Fwd: [cooperation-wg] Update on NIS 2: Proposed amendments by the Parliament alter scope on (root) DNS
Dear colleagues,

Please see below. This might also be interesting to the DNS WG.

Kind regards,
Mirjam

-------- Forwarded Message --------
Subject: [cooperation-wg] Update on NIS 2: Proposed amendments by the Parliament alter scope on (root) DNS
Date: Fri, 7 May 2021 12:12:06 +0200
From: Marco Hogewoning <marcoh@ripe.net>
Reply-To: Marco Hogewoning <marcoh@ripe.net>
To: cooperation-wg <cooperation-wg@ripe.net>

Dear colleagues,

We'd like to inform you that some changes have been proposed to NIS 2 that would accommodate some of the concerns raised by the RIPE NCC and the RIPE community.

As a quick recap: the European Commission proposed an update to the Network and Information Security Directive, commonly referred to as NIS 2, which would bring the DNS root servers into scope of the directive, resulting in regulatory oversight of the DNS root server operators.

Following our response on the NIS 2 proposal in the public feedback process, we reached out to a number of parties involved in the legislative process, including some members of the European Parliament, drawing attention to our concerns.

The ITRE committee, which is leading this dossier in the European Parliament, yesterday published its initial report listing a number of proposed amendments. We are happy to see that it has taken on board the concerns we and other community members have raised.

In particular, the committee proposes amending the scope of the directive to include:

"authoritative domain name resolution services as a service procurable by third-party entities".

We realise this leaves a substantial part of the DNS in scope; however, this change would address the concerns we raised in our response by removing from scope:

- DNS root operations
- Small and non-commercial operators, such as people running their own DNS servers

We are pleased to see these amendments and appreciate the rapporteur, MEP Groothuis, addressing our concerns.

The full report is available at:
https://www.europarl.europa.eu/doceo/document/ITRE-PR-692602_EN.pdf
(The relevant changes are on pages 6, 27 and 57.)

As a next step, the ITRE committee is provisionally scheduled to discuss this report on 27 May. We will continue to track the legislative process and keep you informed about the progress.

Regards,

Marco Hogewoning
Manager, Public Policy and Internet Governance
RIPE NCC

marco (proxied by mirjam:),

> In particular, the committee proposes amending the scope of the
> directive to include:
>
> "authoritative domain name resolution services as a service procurable
> by third-party entities".

for those of us not steeped in european commission speak, could you please describe in internet terms the dns operators and users included in and excluded from this set?

randy

Randy

The original language would have put All DNS servers in scope - so if you set up a server and shoved cPanel / Plesk / $software on it you'd probably end up with your own nameservers.

And now you'd suddenly be on the hook for a load of headaches.

The revised language means that hobbyists and small businesses who are NOT selling DNS and related services to 3rd parties are out of scope.

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
https://blacknight.blog/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Personal blog: https://michele.blog/
Some thoughts: https://ceo.hosting/
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland
Company No.: 370845

On 07/05/2021, 16:28, "dns-wg on behalf of Randy Bush" <dns-wg-bounces@ripe.net on behalf of randy@psg.com> wrote:

> marco (proxied by mirjam:),
>
> > In particular, the committee proposes amending the scope of the
> > directive to include:
> >
> > "authoritative domain name resolution services as a service procurable
> > by third-party entities".
>
> for those of us not steeped in european commission speak, could you
> please describe in internet terms the dns operators and users included
> in and excluded from this set?
>
> randy

hi michele,

IANAL and i try not to play one on the net. but ...

> The original language would have put All DNS servers in scope - so if
> you set up a server and shoved cPanel / Plesk / $software on it you'd
> probably end up with your own nameservers. And now you'd suddenly be on
> the hook for a load of headaches.
>
> The revised language means that hobbyists and small businesses who are
> NOT selling DNS and related services to 3rd parties are out of scope.

oh, i understand you and marco saying that. what i do not understand is how

    "authoritative domain name resolution services as a service procurable by third-party entities".

clearly delineates a set. my confusion mostly hangs on "procurable" and who "third parties" are.

if i use 77.88.8.1, which is free, am i procuring services? there is no financial transaction, which i colloquially take to be procuring.

if that is procuring yandex's service, then how is that different from pointing my client resolver at my isp's cache? in fact, the latter may be construed as a paid service, i.e. more of a procurement.

i can see that yandex is providing the service and i am consuming it. where the heck is a third party and are they bringing dessert?

what subset of these [sic] three parties must be in the EU to be covered by this?

randy, known to be easily confused

---
randy@psg.com
`gpg --locate-external-keys --auto-key-locate wkd randy@psg.com`
signatures are back, thanks to dmarc header butchery

On 7 May 2021, at 17:27, Randy Bush <randy@psg.com> wrote:

> > In particular, the committee proposes amending the scope of the
> > directive to include:
> >
> > "authoritative domain name resolution services as a service procurable
> > by third-party entities".
>
> for those of us not steeped in european commission speak, could you
> please describe in internet terms the dns operators and users included
> in and excluded from this set?

Hey Randy,

Just realised I had not responded yet, noticed a few others already gave their interpretation. As with your other response, I am also not a lawyer and I certainly recommend people to seek proper legal advice on these, especially if you think that your business or income might depend on the outcome. In that case also please make sure to take the whole of the proposal into consideration, DNS is only a small subset of services and operators that would be in scope.

Agree it is not the most beautiful piece of prose ever written, but it does the trick. The way I, as a layman, have understood this sentence to work is that if you put a sign up the door saying "host your DNS zones with me, only X money" you are likely to fall within this definition: you are allowing other people to buy (procure) this service from you and you would be running authoritative DNS servers for that service.

This in contrast to somebody who registers a domain and points the NS and glue records to a server they would operate for their own benefit and sell this as a service to others.

Now of course that would leave some providers in scope, but those operators might find that other parts of the proposal would also bring them into scope, regardless of whether they are defined as a DNS service provider. As a purely hypothetical example, but if you are a larger-than-life hosting provider and find that 30% of a country's webshops run on your platform, there might be other parts that could define you as critical or essential.

As to the other point you and a few others seem to raise: recursive resolvers. These are not addressed by this specific clause, but are defined in the sentence above, which is not changed from the original proposal. Again, taking into account the bigger picture, I'd assume that many of the access providers who operate such a service for their users, will be in scope for other reasons than running a DNS service.

On the contentious point of how to interpret the resolver/forwarder that comes as part of the CPE. There are discussions elsewhere on whether your modem forms part of the "internet access" product or not. You can probably argue that it would trickle down from the access provider, especially in cases where the CPE is under their management. But again, I am not an expert in this area and am happy to refer you to those who are and ask them for a proper legal analysis.

Regards,

MarcoH

participants (4)
- Marco Hogewoning
- Michele Neylon - Blacknight
- Mirjam Kuehne
- Randy Bush