I've noted various comments about the EU's DNS4EU initiative on the list over the last week or so. If anyone is interested in more detail and missed the related discussion on our weekly call a few weeks back, you can find the recording at https://419.consulting/encrypted-dns/f/dns4eu.
On 17 Dec 2021, at 11:21, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Fri, Dec 17, 2021 at 01:43:12AM +0000, Geoff Huston <gih@apnic.net> wrote a message of 67 lines which said:
The problem for everyone else is the incursion of a US private entity into the heart of the Internet's name resolution infrastructure.
Over the past 16 months the number of EU users who pass queries to Google's Public DNS has risen from a little over 15% to touching 30%.
If you are working in the EC and you see yet another piece of the Internet's digital communications infrastructure being aggregated and centralized by a gigantic US entity, then wouldn't you be a little bit disconcerted?
I think we all understand the starting point, and the concern of the EC. The problem is that they apparently don't provide a detailed problem analysis. Observing that the market share of US public resolvers increases is one thing; understanding why is another thing, and that is very important to solve the problem. Was there a survey about the reasons for this switch to these resolvers?
For instance, an important reason (maybe the main one) why users use US public resolvers is because they don't implement censorship (SciHub, football events, music and film sharing). The DNS4EU project is silent about whether or not they will have censorship (a problematic silence!) but I note that they claim DNS4EU is a lying resolver. Even if lies are initially limited to malware and C&C, I have no doubt that the IP people (IP not being the Internet Protocol) will, as soon as they discover DNS4EU, ask for censorship, and they are a very powerful lobby. If DNS4EU yields to their requirements, then the project is doomed.
The use of the pejorative term "lying" resolver is unhelpful in this context. It is important to acknowledge that the vast majority of Internet users are not experts; indeed most are unaware of either the purpose or the existence of DNS. They are however exposed to vast amounts of malicious content and, in my opinion, any mass-market resolver that does not block access to such content by default is not fit for purpose. In addition, for citizens of countries covered by GDPR, accessing a resolver located in the same jurisdiction is beneficial as it doesn't then export personal data elsewhere - US-based resolvers have the disadvantage of falling under the US CLOUD Act and FISA 702. As far as protection of intellectual property is concerned, it seems reasonable to me that Internet companies comply with court orders in the same way that other companies have to do so: despite the assertions of cyberlibertarians, the Internet is not a separate place beyond the reach of national legislation. This is just as well, otherwise we'd still be prey to the whims of surveillance capitalists and not protected by GDPR etc.
So I think this is not really about the quality of the alternatives available for European users (and ISPs) in the DNS resolution market.
I don't think that many people switched to Google or Cloudflare because of DNSSEC validation (unfortunately), but maybe they switched because of technical malfunctions. Each time there is a big breakage of the resolver of an IAP, everybody on the social networks advises "use 8.8.8.8" and people don't come back after that. So, even if DNSSEC doesn't matter, robustness does.
I know that one of the drivers of the DNS4EU project was to improve the resilience of Internet infrastructure given the way that increased centralisation has weakened this over the last few years. Providing an alternative open resolver is just one of several approaches being taken in this regard. An additional benefit of a European resolver is the opportunity to extract localised cybersecurity intelligence, something that I know the similar Canadian Shield project has already acknowledged has been an outcome of its operation. Many of the commercial threat feeds are US-centric whereas DNS4EU provides the ability to draw insight from what may be a significant European user base.

Andrew