would make their own internet with
| hookers, blackjack, zero privacy, taxes, inane regulations and
| pork, but it would be US controlled. This is how Americans
| work.
|
| Edit: Downvote if you must but it is the mindset of many:
|
| https://www.bbc.com/news/technology-53686390
| will4274 wrote:
| Alan Woodward seems to be the BBC's go-to person for scare
| quotes about the internet. In your article:
|
| > "It's shocking," says Alan Woodward, a security expert
| based at the University of Surrey. "This is the Balkanisation
| of the internet happening in front of our eyes.
|
| > "The US government has for a long time criticised other
| countries for controlling access to the internet... and now
| we see the Americans doing the same thing."
|
| Previously, I saw Woodward giving bad information and
| engaging in unfounded speculation in an article about Signal
| - https://www.bbc.com/news/amp/technology-55412230.
|
| > Alan Woodward, a professor of computer science at Surrey
| University, said Signal was "one of the most secure, if not
| the most secure, messenger service publicly available".
|
| > "Signal employs end-to-end encryption, but goes further
| than apps like WhatsApp by obscuring metadata - who talked to
| who when and for how long," he explained.
|
| > "Cellebrite seem to have been able to recover the
| decryption key, which seems extraordinary as they are usually
| very well protected on modern mobile devices."
|
| > He added that if this was indeed true, it was no surprise
| Cellebrite would have altered its blog.
|
| > "I suspect someone in authority told them to, or they
| realised they may have provided enough detail to allow others
| - who don't just supply to law-enforcement agencies - to
| achieve the same result."
|
| A good rule of thumb might be, if you see Alan Woodward
| quoted in support of the article, assume the author doesn't
| know any genuine experts.
| coward76 wrote:
| This Republican idea gets floated enough without the BBC
| article:
|
| https://www.cnbc.com/2019/02/04/the-splinternet-an-
| internet-...
|
| https://www.reuters.com/article/us-usa-china-apps-pompeo-
| bre...
|
| Or did you want an older Democrat proposal:
|
| https://www.nytimes.com/2011/11/16/opinion/firewall-law-
| coul...
|
| http://leahy.senate.gov/imo/media/doc/BillText-
| PROTECTIPAct....
|
| The idea of walling the internet is quite old.
| ahubert wrote:
| (author here - if there are any questions, please let me know!)
| pmontra wrote:
| First of all, I praise the initiative and the explanation. But
| not everybody tweets. Is there an email address to send that
| message to?
| jollybean wrote:
| Why is the EU trying to regulate outside its jurisdiction?
|
| Why doesn't the EU simply provide a 'core' set of servers,
| which they operate to a high degree of fidelity and robustness
| so that 'should something go wrong' ... then the EU still has
| these resilient services to rely upon?
|
| I don't see how someone doing a public service should
| arbitrarily come under such scrutiny.
| mattashii wrote:
| It doesn't, really; see paragraph (65) in the document [0].
| It states something along the lines of "if you're providing
| services stationed in the EU, or services directed at people
| that live in the EU, then you must comply with these
| regulations". Basically, an import regulation for operators
| that do not have a presence in the EU (but do target the EU
| market), and an operating regulation for those that have a
| presence in the EU.
|
| [0]
| https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=72172
| jart wrote:
| I'm not sure where you got the word "target" from. In the
| context of GDPR what the EU does is they believe European
| people are their data subjects, they claim that personal
| data is things like IP addresses, and if you record
| information about these data subjects, like RIPE IPs in
| NGINX logs, then the EU feels that you are governed by them
| regardless of where you live or where your server is
| hosted. Which to me sounds like basically everyone who's
| plugged into the internet who hasn't configured their
| firewall to drop traffic from ips starting with 2, 5, 25,
| 31, 37, 46, 51, 53, 57, 62, 77, 78, 79, 80, 81, 82, 83, 84,
| 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 109, 141, 145,
| 151, 176, 178, 185, 188, 193, 194, 195, 212, 213, or 217.
| In practice, the EU has explicitly exempted most of the
| operators who wouldn't be economical to fine, but it's
| pretty clear that the regulatory model is intended to
| operate like a whitelist, i.e. you're under their dominion
| unless they say you're not. What I found particularly
| amusing in the context of the DNS topic at hand is when
| people voiced concerns about normal people running DNS on a
| Linux router or something being impacted by the
| legislation, the EU's response in the document was like, no
| no trust us if you're doing something like running a DNS
| server on your "laptop" (yes they said laptop) then you're
| not going to be impacted. How reassuring!
| mattashii wrote:
| I got the word "target" from the referenced section (65):
|
| > In order to determine whether such an entity is
| offering services within the Union, it should be
| ascertained whether it is apparent that the entity is
| planning to offer services to persons in one or more
| Member States. The mere accessibility in the Union of the
| entity's or an intermediary's website or of an
| email address and of other contact details, or the use of
| a language generally used in the third country where the
| entity is established, is as such insufficient to
| ascertain such an intention. However, factors such as the
| use of a language or a currency generally used in one or
| more Member States with the possibility of ordering
| services in that other language, or the mentioning of
| customers or users who are in the Union, may make it
| apparent that the entity is planning to offer services
| within the Union.
| jollybean wrote:
| 'target the EU market' is vague.
|
| These are independent operators, NGOs etc, services being
| 'used by EU citizens' not really 'targeting Europeans'.
|
| From a liability perspective, to the author's point these
| services I suppose would have to just filter out European
| sources?
|
| Why would they publish a regulation so obviously vague,
| full well knowing the reality on the ground?
|
| Why wouldn't they use language that unambiguously places
| NASA etc. firmly 'in or out' of the regulations or, some
| criteria which they would be one way or another?
|
| Seems odd.
| latk wrote:
| The text in question does define more closely what it
| means to offer services in the EU. To lawyers (and to
| anyone who has experience with GDPR compliance) this is
| not a particularly vague statement. Admittedly, there's
| no unambiguous bright line definition, but there's a lot
| of jurisprudence on the matter.
|
| In reality, the question is not whether EU citizens will
| use these services, but whether the operator of the
| service is targeting people in the EU, i.e. whether the
| operator _intends_ or reasonably _expects_ for EU people
| to use their service. A US service will most likely be
| fine if their reasoning goes something like this: (1) We
| primarily intend to serve connections from the US. (2)
| This expectation is reasonable based on our network
| topology. (3) But we don't care if someone else
| connects.
|
| It would not be appropriate to exempt specific
| organizations since those organizations may change their
| targeting in the future. It already exempts most non-EU
| organizations, due to the criterion that they don't
| target the EU.
|
| We had the same panicking in 2018 when the GDPR came into
| force and - quelle surprise - there are no fines for
| random international websites. The EU doesn't insert
| itself into your affairs if you don't insert yourself
| into the EU market.
| oaiey wrote:
| That is exactly how gdpr is set up. Which is good.
|
| Regards NGOs: just because you do not make money does not
| make you a saint.
|
| Regards vagueness: if you want to survive in an agile
| environment without rewriting every second day, vagueness
| is the way to go.
| EricE wrote:
| >That is exactly how gdpr is set up. Which is good.
|
| So if the US comes out with "GDPR- The Next Generation"
| with similar mandates towards the EU would that also be
| "good"?
|
| Asking for a friend.
| oaiey wrote:
| FISA courts and the law they are based on? The US is
| explicitly or implicitly doing this all the time.
|
| Or the Hague invasion act which is pretty much that case
| (US soldiers are protected abroad against international
| treaties).
| yxhuvud wrote:
| Yes, it most certainly would be good.
| guerrilla wrote:
| > Why is the EU trying to regulate outside its jurisdiction?
|
| My first question is are they or is this the author's view?
| latk wrote:
| It is primarily the author's view.
|
| The proposed regulation - like many EU regulations - can
| also apply to non-EU entities. In this sense, the EU does
| try to exert extraterritorial jurisdiction.
|
| However, this is constrained to the case where the non-EU
| entity targets people in the EU, so somehow participates in
| the EU market. The origins of this "targeting criterion"
| actually come from consumer protection cases, where it's
| easy to understand: if you advertise your goods or services
| to people in a particular country, you'll have to play by
| that country's rules.
| dncornholio wrote:
| I can make the analogy that public transport is a public
| service, but that doesn't mean people have to drive in old
| and unsafe busses and trains right?
| BuyMyBitcoins wrote:
| It's the nature of governments and bureaucracies to try and
| control as much as they can. The kinds of people who draft
| these regulations aren't interested in limited legislation.
| The United States is particularly guilty of this - we
| frequently demand that other countries follow our regulatory
| rules, especially around banking and "anti-terrorism".
| kazen44 wrote:
| > It's the nature of governments and bureaucracies to try
| and control as much as they can. The kinds of people who
| draft these regulations aren't interested in limited
| legislation
|
| there is not really any other way to play the geopolitical
| game sadly.
|
| Every government on earth is doing this to keep themselves
| stable, some are just far more successful than others.
| emouryto wrote:
| Why not?
|
| Let's see... the past year there was a big scandal because
| apparently multiple non-profits were selling the .ORG top
| level domain name for $1B. They got these top level domain
| for free from the US government (or some institution
| thereof).
|
| I would certainly like the EU to regulate more of the
| Internet instead of it being an US territory.
| martimarkov wrote:
| This is ICANN's responsibility and not root DNS servers.
|
| They are completely separate entities.
|
| If you dislike this go shout at ICANN. It was a US
| organisation - now it's a "private" one[1]
|
| [1] https://www.icann.org/en/announcements/details/stewards
| hip-o...
| oneplane wrote:
| If you want to look at it from that perspective: the same
| reason the US does it.
|
| People also tend to forget that providing a service (in
| whatever fashion) doesn't exist in a vacuum, there are the
| services and then there are the consumers of those services
| and they might have certain freedoms and rights that the
| locality of the service in question might not honour. Take
| the right to control your data for example, the US isn't very
| good at providing that with the services they offer, and
| they'd rather not have that freedom and rather make those few
| percent more money.
| kazen44 wrote:
| Also, it makes sense in the broader EU strategy of becoming
| less reliant on the US.
|
| The EU has a good amount of soft power, this is just
| testing its waters in directing policy more
| directly. (other examples are the Iran deal after the US
| left, and Intervention in Africa)
|
| Geopolitically, this makes a lot of sense, and i think the
| idea has good intentions, but the implementation of the law
| is where it falls short.
| krona wrote:
| > _I don't see how someone doing a public service should
| arbitrarily come under such scrutiny._
|
| It doesn't seem arbitrary to me. The service provided exists
| in many EU countries, and therefore _must_ eventually be
| harmonised. This is the prime directive of the project.
| jollybean wrote:
| "and therefore must eventually be harmonised. This is the
| prime directive of the project"
|
| That's not a very good prime directive.
|
| Don't regulate things that don't need to be regulated, i.e.
| unless there is a very material benefit from it.
|
| If the EU is concerned about WW3 level resiliency for these
| services, they can accomplish that themselves with a few
| core, 'hardened' services that meet their criteria. For
| 'regular operations' it seems we're going quite well right
| now.
|
| Unless there is a _threat_ posed by these heretofore
| independent operators ... then I don't see any obvious
| material benefit here.
|
| I'm wondering if somehow these entities could be
| compromised in a way that makes them a problem, more so
| than just 'going offline', in which case, maybe there are
| some benefits.
| oaiey wrote:
| No they cannot. A DNS request in China is not targeting
| a European root but a local one. And that can affect a
| European citizen.
| martimarkov wrote:
| Umm idk if I put 1.1.1.1 as my DNS which root is it
| targeting? The one in China? Or if I put 0.0.0.0 (IP of
| EU run DNS server backed by EU run root) then is it still
| China?
|
| There is a simpler solution rather than enforcing EU
| oversight over root DNSes.
| tick_tock_tick wrote:
| Cloudflare is one of the private operators of root
| servers mentioned in the article so you would be using
| the F root server.
|
| https://blog.cloudflare.com/f-root/
| martimarkov wrote:
| Hence why I said 0.0.0.0 as a root DNS created and
| operated by EU
| jollybean wrote:
| Seems like it's the job of the 'EU citizen' to not use
| foreign services if they don't want to use services which
| are not consistent with their own regulatory standards.
| guerrilla wrote:
| > The current version of the NIS 2 directive explicitly says
| the EU will regulate the root servers, and therefore NASA and
| the US Department of Defense in this way
|
| Is the latter part of this your conclusion and interpretation?
| I haven't looked at the source material but are you sure they
| aren't just referring to root servers operating in the EU or by
| EU companies. I find it hard to believe they would consider DoD
| servers within their jurisdiction.
| tester756 wrote:
| I have a question about your other post which I found interesting
|
| >https://berthub.eu/articles/posts/how-tech-loses-out/
|
| You wrote
|
| >We barely develop any software here anymore. So even very
| European companies like Nokia and Ericsson, that are now
| trying to tell us that they are building our European
| telecommunication infrastructure. They're actually not, they're
| getting that built by other people in other countries far away.
| Anything having to do with server and PC development and
| manufacturing, there's nothing left of that in Europe anymore.
|
| As far as I've been told, then there are R&Ds in e.g Cracow,
| Poland or Wroclaw (probably not R&D) that actively recruit or
| even train people
|
| What are they doing then?
| guerrilla wrote:
| Yeah, Ericsson employs about 13,000 people in Sweden and I
| personally know they develop a lot of telco software.
| squarefoot wrote:
| My latest news (~2 yrs ago though) from friends working at
| Ericsson is that beside hardware they also started
| outsourcing software to far east entities. I don't have
| details, but over here they sack about 300 people every
| year, mostly developers. It might be different in Sweden
| though.
| BenjiWiebe wrote:
| How many do they hire per year? 400?
| squarefoot wrote:
| No idea, and Covid may have changed things, however
| pretty much every year he feared to be included in the
| list of people that had to go either directly or through
| a fake spin off, a common trick used by many corporations
| to lay off workers.
| Jolter wrote:
| Ericsson has hired several thousand engineers per year in
| the past couple of years, globally. You can see the
| history of their Wikipedia page for the nitty-gritty...
| Jolter wrote:
| If by Far East you mean China, I'm not aware of any
| outsourcing there at all. Ericsson has big R&D centers
| there but I believe they are all in-house operations,
| owned and controlled directly by Ericsson.
|
| Now, India on the other hand...
| Jolter wrote:
| Ericsson is very multinational. The core of its management is
| in Sweden, a lot of systems management and architecture are
| indeed controlled from there. There are development units in
| dozens of countries across all continents, albeit with an
| emphasis on Europe, the US and China. A lot of subcontractors
| from/in India are involved in product development, too, but
| mostly for systems operations and maintenance of "sunsetting"
| products. All told, I am not aware of a single Ericsson
| product that is "led" from China or India, but I could
| certainly be wrong.
| oaiey wrote:
| What is your expectation what a state actor like the EU should
| do to protect its citizens' infrastructure?
|
| Rely on a third party like the US which has secret courts and
| gives a shit about EU citizen privacy, their property or their
| lives?
|
| Or give it in the hands of the industry? Which only has one
| motive: making money.
|
| Or leave it unregulated with no safety for no one?
|
| DNS is about trust. We need trust into this thing. And
| honestly: i would not trust DNS offered in China and most
| likely also not the US, or 99% of the carriers
| sam_lowry_ wrote:
| Second that. The article lacks the good parts. It's clear
| that the rapporteur has not figured it out yet how to deal
| with the root DNS servers, but there is a broad consensus
| over the strategic autonomy goal [1].
|
| One way or another, EU will force its way. Should it do it by
| e.g. empowering DIGIT to run root DNS servers?
|
| They will for sure tender it off to a murky consortium, but
| at least there will be a positive political move.
|
| [1] https://en.wikipedia.org/wiki/Strategic_autonomy
| darkarmani wrote:
| Can't the EU run its own DNS infrastructure? Why force its
| way into something it doesn't even understand?
| sam_lowry_ wrote:
| There was an effort to run EU-based root DNS servers.
| ORSN, IIRC. Maybe we have so many root servers in EU due
| to ORSN showing its teeth.
| oaiey wrote:
| I also think that the article is focused too much about the
| auditing and regulations instead of suggesting a better
| model.
| oefrha wrote:
| The article very clearly suggests the current model.
| EricE wrote:
| I love the assumption that there is "a better model."
| This reeks of the quintessential "let's solve a problem
| that doesn't exist."
|
| Here's an even better and more logical idea - for those
| who have concerns about the current DNS root server
| arrangements, what specifically are they? And what would
| you propose as solutions to their perceived deficiencies?
| Bonus points if you can raise actual technical arguments
| and not just feelings.
| oaiey wrote:
| Fair point. I don't have a different idea in the current
| geopolitical situation.
| martimarkov wrote:
| You are free to choose your DNS provider. On the other hand
| if we take your view and apply it in reverse: why should an
| American or Chinese person trust the EU to regulate the
| internet?
|
| DNS roots have worked flawlessly. The EU can just create EU
| roots and be in control of them and regulate those. Nobody is
| opposed to that. You can even enforce vendors to only include
| EU roots when selling devices in the EU (I'm against this
| personally) or to ISPs (I'm more okay with this). But as a
| person who loves the EU I'm very much opposed to enforcing EU
| values and views to 3rd parties.
| guitarbill wrote:
| > But as a person who loves the EU I'm very much opposed to
| enforcing EU values and views to 3rd parties.
|
| I'm not quite clear how that's different from ICANN?
| Ostensibly they're now "multistakeholder", but were under
| the United States Department of Commerce until 2016. And
| were infamously in denial about the GDPR impact to WHOIS.
|
| To be clear, I'm not saying the EU proposal is in any way
| good, I have no idea. But this issue has been brewing for a
| while, and I don't think it's unreasonable to be critical
| of ICANN et al and preparing for eventualities. Even if it
| is the status quo, leaving a major part of the internet in
| the hands of some unaccountable NGO is a huge risk.
| petre wrote:
| > You can even enforce vendors to only include EU roots
| when selling devices in the EU
|
| Please don't give them ideas. Not even the Kremlin has done
| that, although they did something similar with geolocation
| devices.
|
| Otherwise I fully agree. If the EU wants to audit, they
| should establish their own root server infrastructure, pay
| for it and audit that. If I was a root server operator
| providing what is essentially a free service and this was
| enforced on me, I'd rather shut down or block EU netblocks
| than be bothered by EU cyber security auditors.
| martimarkov wrote:
| I mean if it's done in the right way and actually hosted
| by universities with high reputation:
| Oxford/Cambridge/Southampton (obvs not in Europe anymore
| but it illustrates my point) then I think it might be
| okay. Nothing wrong with making sure dns works in Europe
| if all other dns roots fail.
|
| The implementation part will be tricky but not
| impossible. Heck ipv6 is still not rolled out and we
| actually need it. Do you think they will be able to do
| this faster?
| Skunkleton wrote:
| There is less and less choice over your DNS provider. With
| the classic DNS protocol, requests were routinely hijacked
| by ISPs. With new protocols like DOH, you now have to go
| manually configure every application and cross your fingers
| it does what you want. Not everything can be configured to
| a specific DOH gateway.
|
| As it stands today, I can no longer reliably block hosts by
| domain name on my own network thanks to DOH.
| setBoolean wrote:
| This really rubs me the wrong way about DoH. At the
| moment I mitigate this by outright blocking the Top 10
| public DNS servers network wide.
| readams wrote:
| This is a completely separate problem and not related to
| the root DNS servers. As an individual user, you do not
| contact the roots.
| oaiey wrote:
| No normal user chooses a DNS server.
|
| Everyone should regulate and audit them. How we do with
| medical devices, and other stuff. The internet is no
| unicorn with special treatment.
|
| The last paragraph is right until I think about my EU-
| WhatsApp trying to make connections in Singapore. They try
| to protect me as a citizen.
| EricE wrote:
| What value would regulation bring to a system that is
| currently working, has worked flawlessly for over 40
| years and shows no need of imminent "improvement" from a
| law like this.
|
| Exactly what problem would this law solve? So far all I am
| seeing are vague assurances and warm feelings but zero
| substance of how it would improve anything.
|
| Indeed, if history is our guide any change is far more
| likely to hurt rather than help. Therefore it is
| incumbent on those seeking the change to defend it - how
| exactly will this law "improve" things. Please be
| _specific_ and factual and leave feelings to the poets
| and philosophers.
| oaiey wrote:
| So the argument is: medical devices yes, internet which
| is used for everything: no.
|
| Not every jurisdiction in the world is based on extreme
| fines (like the US) but many are built on strict
| regulations (like most European countries).
|
| Personally, i cannot speak about the concrete law and nis
| 2 thingy.
| renewiltord wrote:
| You control the client. Don't ask my server if you don't
| want to. I'm not making you do it.
|
| If you want to ask my server, send me information in the
| protocol that says that you want me to meet a certain
| standard and I'll blackhole the request if I can't meet
| it.
|
| This is how SSL/TLS works and it works well.
| martimarkov wrote:
| Fine then enforce that:
|
| Any software that is used by EU citizens (downloaded from
| EU App Store or EU vendor website) should use EU DNS
| servers. (The user should be allowed to change the DNS on
| per device and per app lvl)
|
| I'd be okay with that. And I think that solves your
| issue, my issue and EU's issue.
| guitarbill wrote:
| Is that feasible for millions or billions of already
| manufactured, existing devices?
| martimarkov wrote:
| Simply - no. Devices that are old enough which have no OS
| updates then... no. But any new device or already
| supported ones: yes why not. It's just an update from the
| manufacturer. You can even say: If the device is within
| EOL<1 year just update the DNS to the EU DNS. Other
| devices will need to have the option of choosing DNS
| addresses.
|
| Another approach is what we do with cars: we don't ban
| ICE cars, we have different "tiers" (Euro5, Euro6) of
| emissions and phase them out. We can do the same thing.
| Any device manufactured after 2020 will need to implement
| this "feature". It will take a few years to propagate but
| it is a very feasible approach.
| zepearl wrote:
| Don't most devices use just DHCP, which in turn in most
| cases just use the DNS settings of the Internet Provider
| (IP) that is being used (indirectly, as usually the local
| router is set like that) => if a local government asks
| the IPs to use specific root servers then the problem
| should be solved?
|
| (or maybe I'm not understanding the core problem...)
| [deleted]
| Deukhoofd wrote:
| From what I read in the proposal the core idea of it is solid.
| DNS is a vital piece of infrastructure, and we should take steps
| to ensure it keeps working. Putting together task forces to make
| sure it is secure therefore sounds like a very good idea.
|
| Root servers might be out of scope to some degree for this
| however. Interestingly enough the root servers also aren't
| mentioned in the proposal itself, nor in the annex listing
| essential services. They're only mentioned in the lead up, which
| is the argument for why it's needed. It somewhat feels like they
| left it in accidentally, especially with the parliament
| immediately amending to scrap it from the lead up as well.
| fsckboy wrote:
| > Putting together task forces to make sure it is secure
| therefore sounds like a very good idea.
|
| the top comment on HN for topics like this frequently follows
| the format of your comment, saying something that sounds so
| reasonable, who could object?
|
| But the way the internet works didn't come about magically, it
| was planned and modified through trial and error by experts
| who, working together, can be seen as nothing other than a task
| force. So you are looking for a new task force to interrupt and
| disturb a task force that already exists. This will inevitably
| lead to the need for yet another new task force to look into
| what this task force has done...
| ur-whale wrote:
| > DNS is a vital piece of infrastructure
|
| It is, and therefore it should be 100% decentralized, if only
| to keep it out of the grabby hands of governments, EU or
| otherwise.
| theshrike79 wrote:
| Hear me out: BLOCKCHAIN DNS!
|
| /s
| watt wrote:
| https://en.wikipedia.org/wiki/Namecoin all you want
| twobitshifter wrote:
| Aaron Swartz (edit) had the same idea
| http://www.aaronsw.com/weblog/squarezooko
| BugsJustFindMe wrote:
| There's no ch in Swartz
| Sargos wrote:
| This ended with /s but DNS and other global namespace
| management systems are actually one of the problems
| blockchains solve perfectly. We all need to know what the
| value of some key->value pair is and have that information
| always available and easy to update. Blockchains handle
| data distribution natively, allow updates from authorized
| parties, and have 100% uptime. Transitioning DNS to
| something like ENS is something with lots of upsides and
| few downsides.
|
| Take a look at https://ens.domains/about and
| https://handshake.org/
| jonhearty wrote:
| Handshake.org provides an alternate root zone that seems
| pretty relevant here
| madeofpalk wrote:
| Is the 12 root server organisations an example of
| decentralisation?
| EricE wrote:
| Yup. As well as the decentralization and diversity of the
| technical operations of each pool. Operational diversity
| can be as important or even more important than technical
| diversity since humans tend to be the weakest links in
| technical chains :p
| [deleted]
| ur-whale wrote:
| > Is the 12 root server organisations an example of
| decentralisation?
|
| It isn't.
|
| Proof: the fact that US random three letter agencies can
| take down websites.
| Denvercoder9 wrote:
| Taking down websites has nothing at all to do with the
| root servers. The root servers only distribute
| information about which nameserver is responsible for
| which TLD, and don't concern individual websites at
| all.
| _-david-_ wrote:
| It is impossible to build any website that cannot be
| taken down. The government could seize the physical
| servers if they wanted to. By your definition that means
| nothing is decentralized.
| booleandilemma wrote:
| This sounds like a problem to solve.
| _-david-_ wrote:
| How? Even if you were to host a website on a satellite
| the government could launch a rocket and blow it up. If
| the website is hosted on Earth they could physically cut
| cables if they wanted to. There is no way to fully
| prevent the government from preventing access to a
| website. The internet is decentralized, but not fully
| immune from governments.
| jrockway wrote:
| I mean, you can have more than one copy of the website.
| Maybe a government can send one satellite-destroying
| missile, but probably not thousands of them.
|
| Think about how many people have the Linux kernel Git
| repo cloned on their workstation. It would be essentially
| impossible for any government to destroy all copies.
| Sargos wrote:
| >It is impossible to build any website that cannot be
| taken down
|
| This is becoming less true each day, especially with the
| advent of IPFS and Ethereum. Uniswap's website will never
| go down. uniswap.org might be seized but uniswap.eth
| cannot be altered by anyone.
|
| In a few decades it will be normal for websites to be
| decentralized and permanent. It's actually quite needed
| for the robustness of critical internet architecture.
| salawat wrote:
| No it isn't. It's a crutch, but also one of the most
| centralized, manipulable levers for controlling what is and
| isn't discoverable on the Net.
|
| Think about it. Domain names are seizable. IPs aren't. You
| can't stop someone with an IP from existing.
|
| Whenever someone talks about regulating DNS, it should
| translate to "We want to take control of Namespace
| management."
| wyager wrote:
| So, we take a system that has been working perfectly for 40
| years, and throw some government "task forces" at it, and we
| hope this makes it work better?
| EricE wrote:
| The single biggest thing keeping the root servers working is
| the very model this law would disrupt.
|
| Indeed, you want ecosystem diversity. You don't want every
| operator of a pool of root servers doing everything the same
| way because if someone figures out how to disrupt those
| operations and if everyone is operating the same way then
| _poof_ - they all fall down.
|
| Top down planning/regulation has its place, but it's hardly
| the solution - and brings zero value to this topic.
|
| Indeed, in 40 years the model has worked just fine - surviving
| technical, political and legal challenges and no one was the
| wiser. There is zero in this law that would improve upon that
| record.
| KronisLV wrote:
| Here's a naive question - why couldn't the institution that's
| supposed to do the planning/regulation be the one that's
| obligated to provide the necessary resources for the parties
| being regulated, if they lack them themselves?
|
| > The non-profit root server operators might have to leave
| the EU and put up active measures so that no Europeans can
| use their root servers. They can't afford to do all the
| paperwork for NIS 2.
|
| For example, if a university cannot afford to file the
| necessary paperwork, why couldn't the EU be the ones that are
| obligated to send someone over to handle the legwork and help
| them out?
|
| I know that something like that would never work for reasons
| that the lovely people here would hopefully point out (since
| i don't really deal with the legal stuff that often), but
| here's another example - i live in Latvia, and the government
| actually helps me to fill out and pay my taxes somewhat.
| Granted, it only handles the most common cases and
| calculations in the form of a self-service web app, but if a
| lot of paperwork is just forms anyways, why not apply it to
| other domains?
|
| In contrast, telling a university that they'll need to invest
| significant time and resources into something that they
| simply cannot do on their own, knowing the implications of
| this, doesn't appear fair.
| [deleted]
| zyamada wrote:
| Having worked at a university, but not in this domain, my
| 2-cents is that what they're trying to say is that they can't
| afford the paperwork in the context of the associated
| internal political war that commonly comes along with
| trying to do anything like this in academia.
| anticristi wrote:
| Devil's advocate here. The DNS root servers worked, but don't
| quite feel up to speed with regulations. AFAIU, the root
| servers still receive FQDN and IP, which is not GDPR-friendly
| and technically unnecessary.
|
| Also, I'm not sure what happens if a crazy US president
| decided to disrupt .eu.
|
| While regulating root DNS servers might be undesirable now,
| it sure feels like the right moment to start the
| conversation.
| Denvercoder9 wrote:
| _> AFAIU, the root servers still receive FQDN and IP, which
| is not GDPR-friendly and technically unnecessary._
|
| This is only a problem for a tiny fraction of queries. The
| records served by the root servers can be cached (e.g. .com
| has a TTL of 2 days), so most queries don't even hit the
| root servers. It's a much bigger problem for the registry
| nameservers.
| khuey wrote:
| The US government is no longer in control of the root
| servers, and even if it were, I doubt .eu would be at the
| top of the target list.
| [deleted]
| _-david-_ wrote:
| > AFAIU, the root servers still receive FQDN
|
| This part is solved with qname minimisation.
| madeofpalk wrote:
| The majority of the (long) tl;dr focuses on, and is under the
| assumption that non-EU RSOs will object and not comply with the
| NIS 2 directive and... have to shut down or block access to EU?
| Is there any substance to this actually happening? Is the NIS 2
| directive an unreasonable burden on critical infrastructure such
| as those who run the root DNS?
|
| I've never really heard of this "NIS 2 directive" but it seems
| completely reasonable, and it's even unclear whether non-EU folk
| like NASA would even be under scope. The only way I can see that
| being tested is if NASA (or whoever) seriously screw up and have
| a breach, and get attention on them. If that happens, then good!
| They deserve the scrutiny!
|
| This reminds me a lot of the FUD (primarily) Americans were
| spreading about GDPR which ended up being mostly empty.
| xbar wrote:
| What FUD about GDPR has been empty? Do you manage much GDPR
| data?
| madeofpalk wrote:
| All the rubbish claims about the EU bankrupting US mum and pa
| websites.
| 1vuio0pswjnm7 wrote:
| "In addition, by downloading this file, every Internet service
| provider can run their own root server."
|
| Any end user can do that as well.
|
| The truth is, root servers are not nearly as "essential" as the
| major TLD servers, like .com, .net and .org
|
| I always have a current copy of the current root.zone (which does
| not change very often). If the public root servers all went down
| I would not see any noticeable effects.
|
| However if the .com servers went down, I would have to use a
| local copy of the com.zone which is a much larger file to
| download (via FTP, HN's favourite protocol to make fun of).
|
| An easier alternative is to keep a custom zone file with all the
| domains that I use regularly. Does any single end user really
| need access to the entire www? How much of the www does anyone
| think they have really seen?
|
| For example, I have zone files with every domain that is posted
| to HN, so I never have to worry about being able to read what
| gets posted here. I can read fast without making any remote DNS
| lookups.
| nickpp wrote:
| Why not? They already ruined the web browsing experience of
| hundreds of millions of Europeans with their brain dead
| GDPR/cookie law/privacy note crapola.
|
| And they are also busy ruining chat encryption in the name of our
| own safety, app stores in the name of anti-trust and online ad
| business in the name of... whatever.
|
| The European Union - those who can't innovate, regulate.
| Bayart wrote:
| >The European Union - those who can't innovate, regulate.
|
| What a putrid aphorism. Law is a field of innovation _itself_.
| xbar wrote:
| 1. Yes. It is both putrid and inaccurate. 2. Is this law
| actually innovative? Yes. It is an example of novel EU
| overreach. If I am a Japanese citizen operating a root DNS
| server in Kyoto, why am I suddenly subject to EU regulation
| and scrutiny? This is new.
|
| EU regulators are innovative. I can think of a lot of other
| innovators like them.
|
| I haven't recalled any that I like. Can you?
| kazen44 wrote:
| let's see:
|
| - intra eu Banking which is decades ahead of the US[1]
| - having universal driving licenses and ID cards valid
| throughout a continent and beyond[2]
| - High standards of food safety [3]
|
| i could name a couple more, but i get you get the point.
|
| 1: https://en.wikipedia.org/wiki/Single_Euro_Payments_Area
| 2: https://en.wikipedia.org/wiki/European_driving_licence
| 3: https://eur-lex.europa.eu/summary/chapter/30.html
| jazu wrote:
| I don't trust the EU. They want to do this so they can censor
| domain names more effectively (copyright, "terrorism"...)
| tyingq wrote:
| The peer comments here aren't quite right. The query that goes
| to the root server, isn't "what's the name server for .com?".
| It's "what's the IP for abc.example.com?"
|
| The root servers _choose_ to send referrals back for the TLD.
|
| They don't have to. They could answer the query directly, or
| send a bogus authority record for "example.com", etc.
|
| So, technically, you could create some chaos in the way you're
| describing if you ran a root server. (Plus the wrinkle of
| DNSSEC).
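
What the root and TLD servers get to see with and without QNAME minimisation, the two behaviours contrasted in the comments above, as an added Python example that is not part of the thread. The delegation tree is constructed, asking for NS on the shortened name follows RFC 7816's description, and `resolve`, `referral` and `seen_by` are names made up here.

```python
# Added illustration: a constructed delegation tree, not live DNS data.
# Each zone lists the child zones it delegates (its zone cuts).
ZONES = {
    ".": {"com.", "org."},
    "com.": {"example.com."},
    "org.": set(),
    "example.com.": set(),  # authoritative for every name below it
}


def labels(name):
    """'abc.example.com.' -> ['abc', 'example', 'com']; '.' -> []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def join(lbls):
    return ".".join(lbls) + "." if lbls else "."


def referral(zone, qname):
    """Server side: the child zone of `zone` that covers qname, else None."""
    q = labels(qname)
    for child in ZONES[zone]:
        c = labels(child)
        if len(q) >= len(c) and q[-len(c):] == c:
            return child
    return None


def resolve(qname, qtype="A", minimise=False):
    """Walk down from the root; return [(zone_asked, qname_sent, qtype_sent)]."""
    full = labels(qname)
    zone, shown, trace = ".", 0, []
    while True:
        # Classic resolvers send the whole name to every server on the path.
        # A minimising resolver reveals one label more than it already has.
        shown = min(shown + 1, len(full)) if minimise else len(full)
        final = shown == len(full)
        sent = join(full[len(full) - shown:])
        trace.append((zone, sent, qtype if final else "NS"))
        child = referral(zone, sent)
        if child:
            # Zone cut found: continue at the child zone's servers.
            zone, shown = child, len(labels(child))
        elif final:
            # This zone answers (or denies) the full question itself.
            return trace
        # Otherwise there is no cut at this label (e.g. abc.example.com. is
        # not its own zone): reveal one more label to the same servers.


def seen_by(trace, zone):
    """Question names that the servers of `zone` got to observe."""
    return {sent for z, sent, _ in trace if z == zone}


if __name__ == "__main__":
    for mode in (False, True):
        print("minimise =", mode)
        for step in resolve("www.abc.example.com.", minimise=mode):
            print("   ", step)
```

In the classic trace the root is handed the full name and answers with a referral anyway; in the minimised trace it only ever learns the TLD.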
| Denvercoder9 wrote:
| If that's their goal (I don't think it is), they are
| hilariously incompetent at it, as the root servers do not have
| anything to do with individual domain names at all. They only
| map TLDs to nameservers.
| ancarda wrote:
| How would this even work? Don't the root servers just help you
| find TLDs? To take down example.com, they'd have to take down
| .com, right?
| xalava wrote:
| Interesting debate. However:
|
| - I doubt that the EU meant to directly investigate the pentagon,
| the opposite might have some history.
|
| - The argument that there is redundancy and therefore it is safe
| is incomplete to say the least. For instance, how heterogeneous
| are operations, software, potential failures...?
| blibble wrote:
| if this is true the root servers will simply move out of the EU
|
| it's a lot easier to move than say, banking customers
| toast0 wrote:
| Really, recursive servers should be AXFRing the root zone on a
| regular basis and not making live queries unless the AXFRd data
| is sufficiently stale (or on cold start). ICANN has some axfr
| servers set up for this [1].
|
| Some other transfer mechanism for the zone could be used, and
| almost anything would do as the rate of change is slow and the
| overall size relatively small. If it's a regular transfer,
| there's less need to have servers as everywhere as possible as
| is current policy. Popular TLD servers will likely continue to
| try in as many places at once as they can be though.
|
| [1] https://www.dns.icann.org/services/axfr/
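
One way to implement the "serve from the transferred copy unless it is stale" rule from the comment above, as an added Python example that is not from the thread or from ICANN. The zone excerpt is constructed, treating the SOA refresh and expire timers as the staleness thresholds is an assumption made here, and `load` and `LocalRoot` are hypothetical names.

```python
# Constructed excerpt in zone master-file format (owner ttl class type rdata).
# Serial, name servers and the documentation-range address are illustrative.
ROOT_ZONE = """\
.     86400  IN SOA a.root-servers.net. nstld.verisign-grs.com. 2021051000 1800 900 604800 86400
com.  172800 IN NS  a.gtld-servers.net.
com.  172800 IN NS  b.gtld-servers.net.
org.  172800 IN NS  a0.org.afilias-nst.info.
a.gtld-servers.net. 172800 IN A 192.0.2.30
"""


def load(text):
    """Parse the zone text into SOA timers, TLD delegations and glue."""
    soa, delegations, glue = None, {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue  # blank line or something this sketch does not model
        owner, ttl, rtype, rdata = f[0].lower(), int(f[1]), f[3], f[4:]
        if rtype == "SOA" and owner == ".":
            # rdata: mname rname serial refresh retry expire minimum
            soa = {"serial": int(rdata[2]), "refresh": int(rdata[3]),
                   "expire": int(rdata[5])}
        elif rtype == "NS" and owner != ".":
            delegations.setdefault(owner, []).append((rdata[0].lower(), ttl))
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata[0])
    if soa is None:
        raise ValueError("no SOA record: refusing to use this zone copy")
    return soa, delegations, glue


class LocalRoot:
    """A resolver-side copy of the root zone with a staleness check."""

    def __init__(self, text, fetched_at):
        self.soa, self.delegations, self.glue = load(text)
        self.fetched_at = fetched_at  # seconds, same clock as `now` below

    def state(self, now):
        age = now - self.fetched_at
        if age >= self.soa["expire"]:
            return "expired"      # copy must not be used any more
        if age >= self.soa["refresh"]:
            return "refresh-due"  # usable, but a new transfer is due
        return "fresh"

    def referral(self, qname, now):
        """Answer what a root server would be asked, without a live query."""
        if self.state(now) == "expired":
            return ("ask-live-root", None)
        name = qname.lower().rstrip(".")
        if not name:
            return ("apex", None)
        tld = name.rsplit(".", 1)[-1] + "."
        if tld not in self.delegations:
            return ("nxdomain", None)  # TLD not present in the zone copy
        servers = [(ns, self.glue.get(ns, [])) for ns, _ in self.delegations[tld]]
        return ("referral", servers)


if __name__ == "__main__":
    root = LocalRoot(ROOT_ZONE, fetched_at=0)
    print(root.state(3600), root.referral("abc.example.com.", now=3600))
    print(root.referral("abc.example.com.", now=8 * 86400))
```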
| swiley wrote:
| The solution here seems simple: their business continuity plan is
| for traffic to fail over to other functioning servers.
|
| As long as actually filing the paperwork is easy and the EU
| accepts the idea that the system is already designed to handle
| outages this sounds to me like a non-event.
| EricE wrote:
| So their "solution" is to tell these operators to continue to
| run the protocol in the way it was designed since day one. For
| over 40 years.
|
| Brilliant value being added there. A true benefit to all
| mankind :p
| dncornholio wrote:
| Also I think if you can't handle a bit of paperwork, maybe you
| should not handle a root server?
| jaywalk wrote:
| This is a whole lot more than "a bit of paperwork" including
| granting EU representatives the ability to do on-site audits.
| nemothekid wrote:
| As I understand it, the services are run by non-profits. A
| "bit of paperwork" (and truthfully, it's laughable to call
| any government mandate a "bit" of paperwork) can quickly turn
| into something that requires legal hours which isn't free.
| zepearl wrote:
| I agree about not underestimating the needed effort, but to
| be fair that service nowadays is absolutely
| crucial/important for a lot of stuff, private & commercial,
| involving $$$/lives (maybe e.g. police etc... run some
| services over it)/whatever.
|
| Probably the criticality/importance of the service must be
| balanced by appropriate controls/checks/procedures/etc... .
| EricE wrote:
| Maybe people's time could be spent better administering
| servers - i.e. doing useful work - than complying with
| busywork from bureaucrats intent on solving problems that
| don't exist.
|
| Or even worse, bureaucrats making shit up to not only justify
| their existence but justify the expansion of their empires -
| which is exactly what this smells like.
|
| There is nothing broken or in need of fixing with how the
| root servers have worked and work today.
| zokier wrote:
| The concern would be more credible if it came from actual root
| server operator(s)
| tptacek wrote:
| Bert Hubert has quite a bit of DNS credibility.
| ahubert wrote:
| Shrinking at a rapid clip though :-) But thanks! It may also
| be good to know several root operators provided a ton of
| feedback on this post.
| EricE wrote:
| >Shrinking at a rapid clip though
|
| Shrinking by whom? EU partisans or the technical world at
| large? Quite a difference about who's "shrinking" I
| couldn't care less about.
| wccrawford wrote:
| Bert Hubert, apparently.
|
| The person you replied to seems to be Bert Hubert.
| ezoe wrote:
| Since EU doesn't have an authority over non-EU countries, they
| just pound sand or cut themselves off from the internet like
| North Korea.
| disabled wrote:
| As a dual US|EU citizen, I would not mind it at all. I am no
| Luddite either.
| the_duke wrote:
| The EU is an important enough market that most companies will
| want to serve EU customers, which means they have to abide.
|
| GDPR has forced all companies to at least think about data
| security and personal data, and given rights to know what data
| is stored and to demand deletion.
|
| Sure, there are annoying consent modals, enforcement is
| lacking, many companies don't actually follow the law properly,
| and I've lost access to some websites/apps that don't want to
| deal with it.
|
| But this is a domain where standards are severely lacking, but
| necessary. No one will do it without being forced to.
|
| The biggest downside (for me) is the extra regulatory burden
| for small companies, but this particular legislation won't
| affect small companies much anyway.
| nonameiguess wrote:
| It's not totally clear they would really try to do this, but
| there is no world in which US military DNS servers submit to
| inspection, auditing, and regulation by the EU. This is
| nothing like regulating commercial service providers. Even
| where FVEY reciprocity agreements exist, it's only for
| products, not for equipment and processes. Even where the US
| government operates facilities in the UK, there are parts of
| those facilities non-US persons aren't allowed into. Since
| the UK left, no EU member state is even a part of FVEY.
|
| Granted, DNS is not classified, so those specific
| restrictions do not apply, but you still can't just go up to
| the Pentagon unannounced with an EU regulator badge and
| expect to be let into the building.
| oneplane wrote:
| Yet the US military wants to inspect the EU's stuff so it
| seems to be a bit of a one-way thing right now.
|
| The US wants to do all sorts of shady stuff to the rest of
| the world, but as soon as someone wants to do some of that
| the other way around it suddenly is all sorts of bad.
| kazen44 wrote:
| this "one way street" is one of the major talking points
| of many EU politicians in creating a more self sufficient
| union in terms of military power.
|
| It is still a long way to go though.
| finiteseries wrote:
| It's not a two way street.
|
| The Californian defense minister doesn't exist, and
| didn't proclaim last November that "illusions of US
| strategic autonomy must come to an end" in response to
| criticism from the Texan president, citing sobering facts
| like "without the nuclear and conventional capabilities
| of the E.U., California and America cannot protect
| themselves."
|
| https://www.politico.eu/article/german-minister-to-
| macron-eu...
| dahfizz wrote:
| > this is a domain where standards are severely lacking, but
| necessary.
|
| Source? DNS has worked perfectly for decades without out of
| touch politicians at the helm.
| pyrale wrote:
| > DNS has worked perfectly for decades
|
| I know a few people that would disagree. In fact, Google
| maintains a list of such opinions on the topic at [1].
|
| [1]: https://www.google.com/search?q=it%27s+always+DNS
| darkarmani wrote:
| I would say "perfectly" is an exaggeration in terms of
| not every request being perfect, but as a system it has
| worked perfectly as designed.
|
| Name another system that has delivered the sheer quantity
| of results compared to the number of faults. I can't even
| imagine how many answers have been given by DNS servers.
| the_duke wrote:
| I was talking about IT security and data handling standards
| in general, not specifically about the concrete issue of
| root servers.
| ad404b8a372f2b9 wrote:
| If only, it might give birth to better online services as
| alternatives to the data-vampires over in the US.
| emteycz wrote:
| No, all technologists from EU would jump over.
| wizzwizz4 wrote:
| No we wouldn't. We might connect the internets back
| together, though, if only to keep chatting with our non-EU
| IRC buddies.
| emteycz wrote:
| I don't know a single one that wouldn't not only jump
| over networks, but borders too. People are getting angry
| as it is now. Many of them are leaving because of the
| failure to handle covid, also PSD2, the inability to
| access many pages due to GDPR, the encryption ban plans,
| the tracked digital money plans, etc.
|
| The Ukrainians that were here for a decade or more are
| choosing to go back to Ukraine rather than stay in this,
| what an image of the EU.
|
| My 70 y/o grandmother is literally the only reason I'm
| still here.
| joshuaissac wrote:
| PSD2 has been great for EU citizens because it lets them
| use personal finance apps of choice instead of being
| locked in to their bank's own app.
|
| GDPR has been good even for non-EU citizens because it
| prompted some companies to provide data controls for all
| users, not just EU citizens. I have only come across a
| few American local news sites that block EU visitors.
|
| There are other reasons technologists may leave, such as
| higher salaries and larger capital markets in the US, but
| GDPR, PSD2 and Covid-19 would not be incentives for most.
| [deleted]
| Quanttek wrote:
| > "The non-profit root server operators might have to leave the
| EU and put up active measures so that no Europeans can use their
| root servers. They can't afford to do all the paperwork for NIS
| 2."
|
| I think this is the point where the argument falters. The author
| is overstating the cost impact regulatory compliance has and
| understates the non-profit resources. Also, the idea that
| commercial providers will take over with their competitive edge
| in regulatory compliance doesn't work, since there is really no
| impact of such compliance skills on service quality. Everybody
| provides the same service, so if the operators can comply somehow
| (even if slow and badly), they are good
| einpoklum wrote:
| > I love Europe, and I want to see the European Union succeed.
|
| As a socialist (regardless of my more specific views), I really
| cannot understand how these two views can be held at once.
|
| The EU is an anti-democratic mechanism for concentrating economic
| and political power in few hands within Europe. Many member
| states basically forced it onto their citizens despite mass
| objections and even votes against entrance (or rather, adoption
| of the Maastricht treaty). And the EU has brought mostly negative
| effects for most Europeans IMHO. It would have been much better
| for residents of the continent to bring countries, societies and
| economies closer without this kind of central control.
|
| The proposed measure, of forcing good-will providers of root
| servers, to have to submit to EU inspections of premises, is a
| (admittedly rather minor) example of this aspect of the "spirit"
| of the EU.
| mordae wrote:
| I dunno. I am pretty sure CZ.NIC is going to be OK with this
| legislation, given they already comply with pretty stringent
| rules we have now and they even run the actual CERT from the NIS
| 1.
| stunt wrote:
| Anyone knows if EU supports these operators or not? Financially
| or different ways? The EU does support some vital infrastructure
| projects as far as I remember.
|
| I wouldn't be worried about fines. I think the EU is very
| reasonable and flexible when it comes to enforcing these type of
| legislations.
___________________________________________________________________
(page generated 2021-05-10 23:00 UTC)