Re: [cooperation-wg] DNS-based filtering
Pier Carlo,

I'm a bit confused by your assertions with respect to authoritative DNS. Can you please provide examples of domains where the situation you described could exist?

Eg: "target domain name. In fact, for the sake of redundancy, a domain name may have many authoritative servers, spread around the world and also operated by different companies."

I can't see how that could work technically, but maybe I'm missing something - an example would be helpful

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Domains
http://www.blacknight.co/
http://blog.blacknight.com/
http://www.technology.ie
Intl. +353 (0) 59 9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
Twitter: http://twitter.com/mneylon
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland
Company No.: 370845

-----Original Message-----
From: cooperation-wg-bounces@ripe.net [mailto:cooperation-wg-bounces@ripe.net] On Behalf Of Pier Carlo Chiodi
Sent: Tuesday, January 7, 2014 6:23 PM
To: cooperation-wg@ripe.net
Subject: Re: [cooperation-wg] DNS-based filtering

Dear Cooperation working group members,

On 07/11/2013 21:53, Meredith Whittaker wrote:
> With that, I would be happy to help whoever leads pull together a draft, but I don't have the expertise to lead drafting.
as I have already anticipated in another thread, I finally completed a document about web blocking measures for law enforcement purposes. I tried to put together suggestions and hints taken from this mailing list and from documents herein reported.

If you believe it's appropriate, it could be reviewed and maybe used as a starting point to eventually produce a RIPE NCC guide, in order to support legislators and stakeholders decisions; otherwise, it will be just another document about the topic! :)

I share the document on Google Drive (replace FILE_ID with 0B2tYFe9mK9YfcGFUWkxEaldMdDg): https://drive.google.com/file/d/FILE_ID/edit?usp=sharing

In case, just let me know how we can proceed with revisions.

My two cents.

Best regards,

--
Pier Carlo Chiodi
http://pierky.com/aboutme

The opinions expressed here represent my own and not those of any organization, entity or committee to which I may hold a position.
Eg: "target domain name. In fact, for the sake of redundancy, a domain name may have many
authoritative servers, spread around the world and also operated by different companies."
I can't see how that could work technically, but maybe I'm missing something - an example would be helpful
It could be a borderline case but I can think of a company which runs authoritative servers for its domain on its own and which buys a backup NS service from another company with servers out of borders. Maybe I'm missing something too?

Thanks,

--
Pier Carlo Chiodi
http://pierky.com/aboutme

The opinions expressed here represent my own and not those of any organization, entity or committee to which I may hold a position.
In message <D1AC4482BED7C04DAC43491E9A9DBEC3901E1628@BK-EXCHMBX01.blacknight.local>, at 02:10:47 on Sat, 25 Jan 2014, Michele Neylon - Blacknight <michele@blacknight.com> writes
I'm a bit confused by your assertions with respect to authoritative DNS.
Can you please provide examples of domains where the situation you described could exist?
Eg: "target domain name. In fact, for the sake of redundancy, a domain name may have many
authoritative servers, spread around the world and also operated by different companies."
{You know all this, so there's clearly some kind of terminology issue}

Each domain is supposed to have two Name Servers (maybe we could also discuss whether that's a better, or more familiar, term to use in the text). There's no reason why they have to be adjacent either physically or on the same network (ie same AS). Best practice is supposed to be that they should be separated, although many commercial hosting companies appear not to.

An over-complicated alternative example is the domain ripe.net, which has six such servers, only one of which is on ripe-ncc's network; the others are at nic.fr, apnic.net, isc.org and arin.net. http://mydnscheck.com/?domain=ripe.net

In the diagram on page 6 of the document (and onwards), it would assist the reader a great deal if the 'example' website in question was not something associated with IANA, because currently it gives the very strong impression that IANA is hosting everyone's authoritative servers.

I would suggest finding a suitable candidate, that isn't confusingly associated with any of the major I* organisations, with perhaps three diverse name servers. While not recommending it as the example for this paper, I note that intgovforum.org appears to have one hosting provider, with name servers on networks in Virginia, Georgia and Arizona.

--
Roland Perry
On 25 Jan 2014, at 02:10, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
Can you please provide examples of domains where the situation you described could exist?
Eg: "target domain name. In fact, for the sake of redundancy, a domain name may have many authoritative servers, spread around the world and also operated by different companies."
I can't see how that could work technically, but maybe I'm missing something - an example would be helpful
Ever heard of zone transfer Michele? :-)

Many organisations spread DNS service for their domains across multiple providers: avoiding single points of failure and all that. For instance many TLDs rely on a mixture of name servers they operate themselves, some provided by other TLD registries -- I'll slave your zone if you slave mine -- and others from commercial anycast providers.

It might be true that the majority of registrants just stick with whatever DNS is offered by their registrar but not all of them do that. Clueful ones certainly don't.
In message <1C69BAB0-37FC-48EF-A093-ED925C5D66F7@rfc1035.com>, at 09:42:18 on Sat, 25 Jan 2014, Jim Reid <jim@rfc1035.com> writes
It might be true that the majority of registrants just stick with whatever DNS is offered by their registrar but not all of them do that.
Clueful ones certainly don't.
For some value of "clueful". I expect the majority of registrants don't worry very much about continuity of service, nor would they even notice if their website was offline as a result (and the number who use something where an interruption might be more noticeable, like domain-based email rather than various cloud and connectivity-ISP-based email, must be an even smaller minority).

Their "clue" is more of a financial sort, where they are happy to pay a few tens of dollars a year for the less resilient service, compared to something much more expensive for the greater resilience. That's partly why I said, earlier, that "Best practice is supposed to be that they should be separated, although many commercial hosting companies appear not to."

Then there's the issue of hosting organisations who apparently put two Name Servers in the same /24 [for our non-technical readers that's two servers on the same branch-of-a-network-with-254-usable-IP-addresses, previously called a Class C; something that typically has no connectivity redundancy, even if such a design could cope with one of the two servers failing].

This is all a subset of a general theory which states that "when Internet users became so numerous that someone gave up trying to publish an annual list of them all in a paperback book, lots of stuff changed". {Was it 1994 - I have that book, bought in 1995... http://www.amazon.co.uk/The-Internet-White-Pages-1994/dp/1568843003 }

The best thing we as a WG can do is try to acknowledge that such changes *have* happened, that we have 2 Billion users, and when we are giving advice to Governments and Regulators it should be appropriate for a World with 2 billion users, not the 100 thousand trusted users that many clearly wish it still was. That boat sailed in 1995.

--
Roland Perry
Roland, you seem to be going off at a tangent. If you want to continue a discussion of what a "clueful" DNS user or robust DNS service means please take it to the DNS Working Group. Any definitions that emerge there can be fed into this WG. Assuming both WGs survive the heat death of the universe. :-)

In the context of the document we're discussing here -- DNS blocking for government and regulatory people -- the point that should be made is that DNS service for some domain does not necessarily rest with a single entity. ie all the authoritative name servers for a domain might not be under the same administrative and operational control: SLAs, reporting and incident response procedures, legal jurisdictions, contracts, T&Cs, etc.

Sent from a wee shiny thing with no keyboard that creates typos
In message <F92C6547-D30D-438C-9A07-808C796A86BA@rfc1035.com>, at 15:54:35 on Sat, 25 Jan 2014, Jim Reid <jim@rfc1035.com> writes
Roland, you seem to be going off at a tangent. If you want to continue a discussion of what a "clueful" DNS user or robust DNS service means please take it to the DNS Working Group.
There's no need, the extra resilience that redundant NS brings to the table is well understood. The question remains, however, as to whether individual website owners are expected to understand the hosting products to that degree of technical detail, or should they expect the services they are buying (from people who ought to be familiar with Best Practice) to be delivered to a reasonable standard. In other words, isn't it the industry who should be clueful, on the users' behalf? Although not immediately applicable to this document, it is however a question for governments and regulators with their "consumer protection" hats on.
In the context of the document we're discussing here -- DNS blocking for government and regulatory people -- the point that should be made is that DNS service for some domain does not necessarily rest with a single entity.
A simple tool for extracting this information from the DNS would be quite helpful for non-technical readers.

--
Roland Perry
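The "simple tool" Roland asks for, in the spirit of his ripe.net example and his remark about two name servers in the same /24, can be sketched as a diversity check over a domain's NS set: count how many distinct networks and how many distinct operators the authoritative servers appear to sit on, and flag the cases where DNS service clearly rests with a single entity. The block below is an added example written for this thread, not a tool from the list or from any participant. It runs offline on constructed data (RFC 5737 documentation addresses and made-up ".example" hostnames); in real use the NS and address records would be fetched live, for instance with dnspython, and the "operator" heuristic (registered domain of the name-server hostname) is an assumption that a serious tool would replace with a registrar or ASN lookup.

```python
"""Name-server diversity check (constructed, offline example).

Given the NS hostnames of a zone and the addresses they resolve to, report
how the authoritative service is spread across networks and operators and
list the findings a non-technical reader would care about.
"""
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed sample data. Addresses are from the RFC 5737 documentation
# ranges and the hostnames are invented; nothing here describes a real zone.
SAMPLE_ZONES: Dict[str, Dict[str, str]] = {
    # Two name servers in the same /24 at one provider: no real redundancy.
    "single-provider.example": {
        "ns1.single-provider.example": "192.0.2.10",
        "ns2.single-provider.example": "192.0.2.11",
    },
    # Servers spread over three networks run by three different operators,
    # the "slave my zone and I'll slave yours" arrangement from the thread.
    "diverse.example": {
        "ns.diverse.example": "192.0.2.53",
        "ns.backup-dns.example": "198.51.100.53",
        "ns.other-registry.example": "2001:db8:1::53",
    },
}


def operator_of(ns_host: str) -> str:
    """Approximate the operating organisation by the name server's
    registered domain (last two labels). Heuristic only (assumption)."""
    labels = ns_host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ns_host


def network_of(addr: str) -> str:
    """Group addresses by /24 (IPv4) or /48 (IPv6), the granularity at which
    the thread talks about 'same branch of a network'."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def ns_diversity(ns_to_addr: Dict[str, str]) -> Dict[str, object]:
    """Return counts of distinct networks/operators plus human-readable findings."""
    networks: Counter = Counter()
    operators: Counter = Counter()
    for host, addr in ns_to_addr.items():
        networks[network_of(addr)] += 1
        operators[operator_of(host)] += 1

    findings: List[str] = []
    if len(ns_to_addr) < 2:
        findings.append("fewer than two name servers")
    shared = [net for net, count in networks.items() if count > 1]
    if shared:
        findings.append("name servers share a network: " + ", ".join(shared))
    if len(operators) == 1:
        findings.append("all name servers appear to be run by one operator")

    return {
        "servers": len(ns_to_addr),
        "distinct_networks": len(networks),
        "distinct_operators": len(operators),
        "findings": findings,
    }


def report(zone: str, ns_to_addr: Dict[str, str]) -> str:
    """One-paragraph summary suitable for a non-technical reader."""
    d = ns_diversity(ns_to_addr)
    lines = [
        f"{zone}: {d['servers']} name server(s) on {d['distinct_networks']} "
        f"network(s), run by {d['distinct_operators']} operator(s)."
    ]
    for f in d["findings"]:
        lines.append(f"  - {f}")
    if not d["findings"]:
        lines.append("  - DNS service for this zone does not rest with a single entity.")
    return "\n".join(lines)


if __name__ == "__main__":
    for zone, servers in SAMPLE_ZONES.items():
        print(report(zone, servers))
```

The second sample illustrates Jim's point for the document: a blocking order served on one of the three operators would leave two authoritative servers, under different contracts and jurisdictions, untouched.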
On 26 Jan 2014, at 10:23, Roland Perry <roland@internetpolicyagency.com> wrote:
In other words, isn't it the industry who should be clueful, on the users' behalf? Although not immediately applicable to this document, it is however a question for governments and regulators with their "consumer protection" hats on.
I'm not sure it is Roland. In a regulatory/government context, DNS concerns will mainly be about "core infrastructure": ie are the root and TLD name servers operated robustly and responsibly; how do I know that; what contingency measures are needed if there's a catastrophic failure; and who do I call when there's a problem.

For the general public, I'd expect most governments and regulators would look to market forces to solve the issues around DNS robustness, just like they tend to rely on market forces to deal with the good and bad ISPs/hosting companies/registrars/etc. Some punters will pay a premium to get a better, more robust service. Others won't. Some domains must have bulletproof DNS service, others don't. That's how it should be.

There might be some second-order effects that do raise consumer protection issues and possibly others such as data protection, national sovereignty, etc. [For instance, ISPs who do NXDOMAIN rewriting => present barriers to DNSSEC roll-out. Or the use of overseas resolving services.] However these are not about the provision of clueful or clueless DNS service per se.
In message <64D1E31C-E56C-4ECE-8198-EE607AC216E9@rfc1035.com>, at 12:51:14 on Tue, 28 Jan 2014, Jim Reid <jim@rfc1035.com> writes
For the general public, I'd expect most governments and regulators would look to market forces to solve the issues around DNS robustness, just like they tend to rely on market forces to deal with the good and bad ISPs/hosting companies/registrars/etc. Some punters will pay a premium to get a better, more robust service. Others won't.
I agree that many governments and regulators don't currently address the issue of deficient service from telecoms providers. The first step is for there to be an acknowledgement that such a thing as deficient service exists (for example is a provision of one non-redundant NS in any sense "fit for purpose", let alone "complying with industry best practice").

If we can agree (here on this list) that there are many telecoms providers who either lack clue because they've cut costs by employing clueless staff, or have taken a commercial decision to deliver a clueless service, then that's one small step on our long journey.

I imagine that such deficiencies are as frustrating to conscientious service providers as they are to the public, as it tends to create a "race to the bottom".

--
Roland Perry
On 25 jan 2014, at 03:10, Michele Neylon - Blacknight <michele@blacknight.com> wrote:
I'm a bit confused by your assertions with respect to authoritative DNS.
Can you please provide examples of domains where the situation you described could exist?
Eg: "target domain name. In fact, for the sake of redundancy, a domain name may have many
authoritative servers, spread around the world and also operated by different companies."
I can't see how that could work technically, but maybe I'm missing something - an example would be helpful
Let me take a step back here, because I think the confusion is a terminology issue.

Using DNS-speak, an authoritative server is a name server that has the zone file. Either by having it "edited locally" (primary) or fetched using zone transfer (secondary). Both of these classes of name servers are authoritative.

The alternative are caching servers, that do not store the resource record sets given back longer than the TTL on the RR-Set that is received when a query is sent either to an authoritative server or to a caching server (recursive resolver).

A special set of authoritative servers are the ones NS records (in the parent zone) refer to.

So, Michele, it is in fact quite normal to have more than one authoritative server. All domain names that have more than one NS record referring to them have more than one.

Because of this, I do not think we disagree on functionality. We just disagree on words(*).

Patrik

(*) Frank Zappa on Crossfire about "words" <https://www.youtube.com/watch?v=8ISil7IHzxc>
Participants (5):
- Jim Reid
- Michele Neylon - Blacknight
- Patrik Fältström
- Pier Carlo Chiodi
- Roland Perry