Why is the EU trying to regulate outside it's jurisdiction?
Why doesn't the EU simply provide a 'core' set of servers, which they operate to a high degree of fidelity and robustness so that 'should something go wrong' ... then the EU still has these resilient services to reply upon?
I don't see how someone doing a public service should arbitrarily come under such scrutiny.
The proposed regulation – like many EU regulations – can also apply to non-EU entities. In this sense, the EU does try to exert extraterritorial jurisdiction.
However, this is constrained to the case where the non-EU entity targets people in the EU, so somehow participates in the EU market. The origins of this “targeting criterion” actually come from consumer protection cases, where it's easy to understand: if you advertise your goods or services to people in a particular country, you'll have to play by that country's rules.
I can make the analogy that public transport is a public service, but that doesn't mean people have to drive in old and unsafe busses and trains right?
It’s the nature of governments and bureaucracies to try and control as much as they can. The kinds of people who draft these regulations aren’t interested in limited legislation. The United States is particularly guilty of this - we frequently demand that other countries follow our regulatory rules, especially around banking and “anti-terrorism”.
> It’s the nature of governments and bureaucracies to try and control as much as they can. The kinds of people who draft these regulations aren’t interested in limited legislation
there is not really any other way to play the geopolitical game sadly.
Every goverment on earth is doing this to keep themselves stable, some are just far more succesfull then others.
Let's see... the past year the was a big scandal because apparently multiple non-profits were selling the .ORG top level domain name for $1B. They got these top level domain for free from the US government (or some institution thereof).
I would certainly like the EU to regulate more of the Internet instead of it being an US territory.
> I don't see how someone doing a public service should arbitrarily come under such scrutiny.
It doesn't seem arbitrary to me. The service provided exists in many EU countries, and therefore must eventually be harmonised. This is the prime directive of the project.
"and therefore must eventually be harmonised. This is the prime directive of the project"
That's not a very good prime directive.
Don't regulate things that don't need to be regulated, i.e. unless there is a very material benefit from it.
If the EU is concerned about WW3 level resiliency for these services, they can accomplish that themselves with a few cord, 'hardened' services that meet their criteria. For 'regular operations' it seems we're going quite well right now.
Unless there is a threat posed by these heretofore independent operators ... then I'm don't see any obvious material benefit here.
I'm wondering if somehow these entities could be compromised in a way that makes them a problem, more so than just 'going offline', in which case, maybe there are some benefits.
Umm idk if I put 1.1.1.1 as my DNS which root is it targeting? The one in China? Or if I put 0.0.0.0 (IP of EU run DNS server backed by EU run root) then is it still China?
There is a simpler solution rather than enforcing EU oversight over root DNSes.
Seems like it's the job of the 'EU citizen' to not use foreign services if they don't want to use services which are not consistent with their own regulatory standards.
It doesn't, really; see paragraph (65) in the document [0]. It states something along the lines of "if you're providing services stationed in the EU, or services directed people that live in the EU, then you must comply with these regulations". Basically, an import regulation for operators that do not have a presence in the EU (but do target the EU market), and an operating regulation for those that have a presence in the EU.
These are independent operators, NGOs etc, services being 'used by EU citizens' not really 'targeting Europeans'.
From a liability perspective, to the author's point these services I suppose would have to just filter out European sources?
Why would they publish a regulation so obviously vague, full well knowing the reality on the ground?
Why wouldn't they use language that unambiguously places NASA etc. firmly 'in our out' of the regulations or, some criteria which they would be one way or another?
The text in question does define more closely what it means to offer services in the EU. To lawyers (and to anyone who has experience with GDPR compliance) this is not a particularly vague statement. Admittedly, there's no unambiguous bright line definition, but there's a lot of jurisprudence on the matter.
In reality, the question is not whether EU citizens will use these services, but whether the operator of the service is targeting people in the EU, i.e. whether the operator intends or reasonably expects for EU people to use their service. A US service will most likely be fine if their reasoning goes something like this: (1) We primarily intend to serve connections from the US. (2) This expectation is reasonable based on our network topology. (3) But we don't care if someone else connects.
It would not be appropriate to exempt specific organizations since those organizations may change their targeting in the future. It already exempts most non-EU organizations, due to the criterion that they don't target the EU.
We had the same panicking in 2018 when the GDPR came into force and – quelle surprise – there are no fines for random international websites. The EU doesn't insert itself into your affairs if you don't insert yourself into the EU market.
I'm not sure where you got the word "target" from. In the context of GDPR what the EU does is they believe European people are their data subjects, they claim that personal data is things like IP addresses, and if you record information about these data subjects, like RIPE IPs in NGINX logs, then the EU feels that you are governed by them regardless of where you live or where your server is hosted. Which to me sounds like basically everyone who's plugged into the internet who hasn't configured their firewall to drop traffic from ips starting with 2, 5, 25, 31, 37, 46, 51, 53, 57, 62, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 109, 141, 145, 151, 176, 178, 185, 188, 193, 194, 195, 212, 213, or 217. In practice, the EU has explicitly exempted most of the operators who wouldn't be economical to fine, but it's pretty clear that the regulatory model is intended to operate like a whitelist, i.e. you're under their dominion unless they say you're not. What I found particularly amusing in the context of the DNS topic at hand. Is when people voiced concerns about normal people running DNS on a Linux router or something being impacted by the legislation, the EU's response in the document was like, no no trust us if you're doing something like running a DNS server on your "laptop" (yes they said laptop) then you're not going to be impacted. How reassuring!
I got the word "target" from the referenced section (65):
> In order to determine whether such an entity is offering services within the Union, it should be ascertained whether it is apparent that the entity is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the entity’s or an intermediary's website or of an emailaddress and of other contact details, or the use of a language generally used in the third country where the entity is established, is as such insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the entity is planning to offer services within the Union.
If you want to look at it from that perspective: the same reason the US does it.
People also tend to forget that providing a service (in whatever fashion) doesn't exist in a vacuum, there are the services and then there are the consumers of those services and they might have certain freedoms and rights that the locality of the service in question might not honour. Take the right to control your data for example, the US isn't very good at providing that with the services they offer, and they'd rather not have that freedom and rather make those few percent more money.
Also, it makes sense in the broader EU strategy of becoming less reliant on the US.
The EU has a good amount of soft power, this is just testing testing it's waters in directing policy more directly. (other examples are the Iran deal after the US left, and Intervention in Africa)
Geopolitically, this makes a lot of sense, and i think the idea has good intentions, but the implementation of the law is where it falls short.
> The current version of the NIS 2 directive explicitly says the EU will regulate the root servers, and therefore NASA and the US Department of Defense in this way
Is the latter part of this your conclusion and interpretation? I haven't looked at the source material but are you sure they aren't just referring to root servers operating in the EU or by EU companies. I find it hard to believe they would consider DoD servers within their jusrisdiction.
>We barely develop any software here anymore. So even very European companies like like Nokia and Ericsson, that are now trying to tell us that they are building our European telecommunication infrastructure. They’re actually not, they’re getting that built by other people in other countries far away. Anything having to do with server and PC development and manufacturing, there’s nothing left of that in Europe anymore.
As far as I've been told, then there are R&Ds in e.g Cracow, Poland or Wroclaw (probably nor R&D) that actively recruit or even train people
My latest news (~2 yrs ago though) from friends working at Ericsson is that beside hardware they also started outsourcing software to far east entities. I don't have details, but over here they sack about 300 people every year, mostly developers. It might be different in Sweden though.
No idea, and Covid may have changed things, however pretty much every year he feared to be included in the list of people that had to go either directly or through a fake spin off, a common trick used by many corporations to lay off workers.
Ericsson has hired several thousand engineers per year in the past couple of years, globally.
You can see the history of their Wikipedia page for the nitty-gritty...
If by Far East you mean China, I’m not aware of any outsourcing there at all. Ericsson has big R&D centers there but I believe they are all in-house operations, owned and controlled directly by Ericsson.
Ericsson is very multinational. The core of its management is in Sweden, a lot of systems management and architecture are indeed controlled from there. There are development units in dozens of countries across all continents, albeit with a emphasis on Europe, the US and China. A lot of subcontractors from/in India are involved in product development, too, but mostly for systems operations and maintenance of “sunsetting” products.
All told, I am not aware of a single Ericsson product that is “led” from China or India, but I could certainly be wrong.
What is your expectation what a state actor like the EU should do to protect it's citizens infrastructure?
Rely on a third party like the US which has secret courts and gives a shit about EU citizen privacy, their property or their lifes?
Or give it in the hands of the industry? Which only has one motive: making money.
Or leave it unregulated with no safety for no one?
DNS is about trust. We need trust into this thing. And honestly: i would not trust DNS offered in China and most likely also not the US, or 99% of the carriers
Second that. The article lacks the good parts. It's clear that the rapporteur has not figured it out yet how to deal with the root DNS servers, but there is a broad consensus over the strategic autonomy goal [1].
One way or another, EU will force its way. Should it do it by e.g. empowering DIGIT to run root DNS servers?
They will for sure tender it off to a murky consortium, but at least there will be a positive political move.
I love the assumption that there is "a better model." This reeks of the quintessential "let's solve a problem that doesn't exist."
Here's an even better and more logical idea - for those who have concerns about the current DNS root server arrangements, what specifically are they? And what would you propose as solutions to their perceived deficiencies? Bonus points if you can raise actual technical arguments and not just feelings.
You are free to choose your DNS provider. On the other hand if we take your view and apply it in reverse: why should an American or Chinese person trust the EU to regulate the internet?
DNS roots have worked flawlessly. The EU can just create EU roots and be in control of them and regulate those. Nobody is opposed to that. You can even enforce vendors to only include EU roots when selling devices in the EU (I’m against this personally) or to ISPs (I’m more okay with this). But as a person who loves the EU I’m very much opposed to enforcing EU values and views to 3rd parties.
What value would regulation bring to a system that is currently working, has worked flawlessly for over 40 years and shows no need of imminent "improvement" from a law like this.
Exactly what problem would this law saw? So far all I am seeing are vaugue assurances and warm feelings but zero substance of how it would improve anything.
Indeed, if history is our guide any change is far more likely to hurt rather than help. Therefore it is incumbent on those seeking the change to defend it - how exactly will this law "improve" things. Please be specific and factual and leave feelings to the poets and philosophers.
You control the client. Don't ask my server if you don't want to. I'm not making you do it.
If you want to ask my server, send me information in the protocol that says that you want me to meet a certain standard and I'll blackhole the request if I can't meet it.
Any software that is used by EU citizens (downloaded from EU App Store or EU vendor website) should use EU DNS servers. (The user should be allowed to change the DNS on per device and per app lvl)
I’d be okay with that. And I think that solves your issue, my issue and EU’s issue.
Simply - no. Devices that are old enough which have no OS updates then... no. But any new device or already supported ones: yes why not. It's just an update from the manufacturer. You can even say: If the device is within EOL<1 year just update the DNS to the EU DNS. Other devices will need to have the option of choosing DNS addresses.
Another approach is what we do with cars: we don't ban ICE cars, we have different "tiers" (Euro5, Euro6) of emissions and phase them out. We can do the same thing. Any device manufactured after 2020 will need to implement this "feature". It will take a few years to propagate but it is a very feasible approach.
Don't most devices use just DHCP, which in turn in most cases just use the DNS settings of the Internet Provider (IP) that is being used (indirectly, as usually the local router is set like that) => if a local government asks the IPs to use specific root servers then the problem should be solved?
(or maybe I'm not understanding the core problem...)
> But as a person who loves the EU I’m very much opposed to enforcing EU values and views to 3rd parties.
I'm not quite clear how that's different from ICANN? Ostensibly they're now
"multistakeholder", but were under the United States Department of Commerce until 2016. And were infamously in denial about the GDPR impact to WHOIS.
To be clear, I'm not saying the EU proposal is in any way good, I have no idea. But this issue has been brewing for a while, and I don't think it's unreasonable to be critical of ICANN et al and preparing for eventualities. Even if it is the status quo, leaving a major part of the internet in the hands of some unaccountable NGO is a huge risk.
There is less and less choice over your DNS provider. With the classic DNS protocol, requests were routinely hijacked by ISPs. With new protocols like DOH, you now have to go manually configure every application and cross your fingers it does what you want. Not everything can be configured to a specific DOH gateway.
As it stands today, I can no longer reliably block hosts by domain name on my own network thanks to DOH.
> You can even enforce vendors to only include EU roots when selling devices in the EU
Please don't give them ideas. Not even the Kremlin has done that, although they did something similar with geolocation devices.
Otherwise I fully agree. If the EU wants to audit, they should establish their own root server infrastructure, pay for it and audit that. If I was a root server operator providing what is essentially a free service and this was enforced on me, I'd rather shut down or block EU netblocks than be bothered by EU cyber security auditors.
I mean if it’s done in the right way and actually hosted by universities with high reputation: Oxford/Cambridge/Southampton (obvs not in Europe anymore but it illustrates my point) then I think it might be okay. Nothing wrong with making sure dns works in Europe if all other dns roots fail.
The implementation part will be tricky but not impossible. Heck ipv6 is still not rolled out and we actually need it. Do you think they will be able to do this faster?
> I’m very much opposed to enforcing EU values and views to 3rd parties.
I’m not at all opposed to the EU trying to regulate companies providing services to their citizens.
If you only regulate providers in the EU it’s a pointless exercise from the start, even if you don’t have a lot of ways to actually enforce your regulations.
Really, recursive servers should be AXFRing the root zone on a regular basis and not making live queries unless the AXFRd data is sufficiently stale (or on cold start). Icann has some axfr servers setup for this [1].
Some other transfer mechanism for the zone could be used, and almost anything would do as the rate of change is slow and the overall size relatively small. If it's a regular transfer, there's less need to have servers as everywhere as possible as is current policy. Popular TLD servers will likely continue to try in as many places at once as they can be though.
The solution here seems simple: their buisness continuity plan is for traffic to fail over to other functioning servers.
As long as actually filing the paperwork is easy and the EU accepts the idea that the system is already designed to handle outages this sounds to me like a non-event.
As I understand it, the services are run by non-profits. A "bit of paperwork" (and truthfully, it's laughable to call any government mandate a "bit" of paperwork) can quickly turn into something that require legal hours which isn't free.
I agree about not underestimating the needed effort, but to be fair that service nowadays is absolutely crucial/important for a lot of stuff, private & commercial, involving $$$/lifes (maybe e.g. police etc... run some services over it)/whatever.
Probably the criticality/importance of the service must be balanced by appropriate controls/checks/procedures/etc... .
Maybe people's time could be spent better administering servers - i.e. doing useful work - than complying with busywork from bureaucrats intent on solving problems that don't exist.
Or even worse, bureaucrats making shit up to not only justify their existence but justify the expansion of their empires - which is exactly what this smells like.
There is nothing broken or in need of fixing with how the root servers have worked and work today.
The EU is an important enough market that most companies will want to serve EU customers, which means they have to abide.
GDPR has forced all companies to at least think about data security and personal data, and given rights to know what data is stored and to demand deletion.
Sure, there are annoying consent modals, enforcement is lacking, many companies don't actually follow the law properly, and I've lost access to some websites/apps that don't want to deal with it.
But this is a domain where standards are severely lacking, but necessary. No one will do it without being forced to.
The biggest downside (for me) is the extra regulatory burden for small companies, but this particular legislation won't affect small companies much anyway.
It's not totally clear they would really try to do this, but there is no world in which US military DNS servers submit to inspection, auditing, and regulation by the EU. This is nothing like regulating commercial service providers. Even where FVEY reciprocity agreements exist, it's only for products, not for equipment and processes. Even where the US government operates facilities in the UK, there are parts of those facilities non-US persons aren't allowed into. Since the UK left, no EU member state is even a part of FVEY.
Granted, DNS is not classified, so those specific restrictions do not apply, but you still can't just go up to the Pentagon unannounced with an EU regulator badge and expect to be let into the building.
Yet the US military wants to inspect the EU's stuff so it seems to be a bit of a one-way thing right now.
The US wants to do all sorts of shady stuff to the rest of the world, but as soon as someone wants to do some of that the other way around it suddenly is all sorts of bad.
The Californian defense minister doesn’t exist, and didn’t proclaim last November that “illusions of US strategic autonomy must come to an end” in response to criticism from the Texan president, citing sobering facts like “without the nuclear and conventional capabilities of the E.U., California and America cannot protect themselves.”
I would say "perfectly" is an exaggeration in terms of not every request being perfect, but as a system it has worked perfectly as designed.
Name another system that has delivered the sheer quantity of results compared to the number of faults. I can't even imagine how many answers have been given DNS servers.
I don't know a single one that wouldn't not only jump over networks, but borders too. People are getting angry as it is now. Many of them are leaving because of the failure to handle covid, also PSD2, the inability to access many pages due to GDPR, the encryption ban plans, the tracked digital money plans, etc.
The Ukrainians that were here for a decade or more are choosing to go back to Ukraine rather than stay in this, what an image of the EU.
My 70 y/o grandmother is literally the only reason I'm still here.
PSD2 has been great for EU citizens because it lets them use personal finance apps of choice instead of being locked in to their bank's own app.
GDPR has been good even for non-EU citizens because it prompted some companies to provide data controls for all users, not just EU citizens. I have only come across a few American local news sites that block EU visitors.
There are other reasons technologists may leave, such as higher salaries and larger capital markets in the US, but GDPR, PSD2 and Covid-19 would not be incentives for most.
I never cared about using third party apps for banking, it's useless - obviously only the most basic operations are supported; and I never wanted to use my "dumb" phone for banking at all, I wanted seamless internet payments - but now I am required to have Android/iOS phone connected to the internet on hand to even log in into online banking interface - great!
News sites aren't the only victim of GDPR, it's also SaaS apps and other services, especially financial services. I used to be able to have American brokerage accounts, now that's gone - great!
How about you stop talking about what's good for me? This is exactly the problem with EU, it feels like it knows perfectly what's good for all 450 million people - well it doesn't, and it's not the same for all.
From what I read in the proposal the core idea of it is solid. DNS is a vital piece of infrastructure, and we should take steps to ensure it keeps working. Putting together task forces to make sure it is secure therefore sounds like a very good idea.
Root servers might be out of scope to some degree for this however. Interestingly enough the root servers also aren't mentioned in the proposal itself, nor in the annex listing essential services. They're only mentioned in the lead up, which is the argument for why it's needed. It somewhat feels like they left it in accidentally, especially with the parliament immediately amending to scrap it from the lead up as well.
Yup. As well as the decentralization and diversity of the technical operations of each pool. Operational diversity can be as important or even more important than technical diversity since humans tend to be the weakest links in technical chains :p
It is impossible to build any website that cannot be taken down. The government could seize the physical servers if they wanted to. By your definition that means nothing is decentralized.
How? Even if you were to host a website on a satellite the government could launch a rocket and blow it up. If the website is hosted on Earth they could physically cut cables if they wanted to. There is no way to fully prevent the government from preventing access to a website. The internet is decentralized, but not fully immune from governments.
I mean, you can have more than one copy of the website. Maybe a government can send one satellite-destroying missile, but probably not thousands of them.
Think about how many people have the Linux kernel Git repo cloned on their workstation. It would be essentially impossible for any government to destroy all copies.
>It is impossible to build any website that cannot be taken down
This is becoming less true each day, especially with the advent of IPFS and Ethereum. Uniswap's website will never go down. uniswap.org might be seized but uniswap.eth cannot be altered by anyone.
In a few decades it will be normal for websites to be decentralized and permanent. It's actually quite needed for the robustness of critical internet architecture.
Taking down websites has nothing at all to do with the root servers. The root servers only distribute information about which nameserver is responsible for which TLD, and doesn't concern individual websites at all.
This ended with /s but DNS and other global namespace management systems are actually one of the problems blockchains solve perfectly. We all need to know what the value of some key->value pair is and have that information always available and easy to update. Blockchains handle data distribution natively, allow updates from authorized parties, and have 100% uptime. Transitioning DNS to something like ENS is something with lots of upsides and few downsides.
The single biggest thing keeping the root servers working is the very model this law would disrupt.
Indeed, you want ecosystem diversity. You don't want every operator of a pool of root servers doing everything the same way because if someone figures out how to disrupt those operations and if everyone is operating the same way then poof - they all fall down.
Top down planning/regulation has it's place, but it's hardly the solution - and brings zero value to this topic.
Indeed, in 40 years the model has worked just fine - surviving technical, political and legal challenges and no one was the wiser. There is zero in this law that would improve upon that record.
Devil's advocate here. The DNS root servers worked, but don't quite feel up to speed with regulations. AFAIU, the root servers still receive FQDN and IP, which is not GDPR-friendly and technically unnecessary.
Also, I'm not sure what happens if a crazy US president decided to disrupt .eu.
While regulating root DNS servers might be undesirable now, it sure feels like the right moment to start the conversation.
> AFAIU, the root servers still receive FQDN and IP, which is not GDPR-friendly and technically unnecessary.
This is only a problem for a tiny fraction of queries. The records served by the root servers can be cached (e.g. .com has a TTL of 2 days), so most queries don't even hit the root servers. It's a much bigger problem for the registry nameservers.
Here's a naïve question - why couldn't the institution that's supposed to do the planning/regulation be the one that's obligated to provide the necessary resources for the parties being regulated, if they lack them themselves?
> The non-profit root server operators might have to leave the EU and put up active measures so that no Europeans can use their root servers. They can’t afford to do all the paperwork for NIS 2.
For example, if a university cannot afford to file the necessary paperwork, why couldn't the EU be the ones that are obligated to send someone over to handle the legwork and help them out?
I know that something like that would never work for reasons that the lovely people here would hopefully point out (since i don't really deal with the legal stuff that often), but here's another example - i live in Latvia, and the government actually helps me to fill out and pay my taxes somewhat. Granted, it only handles the most common cases and calculations in the form of a self-service web app, but if a lot of paperwork is just forms anyways, why not apply it to other domains?
In contrast, telling a university that they'll need to invest significant time and resources into something that they simply cannot do on their own, knowing the implications of this, doesn't appear fair.
Having worked at a university, but not in this domain, my 2-cents is that what they're trying to say is that can't afford the paperwork in the context of the the associated internal political war that commonly comes along with trying to do anything like this in academia.
I have an even more naive question: if EU wants a secure and well-overseen root services operator, why don't they spin up their own one? They can do whatever they fancy for their own money.
> Putting together task forces to make sure it is secure therefore sounds like a very good idea.
the top comment on HN for topics like this frequently follows the format of your comment, saying something that sounds so reasonable, who could object?
But the way the internet works didn't come about magically, it was planned and modified through trial and error by experts who, working together, can be seen as nothing other than a task force. So you are looking for a new task force to interrupt and disturb a task force that already exists. This will inevitably lead to the need for yet another new task force to look into what this task force has done...
So, we take a system that has been working perfectly for 40 years, and throw some government “task forces” at it, and we hope this makes it work better?
The majority of the (long) tl;dr focuses on, and is under the assumption that non-EU RSOs will object and not comply with the NIS 2 directive and... have to shut down or block access to EU? Is there any substance to this actually happening? Is the NIS 2 directive an unreasonable burden on critical infrastructure such as those who run the root DNS?
I've never really heard of this "NIS 2 directive" but it seems completely reasonable, and it's even unclear whether non-EU folk like NASA would even be under scope. The only way I can see that being tested is if NASA (or whoever) seriously screw up and have a breach, and get attention on them. If that happens, then good! They deserve the scrutiny!
This reminds me a lot of the FUD (primarily) American's were spreading about GDPR which ended up being mostly empty.
- I doubt that the EU meant to directly investigate the pentagon, the opposite might have some history.
- The argument that there is redundancy and therefore it is safe is incomplete to say the least. For instance, how heterogeneous are operations, software, potential failures...?
I dunno. I am pretty sure CZ.NIC is going to be OK with this legislation, given they already comply with pretty stringent rules we have now and they even run the actual CERT from the NIS 1.
Why not? They already ruined the web browsing experience of hundreds of millions of europeans with their brain dead GDPR/cookie law/privacy note crapola.
And they are also busy ruining chat encryption in the name of our own safety, app stores in the name of anti-trust and online ad business in the name of… whatever.
The European Union - those who can’t innovate, regulate.
1. Yes. It is both putrid and inaccurate.
2. Is this law actually innovative? Yes. It is an example of novel EU overreach. If I am Japanese citizen operating a root DNS server in Kyoto, why am I suddenly subject to EU regulation and scrutiny? This is new.
EU regulators are innovative. I can think of a lot of other innovators like them.
- intra eu Banking which is decades ahead of the US[1]
- having universal driving licenses and ID cards valid throughout a continent and beyond[2]
3: High standards of food safety [3]
i could name a couple more, but i get you get the point.
>If I am Japanese citizen operating a root DNS server in Kyoto, why am I suddenly subject to EU regulation and scrutiny? This is new.
No it isn't. If Facebook targets EU citizens it's under EU law no matter where it is located. It's the same the other way around. The only difference is that US companies are used to do what ever they want.
If that's their goal (I don't think it is), they are hilariously incompetent at it, as the root servers do not have anything to do with invidiual domain names at all. They only map TLDs to nameservers.
The peer comments here aren't quite right. The query that goes to the root server, isn't "what's the name server for .com?". It's "what's the IP for abc.example.com?"
The root servers choose to send referrals back for the TLD.
They don't have to. They could answer the query directly, or send a bogus authority record for "example.com", etc.
So, technically, you could create some chaos in the way you're describing if you ran a root server. (Plus the wrinkle of DNSSEC).
> "The non-profit root server operators might have to leave the EU and put up active measures so that no Europeans can use their root servers. They can’t afford to do all the paperwork for NIS 2."
I think this is the point where the argument falters. The author is overstating the cost impact regulatory compliance has and understates the non-profit resources. Also, the idea that commercial providers will take over with their competitive edge in regulatory compliance doesn't work, since there is really no impact of such compliance skills on service quality. Everybody provides the same service, so if the operators can comply somehow (even if slow and badly), they are good
While I don't want to dismiss OP's concerns, I vicariously enjoy the turnaround of the US having to worry about someone else's extraterritorial decisions.
In practice, though, I don't think it would matter. It's not like (1) the EU is asking to be allowed to install arbitrary programs on root servers or (2) it will start bombing non-compliant servers.
Worst case, EU residents (or at least residents using PCs sold in the EU) will only be able to access EU root servers, which will still index 100% of the internet. I'm not super worried.
The US wouldn't worry, and would make their own internet with hookers, blackjack, zero privacy, taxes, inane regulations and pork, but it would be US controlled. This is how Americans work.
Edit: Downvote if you must but it is the mindset of many:
Alan Woodward seems to be the BBC's go-to person for scare quotes about the internet. In your article:
> "It's shocking," says Alan Woodward, a security expert based at the University of Surrey. "This is the Balkanisation of the internet happening in front of our eyes.
> "The US government has for a long time criticised other countries for controlling access to the internet… and now we see the Americans doing the same thing."
> Alan Woodward, a professor of computer science at Surrey University, said Signal was "one of the most secure, if not the most secure, messenger service publicly available".
> "Signal employs end-to-end encryption, but goes further than apps like WhatsApp by obscuring metadata - who talked to who when and for how long," he explained.
> "Cellebrite seem to have been able to recover the decryption key, which seems extraordinary as they are usually very well protected on modern mobile devices."
> He added that if this was indeed true, it was no surprise Cellebrite would have altered its blog.
> "I suspect someone in authority told them to, or they realised they may have provided enough detail to allow others - who don't just supply to law-enforcement agencies - to achieve the same result."
A good rule of thumb might be, if you see Alan Woodward quoted in support of the article, assume the author doesn't know any genuine experts.
Browsers could alternatively ship with support for Namecoin [1] or Unstoppable Domains [2]. Though, realistically, I'm suggesting Opera or Brave. Mozilla isn't functionally capable of thinking about doing something like that, and I don't think I have to suggest a reason why the other browser vendor wouldn't entertain the idea.
1- Having domain names be impossible to seize sounds like an anti-feature for most businesses. If somebody pwns my company or I have a disgruntled sysadmin I don’t want them to be able to indelibly transfer my domain name to themselves with no recourse. Alternatively, if I lose the cryptographic keys to my domain name, am I just completely hosed?
2- No renewal fees ever sounds like an anti-feature to everybody who isn’t a squatter.
> I love Europe, and I want to see the European Union succeed.
As a socialist (regardless of my more specific views), I really cannot understand how these two views can be held at once.
The EU is an anti-democratic mechanism for concentrating economic and political power in few hands within Europe. Many member states basically forced it onto their citizens despite mass objections and even votes against entrance (or rather, adoption of the Maastricht treaty). And the EU has brought mostly negative effects for most Europeans IMHO. It would have been much better for residents of the continent to bring countries, societies and economies closer without this kind of central control.
The proposed measure, of forcing good-will providers of root servers, to have to submit to EU inspections of premises, is a (admittedly rather minor) example of this aspect of the "spirit" of the EU.
As but one point: only one referendum rejected the Treaty of Maastricht, the Danish one, with a margin of 49:51. In response, some changes were adopted an the Danish people overwhelmingly voted for it in a second referendum, 68:42.
He says "name", then ads "website" in parenthesis so non-technical people can understand. Without name resolution, most internet services will indeed fail.
No, they are writing about DNS, which is in the core of how the Internet works. Including the Web, yes, but virtually nothing on the Internet would work without DNS.
But the article doesn’t conflate the web and the Internet. The DNS root servers are necessary for the operation of all the Internet, just like the article says. Not just for the Web.
also: even if there are some things which do not rely on DNS, but proportionally speaking majority of things do rely on DNS - web, email, file sharing, chats, calls, you name it. it already gets to significant majority of internet activities, so ... your point is not clear.
Anyone knows if EU supports these operators or not? Financially or different ways? The EU does support some vital infrastructure projects as far as I remember.
I wouldn't be worried about fines. I think the EU is very reasonable and flexible when it comes to enforcing these type of legislations.
"In addition, by downloading this file, every Internet service provider can run their own root server."
Any end user can do that as well.
The truth is, root servers are not nearly as "essential" as the major TLD servers, like .com, .net and .org
What is essential is the ability to download the root.zone file. At least if one wants to track any changes (seldom seen).
I always have a copy of the current root.zone file. If the public root servers all ceased operation I would not see any noticeable effects.
However if the .com servers went down, I would have to use a local copy of the com.zone which is a much larger file to download (via FTP, HN's favourite protocol to make fun of).
An easier alternative is to keep a custom zone file with all the domains that I use regularly. Does any single end user really need access to the entire www. How much of the www does anyone think they have really seen.
For example, I have zone files with every domain that is posted to HN, so I never have to worry about being able to read what gets posted here. I can read fast without making any remote DNS lookups.
I feel like this manifest seriously lacks the part where it should be playing devil's advocate. I don't have a say in this matter, and I don't know if the author is right anyway. But let's suppose that whoever pushes this agenda indeed is mistaken, and that he's not acting malevolently, and just doesn't see something that the author sees: I'm pretty sure he has some ideas why NIS 2 is necessary. If so, listing (quite speculative) counter-arguments without addressing why "pro-"arguments aren't necessarily correct isn't very convincing.
So: why the proponents of this proposal (supposedly) think it's necessary, and why they are mistaken and it actually isn't?
The linked amendments that thoroughly resolve this complaint have already been adopted by parliament. This article is therefore picking a fight with an old version of a working document.
> I love Europe, and I want to see the European Union succeed.
You have conflict of interest, then, and cannot be trusted.
This idiotic idea is leaving the end user just as exposed - if not more - than they are now.
Today you are just as unlikely to be cut off as you have always been.
But if you're Italy and want to leave the EU without paying back the 400-500 billion euros you owe and they decide to hang onto your DNS servers, you'd probably wish Cloudflare was in charge of DNS.
Very little worthwhile reading in this thread. It's mostly people complaining about something they don't understand. Read that article and move on is my advice.
191 comments
[ 3.9 ms ] story [ 239 ms ] threadWhy doesn't the EU simply provide a 'core' set of servers, which they operate to a high degree of fidelity and robustness so that 'should something go wrong' ... then the EU still has these resilient services to reply upon?
I don't see how someone doing a public service should arbitrarily come under such scrutiny.
My first question is are they or is this the authors view?
The proposed regulation – like many EU regulations – can also apply to non-EU entities. In this sense, the EU does try to exert extraterritorial jurisdiction.
However, this is constrained to the case where the non-EU entity targets people in the EU, so somehow participates in the EU market. The origins of this “targeting criterion” actually come from consumer protection cases, where it's easy to understand: if you advertise your goods or services to people in a particular country, you'll have to play by that country's rules.
there is not really any other way to play the geopolitical game sadly.
Every goverment on earth is doing this to keep themselves stable, some are just far more succesfull then others.
Let's see... the past year the was a big scandal because apparently multiple non-profits were selling the .ORG top level domain name for $1B. They got these top level domain for free from the US government (or some institution thereof).
I would certainly like the EU to regulate more of the Internet instead of it being an US territory.
They are completely separate entities.
If you dislike this go shout at ICANN. It’s was US organisation - now it’s a “private” one[1]
[1] https://www.icann.org/en/announcements/details/stewardship-o...
It doesn't seem arbitrary to me. The service provided exists in many EU countries, and therefore must eventually be harmonised. This is the prime directive of the project.
That's not a very good prime directive.
Don't regulate things that don't need to be regulated, i.e. unless there is a very material benefit from it.
If the EU is concerned about WW3 level resiliency for these services, they can accomplish that themselves with a few cord, 'hardened' services that meet their criteria. For 'regular operations' it seems we're going quite well right now.
Unless there is a threat posed by these heretofore independent operators ... then I'm don't see any obvious material benefit here.
I'm wondering if somehow these entities could be compromised in a way that makes them a problem, more so than just 'going offline', in which case, maybe there are some benefits.
There is a simpler solution rather than enforcing EU oversight over root DNSes.
https://blog.cloudflare.com/f-root/
[0] https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=72172
These are independent operators, NGOs etc, services being 'used by EU citizens' not really 'targeting Europeans'.
From a liability perspective, to the author's point these services I suppose would have to just filter out European sources?
Why would they publish a regulation so obviously vague, full well knowing the reality on the ground?
Why wouldn't they use language that unambiguously places NASA etc. firmly 'in our out' of the regulations or, some criteria which they would be one way or another?
Seems odd.
Regards NGOs: just because you do not make money does not make you a saint.
Regards vagueness: if you want to survive in an agile environment without rewriting every second day, vagueness is the way to go.
So if the US comes out with "GDPR- The Next Generation" with similar mandates towards the EU would that also be "good"?
Asking for a friend.
Or the Hague invasion act which is pretty much that case (US soldier are protected abroad against international treaties).
In reality, the question is not whether EU citizens will use these services, but whether the operator of the service is targeting people in the EU, i.e. whether the operator intends or reasonably expects for EU people to use their service. A US service will most likely be fine if their reasoning goes something like this: (1) We primarily intend to serve connections from the US. (2) This expectation is reasonable based on our network topology. (3) But we don't care if someone else connects.
It would not be appropriate to exempt specific organizations since those organizations may change their targeting in the future. It already exempts most non-EU organizations, due to the criterion that they don't target the EU.
We had the same panicking in 2018 when the GDPR came into force and – quelle surprise – there are no fines for random international websites. The EU doesn't insert itself into your affairs if you don't insert yourself into the EU market.
> In order to determine whether such an entity is offering services within the Union, it should be ascertained whether it is apparent that the entity is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the entity’s or an intermediary's website or of an emailaddress and of other contact details, or the use of a language generally used in the third country where the entity is established, is as such insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the entity is planning to offer services within the Union.
People also tend to forget that providing a service (in whatever fashion) doesn't exist in a vacuum, there are the services and then there are the consumers of those services and they might have certain freedoms and rights that the locality of the service in question might not honour. Take the right to control your data for example, the US isn't very good at providing that with the services they offer, and they'd rather not have that freedom and rather make those few percent more money.
The EU has a good amount of soft power, this is just testing testing it's waters in directing policy more directly. (other examples are the Iran deal after the US left, and Intervention in Africa)
Geopolitically, this makes a lot of sense, and i think the idea has good intentions, but the implementation of the law is where it falls short.
Is the latter part of this your conclusion and interpretation? I haven't looked at the source material but are you sure they aren't just referring to root servers operating in the EU or by EU companies. I find it hard to believe they would consider DoD servers within their jusrisdiction.
>https://berthub.eu/articles/posts/how-tech-loses-out/
You wrote
>We barely develop any software here anymore. So even very European companies like like Nokia and Ericsson, that are now trying to tell us that they are building our European telecommunication infrastructure. They’re actually not, they’re getting that built by other people in other countries far away. Anything having to do with server and PC development and manufacturing, there’s nothing left of that in Europe anymore.
As far as I've been told, then there are R&Ds in e.g Cracow, Poland or Wroclaw (probably nor R&D) that actively recruit or even train people
What are they doing then?
Now, India on the other hand...
Rely on a third party like the US which has secret courts and gives a shit about EU citizen privacy, their property or their lifes?
Or give it in the hands of the industry? Which only has one motive: making money.
Or leave it unregulated with no safety for no one?
DNS is about trust. We need trust into this thing. And honestly: i would not trust DNS offered in China and most likely also not the US, or 99% of the carriers
One way or another, EU will force its way. Should it do it by e.g. empowering DIGIT to run root DNS servers?
They will for sure tender it off to a murky consortium, but at least there will be a positive political move.
[1] https://en.wikipedia.org/wiki/Strategic_autonomy
Here's an even better and more logical idea - for those who have concerns about the current DNS root server arrangements, what specifically are they? And what would you propose as solutions to their perceived deficiencies? Bonus points if you can raise actual technical arguments and not just feelings.
DNS roots have worked flawlessly. The EU can just create EU roots and be in control of them and regulate those. Nobody is opposed to that. You can even enforce vendors to only include EU roots when selling devices in the EU (I’m against this personally) or to ISPs (I’m more okay with this). But as a person who loves the EU I’m very much opposed to enforcing EU values and views to 3rd parties.
Everyone should regulate and audit them. How we do with medical devices, and other stuff. The internet is no unicorn with special treatment.
The last paragraph is right until I think about my EU-WhatsApp trying to make connections in Singapore. They try to protect me as a citizen.
Exactly what problem would this law saw? So far all I am seeing are vaugue assurances and warm feelings but zero substance of how it would improve anything.
Indeed, if history is our guide any change is far more likely to hurt rather than help. Therefore it is incumbent on those seeking the change to defend it - how exactly will this law "improve" things. Please be specific and factual and leave feelings to the poets and philosophers.
Not every jurisdiction in the world is based on extreme fines (like the US) but many are build on strict regulations (like most European countries).
Personally, i cannot speak about the concrete law and nis 2 thingy.
If you want to ask my server, send me information in the protocol that says that you want me to meet a certain standard and I'll blackhole the request if I can't meet it.
This is how SSL/TLS works and it works well.
Any software that is used by EU citizens (downloaded from EU App Store or EU vendor website) should use EU DNS servers. (The user should be allowed to change the DNS on per device and per app lvl)
I’d be okay with that. And I think that solves your issue, my issue and EU’s issue.
Another approach is what we do with cars: we don't ban ICE cars, we have different "tiers" (Euro5, Euro6) of emissions and phase them out. We can do the same thing. Any device manufactured after 2020 will need to implement this "feature". It will take a few years to propagate but it is a very feasible approach.
(or maybe I'm not understanding the core problem...)
I'm not quite clear how that's different from ICANN? Ostensibly they're now "multistakeholder", but were under the United States Department of Commerce until 2016. And were infamously in denial about the GDPR impact to WHOIS.
To be clear, I'm not saying the EU proposal is in any way good, I have no idea. But this issue has been brewing for a while, and I don't think it's unreasonable to be critical of ICANN et al and preparing for eventualities. Even if it is the status quo, leaving a major part of the internet in the hands of some unaccountable NGO is a huge risk.
As it stands today, I can no longer reliably block hosts by domain name on my own network thanks to DOH.
You should be able to mitm all your own https traffic right? Not sure if that’s worth it though.
Please don't give them ideas. Not even the Kremlin has done that, although they did something similar with geolocation devices.
Otherwise I fully agree. If the EU wants to audit, they should establish their own root server infrastructure, pay for it and audit that. If I was a root server operator providing what is essentially a free service and this was enforced on me, I'd rather shut down or block EU netblocks than be bothered by EU cyber security auditors.
The implementation part will be tricky but not impossible. Heck ipv6 is still not rolled out and we actually need it. Do you think they will be able to do this faster?
I’m not at all opposed to the EU trying to regulate companies providing services to their citizens.
If you only regulate providers in the EU it’s a pointless exercise from the start, even if you don’t have a lot of ways to actually enforce your regulations.
it's a lot easier to move than say, banking customers
Some other transfer mechanism for the zone could be used, and almost anything would do as the rate of change is slow and the overall size relatively small. If it's a regular transfer, there's less need to have servers as everywhere as possible as is current policy. Popular TLD servers will likely continue to try in as many places at once as they can be though.
[1] https://www.dns.icann.org/services/axfr/
As long as actually filing the paperwork is easy and the EU accepts the idea that the system is already designed to handle outages this sounds to me like a non-event.
Probably the criticality/importance of the service must be balanced by appropriate controls/checks/procedures/etc... .
Or even worse, bureaucrats making shit up to not only justify their existence but justify the expansion of their empires - which is exactly what this smells like.
There is nothing broken or in need of fixing with how the root servers have worked and work today.
Brilliant value being added there. A true benefit to all mankind :p
Shrinking by whom? EU partisans or the technical world at large? Quite a difference about who's "shrinking" I couldn't care less about.
The person you replied seems to be Bert Hubert.
GDPR has forced all companies to at least think about data security and personal data, and given rights to know what data is stored and to demand deletion.
Sure, there are annoying consent modals, enforcement is lacking, many companies don't actually follow the law properly, and I've lost access to some websites/apps that don't want to deal with it.
But this is a domain where standards are severely lacking, but necessary. No one will do it without being forced to.
The biggest downside (for me) is the extra regulatory burden for small companies, but this particular legislation won't affect small companies much anyway.
Granted, DNS is not classified, so those specific restrictions do not apply, but you still can't just go up to the Pentagon unannounced with an EU regulator badge and expect to be let into the building.
The US wants to do all sorts of shady stuff to the rest of the world, but as soon as someone wants to do some of that the other way around it suddenly is all sorts of bad.
It is still a long way to go though.
The Californian defense minister doesn’t exist, and didn’t proclaim last November that “illusions of US strategic autonomy must come to an end” in response to criticism from the Texan president, citing sobering facts like “without the nuclear and conventional capabilities of the E.U., California and America cannot protect themselves.”
https://www.politico.eu/article/german-minister-to-macron-eu...
Source? DNS has worked perfectly for decades without out of touch politicians at the helm.
I know a few people that would disagree. In fact, Google maintains a list of such opinions on the topic at [1].
[1]: https://www.google.com/search?q=it%27s+always+DNS
Name another system that has delivered the sheer quantity of results compared to the number of faults. I can't even imagine how many answers have been given DNS servers.
The Ukrainians that were here for a decade or more are choosing to go back to Ukraine rather than stay in this, what an image of the EU.
My 70 y/o grandmother is literally the only reason I'm still here.
GDPR has been good even for non-EU citizens because it prompted some companies to provide data controls for all users, not just EU citizens. I have only come across a few American local news sites that block EU visitors.
There are other reasons technologists may leave, such as higher salaries and larger capital markets in the US, but GDPR, PSD2 and Covid-19 would not be incentives for most.
I never cared about using third party apps for banking, it's useless - obviously only the most basic operations are supported; and I never wanted to use my "dumb" phone for banking at all, I wanted seamless internet payments - but now I am required to have Android/iOS phone connected to the internet on hand to even log in into online banking interface - great!
News sites aren't the only victim of GDPR, it's also SaaS apps and other services, especially financial services. I used to be able to have American brokerage accounts, now that's gone - great!
How about you stop talking about what's good for me? This is exactly the problem with EU, it feels like it knows perfectly what's good for all 450 million people - well it doesn't, and it's not the same for all.
Tech especially is still drinking the kool-aid
The question why everyone ought to be forced to follow some made up rules.
Root servers might be out of scope to some degree for this however. Interestingly enough the root servers also aren't mentioned in the proposal itself, nor in the annex listing essential services. They're only mentioned in the lead up, which is the argument for why it's needed. It somewhat feels like they left it in accidentally, especially with the parliament immediately amending to scrap it from the lead up as well.
It is, and therefore it should be 100% decentralized, if only to keep it out of the grabby hands of governments, EU or otherwise.
It isn't.
Proof: the fact that US random three letter agencies can take down websites.
Think about how many people have the Linux kernel Git repo cloned on their workstation. It would be essentially impossible for any government to destroy all copies.
This is becoming less true each day, especially with the advent of IPFS and Ethereum. Uniswap's website will never go down. uniswap.org might be seized but uniswap.eth cannot be altered by anyone.
In a few decades it will be normal for websites to be decentralized and permanent. It's actually quite needed for the robustness of critical internet architecture.
/s
Take a look at https://ens.domains/about and https://handshake.org/
Think about it. Domain names are seizable. IP's aren't. You can't stop someone with an IP from existing.
Whenever someone talks about regulating DNS, it should translate to "We want to take control of Namespace management.
Indeed, you want ecosystem diversity. You don't want every operator of a pool of root servers doing everything the same way because if someone figures out how to disrupt those operations and if everyone is operating the same way then poof - they all fall down.
Top down planning/regulation has it's place, but it's hardly the solution - and brings zero value to this topic.
Indeed, in 40 years the model has worked just fine - surviving technical, political and legal challenges and no one was the wiser. There is zero in this law that would improve upon that record.
Also, I'm not sure what happens if a crazy US president decided to disrupt .eu.
While regulating root DNS servers might be undesirable now, it sure feels like the right moment to start the conversation.
This part is solved with qname minimisation.
This is only a problem for a tiny fraction of queries. The records served by the root servers can be cached (e.g. .com has a TTL of 2 days), so most queries don't even hit the root servers. It's a much bigger problem for the registry nameservers.
> The non-profit root server operators might have to leave the EU and put up active measures so that no Europeans can use their root servers. They can’t afford to do all the paperwork for NIS 2.
For example, if a university cannot afford to file the necessary paperwork, why couldn't the EU be the ones that are obligated to send someone over to handle the legwork and help them out?
I know that something like that would never work for reasons that the lovely people here would hopefully point out (since i don't really deal with the legal stuff that often), but here's another example - i live in Latvia, and the government actually helps me to fill out and pay my taxes somewhat. Granted, it only handles the most common cases and calculations in the form of a self-service web app, but if a lot of paperwork is just forms anyways, why not apply it to other domains?
In contrast, telling a university that they'll need to invest significant time and resources into something that they simply cannot do on their own, knowing the implications of this, doesn't appear fair.
the top comment on HN for topics like this frequently follows the format of your comment, saying something that sounds so reasonable, who could object?
But the way the internet works didn't come about magically, it was planned and modified through trial and error by experts who, working together, can be seen as nothing other than a task force. So you are looking for a new task force to interrupt and disturb a task force that already exists. This will inevitably lead to the need for yet another new task force to look into what this task force has done...
I've never really heard of this "NIS 2 directive" but it seems completely reasonable, and it's even unclear whether non-EU folk like NASA would even be under scope. The only way I can see that being tested is if NASA (or whoever) seriously screw up and have a breach, and get attention on them. If that happens, then good! They deserve the scrutiny!
This reminds me a lot of the FUD (primarily) American's were spreading about GDPR which ended up being mostly empty.
- I doubt that the EU meant to directly investigate the pentagon, the opposite might have some history.
- The argument that there is redundancy and therefore it is safe is incomplete to say the least. For instance, how heterogeneous are operations, software, potential failures...?
And they are also busy ruining chat encryption in the name of our own safety, app stores in the name of anti-trust and online ad business in the name of… whatever.
The European Union - those who can’t innovate, regulate.
What a putrid aphorism. Law is a field of innovation itself.
EU regulators are innovative. I can think of a lot of other innovators like them.
I haven't recalled any that I like. Can you?
- intra eu Banking which is decades ahead of the US[1] - having universal driving licenses and ID cards valid throughout a continent and beyond[2] 3: High standards of food safety [3]
i could name a couple more, but i get you get the point.
1: https://en.wikipedia.org/wiki/Single_Euro_Payments_Area 2: https://en.wikipedia.org/wiki/European_driving_licence 3: https://eur-lex.europa.eu/summary/chapter/30.html
No it isn't. If Facebook targets EU citizens it's under EU law no matter where it is located. It's the same the other way around. The only difference is that US companies are used to do what ever they want.
The root servers choose to send referrals back for the TLD.
They don't have to. They could answer the query directly, or send a bogus authority record for "example.com", etc.
So, technically, you could create some chaos in the way you're describing if you ran a root server. (Plus the wrinkle of DNSSEC).
I think this is the point where the argument falters. The author is overstating the cost impact regulatory compliance has and understates the non-profit resources. Also, the idea that commercial providers will take over with their competitive edge in regulatory compliance doesn't work, since there is really no impact of such compliance skills on service quality. Everybody provides the same service, so if the operators can comply somehow (even if slow and badly), they are good
In practice, though, I don't think it would matter. It's not like (1) the EU is asking to be allowed to install arbitrary programs on root servers or (2) it will start bombing non-compliant servers.
Worst case, EU residents (or at least residents using PCs sold in the EU) will only be able to access EU root servers, which will still index 100% of the internet. I'm not super worried.
No that's not true, for example sci-hub is not available on DNSs compliant with EU's laws.
In the document below they even cite Cloudflare as non-cooperative, as well as several Asian marketplace and some online pharmacies.
https://trade.ec.europa.eu/doclib/docs/2018/december/tradoc_...
What? Why not?
Edit: Downvote if you must but it is the mindset of many:
https://www.bbc.com/news/technology-53686390
> "It's shocking," says Alan Woodward, a security expert based at the University of Surrey. "This is the Balkanisation of the internet happening in front of our eyes.
> "The US government has for a long time criticised other countries for controlling access to the internet… and now we see the Americans doing the same thing."
Previously, I saw Woodward giving bad information and engaging in unfounded speculation in an article about Signal - https://www.bbc.com/news/amp/technology-55412230.
> Alan Woodward, a professor of computer science at Surrey University, said Signal was "one of the most secure, if not the most secure, messenger service publicly available".
> "Signal employs end-to-end encryption, but goes further than apps like WhatsApp by obscuring metadata - who talked to who when and for how long," he explained.
> "Cellebrite seem to have been able to recover the decryption key, which seems extraordinary as they are usually very well protected on modern mobile devices."
> He added that if this was indeed true, it was no surprise Cellebrite would have altered its blog.
> "I suspect someone in authority told them to, or they realised they may have provided enough detail to allow others - who don't just supply to law-enforcement agencies - to achieve the same result."
A good rule of thumb might be, if you see Alan Woodward quoted in support of the article, assume the author doesn't know any genuine experts.
https://www.cnbc.com/2019/02/04/the-splinternet-an-internet-...
https://www.reuters.com/article/us-usa-china-apps-pompeo-bre...
Or did want an older Democrat proposal:
https://www.nytimes.com/2011/11/16/opinion/firewall-law-coul...
http://leahy.senate.gov/imo/media/doc/BillText-PROTECTIPAct....
The idea of walling the internet is quite old.
https://news.ycombinator.com/newsguidelines.html
[1] https://www.namecoin.org/
[2] https://unstoppabledomains.com/
1- Having domain names be impossible to seize sounds like an anti-feature for most businesses. If somebody pwns my company or I have a disgruntled sysadmin I don’t want them to be able to indelibly transfer my domain name to themselves with no recourse. Alternatively, if I lose the cryptographic keys to my domain name, am I just completely hosed?
2- No renewal fees ever sounds like an anti-feature to everybody who isn’t a squatter.
As a socialist (regardless of my more specific views), I really cannot understand how these two views can be held at once.
The EU is an anti-democratic mechanism for concentrating economic and political power in few hands within Europe. Many member states basically forced it onto their citizens despite mass objections and even votes against entrance (or rather, adoption of the Maastricht treaty). And the EU has brought mostly negative effects for most Europeans IMHO. It would have been much better for residents of the continent to bring countries, societies and economies closer without this kind of central control.
The proposed measure, of forcing good-will providers of root servers, to have to submit to EU inspections of premises, is a (admittedly rather minor) example of this aspect of the "spirit" of the EU.
As but one point: only one referendum rejected the Treaty of Maastricht, the Danish one, with a margin of 49:51. In response, some changes were adopted an the Danish people overwhelmingly voted for it in a second referendum, 68:42.
That would be the Web. It is hard to take anything this person says seriously when right at the start they confuse the Internet and the Web.
I also think it isn't fair to nitpick the article for it.
also: even if there are some things which do not rely on DNS, but proportionally speaking majority of things do rely on DNS - web, email, file sharing, chats, calls, you name it. it already gets to significant majority of internet activities, so ... your point is not clear.
I wouldn't be worried about fines. I think the EU is very reasonable and flexible when it comes to enforcing these type of legislations.
Any end user can do that as well.
The truth is, root servers are not nearly as "essential" as the major TLD servers, like .com, .net and .org
What is essential is the ability to download the root.zone file. At least if one wants to track any changes (seldom seen).
I always have a copy of the current root.zone file. If the public root servers all ceased operation I would not see any noticeable effects.
However if the .com servers went down, I would have to use a local copy of the com.zone which is a much larger file to download (via FTP, HN's favourite protocol to make fun of).
An easier alternative is to keep a custom zone file with all the domains that I use regularly. Does any single end user really need access to the entire www. How much of the www does anyone think they have really seen.
For example, I have zone files with every domain that is posted to HN, so I never have to worry about being able to read what gets posted here. I can read fast without making any remote DNS lookups.
The DNS roots are probably not the biggest risk due to their nature (discussed in the post).
mhmm. Blacklist them.
So: why the proponents of this proposal (supposedly) think it's necessary, and why they are mistaken and it actually isn't?
The linked amendments that thoroughly resolve this complaint have already been adopted by parliament. This article is therefore picking a fight with an old version of a working document.
One of their root servers PDFs said
"Due to the critical role that root name servers play, combined with the fact that they are themselves often targets of DDoS attacks" [1]
That made me sad. Why mess with the internet which gives us such joy.
[1] https://root-servers.org/media/news/Statement_on_DNS_Encrypt...
You have conflict of interest, then, and cannot be trusted.
This idiotic idea is leaving the end user just as exposed - if not more - than they are now.
Today you are just as unlikely to be cut off as you have always been.
But if you're Italy and want to leave the EU without paying back the 400-500 billion euros you owe and they decide to hang onto your DNS servers, you'd probably wish Cloudflare was in charge of DNS.