Re: Allow DNSMON services to monitor ENUM domains

Ondrej,

I raised a number of issues about this proposal when you first presented this to the ENUM WG. To the best of my knowledge these have still not been resolved. Wearing no hats, my concerns are as follows:

1 DNS Monitoring is not a core NCC service. It should not be doing this IMO. It's OK for the NCC to monitor its own name servers, but that's all.

2 By offering a commercial DNS Monitoring service, the NCC is distorting the market. Its presence prevents other organisations from offering similar services because the barrier to entry has been artificially increased. And on top of that the NCC has cherry-picked the best customers.

3 The costs of the NCC's DNS monitoring service are not clear. Which raises the prospect of complaints about monopoly membership fees cross-subsidising non-core commercial activities. This is a particular worry of mine given that the NCC's initial investment in name server monitoring was met from its membership fees.

4 If any monitoring of ENUM delegations was to be done by the NCC, it must only be at the request of the Administration concerned. This avoids issues about national sovereignty. I accept this is unlikely to be a concern for many countries. But that will not be the case in the parts of the world that are hostile to Internet governance in its broadest sense being outside an international treaty organisation. It would not be wise IMO to open another window for those sorts of complaints and attacks.

Issues 1-3 have parallels with the historical situation of the NCC providing DNS service for ccTLDs. That situation is beginning to get untangled. And for the same reasons outlined above: non-core service, competition concerns, cross-subsidy, etc. It seems unwise to be opening up the same can of worms all over again just as an earlier one is starting to get cleared up.

On 4 Oct 2007, at 14:34, Jim Reid wrote:
1 DNS Monitoring is not a core NCC service. It should not be doing this IMO. It's OK for the NCC to monitor its own name servers, but that's all.
Disagree - the NCC is community led, and provides infrastructure services (including, but not limited to numbering resources) to the community. I strongly value the quality of independent data I receive as a stakeholder from services like DNSMON, but also TTM and RIS. Although my LIR could realistically have done everything it 'needed to' from a resource point of view with RIPE through another LIR, we joined because we value the work of the NCC in areas away from numbering resources.
2 By offering a commercial DNS Monitoring service, the NCC is distorting the market. Its presence prevents other organisations from offering similar services because the barrier to entry has been artificially increased. And on top of that the NCC has cherry-picked the best customers.
I think DNSMON is used for something completely different to real commercial monitoring services like alertsite.com and similar. Furthermore, can I get information about the availability/quality of root servers from the commercial guys? For free? I use this data from time to time, as do many more people in the community at large, and if RIPE didn't do it, someone else would. RIPE do it extremely well, and have the historical data - please let them continue.
3 The costs of the NCC's DNS monitoring service are not clear. Which raises the prospect of complaints about monopoly membership fees cross-subsidising non-core commercial activities. This is a particular worry of mine given that the NCC's initial investment in name server monitoring was met from its membership fees.
I don't have data to comment on this - but see my reply to (1) - we joined because we wanted to support the RIPE community work, as well as needing access to numbering resources. Best wishes, Andy Davidson

ncc-services-wg-admin@ripe.net wrote on 06/10/2007 10:43:55:
On 4 Oct 2007, at 14:34, Jim Reid wrote:
2 By offering a commercial DNS Monitoring service, the NCC is distorting the market. Its presence prevents other organisations from offering similar services because the barrier to entry has been artificially increased. And on top of that the NCC has cherry-picked the best customers.
I think DNSMON is used for something completely different to real commercial monitoring services like alertsite.com and similar. Furthermore, can I get information about the availability/quality of root servers from the commercial guys? For free? I use this data from time to time, as do many more people in the community at large, and if RIPE didn't do it, someone else would. RIPE do it extremely well, and have the historical data - please let them continue.
I just wanted to add my voice to the discussion. We rely on the data provided by DNSMON to monitor the global reachability of the .uk nameservers. The tool is used to assess our performance against KPIs and as a diagnostic tool. Given its usefulness I would certainly want to extend it to monitor ENUM nameservers. I can see the concern that Jim has, but the fact remains: If the service is not provided by RIPE, who would provide it? Who else has the traffic measurement boxes so well distributed? Not to mention the professional resources and experience. Regards, Ian

On Oct 8, 2007, at 11:16, Ian Meikle wrote:
If the service is not provided by RIPE, who would provide it? Who else has the traffic measurement boxes so well distributed? Not to mention the professional resources and experience.
I believe Verisign uses its global DNS infrastructure to monitor the root servers, as do some of the other root service operators. [Besides the NCC. :-)] UltraDNS/Neustar monitor their global DNS platform. And I expect Afilias would be in a position to offer this service once their anycast infrastructure is fully deployed. Presumably these organisations would be prime candidates to offer a DNS monitoring service if there was a level playing field. CAIDA has monitoring boxes deployed all over the place, though they may be unable to get involved in commercial activities or deliver "service". Another possibility could be for CENTR to offer this service to its members. Maybe ICANN/IANA could do this? Shouldn't they be gathering statistics on the health of the DNS and keeping track of critical DNS infrastructure?

Your remarks about "professional resources and experience" are particularly troubling for me Ian. It can (and may well be argued) that the NCC's presence in this emerging market is stifling others from offering DNS monitoring services and creates an artificial barrier to entry. That makes it harder for a competitor to pay for equipment, staff and gain operational experience. And meanwhile the NCC has cherry-picked the best (and probably the richest) customers.

This is why I drew parallels with the NCC's DNS hosting service. In the early days of the net, it made sense for the NCC to host TLDs. Now it doesn't. So the NCC is gracefully exiting that "business". Entering the DNS monitoring business -- and watch the mission creep that's happened here! -- looks to be a repeat of those earlier well-meaning but misplaced intentions.

ncc-services-wg-admin@ripe.net wrote on 08/10/2007 11:59:22:
On Oct 8, 2007, at 11:16, Ian Meikle wrote:
If the service is not provided by RIPE, who would provide it? Who else has the traffic measurement boxes so well distributed? Not to mention the professional resources and experience.
I believe Verisign uses its global DNS infrastructure to monitor the root servers, as do some of the other root service operators. [Besides the NCC. :-)] UltraDNS/Neustar monitor their global DNS platform. And I expect Afilias would be in a position to offer this service once their anycast infrastructure is fully deployed. Presumably these organisations would be prime candidates to offer a DNS monitoring service if there was a level playing field. CAIDA has monitoring boxes deployed all over the place, though they may be unable to get involved in commercial activities or deliver "service". Another possibility could be for CENTR to offer this service to its members. Maybe ICANN/IANA could do this? Shouldn't they be gathering statistics on the health of the DNS and keeping track of critical DNS infrastructure?
Are these commercial offerings? We are a customer of UltraDNS/Neustar for DNS provision and it has never been suggested that we use their monitoring services. Any new service from Centr or ICANN/IANA would (a) take too long to set up, and (b) be subject to the same arguments you are making against DNSMON.
Your remarks about "professional resources and experience" are particularly troubling for me Ian. It can (and may well be argued) that the NCC's presence in this emerging market is stifling others from offering DNS monitoring services and creates an artificial barrier to entry. That makes it harder for a competitor to pay for equipment, staff and gain operational experience. And meanwhile the NCC has cherry-picked the best (and probably the richest) customers.
Sorry to worry you Jim ;-) What I was trying to point out was that this is already an established service, widely used by the RIPE LIR community and beyond. If we prevent it being extended to ENUM then we are left without a viable way of monitoring those nameservers.
This is why I drew parallels with the NCC's DNS hosting service. In the early days of the net, it made sense for the NCC to host TLDs. Now it doesn't. So the NCC is gracefully exiting that "business". Entering the DNS monitoring business -- and watch the mission creep that's happened here! -- looks to be a repeat of those earlier well-meaning but misplaced intentions.
I see a difference here. DNS hosting is an established field in which there are numerous providers. I am not aware of any other providers of a service similar to DNSMON. It may be that the market is not mature enough yet. In that case, if RIPE is the only place we can go to for this then let us use it. Ian

Are these commercial offerings? We are a customer of UltraDNS/Neustar for DNS provision and it has never been suggested that we use their monitoring services.
Has anyone asked for a quote?
Any new service from Centr or ICANN/IANA would (a) take too long to set up, and (b) be subject to the same arguments you are making against DNSMON.
I don't agree the same arguments could be made. But even if they were, that would be a problem for the organisation concerned. It wouldn't be the NCC's problem. :-)
Sorry to worry you Jim ;-) What I was trying to point out was that this is already an established service, widely used by the RIPE LIR community and beyond. If we prevent it being extended to ENUM then we are left without a viable way of monitoring those nameservers.
REALLY?!?! Are you seriously telling me that Nominet cannot monitor the UK's ENUM servers without buying DNSMON? I very much hope not.... What did Nominet do to keep an eye on the .uk name servers before DNSMON came along? Besides, whether DNSMON is widely used or not is beside the point. It's not a core NCC activity. If the NCC spins off DNSMON into an independent, self-funded entity, that's fine. But when DNSMON is part of a monopoly RIR and (partly?) funded from that monopoly's membership fees.... We can see where that is headed. And that's before we consider the competition aspects.
I see a difference here. DNS hosting is an established field in which there are numerous providers. I am not aware of any other providers of a service similar to DNSMON. It may be that the market is not mature enough yet. In that case, if RIPE is the only place we can go to for this then let us use it.
I've suggested a number of other possibilities. Perhaps they could be approached? There might be a stronger case for DNSMON if it could be shown that nobody else was willing or able to provide the service at a reasonable price. Your comments about the market not being mature are very true Ian. This is all the more reason for the NCC to keep out. Its presence deters others from coming forward and prevents a free, competitive market from being established. Your argument is a bit like saying everybody should support Manchester United because they're the biggest and most successful team with the best players. Which I know will annoy you Ian as your football affiliations rest elsewhere... :-)

ncc-services-wg-admin@ripe.net wrote on 08/10/2007 13:00:03:
Are these commercial offerings? We are a customer of UltraDNS/Neustar for DNS provision and it has never been suggested that we use their monitoring services.
Has anyone asked for a quote?
I didn't know there was a service there, so I'm unlikely to ask for a quote.
Any new service from Centr or ICANN/IANA would (a) take too long to set up, and (b) be subject to the same arguments you are making against DNSMON.
I don't agree the same arguments could be made. But even if they were, that would be a problem for the organisation concerned. It wouldn't be the NCC's problem. :-)
Sorry to worry you Jim ;-) What I was trying to point out was that this is already an established service, widely used by the RIPE LIR community and beyond. If we prevent it being extended to ENUM then we are left without a viable way of monitoring those nameservers.
REALLY?!?! Are you seriously telling me that Nominet cannot monitor the UK's ENUM servers without buying DNSMON? I very much hope not.... What did Nominet do to keep an eye on the .uk name servers before DNSMON came along?
You are wilfully misunderstanding me here. We can and do monitor our nameservers. What we can't get is the global picture that DNSMON provides, and this allows us to determine the scope of any incident affecting them. Anyway, the argument here is not whether a service to monitor nameservers is required, but who provides it.
Besides, whether DNSMON is widely used or not is beside the point. It's not a core NCC activity. If the NCC spins off DNSMON into an independent, self-funded entity, that's fine. But when DNSMON is part of a monopoly RIR and (partly?) funded from that monopoly's membership fees.... We can see where that is headed. And that's before we consider the competition aspects.
We are approaching this from different angles. As the operator of a major DNS infrastructure I want to use whatever systems are available to ensure I have the best view of that infrastructure. I also want to be able to extend those systems to monitoring my new DNS infrastructure. I presume you are speaking as a RIPE NCC board member, and I think it is valuable to raise the point of a potential monopoly. But still, DNSMON exists and nothing else comes close. If we aren't able to extend it to cover new services then they will (potentially) be poorer as a result.
I see a difference here. DNS hosting is an established field in which there are numerous providers. I am not aware of any other providers of a service similar to DNSMON. It may be that the market is not mature enough yet. In that case, if RIPE is the only place we can go to for this then let us use it.
I've suggested a number of other possibilities. Perhaps they could be approached? There might be a stronger case for DNSMON if it could be shown that nobody else was willing or able to provide the service at a reasonable price.
I'm willing to consider other providers. But even if there were other services I would continue to use DNSMON.
Your comments about the market not being mature are very true Ian. This is all the more reason for the NCC to keep out. Its presence deters others from coming forward and prevents a free, competitive market from being established.
Your argument is a bit like saying everybody should support Manchester United because they're the biggest and most successful team with the best players. Which I know will annoy you Ian as your football affiliations rest elsewhere... :-)
Notts County (http://en.wikipedia.org/wiki/Notts_County) are the oldest professional football club in the world. They are not the biggest today by quite some way. I don't want to take the football analogy too far, but it shows that things change. It may be that someone can provide a better service and DNSMON will be eclipsed. Until then I want to be able to use it.

On Oct 8, 2007, at 13:57, Ian Meikle wrote:
I presume you are speaking as a RIPE NCC board member
Nope. I am speaking as a concerned member of the public. As someone who's had the NCC literally eat my lunch by offering "free" DNSSEC training courses. And as a former employee of an LIR who saw their membership fees being used by the NCC to nurture DNS software that undermined that company's products.

If the NCC continues to dabble in these sorts of non-core activities, it will eventually attract unwanted attention from regulators and competition authorities. Extending the scope of DNSMON is the thin edge of a very, very big wedge.

BTW, there was a time 4-5 years ago when I considered setting up a DNS monitoring business. I didn't pursue this as the numbers didn't add up for me. The risks were too great and the rewards didn't justify taking them: too much capital outlay and not enough revenue. [Which begs the question about the NCC's sums for DNSMON.] I'm glad I didn't set up that business as the NCC's later entrance into that market would have bankrupted me. And no, this is not sour grapes because someone else has established such a business.

Although the board has discussed DNSMON from time to time, it would be quite wrong to suggest that I am speaking for the board on this matter or speaking as a member of the board. If I was, that would be very clearly signalled.

On 8 Oct 2007, at 14:33, Jim Reid wrote:
On Oct 8, 2007, at 13:57, Ian Meikle wrote:
I presume you are speaking as a RIPE NCC board member Nope. I am speaking as a concerned member of the public.
We're all well aware of the objections you have as an individual, but each time this topic arises, you see that we don't agree. Perhaps, as an individual, you should take note of this. Your arguments have no support here. Perhaps it's time to accept that?

You're also an NCC board member, and as such were elected to represent the views of the membership. Those views are apparent from the messages sent in response to your perpetual opposition, and by consistently protesting, you are failing to represent those views. We've heard the same arguments from you time and time again, and the community rebuff your stance each time.

We really appreciate you sharing your opinions with us. We don't agree. You have our collective/community opinion, and it is this which matters :-)

Warm wishes,
Andy Davidson

I am reluctant to send this so Andy can again criticise me for disagreeing. :-) On Oct 8, 2007, at 16:56, Andy Davidson wrote:
You're also an NCC board member, and as such were elected to represent the views of the membership.
Of course Andy. But I would expect the membership elects its board members to do a lot more than just that. For example by exercising their independent judgement in the best interests of the NCC as a whole.
Those views are apparent from the messages sent in response to your perpetual opposition, and by consistently protesting, you are failing to represent those views.
If the WG declares consensus for the "community view" on this subject, or anything else for that matter, I will of course as a board member do my best to represent those views as far as I am able to. It's not clear we're at that point yet. However I am very disappointed that you seem to be saying I should just shut up and not be entitled to voice my opinions because they happen to disagree with yours. Or that a board member, even when speaking in a personal capacity, cannot contribute to a WG's discussions or policy-making proposals. There's a valid debate to be had on this subject and its wider implications. This WG would be remiss if it did not allow a reasoned, open exchange of views from all sides. I hope we can at least agree on that. :-)

On 8 Oct 2007, at 18:44, Jim Reid wrote:
However I am very disappointed that you seem to be saying I should just shut up and not be entitled to voice my opinions because they happen to disagree with yours. Or that a board member, even when speaking in a personal capacity, cannot contribute to a WG's discussions or policy-making proposals.
It's hard to differentiate between Jim wearing his jewel encrusted NCC board crown and Jim wearing his tasteful Lochcarron beret tam - can you really offer a truly impartial viewpoint on a matter which has caused you both personal and professional angst, and in which you have an NCC board interest? While I realise you are making valid points, I genuinely think you're damaging your professional integrity by pushing this argument which has a waft of sour grapes to it. I'm truly surprised that your board colleagues allow this to continue unchecked - you hurt them and yourself.
There's a valid debate to be had on this subject and its wider implications. This WG would be remiss if it did not allow a reasoned, open exchange of views from all sides. I hope we can at least agree on that. :-)
Reasoned debate is welcome, but difficult to conduct when dominated by the extreme views of one individual. This DNSMON/ENUM proposal is well supported, and looks likely to be approved. While the discussion surrounding it might look like a good conduit for you to air your viewpoints, you can't effect the change you desire unless you bring forward your own proposal. These rounds of ceaseless rhetoric are a waste of time because they do not relate to the proposal at hand. Bring *your* proposal, and then we can have *your* discussion.

With best regards,
Andy Davidson

Hi, On Tue, Oct 09, 2007 at 03:22:12PM +0100, Andy Davidson wrote:
This DNSMON/ENUM proposal is well supported, and looks likely to be approved.
Following the discussion, I see three voices of support and one voice of doubt (plus other voices that go into technicalities without expressing a clear voice in either direction). I'm not sure whether I see this as "well supported". Just because you have a different opinion from Jim doesn't mean his points are invalid or he is doing a bad job as board member.

Personally, I can see both sides of the debate, and my suggestion would be "have those that use DNSMON pay a fair price for it" ("those" would be "owners/operators of DNS servers that are monitored"). I do think that the RIPE NCC is uniquely qualified to run the job - due to its proven neutrality and competence - but indeed, there is a certain danger of distorting the market, so this should not be "for free".

Gert Doering
-- APWG chair, but speaking as "net user"
--
Total number of prefixes smaller than registry allocations: 122119
SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen
Vorstand: Sebastian v. Bomhard
Aufsichtsratsvors.: A. Grundner-Culemann
HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444
USt-IdNr.: DE813185279

On Oct 9, 2007, at 15:22, Andy Davidson wrote:
It's hard to differentiate between Jim wearing his jewel encrusted NCC board crown and Jim wearing his tasteful Lochcarron beret tam
I have already stated that if I am ever speaking as a board member or on behalf of the board, that would be made perfectly clear. I am happy to repeat that.
can you really offer a truly impartial viewpoint on a matter which has caused you both personal and professional angst, and in which you have an NCC board interest?
Yes. I work as a freelance consultant. So I have plenty of practice at putting my personal and professional feelings to one side in order to act in the best interests of my clients. I use those skills on the boards that I serve. From that perspective, the NCC is just another client. Can I suggest that if you want to continue this discussion, we do so in private? This is no longer appropriate for the list.

On 9 Oct 2007, at 15:40, Jim Reid wrote:
Can I suggest that if you want to continue this discussion, we do so in private? This is no longer appropriate for the list.
Jim - I am happy to talk to you in private, and I agree we have strayed offtopic. As I see it, there remains one pertinent issue at hand :- I support Ondrej Sury's proposal, "Allow DNSMON services to monitor ENUM domains". As for Jim's concerns - I will wait for him to submit his proposal. Regards, Andy Davidson.

On Oct 9, 2007, at 15:57, Andy Davidson wrote:
As for Jim's concerns - I will wait for him to submit his proposal.
I thought I already had... :-) Here it is again, perhaps more explicitly than before.

There are a number of other organisations who are monitoring DNS servers, some of whom may be willing to offer this as a commercial service. IMO those advocating the NCC is the only provider of DNS monitoring servers should demonstrate that that is the case, or that alternative offerings are tainted in some way and cannot be as impartial as the NCC's would be. If there really is no alternative, then the justification for extending the scope of the NCC offering is on stronger foundations. My earlier concerns still stand -- unless contradictory evidence emerges. Those concerns would diminish, but not go away, if it does turn out that there is no viable alternative and that fact is clearly documented.

ncc-services-wg-admin@ripe.net wrote on 09/10/2007 16:35:21:
On Oct 9, 2007, at 15:57, Andy Davidson wrote:
As for Jim's concerns - I will wait for him to submit his proposal.
I thought I already had... :-)
Here it is again, perhaps more explicitly than before.
There are a number of other organisations who are monitoring DNS servers, some of whom may be willing to offer this as a commercial service. IMO those advocating the NCC is the only provider of DNS monitoring servers should demonstrate that that is the case, or that alternative offerings are tainted in some way and cannot be as impartial as the NCC's would be. If there really is no alternative, then the justification for extending the scope of the NCC offering is on stronger foundations. My earlier concerns still stand -- unless contradictory evidence emerges. Those concerns would diminish, but not go away, if it does turn out that there is no viable alternative and that fact is clearly documented.
I think there is a contradiction here. You say there are organisations that provide this service, but then also say that other organisations are prevented from offering this service because RIPE do. I am not aware of any other services. At the risk of advertising, can you send specific details of alternative services to the list? If you do then I for one will look at them. Ian

Hi Jim, all

I wear too many hats to even remember which is which so I'll just put on my "I operate some DNS stuff hat".

Firstly I don't believe that adding e164.arpa zones to the monitoring will make a withdrawal from offering DNSMON services in the future any harder than it is today. The initial proposal is about extending the space monitored.

Jim's underlying premise, correct me if I'm wrong Jim, is that the NCC should not be offering the DNSMON service at all.

I don't think anyone is advocating that the NCC is the only operator of such a service. I just don't see anyone offering anything remotely close to what DNSMON offers. As an operator DNSMON is "one of" the tools that I use to monitor my systems, I value it as a neutral addition to the pool of tools I have at my disposal. I've always seen DNSMON more as a service to the community rather than to me as operator of one of the servers monitored.

RIPE NCC was set up to help enable the collaboration that was RIPE. It did become the RIR and is funded by the NCC members rather than all of RIPE but one of the underlying principles has always been to support the community and to offer services that add value to that community. The check and balance mechanism has always been the membership (and of course the board). If the members believe that this is a valid service for the NCC to offer, or in this case the extension of the service, then so be it.

You are correct, there is some risk that operating services like these can distort the market. It is something that during my time at the NCC we were very aware of and I am quite positive that this awareness has not lessened over the years. However without the RIPE NCC taking such projects on, I believe that we would not have things like the Test Traffic Measurement work RIPE NCC did, RIS or DNSMON and that would, IMHO, be a bad thing.

I personally think that at this moment the benefits of DNSMON still outweigh the risks.

John Crain

On 9 Oct 2007, at 08:35, Jim Reid wrote:
On Oct 9, 2007, at 15:57, Andy Davidson wrote:
As for Jim's concerns - I will wait for him to submit his proposal.
I thought I already had... :-)
Here it is again, perhaps more explicitly than before.
There are a number of other organisations who are monitoring DNS servers, some of whom may be willing to offer this as a commercial service. IMO those advocating the NCC is the only provider of DNS monitoring servers should demonstrate that that is the case, or that alternative offerings are tainted in some way and cannot be as impartial as the NCC's would be. If there really is no alternative, then the justification for extending the scope of the NCC offering is on stronger foundations. My earlier concerns still stand -- unless contradictory evidence emerges. Those concerns would diminish, but not go away, if it does turn out that there is no viable alternative and that fact is clearly documented.

On 9 Oct 2007, at 16:35, Jim Reid wrote:
IMO those advocating the NCC is the only provider of DNS monitoring servers should [...]
Perhaps I missed something. Is anyone advocating that? If not, why suggest that they should [...]?

/Niall

You're also an NCC board member, and as such were elected to represent the views of the membership.
< American business cultural perspective >

board members have a fiduciary duty to the health and direction of the organization, not the interests of a segment of the membership.

randy

On 8 Oct 2007, at 13:00, Jim Reid wrote:
But when DNSMON is part of a monopoly RIR and (partly?) funded from that monopoly's membership fees....
Is that so? I was given to understand that the costs of the Test Traffic service (of which DNSMON is an optional part) were borne by the subscribers to that service, and not subsidised by membership fees. It is possible either that my recollection is faulty, or that I just misunderstood. /Niall

On Oct 8, 2007, at 15:02, Niall O'Reilly wrote:
But when DNSMON is part of a monopoly RIR and (partly?) funded from that monopoly's membership fees....
Is that so?
Well it certainly smells that way to anyone that's outside the RIPE goldfish bowl.
I was given to understand that the costs of the Test Traffic service (of which DNSMON is an optional part) were borne by the subscribers to that service, and not subsidised by membership fees.
<Board Hat On>I don't know. But I can find out.<Board Hat Off> It may be hard to identify all of these costs: eg what percentage of the heating and electricity bills can be exclusively attributed to Test Traffic activities?

On 8 Oct 2007, at 15:32, Jim Reid wrote:
On Oct 8, 2007, at 15:02, Niall O'Reilly wrote:
But when DNSMON is part of a monopoly RIR and (partly?) funded from that monopoly's membership fees....
Is that so?
Well it certainly smells that way to anyone that's outside the RIPE goldfish bowl.
I see a communication issue there, not a reason to avoid offering (or extending) a service.
I was given to understand that the costs of the Test Traffic service (of which DNSMON is an optional part) were borne by the subscribers to that service, and not subsidised by membership fees.
<Board Hat On>I don't know. But I can find out.<Board Hat Off>
That's one approach. Maybe someone who knows will take the hint, and save you the trouble. Point taken about attribution of overhead costs. With appropriate clarity of accounting and communication, this should not be a reason to avoid [... as above ...] either. /Niall

Replying to no-body in particular. The discussion has been framed in terms of a service for particular TLDs or operators. I think that one argument has not been articulated. The DNSMON service has been used in the past to debunk a number of myths about the stability of the DNS system as a whole. Those myths regularly reappear and may have (global) layer 9 implications. Therefore I think it is important that the data is provided by a monitoring service that is run by a technically competent and neutral party. In that context this task fits in the "the support of the stable operation of the Internet" and I would argue that it is a core activity of the NCC (given that that quote is from Article 3, objectives, of articles of association ;-) ) Since I can imagine that for ENUM there will be myths to be debunked I think that extending the service in that direction (tier 0 and 1 level zones) makes sense. hatless, --Olaf ----------------------------------------------------------- Olaf M. Kolkman NLnet Labs http://www.nlnetlabs.nl/

ncc-services-wg-admin@ripe.net wrote on 08/10/2007 16:36:16:
Replying to no-body in particular.
The discussion has been framed in terms of a service for particular TLDs or operators. I think that one argument has not been articulated.
The DNSMON service has been used in the past to debunk a number of myths about the stability of the DNS system as a whole. Those myths regularly reappear and may have (global) layer 9 implications. Therefore I think it is important that the data is provided by a monitoring service that is run by a technically competent and neutral party.
In that context this task fits in the "the support of the stable operation of the Internet" and I would argue that it is a core activity of the NCC (given that that quote is from Article 3, objectives, of articles of association ;-) )
Since I can imagine that for ENUM there will be myths to be debunked I think that extending the service in that direction (tier 0 and 1 level zones) makes sense.
The point I take from this is that the DNSMON service is transparent. We pay for our service to be monitored, but everyone can see the results of that monitoring, and that motivates us to ensure good service. For us to act in that way we have to have total trust in the impartiality of the organisation providing that service. All the commercial organisations suggested in a previous email (Verisign, Neustar, Afilias) as potential suppliers are also potential commercial rivals to us as a TLD registry. I have no reason to doubt they would act scrupulously, but I would have reservations about using them all the same. The other potential suppliers (Centr, IANA, Caida) would be a closer fit, but none have shown an inclination to offer such a service. Ian

Niall O'Reilly wrote:
On 8 Oct 2007, at 13:00, Jim Reid wrote:
But when DNSMON is part of a monopoly RIR and (partly?) funded from that monopoly's membership fees....
Is that so?
I was given to understand that the costs of the Test Traffic service (of which DNSMON is an optional part) were borne by the subscribers to that service, and not subsidised by membership fees.
I definitely clear an annual *additional* (to the LIR cost) invoice for the TT-Service and the care-and-feeding of our TTM Box :-)
It is possible either that my recollection is faulty, or that I just misunderstood.
I definitely know that the NCC has spent quite some effort to drastically reduce or eliminate those cross-subsidising things. That's one of the reasons why the att. fees for RIPE Meetings have gone up considerably over the years, and new LIRs get a (2?) voucher/s as part of their sign-up fees.
/Niall
I presume this stuff is never perfect or completely done, but IMHO the NCC is fully aware of these issues. Wilfried.

On 08.10 13:00, Jim Reid wrote:
... Besides, whether DNSMON is widely used or not is beside the point. It's not a core NCC activity. If the NCC spins off DNSMON into an independent, self-funded entity, that's fine. But when DNSMON is part of a monopoly RIR and (partly?) funded from that monopoly's membership fees....
Full disclosure: I am a long standing member of the (European) Internet community and speak as such. But be informed of these other things: My personal view is that the RIPE NCC needs to be much more than a number "factory". I am on record with this view consistently over time and from far before the NCC was actually established. [Ref: RIPE meeting minutes, ripe-019, ...] I am the founding CEO of the RIPE NCC and currently serve it in the role of Chief Scientist. I am the inventor of DNSMON and I implemented most of the first version of it; Marc Santcroos designed and implemented the probing software on the test boxes. Facts: DNSMON is a public service in the sense that we publish the measurements to the world without any reservation. DNSMON serves the RIPE community by providing hard data about the quality and stability of the DNS by a professional, neutral and widely trusted organisation. In particular DNSMON serves the RIPE NCC membership because ISPs tend to depend on a stable DNS for the success of their business. This enables the RIPE members to assure themselves, and those guarding the public interest, that things are in hand. DNSMON serves the TLD operators both by providing a useful operational monitoring service for them, but also by publishing professional, neutral and widely trusted data about TLD DNS service quality. This enables the TLD operators to point to a neutral "audit" of their DNS service quality. Since DNSMON serves both the RIPE NCC membership *and* the TLD operators, both the RIPE NCC membership and the TLD operators fund the operation of the DNSMON service. Both the RIPE community and the RIPE NCC membership agree with this arrangement which was widely discussed and is documented in ripe-271. The operational details on how TLD operators fund the DNSMON service can be found in ripe-342. 
Opinions: Providing services such as DNSMON positions the RIPE NCC as a professional, neutral and above all *trusted* source of hard data and factual information about the operation of the Internet in our service region and beyond. This is invaluable when it comes to defend industry self regulation, fight inappropriate government regulation and maintain a stable environment in which the Internet can flourish and the businesses of the RIPE membership can be successful. If the RIPE NCC were to reduce itself to a "number factory" this kind of neutrally provided hard data would not be available. It has been pointed out on this list that there are very few organisations that enjoy the level of trust that we have built over more than 15 years. If the RIPE NCC were to reduce itself to a "number factory" it would be much more susceptible to hostile takeover. If the RIPE NCC were to reduce itself to a "number factory" it could not even do this job well, because it would forego the very data that links the "number factory" to the real world. The governance of the RIPE NCC is extremely open, transparent and accessible. As long as this governance process supports what the RIPE NCC is doing, the "monopoly" arguments are irrelevant. Those who provide the funds are fully represented in the RIPE NCC governance and can influence what the RIPE NCC does directly. Others can provide input via RIPE which is always taken very seriously. Divesting RIPE NCC measurement services into a separate organisation is not necessary as long as the RIPE NCC membership agrees to the RIPE NCC providing those services under the framework of ripe-271. This whole discussion is destructive rather than constructive. A need to monitor ENUM "TLDs" is raised. DNSMON exists and can do it. A mechanism for ENUM "TLD" operators to contribute to the funding of the service exists. No other trusted service exists. So unless another trusted service either exists or is about to exist this remains destructive. Daniel

Jim, Jim Reid wrote:
[...] Another possibility could be for CENTR to offer this service to its members. [...]
I would be surprised if CENTR all of a sudden would add technical operations to its business. But I guess you used CENTR as a mere placeholder for your example, right? :-) Best, Carsten

Jim Reid wrote on Thu 04. 10. 2007 at 14:34 +0100:
Ondrej, I raised a number of issues about this proposal when you first presented this to the ENUM WG. To the best of my knowledge these have still not been resolved.
Wearing no hats, my concerns are as follows:
1 DNS Monitoring is not a core NCC service. It should not be doing this IMO. It's OK for the NCC to monitor its own name servers, but that's all.
2 By offering a commercial DNS Monitoring service, the NCC is distorting the market. Its presence presents other organisations from offering similar services because the barrier to entry has been artificially increased. And on top of that the NCC has cherry-picked the best customers.
3 The costs of the NCC's DNS monitoring service are not clear. Which raises the prospect of complaints about monopoly membership fees cross-subsidising non-core commercial activities. This is a particular worry of mine given that the NCC's initial investment in name server monitoring was met from its membership fees.
I understand your concerns in Issue 1-3, but it seems to me, that you are arguing with DNSMON service itself and not with my proposal which is meant to broaden scope of DNSMON service.
4 If any monitoring of ENUM delegations was to be done by the NCC, it must only be at the request of the Administration concerned. This avoids issues about national sovereignty. I accept this is unlikely to be a concern for many countries. But that will not be the case in the parts of the world that are hostile to Internet governance in its broadest sense being outside an international treaty organisation. It would not be wise IMO to open another window for those sorts of complaints and attacks.
Can you please clarify what do you mean by "at the request of the Administration concerned"? Who is Administration? Tier-1 operator?
Issues 1-3 have parallels with the historical situation of the NCC providing DNS service for ccTLDs. That situation is beginning to get untangled. And for the same reasons outlined above: non-core service, competition concerns, cross-subsidy, etc. It seems unwise to be opening up the same can of worms all over again just as an earlier one is starting to get cleared up.
Ondrej. -- Ondřej Surý technický ředitel/Chief Technical Officer ----------------------------------------- CZ.NIC, z.s.p.o. -- .cz domain registry Americká 23,120 00 Praha 2,Czech Republic mailto:ondrej.sury@nic.cz http://nic.cz/ sip:ondrej.sury@nic.cz tel:+420.222745110 mob:+420.739013699 fax:+420.222745112 -----------------------------------------

On Oct 8, 2007, at 10:29, Ondřej Surý wrote:
I understand your concerns in Issue 1-3, but it seems to me, that you are arguing with DNSMON service itself and not with my proposal which is meant to broaden scope of DNSMON service.
That's absolutely correct Ondřej. However the two things are linked. It will be harder and more expensive for the NCC to exit the DNS monitoring business -- as it will surely have to do eventually -- if the DNSMON service has strayed even further from its initial purpose. Which, IIRC, was to monitor the NCC's own DNS infrastructure.
Can you please clarify what do you mean by "at the request of the Administration concerned"? Who is Administration? Tier-1 operator?
I was deliberately vague here. :-) It could be the Tier-1 operator. Or it might be the government/regulator. It depends on the national circumstances. <CC>.e164.arpa is a National Resource, just like a country's territory and air space. Nobody should be poking around in <CC>.e164.arpa without proper authority. Just like we usually have to show passports when crossing borders.

Jim Reid wrote on Mon 08. 10. 2007 at 12:14 +0100:
On Oct 8, 2007, at 10:29, Ondřej Surý wrote:
I understand your concerns in Issue 1-3, but it seems to me, that you are arguing with DNSMON service itself and not with my proposal which is meant to broaden scope of DNSMON service.
That's absolutely correct Ondřej. However the two things are linked. It will be harder and more expensive for the NCC to exit the DNS monitoring business
Here I don't agree with you. How does adding some ENUM domains make it harder than adding more TLD domains? Anyway: 3.4.e164.arpa (AT), 1.3.e164.arpa (NL) and 0.2.4.e164.arpa (CZ) are already monitored by DNSMON. So in a way my proposal just formalizes current state of things.
as it will surely have to do eventually -- if the DNSMON service has strayed even further from its initial purpose. Which, IIRC, was to monitor the NCC's own DNS infrastructure.
Can you please clarify what do you mean by "at the request of the Administration concerned"? Who is Administration? Tier-1 operator?
I was deliberately vague here. :-) It could be the Tier-1 operator. Or it might be the government/regulator. It depends on the national circumstances. <CC>.e164.arpa is a National Resource, just like a country's territory and air space. Nobody should be poking around in <CC>.e164.arpa without proper authority. Just like we usually have to show passports when crossing borders.
Ok, understood (probably :-)). Ondrej. -- Ondřej Surý technický ředitel/Chief Technical Officer ----------------------------------------- CZ.NIC, z.s.p.o. -- .cz domain registry Americká 23,120 00 Praha 2,Czech Republic mailto:ondrej.sury@nic.cz http://nic.cz/ sip:ondrej.sury@nic.cz tel:+420.222745110 mob:+420.739013699 fax:+420.222745112 -----------------------------------------

On 08.10 12:14, Jim Reid wrote:
... I was deliberately vague here. :-) It could be the Tier-1 operator. Or it might be the government/regulator. It depends on the national circumstances. <CC>.e164.arpa is a National Resource, just like a country's territory and air space. Nobody should be poking around in <CC>.e164.arpa without proper authority. Just like we usually have to show passports when crossing borders.
I have never understood this argument really. The DNS can be viewed as a mechanism to publish information to the Internet at large. Why would it be improper to query the published information as long as such querying does not degrade the service, e.g. constitute a DoS attack? So imagine the following hypothetical future situation: ENUM is widely used in -say- Germany and hence the DNS service of 9.4.in-addr.arpa. has become operationally important to ISPs in the RIPE region; SKYPE is a thing of the past, etc. Now suddenly customers of ISPs are having difficulties getting their calls connected. A quick analysis suggests that the DNS service for 9.4.in-addr.arpa. is not always reachable. The ISPs ask the RIPE NCC both as RIPE participants and as RIPE NCC members to monitor the quality of this DNS service which is critical to their business. The NCC complies. Next Merkel calls Pawlik and says: "Dear Axel, you are poking around in my people's ENUM servers, please stop that". What should Axel's answer be: 1) "Dear Angela, I am so sorry that I poked into your national assets. It was the members that made me do it; but of course I will stop if you take offense." 2) "Dear Angela, our members have some problems that may have been caused by data about your national assets not being available as it should be. Our members really have a need to know at any time if this is the reason for their customers complaining to them. Hence we will continue to monitor. By the way: we are generally regarded as a highly professional and neutral source of such operational measurements." I would expect that most of the RIPE NCC members and RIPE participants would choose 2. I am also quite sure that the call would never happen because no one publishing something on the Internet really assumes that they can stop it from being accessed and monitored. Otherwise Merkel would have to call Google many times a day. Tongue-in-cheekly yours Daniel

On Oct 16, 2007, at 15:08, Daniel Karrenberg wrote:
I have never understood this argument really. The DNS can be viewed as a mechanism to publish information to the Internet at large. Why would it be improper to query the published information as long as such querying does not degrade the service, e.g. constitute a DoS attack?
Daniel, there are many parts of the world that have a very different view of the DNS than you and I have. We both know that the odd query for health checking makes no operational difference. But that's not the issue. Some governments and regulators view their ccTLD (and by implication their ENUM Tier-1) name servers as "theirs". It's nobody else's business how those servers are set up and operated. If the name servers are dead or broken, so be it. Third parties (especially foreign third parties) must not interfere in what these states consider is a National Matter.

Jim, all - Jim Reid wrote:
Daniel, there are many parts of the world that have a very different view of the DNS than you and I have. We both know that the odd query for health checking makes no operational difference. But that's not the issue. Some governments and regulators view their ccTLD (and by implication their ENUM Tier-1) name servers as "theirs". It's nobody else's business how those servers are set up and operated. If the name servers are dead or broken, so be it. Third parties (especially foreign third parties) must not interfere in what these states consider is a National Matter.
would your worries really apply here? My understanding so far was that the RIPE NCC would not unilaterally start to monitor ENUM zones, eg. 9.4.e164.arpa. Rather it would only do so at the active and explicit request of the respective ENUM Tier 1 registry - which turns your argument upside-down IMHO. Best, Carsten

On Oct 17, 2007, at 10:59, Carsten Schiefner wrote:
My understanding so far was that the RIPE NCC would not unilaterally start to monitor ENUM zones, eg. 9.4.e164.arpa.
I would very much hope that was the case Carsten. But Daniel's recent posting -- which can be paraphrased as "why should anyone care if we send a few DNS queries and publish the results?" -- suggests there is some ambiguity or scope for confusion here. ie To the NCC, it doesn't look like unilateral action. But to the sorts of Administrations I referred to, they would see this as unilateral action and interference in a National Matter. Some clarity is needed here so that everyone knows what the operating conditions are: ie a statement which makes it clear that there are no grounds for these sorts of complaints.
Rather it would only do so at the active and explicit request of the respective ENUM Tier 1 registry - which turns your argument upside-down IMHO.
Er, it was me who was recommending that any monitoring would only be done at the request of the Administration concerned. For some vague definition of "Administration" which could include the Tier1 registry. BTW, I've parked the wider discussion of DNS monitoring as far as this thread is concerned. My views on that have not softened or changed. Even if I am a lone voice crying in the wilderness. :-) Crying being the operative word... :-)

On 18 Oct 2007, at 08:50, Jim Reid wrote:
[Carsten Schiefner wrote]
Rather it would only do so at the active and explicit request of the respective ENUM Tier 1 registry - which turns your argument upside-down IMHO.
Er, it was me who was recommending that any monitoring would only be done at the request of the Administration concerned. For some vague definition of "Administration" which could include the Tier1 registry.
From all of this discussion, I suggest the following three points as a basis for agreement. (1) Clarity on the "service envelope" for DNSMON is desirable; (2) Tier-1 ENUM zones are eligible for monitoring by DNSMON; (3) A request for DNSMON monitoring of a Tier-1 ENUM zone will be accepted from a "responsible party" ("Administration", Tier-1 operator, National Regulator, ...) relevant to the zone in question. I hope this helps. /Niall

On 18.10 10:45, Niall O'Reilly wrote:
On 18 Oct 2007, at 08:50, Jim Reid wrote:
[Carsten Schiefner wrote]
Rather it would only do so at the active and explicit request of the respective ENUM Tier 1 registry - which turns your argument upside-down IMHO.
Er, it was me who was recommending that any monitoring would only be done at the request of the Administration concerned. For some vague definition of "Administration" which could include the Tier1 registry.
From all of this discussion, I suggest the following three points as a basis for agreement.
(1) Clarity on the "service envelope" for DNSMON is desirable; (2) Tier-1 ENUM zones are eligible for monitoring by DNSMON; (3) A request for DNSMON monitoring of a Tier-1 ENUM zone will be accepted from a "responsible party" ("Administration", Tier-1 operator, National Regulator, ...) relevant to the zone in question.
Full disclosure: speaking as ripe citoyen, but also: ncc staffer, inventor of dnsmon, proponent of the NCC as more than a number factory Opinion: This may be all that is needed in practice. However it may be dangerous to limit ourselves this way. As alluded to in my recent attempt at humour: there may very well be a situation where the RIPE community may want a certain service monitored because their customers depend on it. At the same time the service provider may have a strong interest to hide the deficiencies of their service. From the point of the RIPE NCC, which interest should prevail? Fact: In the case of dnsmon, there has indeed been more than one occasion where such deficiencies were quite obvious and the server operators have indeed tried to get us to discontinue monitoring. So far we have stood firm on the side of telling the truth and providing a useful service to the RIPE community and the Internet community at large. In all the cases I can recall the service was improved after a while. In some instances I have been told personally that the monitoring results helped to get the necessary resources allocated. In one case this concerned an important server directly operated by an agency of a nation state. Opinion: So as far as I am concerned there is a definite benefit for the RIPE community and the RIPE membership in retaining the authority to determine what we monitor. Daniel

On Thu, Oct 18, 2007 at 10:45:57AM +0100, Niall O'Reilly wrote:
(3) A request for DNSMON monitoring of a Tier-1 ENUM zone will be accepted from a "responsible party" ("Administration", Tier-1 operator, National Regulator, ...) relevant to the zone in question.
so this suggests an asymmetric treatment of Tier-1 ENUM zones and TLDs? -Peter

On 18 Oct 2007, at 17:18, Peter Koch wrote:
so this suggests an asymmetric treatment of Tier-1 ENUM zones and TLDs?
You may be right; I'm not sure. If so, is it a problem, as long as we have clarity? /Niall

On 18 Oct 2007, at 08:50, Jim Reid wrote:
I would very much hope that was the case Carsten. But Daniel's recent posting -- which can be paraphrased as "why should anyone care if we send a few DNS queries and publish the results?" -- suggests there is some ambiguity or scope for confusion here.
As I read Daniel's posting, a more accurate (but still very rough) paraphrase would be "why should anyone care if we send a few DNS queries to look up already published data?" /Niall

Hi Jim, Jim Reid wrote:
[...] Some clarity is needed here so that everyone knows what the operating conditions are: ie a statement which makes it clear that there are no grounds for these sorts of complaints.
I guess such constraints could very well go into the DNSMON policy (RIPE-342). I further believe it is de facto handled already this way for the monitored TLDs.
Er, it was me who was recommending that any monitoring would only be done at the request of the Administration concerned. For some vague definition of "Administration" which could include the Tier1 registry.
I would only see the Tier 1 registry as the requesting entity as it is supposed to act with the consent of the "Administration" anyways. Best, Carsten

participants (14)
- Andy Davidson
- Carsten Schiefner
- Daniel Karrenberg
- Gert Doering
- Ian Meikle
- Ian Meikle
- Jim Reid
- John Crain
- Niall O'Reilly
- Olaf M. Kolkman
- Ondřej Surý
- Peter Koch
- Randy Bush
- Wilfried Woeber, UniVie/ACOnet