Robert Kisteleki - 19-05-2022 10:59:42
Hi everyone, I'm Robert Kisteleki from the RIPE NCC. This chat panel is meant for discussion ONLY. If you have questions for the speaker and you want the session chair to read it out, please write it in the Q&A window also stating your affiliation. Otherwise, you can ask questions using the microphone icon.
Please note that all chat transcripts will be archived and made available to the public on https://ripe84.ripe.net/.
The RIPE Code of Conduct: https://www.ripe.net/publications/docs/ripe-766.
Vladimír Čunát - 19-05-2022 11:01:44
I can see the slides.
Vladimír Čunát - 19-05-2022 11:01:55
(oh, on meetecho, yes)
Peter van Dijk - 19-05-2022 11:01:57
the slides work in meetecho, but apparently not in the room in Berlin
Peter van Dijk - 19-05-2022 11:02:09
does not seem like a Sara problem :)
Peter van Dijk - 19-05-2022 11:02:33
I see slides in Meetecho, again
Anders Mundt Due - 19-05-2022 11:02:46
a Sara Solution!
Peter van Dijk - 19-05-2022 11:07:28
audio slowly breaking down for anybody else?
Vladimír Čunát - 19-05-2022 11:07:29
Uh, choppy audio?
Shane Kerr - 19-05-2022 11:07:36
We have it here too.
Wolfgang Tremmel - 19-05-2022 11:07:37
audio is bad
Adam Burns - 19-05-2022 11:07:50
perhaps too much gain?
Robert Kisteleki - 19-05-2022 11:07:59
yes, we're looking into it
Peter van Dijk - 19-05-2022 11:08:04
Moritz sounds fine
Adam Burns - 19-05-2022 11:14:30
audio degraded again ...
Wolfgang Tremmel - 19-05-2022 11:14:32
and audio again
Marco d'Itri - 19-05-2022 11:17:17
I do not have much faith in widespread QUIC support until the openssl people wake up and allow third parties to implement QUIC on top of it instead of failing to do everything themselves :-(
Peter van Dijk - 19-05-2022 11:17:24
DOQ lends itself to it the same way that *DOT* does
Shane Kerr - 19-05-2022 11:18:54
Yeah I think people are scared enough of implementing their own crypto that they'll mostly use libraries...
Vladimír Čunát - 19-05-2022 11:19:23
A really nice talk. As usual from Sara.
Marco d'Itri - 19-05-2022 11:20:16
@Shane it's not just that: implementing QUIC is huge work, and while some libraries are available they are still not well integrated in the rest of the ecosystem due to the OpenSSL mess :-(
Marco d'Itri - 19-05-2022 11:20:33
(this from a Linux vendor perspective)
Vladimír Čunát - 19-05-2022 11:23:17
I do have feedback that integrating support into a DNS server isn't trivial.
Shane Kerr - 19-05-2022 11:24:29
Vladimir: That's genuinely disappointing. :(
Vladimír Čunát - 19-05-2022 11:25:13
I hope it's mainly because quic is still relatively new.
Georg Kahest - 19-05-2022 11:25:31
lol @ zones meme
Keith Mitchell - 19-05-2022 11:38:43
https://chat.dns-oarc.net/community/channels/catalog-zones is chatroom Petr mentioned
Peter van Dijk - 19-05-2022 11:39:09
PTR is a pointer to a name. While commonly used in reverse zones up till now, it's not actually overloading here.
Vladimír Čunát - 19-05-2022 11:41:46
So the history is related to RPZ?
Shane Kerr - 19-05-2022 11:43:00
No, Paul Vixie had something called "meta-zones" decades ago. I don't think he ever released the code or tried to standardize it though.
Vladimír Čunát - 19-05-2022 11:44:23
Though the final link is dead.
Brett Carr - 19-05-2022 11:45:02
@Shane yes but very similar I think (could be my awful memory though), he gave me a version of this to try when I was at the NCC
Vladimír Čunát - 19-05-2022 11:45:09
(I'm not really interested in reading it anyway.)
Peter van Dijk - 19-05-2022 11:45:42
ah, I also linked to an old version of our draft - anyway, "vixie metazones" in Google gives a few hits if anybody does want to see
Brett Carr - 19-05-2022 11:46:16
I'd like to use catalog zones but I do want to keep control over what the primary can suddenly send me, bit of a potential for an accidental DOS
Victoria Risk - 19-05-2022 11:46:36
I found Vixie's implementation in an old file at ISC years ago, but the version 1 implementation was done by someone who had never seen it. I think it was just a logical idea...
Vladimír Čunát - 19-05-2022 11:47:03
I'm not sure if that DoS potential is that much different from *XFR of non-catalog zones.
Peter van Dijk - 19-05-2022 11:47:11
Brett, that sounds like something that could be handled in an implementation dependent way, of course.
Matthijs Mekking - 19-05-2022 11:47:22
BIND does implement coo, the catalog zones change of ownership property, but there is no mitigation if you already trust the primary, to rate limit the number of zones one primary can add to the secondary. Since catalog zones store their data inside a zone, I don't see a way to encode a rate limit inside catalog zones, so it sounds like it perhaps requires some configuration option at the secondary.
Vladimír Čunát - 19-05-2022 11:47:26
Manually approved XFR?
Vladimír Čunát - 19-05-2022 11:47:43
(on the catz)
Vladimír Čunát - 19-05-2022 11:49:40
Like the workflow of git's pull/merge requests :slightly_smiling_face:
Peter van Dijk - 19-05-2022 11:56:23
The questions raised in this talk are excellent.
Marco d'Itri - 19-05-2022 11:57:23
Well, the actual question is: why are consumers using non-ISP-provided resolvers (which have downsides, like bad mapping from CDNs)? My non-scientific guess is that this happens because their ISP's resolvers are a) censored, b) provide unwanted ads (i.e., lie to queries), c) unreliable
Robert Kisteleki - 19-05-2022 11:58:29
Marco, would you like to turn that into a question and add it to the Q&A queue?
Victoria Risk - 19-05-2022 11:58:31
I think this is a great idea, but would not limit this to open resolver operators
Peter van Dijk - 19-05-2022 11:58:39
in my (.nl, limited) historical experience the reason is 99% (c), even though our ISPs have been doing very well the last 5-10 years - but configuration sticks around
Vladimír Čunát - 19-05-2022 11:59:30
Yes. I often heard that occasionally the ISP's DNS breaks, so people input 126.96.36.199 into their config and then they... just don't have motivation to ever touch those settings again.
Marco d'Itri - 19-05-2022 11:59:56
(sorry, I have to leave NOW)
Sara Dickinson - 19-05-2022 12:00:44
Or it could be applications doing DNS directly to a chosen resolver (although no browsers do that by default in the EU yet)
Brett Carr - 19-05-2022 12:01:07
Didn't Andrew Campling float the idea of a set of ops practices for resolver operators to the WG a few months ago? I think it got a bit of a lukewarm reception. I think it's a good idea though.
Adam Burns - 19-05-2022 12:01:41
Thank you so much for underlining the issues and providing real life data to comment on this EU initiative, overloaded as it is with issues such as member state "policy compliance" issues and potentially unnecessary "re-centralisation" as a control mechanism.
Geoff Huston - 19-05-2022 12:02:35
Apple using Cloudflare with egress in Singapore - seems to have been turned on in May: https://stats.labs.apnic.net/rvrs/SG?hc=SG&hl=1&hs=2&ht=0&hx=4&w=1&t=0&s=0
Victoria Risk - 19-05-2022 12:06:13
I think the issue is, how can the end user have visibility into whether their resolver operator is monetizing their query data? Having a BCP that clarifies this - that an end user can say, are you following X or not? might help.
Victoria Risk - 19-05-2022 12:07:03
There is a big difference between having a BCP and having consumer demand for that as a privacy standard, but you won't get the latter without the former.
Adam Burns - 19-05-2022 12:08:29
a useful tool for checking internet consistency in general, but dns consistency in particular is ooni https://ooni.org
Vladimír Čunát - 19-05-2022 12:09:34
I'm not sure if BCP will help much without some legislation.
Vladimír Čunát - 19-05-2022 12:10:19
I mean, what would motivate ISPs to publish the fact that they monetize data of their users?
Shane Kerr - 19-05-2022 12:11:48
Better to have legislation point to an industry-originated BCP rather than having Brussels invent their own rules though!
Vladimír Čunát - 19-05-2022 12:14:11
Yes, though in the EU the monetization isn't allowed AFAIK, at least for ISP DNS.
Vladimír Čunát - 19-05-2022 12:14:29
(meant for Shane)
Vladimír Čunát - 19-05-2022 12:15:14
For DNS4EU it's certainly explicitly forbidden.
Shane Kerr - 19-05-2022 12:16:34
Well, that actually confuses me about DNS4EU. IIRC the grant was supposed to cover half of the cost... and they can't monetize the queries... so... ¯\_(ツ)_/¯
Vladimír Čunát - 19-05-2022 12:17:03
Yes, no money for operations and no monetization.
Vladimír Čunát - 19-05-2022 12:17:41
So I'm quite curious how that plan works out over the long term.
Sara Dickinson - 19-05-2022 12:17:57
Found the link: https://europeanresolverpolicy.com
Brett Carr - 19-05-2022 12:18:54
@Sara yes, that's what I was referring to earlier. I think Andrew presented this at a WG meeting a few months ago, perhaps worth having another meeting to chat about it
Vladimír Čunát - 19-05-2022 12:19:32
Within EDDI perhaps, as they've been doing this kind of thing a lot.
Moritz Müller - 19-05-2022 12:21:38
Unfortunately due to time, we cannot take any questions
Georg Kahest - 19-05-2022 12:29:48
long live the dns
Brett Carr - 19-05-2022 12:29:58
Happy birthday dns-wg (I feel old now)
Sebastian Wiesinger - 19-05-2022 12:29:59
:birthday: Happy Birthday DNS WG
Hoàn Vũ - 19-05-2022 12:37:41
How is the DNSMON (RIPENCC) system deployed?
- Model, scope
- Supervisory criteria