DNS quo vadis – addressing challenges and the future functionality of the DNS – WS 04 2018
5 June 2018 | 16:45-18:15 | EVENT ROOM
Consolidated programme 2018
The Domain Name System is a vital component of the internet infrastructure and required for both security and basic functionality. Recently, a variety of conflict points have emerged that include but are not limited to (geo)political shifts and disagreements, a lack of clarity over abuse fighting, and issues of an architectural and technical nature. For example, while DNS Security Extensions have not been deployed across the board, the key rollover has been delayed. More generally, when such an essential infrastructure is evolving, it is an important question who is making the critical decisions, and also who will be left behind. Taking on board this host of challenges to the nature of the DNS, this session discusses whether the system can continue to exist in its current form, and reviews scenarios of how it may develop in the future.
DNS, Domain Name System, DNS Abuse, Domains, ICANN, DNS Security, DNS Privacy.
The session will focus on discussing what works and does not work when it comes to the DNS at this point in time. There will be a focus on what should change technologically or in terms of policy to keep the DNS functioning in the future. For example:
- What technological and policy changes will we see in the near future?
- Who will shape those changes, and how will they impact users?
- Could the DNS become an avenue to increase internet security?
- How will abuse-fighters identify criminal actors going forward?
- Will the DNS become more politicised, potentially even fracture?
The DNS is a key element of the internet infrastructure and affects us all. Therefore, the session and the discussion will be interactive and inclusive. In addition to the roundtable participants who represent different stakeholder groups, the audience is meant to shape the discussion and provide thought-provoking input.
- The Moderator opens the session and provides the context for discussion (with audience contribution)
- Round table participants provide short opening statements
- Audience challenges round table participants
- Following initial discussions, moderator moves to interactive Q&A
- Towards the end, the round table participants provide final statements and the moderator wraps up the session
For participants who cannot attend the session in person, remote participation is available and greatly encouraged. All voices will be heard.
- Jacqueline Eggenschwiler, EURALO Individuals’ Association
- Laurin Weissinger, University of Oxford
Organising Team (Org Team)
- Jacqueline Eggenschwiler, EURALO Individuals’ Association
- Laurin Weissinger, University of Oxford
- Ucha Seturi, Small and Medium Telecom Operator's Association of Georgia
- Peter Koch, DENIC
- Alexandra Kulikova, ICANN
- Grégory Mounier, Europol
- Fiona Asonga, TESPOK
- Peter Koch, DENIC
More speakers will be announced soon.
- Laurin Weissinger, University of Oxford
- Chris Buckridge, RIPE
- Jacqueline Eggenschwiler, EURALO Individuals’ Association
- Jana Misic
Current discussion, conference calls, schedules and minutes
Please join the mailing list for more information.
- The DNS system remains a vital component of the Internet infrastructure. The focus should be on enabling the resiliency of the DNS system, by finding a balance between adding new features and compromising its stability.
- Strengthening security measures and encryption is important, but it also poses challenges for the law enforcement agencies when dealing with DNS misuse. The key challenge is gradually reducing the rate of abuse, while preserving competition and DNS functionality.
- DNS services carry the same risks as other centralised services.
Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at https://dig.watch/resources/dns-quo-vadis-%E2%80%93-addressing-challenges-and-future-functionality-dns
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-877-825-5234, +001-719-481-9835, www.captionfirst.com
This text is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text is not to be distributed or used in any way that may violate copyright law.
>> Can I ask you to speak a little bit, just to make sure?
>> Test, test, test.
>> Yes, we can hear you, thank you very much. Okay. Great. We are set, thank you very much. (pause)
>> So, okay, with slight delay, due to technical glitches and overrunning sessions before us, we would like to start the DNS Quo Vadis session. It is all about future functionality of DNS.
We have a lot of interesting speakers here, who will help us to have a great discussion. And these are spread all over the room. I hope I can find them all in time. We are starting with Alexandra Kulikova, working for ICANN. Fiona unfortunately, due to either voice-over IP issues or something, cannot join us. Gregory Mounier is not here. But he is joining us via Webex. He is working for Europol. And Peter over there works for DENIC and Internet society. DENIC by the way manages the --
(voice in background).
DENIC is in charge of the dot DE. David, I'm not sure where he -- he is over there, is from Georgia and works for the Georgia research and educational networking association. The moderators will be Chris from RIPE, Jackie who unfortunately isn't here, because she got stuck in Zurich, and will only arrive tomorrow, and myself, Laurin.
Okay. So this session is meant to be a very open discussion about, as it says in the title, what are the challenges and, you know, what will happen with the DNS going forward. We already see there is a lot of bits and bobs where things are working, sometimes they are not working. We are seeing potential challenges ahead in terms of geopolitics, in terms of technology, and also in terms of how we can deal with abuse, attacks and all that kind of stuff is becoming more common. And our idea to start this off was for every one of the key participants to give a short statement about what they see as the kind of key challenges here and how this might be resolved, which will be about three to four minutes per person. Then we will open up, speak to the audience, see what is going on. Unfortunately we have some trouble, I'm not sure we will be able to use MT.com later on. Alexandra, if you would like to start.
>> ALEXANDRA KULIKOVA: I think I'll start from really a parallel statement that probably the -- yeah, that works. Probably the Internet of today is the result of so-called network effects, and if you go to wikipedia, it will probably tell you that that means an increased effect, increased effect from the number of participants, of particular ecosystem. In our case, this effect encourages basically an infrastructure which normative and artifact applications and services are based. I can draw in the Internet as we know is specifically to facilitate and support the network effects which is based on names and numbers, which basically now allows us to connect a few billion people and we are still hoping that more will join.
However, this network effect has its own consequences. It means that we need a really low common denominator, which somewhat discourages autonomy or basically it promotes this dumb network which needs to be running, and sometimes the intelligence and innovation is actually on the edges. And it is facilitated by different actors which use the same dumb network so to speak.
This is what has brought us to the Internet of today. The benefits of such a structure, of such a design probably have still been compelling since we are still using the DNS, we are using the Internet as it is.
The question is, how strong the pressures on the system are, which might change it or not. If you think about DNS itself, at least as a protocol, because there are various ways how we can look at DNS, we can look at it as basis for different applications, as an area of registration. But if you look at the protocol itself it's old. It's over 30 years old. One of my colleagues didn't want me to bring this up, but I will say this, that in one of the reasons, idea of meetings, there was this question brought up of how resilient DNS can be given that it actually features an over 100, in 185 RFCs. We keep patching it and patching and improving and building over building.
Since it was built so many years ago, it didn't think or those who created it didn't think much about security, about privacy and other matters which clearly from this event fill the room. That is how we have now working streams, working, looking at DNS over TLS, DNS issues of VS, etcetera, we find new applications for DNS as in one of the presentations earlier today was explained Oxford flood network or something like this, I think it was in Peter's presentation. The protocol evolves, clearly evolves. And at the same time, there are new identifier systems. There are new innovative ways of communication. At ICANN, we are looking and we are monitoring and those brand-new worlds coming up, those who attend ICANN meetings, we run a session on emerging identifier systems. We have looked upon request from the community, we have looked at DOA, we have done research into blockchain. There are other things coming up. But keeping an eye on what is coming up and what is the next so called iPhone, which will break the paradigm, we are still responsible about what keeps the current Internet as we know it, and the core mission of the organisation or the majority of you know is the stability and resilience of the system as it is now.
I hope this hasn't sounded too overoptimistic, but I think that there is faith in the DNS, underlying protocol as it is now, but clearly there will be more and more challenges, not only technical but also legislative and we will probably have an opportunity to talk about this. I'll stop now.
>> LAURIN WEISSINGER: It would be nice if Gregory could maybe speak to the challenges from a law enforcement perspective. I hope it will work well, we can see you, Gregory. And I hope you can hear us as well. Excellent.
>> GREGORY MOUNIER: Hello, everyone. Good afternoon. My name is Gregory Mounier, I'm working at Europol. In terms of a few remarks about how the law enforcement community sees the DNS, in general, we see that criminals and those who are into doing dirty business on-line are very frequently using the DNS as a protocol and in particular they are using DNS to carry out their activities. We see that a number of investigations we are working on have been facilitated by aspects such as many different malwares that are targeting either the end users or name servers or even the registrants, they are changing the DNS settings so that they can transfer the traffic to malicious servers.
We have also seen criminals using the DNS to hide their traces. If you think, for instance, about the fast flux techniques that was for instance used for the avalanche network, the criminal infrastructure was there for about nine years. We couldn't see it. It took us about four years to investigate it, take it down, because it was using the DNS to hide the IP addresses of the servers sustaining the infrastructure.
Also the DNS can be misused for more aggressive techniques such as launching attacks, there is known techniques called DNS amplification attacks. There are many ways of using the DNS and releases in DNS to carry out criminal activities on-line, spread malware, steal personal data and resist law enforcement intervention.
I think it's important to argue for strengthening of the security measures around the DNS, DNSSEC is very good. It prevents domain hijacking, domain shadowing, there are aspects that are used a lot by criminals for malicious registrations of domains. But then of course we get into the issues such as DNS over TLS or DNS over HTTPS which is the new trend. If you go to IETF now most of the discussion on DNS are about these new protocols. These are great. But at the basis of such measures of course, you have got the encryption questions, and this is really a double-edged sword, because the privacy that DNS over TLS provides to users, also will be used by attackers to extract information that has been stolen from a network, for instance.
So there is no real definitive answers. But I wanted to stress that from the law enforcement perspective, yes, I agree with the previous speakers that DNS is an old protocol and there are many vulnerabilities being abused by criminals. But of course when we try to strengthen the protocol and make it more secure, then of course there is the issue of law enforcement becoming a little blind.
That is, I'm throwing this around for discussion and happy to continue the chat. Thank you.
>> LAURIN WEISSINGER: Thank you, Gregory. According to my list, it would be Peter next, with his introductory points. Thank you.
>> PETER KOCH: Thank you, Laurin. Good afternoon, everybody.
Let me continue maybe with some points that have already been raised. One is the theme of complexity. Indeed the protocol is kind of old, has been developed and evolved over time. But then at some point in time, engineers start to get into playing mode, and add features here and there and bells and whistles, which is okay, which we have survived with other protocols but the DNS is kind of suffering from its own success in this regard, because it is at the core, at the very core of the Internet infrastructure.
And like every good operator, I tend to have a conservative approach to this, like necessary changes, but not necessarily all the features that people envision. In that regard, we do have DNSSEC which adds an important security aspect, now the IETF and people around there are working on privacy for the DNS, which is obviously necessary, because if anybody remembers this young man called Snowden, we learned from his revelations that there is metadata being exploited out of the DNS. So the response in terms of privacy and encryption is interesting, although people should be aware that this is a long way to go, because the challenges are as big, at least as big as deploying DNSSEC for the security, which adds to the complexity again and then also makes some people believe that the protocol isn't ready.
Now, in Germany, I'm pretty sure in other countries, we have these famous cathedrals, one of which is the Cologne Cathedral which is never ready and if it should be ready any time then sky will fall. So we keep building it and repairing it, so on and so forth, which is probably true for infrastructure elements in the Internet as well.
What we also see and that is slightly related to this topic, is that protocols like the DNS and we also have the core Internet protocol the IP protocol, protocols that are at the very core of the Internet are hard to upgrade in a way, so the move from V4 to V6 is not easily regulated. It cannot be demanded. As we don't have flag dates in the DNS, as in the Internet, as declaring tomorrow we will all switch to V6 or all deploy DNSSEC or privacy of the DNS, this is a big challenge.
The decision-making around this and ICANN colleagues have carefully avoided the topic of DNS key rollover for which if you don't recognize the acronym, forget about it immediately, but it is an interesting question on policy decisions. We are going to make changes to the core infrastructure. We know that we cannot reach out to a hundred percent of the population, so how many are we willing to lose a bit on the way and avoiding to say sacrifice because people won't be hurt, but there will be bumps in the road.
That is the question of how to make these decisions and how to get there is open and is unanswered or is going to be answered in flight, which is probably a challenge. The complexity topic I already mentioned. There is on a different angle, we do see a concentration on the side of the operations, which is slightly similar to another protocol that some people may remember, the protocol around E-mail, so called SMTP. In the early days of the Internet everybody was supposed to send E-mail to everybody by sending from their own server to somebody else's server, until so called E-mail providers popped up, and everybody was only talking to the E-mail providers and E-mail providers were talking to each other. You ended up at the end user.
We are seeing similar developments in the world of the DNS. We do have 2,000 odd TLDs, but far less than those 2,000 registries, and we have far less than 2,000 professional operators of DNS service. There is a concentration there, and on the other hand, we see emerging service that was taken for granted and everybody had it on their systems, so called resolving side, for those of you who attended the previous tutorial that is the part that gathers the information from all the name servers in the world and compiles responses.
People are adding services to that, and you know all the fancy numbers like 8.8.8.8, 9.9.9.9, 1.1.1.1, you can continue that only works for the three for the moment but there are other upcoming, there are features added which adds to complexity. But again, there is a prearranged scenario, we have now dedicated providers of resolving service and other services, so not everybody is necessarily talking to everybody else anymore.
That changes the game as it did change the game in the E-mail world, because in today's world if you start running in the E-mail server on your own, you soon find out that you can't reach everybody else anymore. This is not really end-to-end fully transparent Internet. We need to be aware of that and take that as a challenge.
Then of course, there is regulation, and regulation isn't necessarily bad, isn't necessarily good. But it should be well-informed from the technical and operational perspective, as well as long term consequences and architectural influence and architectural consequences of maybe small changes that are implied. I think that is enough for an introductory statement, maybe more than that. Thank you.
>> LAURIN WEISSINGER: Thank you very much, Peter. Now it would be David's turn, who is also I think mostly in the engine room from what I've understood. (chuckles).
>> First of all, thank you. Good afternoon, everybody. First of all, thank you for inviting me. Well, I think that the biggest challenges for DNS future and stability are still the security, which we are talking about DNSSEC which is still not implemented everywhere today. I think about changes to the privacy, collecting data and so on. Government control, for example, you know the case that for example, Russia is thinking to preventing or I don't know, creating alternative domain name system or alternative Internet, I don't know how they call, and what they will decide about this.
Well, we all know that DNS was invented quite a time ago, more than 30 years, I think, yeah? And still it works very good. And it's quite a good protocol. But there are still the problems, and what I want to mention, I have the impression that it's like a bit forgotten. So it's not paying much attention in terms of development of this protocol. And it became that alternatively other developments in terms of alternative DNS services, there are talks about blockchain, how DNS can be, can work with the blockchain technology.
But still, I think for me, I think the most biggest challenges is DNSSEC which is also presented quite a big time ago, but it is still not implemented. And I don't know why. Many countries, it's still under question why it is not operational and so on.
So, yeah, I think this is the most challenges I think about the DNS.
>> LAURIN WEISSINGER: Okay, thank you all. I think that was a good round up from our speakers. It gives a good introduction to the topic here.
Basically the rest of the session we are planning to have more of an open discussion. So responding to what has been said so far, and I'm sure coming up with some other questions and other topics, so I want to throw, well, maybe first to see if there is others in the audience who have not spoken who have questions that they would like to throw in, and I'm looking at our remote moderator here as well. No, nothing? Okay. Not seeing anyone throw their hands up, I would throw back to our speakers. Do any of you have responses to what you have heard from your fellow panelists here?
>> ALEXANDRA KULIKOVA: Yes, I have a couple follow-ups on what my colleagues have come up with.
Regarding KSK roll, this is an interesting point, and there is no intention to hide anything here. Actually I'm sure Peter is aware that there was a certain percentage at the beginning which was expected to fail the rollover. But then we didn't roll in the end. For those who are not quite aware of the story, in simple terms, we didn't do it as planned last year, 11th of October, due to new data obtained through research. The data that was not available before that, we realized that this percentage might be more than expected. It was decided to hold on and spend a bit more time on research and on communication with the community actually. The new plan has gone through public consultation, which hasn't happened before for a process, for a project like that.
It has been a truly, it is not just an ICANN org project, it's truly a community project from the very beginning because signing the root was a community effort. And then the comment that we collected basically clearly said, go. Or at least that was the majority. So we are going. It's again planned for the 11th of October, 2018. Yes, we do know that there will be fallout, there will be certain failures. But that is the risk we take.
I guess one of the aspects of this project is actually to go through the mitigation efforts and that is what the team is doing together with the community.
On the other issue of other internets, that is actually an interesting one. Indeed, there are, there have been reports on Russia setting up its own DNS/Internet because the reports have been really confusing, and then another way of discussing this story was to talk about BRICS Internet. Regardless on whether these are speculations or an actual ongoing project, the best way to address this, I guess, is basically what I said from the very beginning. It's all about network effect.
As soon as what we are using right now is not useful for the majority, people will go. At this point, what DNS offers is a service which is preferred by the majority. As soon as it's not good enough as a service, then I guess we will be switching to projects XYZ which would be a replace. But for now it's about excellence and fitting the goal.
>> LAURIN WEISSINGER: Yeah, Peter.
>> PETER KOCH: Let me quickly respond to clarify that of course, I don't mean to say that ICANN did anything wrong about this problem regarding the KSK rollover. The multitude of attempts to get feedback from the community is appreciated, and you can only live with comments you receive which is hard to get, because emojis are much more interesting than DNS keys and everybody has an opinion about that which actually is reinforcing my point more or less, that the technical necessities for innovation in the infrastructure are really a strange topic, right? There is lots of people to be affected, and only a fraction interested and another fraction would overlap deep in the technical and other details.
I think that was the meta issue that we might not see this only within the DNS, but also in other protocols, as long as they are buried in the infrastructure, hidden, and you said nobody notices like it's taken for granted, and this for the innovation point.
If I may, I was going to go to another point. Also to bring Greg back into the discussion, you said that there are so many vulnerabilities in the DNS, and that took me like a shock almost. Maybe we can discuss this a bit further, where these vulnerabilities are. I mean I feel safe in using the DNS, and all the servers and the infrastructure we provide, many of us are providing critical infrastructures in the national regulatory environment. But I'm also sure that you didn't really mean that the vulnerabilities are at the technical level, are you?
>> GREGORY MOUNIER: No, exactly, Peter, what I meant is really there are many steps in the DNS resolving process which can be influenced by criminal and malicious actors. That is what we see regularly in our investigations.
>> LAURIN WEISSINGER: Okay. A question I might have for the whole group in talking about all the protocol that either hasn't had much attention in technical terms or development terms, or has but then also looking at the policy developing around it, and as Alexandra mentioned perhaps legislative challenges here, would you, well, would all of you different individuals see a priority in terms of DNS going forward in terms of what needs to be, what is going to be the challenge and what needs to be fixed as a technological challenge? Or more in the policy space?
So do we need to, is the DNS itself going to have to be further developed, further improved, further fixed? Or is it more about further improving the processes that we as a community and as Internet community have around how we use the DNS? Anyone, any thoughts? Please.
>> Yes. I know a little bit, my hope is train, and in order to change software on a train, it takes you about two years until you get the new feature. And you will never, ever get an emoji on the screen. It is not needed feature. We are critical infrastructure in the meantime, and we need to change our thinking and what we do with it. No features anymore.
>> You were going into the territory I was thinking, I would like to rephrase your question a tiny bit. If there is a problem, the problem people express with DNS is that it's really the protocol or is that the content inside the protocol?
>> I would even extend the question a bit further than that.
>> At some point we are going to have to answer (chuckles).
>> Yes, there is enough space in the room. It is probably not even the content in the protocol. It is the content beyond the protocol which is like the use at some point in time, I would say abuse of the identifier system to do content regulation which is the elephant in the room. The elephant doesn't have much space though. But that is something we might want to put on the table. I think that there are technical challenges, we can go back to the complexity topic, which is definitely an interesting question, because the stability and the ability to operate systems in that heavily distributed environment, including maintaining change and being able to maintain the protocol over time are dependent on some stability of the technical layer.
That is not at danger in the moment, but we have had in the IETF, and this is of course very blunt engineers talking about big problems when there is a single bit that they can't agree on, which is okay in that space but should be carefully translated in a sphere like this, so nothing to see here, to move on. No, but seriously, there is a technical complexity challenge at some point in time, but that from my point of view doesn't really influence or challenge the stability now or in the foreseeable future.
The regulatory influence and demands that go in the direction of the domain name system and players around that, as in content regulation or access regulation by the DNS, are making me much more nervous.
>> I think we need to be careful when you talk about complexity, because we need to disassociate complexity of a protocol, complexity of your operation of a protocol, and the complexity of the software that is used to deploy this technology. One of the issues is that a lot of software has been public domain software, open source, that has been developed by places that have under funding for many years and that has necessarily led to quality of software may not always be what we like it to be.
Sometimes we talk about the camel's back and breaking things by adding more features and area calls for no more features, when actually it's more of a problem of a software that is not developed according to most modern technologies. That may be where we want to focus the attention, by that I mean putting money on the table to solve that very problem, because we cannot deploy critical infrastructure on an underfunded piece of software.
>> Any response?
>> Not quite on that point, but something you mentioned earlier come up here, the centralization of things. The number of servers going down is not quite as bad as you say. I'm one who runs an E-mail server and DNS server at my home. It still works, it is doable, but has become more difficult over time. Yes. The question is, does the centralization, people starting to use more and more Google for their resolver, cause a problem in itself, that we are dependent on just a few companies and just a few software solutions. My DNS servers run, to have different software to avoid a fatal bug in one but all the centralization, put all your eggs in one basket in a sense. You see this as a problem?
>> I think Mark has a comment. That is an interesting comment, given some other discussions that have been going on at the recent meeting, Internet architecture board is doing on consolidation more in the industry than on necessarily specific tools. But I think that there is that question of greater risk because of heavier reliance on few protocols, or few tools or few companies rather than the diversity that we always try to talk about, as sort of a strength of the Internet. That is an interesting parallel there.
>> I think you raise a good point in terms of cost and you made a comment like it works. And I think that that is important to understand, that for a lot of people outside, they just type in a URL, and it works. They don't see the DNS. They don't experience the DNS. There was interesting research done in the Netherlands looking at DNSSEC, why isn't DNSSEC being picked up. They looked at it. A lot of providers felt it is a very premium service, the price is between DNSSEC secure domain and regular DNS domain went sort of like double. We are trying to encourage people to use DNSSEC because we can use it as a building block for other technologies. But at the same time, you are trying to explain people to spend money on stuff they don't really see. I think that is also part of the problem with the software in general, we are asking people to spend money on stuff they don't see. Am I right?
>> I'd like to pick up on that. It is a more generic problem. We have got a, no such thing as free, somebody has to pay for it. In the case we see DNS as mostly free for the community, but somebody else has to pick up the tab. It is not going to be solved by advertisement.
>> Https has gone up dramatically, make it free basically, I'm not sure if I can think of anything comparable for DNSSEC but might be worth thinking.
>> There was this initiative by the Dutch domain registry to give a small discount to people if they signed their DNSSEC, incentive to large ISPs to assign all their customer domains. I'm not sure how far you can take that beyond that.
>> There is one thing that just flashes to my mind, you said you type in a domain name and you get to that, get to that domain. Actually, this is not always the case. We have also seen, even in the past with macroKs, when this was not working, and that is because there are some creative ways in which whoever is in between the user and the DNS interprets their right to twist the DNS.
I'm thinking for instance, when macro-ks was the wild card that was introduced by VeriSign a few years ago that generated such big events that basically the Security and Stability Advisory Committee was, started having a role exactly for this.
But I'm also thinking now when you are in a browser, you type a domain name, fairly often the browser does not interpret that as a domain name, but as a thing to push to Google, to let Google guess what you really wanted instead of that domain name.
I think that this is, at least from my point of view of a user of the Internet, this is a serious problem. So I don't know how to frame this problem. But I would say the creative way in which somebody that is in between believes that they know better than the user what the user wants.
>> Greg, I saw you, are you interested in diving in there? No?
>> GREGORY MOUNIER: No, sorry, absolutely. No.
>> PETER KOCH: The question you ask about the concentration and whether or not that is a problem, maybe not immediate, but the question is of course together with all the other centers of gravity that we see, which also interestingly address the ability to upgrade or change infrastructure or change parameters at scale, like if you have your hands on an operating system that is run by say a billion or two devices on the planet, you can apply changes quicker than ever before and quicker than anybody else.
If you control not only the end device but also control the other side, that puts interesting challenges to all players in the technical governance sphere and also in standardization. So from that angle, I think that is maybe not a problem, but something to very carefully look at.
>> I remind everyone in the room, we are open for others, those around the table to dive in here.
One sort of higher-level and open question that I have, a theme here seems to be the idea that this is in flight and we have to repair it while it's in flight. It is not something that is ever going to be easy or straightforward to do and that situation becomes more extreme, the more our society relies on the Internet and the DNS elements of the Internet there.
The question I guess then is, are those structures that we have in place, and I'm certainly not just meaning ICANN, the IETF, but I'm sure there are others, and there are certainly others involved there as well, are they sufficient? Or are there improvements that are sort of understood as would be useful, or that people can come up with now or think of? Where do we go sort of in terms of how we actually manage what needs to be done to maintain the DNS and help us move forward? I've killed the conversation, excellent, that is why I'm the moderator. Back to Laurin.
>> LAURIN WEISSINGER: Okay. So with that question not really working out, let's try another one. So we have been talking a lot about the technical side of things, like how do we fix the stuff in flight, how do we deal with protocols, is it still fit for purpose in some ways, etcetera, etcetera. Maybe it would be interesting to talk about the issues we kind of mentioned in the beginning, so what is the role of the DNS when it comes to abuse? What can be done there to potentially make things work better in the future? We all know there are ways, we did hear about how it's being abused at the moment. Maybe that would be an interesting thing we can think about, how the DNS can be more supportive in stopping abuse.
>> ALEXANDRA KULIKOVA: This might sound counterintuitive a little bit, but from practice .... I just realized that from the practice of working in the region, from the engagement point of view, I think it's interesting how the problem of DNS misuse and abuse actually gives a vehicle and a platform for explaining how the system works. To those who are not necessarily trained to deal with the problem and I'm sure Greg is more aware of this than anybody else, that there are many people whose job is to fight cyber-crime, to actually deal with DNS abuse, they are not equipped technically or sometimes policy-wise to perform that job.
The problem itself becomes an opportunity to teach about DNS, about other protocols, about how the Internet works, and that in itself, hopefully increases general overall awareness about what challenges are on the table. It gives an opportunity to show a bigger picture which goes beyond the Internet regulation and commerce of a given country, and shows how that fits into a bigger picture of the global Internet Governance, who the players are, what their roles are, how can we be more efficient, etcetera, etcetera.
It's sort of a backwards logic maybe. But it serves a purpose, which is essentially more knowledge, more understanding, especially for those who need that knowledge for their day-to-day job.
>> If I can jump in.
>> I always try to find another image for the same problem. One is, what if DNS is like money? It's a needed thing. Money is used by legitimate users, and it's used by criminals. There is no way of getting rid of it. It's basic infrastructure, it's there. It's neutral. DNS is basically infrastructure, it's there, it's neutral. It can be used by whoever it is. Why should that system be responsible for this? I don't understand that.
>> I think Greg tried to jump in. But can you try again, Greg?
>> GREGORY MOUNIER: Yes. That is a very interesting point Alex raised, and I think even the previous speakers, in the sense that yes, this is an infrastructure, and it's neutral. It's there for everyone to use. But on the other hand, there are some policy and regulatory aspects that can be draped around the whole system to try to reduce abuse. Of course, when we are talking about fast flux or DNS hijacking, it's more difficult to prevent. But when we are talking about domain hijacking or simply domain registration abuse, then I think there are policies that can be pushed that would essentially reduce the rate of abuse.
One of the main problems we have within the Public Safety Working Group of ICANN, so this group of law enforcement and public safety representatives trying to engage with the ICANN community, one of the main challenges we have is to push for more monitoring tools of abuse. Nowadays the technology is there. The data is there. ICANN has established DAR where you can almost in real time measure the rate of abuse of some domains and some registrars and registries. I think these tools are essential, because in our investigations, so you translate that into the normal world, then you see that very often domain names, registration abuse is one of the enablers of cyber-crime. It is just one of the techniques that is used all the time. Most of the botnets nowadays are using DGAs, and they generate random domains, and yes, registrars keep on letting those people register those domains.
I think there are tricks that we can impose on the system, so that it really gradually reduces the rate of abuse, without stifling competition too much and the DNS keeps on working fine. But yes, I agree with the previous speaker, it's difficult to impose technical, major technical changes to prevent, for instance, data corruption or abuse of routers, firmware, for instance, due to DNS hijacking. But in terms of domain name registrations, I think we have got a huge margin of maneuver to try to reduce abuse. Thank you.
>> LAURIN WEISSINGER: Thank you very much, Greg. I think Peter indicated he wanted to say something?
>> PETER KOCH: Yeah, probably. I'm still struggling with this term, and I'm a bit in line with what was just said. What is happening, we see criminal activity, malicious activity and we see attacks and other kinds of bad activity on the Internet. It is packets that are moved back and forth. It is people behind that.
Singling out the DNS is probably taking away the attention from the responsible parties. We do have, and Greg mentioned in his introductory statement clearly, and you are right, there are DNS reflection attacks and so on which are instrumenting the DNS to attack other systems, in a different way than what you mentioned in your latest comment though.
We see the same happening alas with the time protocol and the management protocols, still nobody is talking about time abuse and management abuse and so on and so forth.
We do know what the issues behind this are, and again, the issues are the core technical features of the Internet, that, essentially a source address of an Internet packet like the sender of a postcard can give false information about who sent the postcard, because what is interesting is the addressee, the destination, that this is how it works.
There are measures under way to mitigate this freedom and if more people would, more operators and a critical mass of operators, so in vaccination and epidemics, there is the herd immunity that is important, and we do have the same thing here, like if, in most of the countries people and operators are either encouraged or even regulated to make sure that their customers don't inject wrong source addresses, it would still not be sufficient because there could be other actors, and only if we reach a certain critical amount, a figure I cannot present but it will be far more than 90 percent, then we mitigate this issue independent of whether it's the DNS, the time protocol or others. It's an Internet problem, the reflection is an Internet problem, and that DNS the protocol can be instrumented in that way is a technical question. That also has found a couple of technical responses that can be addressed.
I think we can take that for dealt with. The other one is the registrations and looking at this and Greg mentioned the DAR project which I guess you would, I would encourage you to elaborate on, and after you have done that, I will talk about reputation and fact-based versus rumor-based decision-making.
>> Thank you, Peter. We have two projects at ICANN that aim at essentially measuring the health of the system.
So one is the DAR, domain abuse monitoring system, and one is the Internet technology health indicators. We use part of the DAR data in the Internet health indicator project. The idea is, we cannot really talk about the problem if we cannot size the problem. We have to find a way to measure it.
The value that we have today, yes, may be interesting, but what is more interesting is the trend: is the problem going down or going up? It's not about simply having a metric measured one time, but over time, over maybe five years, ten years, seeing what the trend is going to be.
The DAR project in particular is looking at registrations in the gTLDs and looking also at abuse that has been reported on anti-abuse lists, commercial anti-abuse lists, reputation lists, and trying to see per 10,000 registrations how many create problems. Essentially this is a percentage. What is the percentage in a particular top-level domain, a gTLD, that has problems.
We see overall the vast majority of the top-level domains have a very low score, it's below 1 percent, almost not visible on the map. But some of them are much higher up. We have some graphs and bubbles that I can show you if you are interested. It shows that there is a concentration of some of the problems in some particular top-level domains. This could be used as input to people setting up policies, saying, well, maybe you want to do something about that.
So this goes beyond the realm of ICANN from an organisation perspective, with a perspective to measure this, and moves into more of an ICANN community policy development process to decide what to do with this.
So all this is, Peter, a good summary to answer the point that you raised.
>> LAURIN WEISSINGER: Thank you very much. I guess we often see this problem when it comes to abuse and criminal behavior more generally, that the number of actual threat actors for example is actually very low. But they still cause a lot of trouble. However, it would be good if we could go back to Greg for the law enforcement perspective.
>> GREGORY MOUNIER: Yeah, what I'd like to say with regard to DAR and even the study that was commissioned by ICANN recently to compare the rate of abuse between the legacy gTLDs and new gTLDs, like the previous speaker said, the conclusion was that abuse was very much centralized, or really on a few registrars and registries. In particular there was one in China and one in -- sorry, southwest Europe, I forgot, but anyway, what was striking is that ICANN could not suspend both registrars which had been proven to be really systematic abusers, and the only one which was suspended was generate 2017, and the reason for suspending it was not because of abusive practices but because it didn't pay the ICANN fee.
From a public policy perspective, I think there is a case to be made for ICANN to get a bit more power from the community to fight abuse more proactively, and have the right legal base to suspend rogue registrars.
>> LAURIN WEISSINGER: Thank you very much again for the law enforcement perspective. Maybe as we discuss this now, and I'm looking at the time, and obviously we want to finish roughly, you know, on time for the buses, maybe we could kind of come back to the issue of geopolitics which is the other big one we kind of touched upon quite a bit in terms of like infrastructures breaking up, people going off doing their own thing.
What I think would be interesting here, beyond what Alexandra is saying about the network effects, as soon as too many people stop using something, it will just disappear, the question is, what are the implications for the DNS, but also, as Peter kind of mentioned before, what is actually behind it. So how might this work out if it actually came to be? I'm not sure who would like to comment. I wanted to joke that Chris had a go at breaking the discussion, now I had one as well. So what I was wondering about is essentially, if we would really see say a country breaking off the DNS doing their own system, in addition or as a replacement, how do you think that would work out, do you think the population would follow this, how would that have to work in that state to work? We have someone in the audience. I'll give you a microphone.
>> My answer will be very simple, do not mix up what media says on RT or CNN. There is no technology alternative to DNS for a simple reason. It must be supported all over the world. Otherwise, there is no use. I mean, this is not a political thing. This is a usability thing. I mean that's it. Simple.
>> That simple issue can be circumvented, one country decides they don't want DNS to be used. They can set up a local relay that accepts DNS and filters as they like and provides a similar service inside the country for their people.
(voice in the background).
The reason why somebody might want to do that is for censoring or filtering or for other purposes, so that they show the piece of the DNS space they want to show. I'm not sure it is a sensible way to do it, but it is technically doable.
>> Actually if they want to do that, they don't need to change the protocol. They just have to put filters in place. That is what they are already doing.
>> Remember the story of the alternate root movement in the early '90s. If you have five billion users, then it could work. But it takes a lot of time to get five billion users.
>> How about one billion in China?
>> I don't know the initiative, DNS works and that's it.
>> Here comes maybe an additional response to your question about what consequences this concentration might have, because in a world of centralized resolver services, it's more or less the resolver operator who decides which top-level domains are important and which are not. That is an interesting shift in power. We don't see that for the first time. We see this in the world of web browsers, where essentially the vendor of the web browser decides which certificate authority you trust. We see this or could see this, I need to phrase this carefully now, we could see that the operating system vendor makes decisions about which zone to use, because while ICANN is important and we have the multistakeholder community around it, discussing the content of the root zone, translated into what is a top-level domain and what isn't, if a larger population walks away or is walked away into a different territory, then they vote with their feet or somebody else votes with their feet.
>> Thank you very much. I didn't see you but go ahead.
>> With what Peter says, that is probably also a call to vendors, even browsers, who ignore all the systems and do their own resolving to their own systems: it would be wise to create more transparency on the point that either they stick with the system defaults or make clear to the user you are ignoring system defaults.
>> Actually, this is where we see applications bypassing the system, bypassing the default configuration and the public DNS, essentially using their own Internet infrastructure to do all this, and it's another potential shift in power as Peter was mentioning before, where we see more concentration in a system that is walled off by application vendors or platform vendors.
>> We have an additional remote comment from Olivia.
>> Alternative DNS roots have been proposed ever since we moved from ARPA to DNS in the late '80s. Today there are still many alternative roots, there is a link given in this message. Yes, none of them appear to be particularly successful. The root server system as it currently is, is based on trust, that root operators have from ISPs and end users.
Some alternative root server proposals have bordered on the downright bizarre. And there is a link given.
>> LAURIN WEISSINGER: I'm watching the time, making sure you get to the social event later on. I would like to open the floor for like two more questions maybe, if there are any.
>> I want to make a different comment because somebody mentioned one possible development could be bypassing the system. And I think that there is the so-called handle system which is managed by the DONA Foundation in Geneva, you know, has the potential to, you know, probably on top of the DNS or next to the DNS, to introduce another identifier system. So far I do not see any progress in five years. But let's wait and see. And what will happen, there is something always possible, so we should not take it for granted this will continue for the next 50 years. To have an eye on these developments makes absolute sense and I encourage continuing the discussion after this session, because this remains an issue. Thank you.
>> We have one more comment.
>> So that is actually the reason why we have the sessions at ICANN meetings, and identifiers and DOA was one of the sessions that we discussed. One other thing that came out in the study that I made on the technology is, really, a deployment challenge, where you try to get browsers to adapt their interface to DOA resolvers and we didn't get much traction.
As a result, they are doing, recommending to do DOA resolution using a proxy using web and DNS. So this hinders deployment. Other technologies we looked at, like blockchains, and some of them have either scaling issues or they have the same bootstrapping problem, so I think you are absolutely right. We need to keep an eye on those things, because sometimes maybe something new will happen, so it's important to look at it.
But right now everyone, every single one that we have looked at has run into the bootstrapping problem, and couldn't find a convincing solution to it.
>> LAURIN WEISSINGER: Okay, I haven't forgotten, Gregory wanted to add something on the alternative DNS and as he has got trouble kind of speaking up, I am handing over to him.
>> GREGORY MOUNIER: Very quickly, just to say that from the law enforcement perspective, we also are very worried about potential alternative DNS. We have seen over the last two, three years a number of malware families that were developed exclusively on domains in .bit for instance and we really are studying carefully the development of those new trends, because we have got no idea on how to take down those domains. If they are developing malware families, at some point it will probably be in the mainstream DNS.
>> LAURIN WEISSINGER: Thank you very much, Greg.
>> Back to Wolfgang and careful choice of words there, that indeed bootstrapping problem, the system that is proposed as an alternative to DNS currently completely relies on the DNS to do its work. So I don't see how we are going to break that system. But yeah, maybe something will change somewhere in 20 years or so. But for now, it looks very much dependent on DNS. It's going to be a tough challenge to replace it.
>> LAURIN WEISSINGER: Okay. Do we have any other comments? People raising their hands I'm not seeing? Yes, Peter.
>> PETER KOCH: Chance of getting the final words. I was going to say that we have talked about lots of problems and potential issues and alternatives and so on and so forth. What we should have in mind though is that this system has been in place for 35 plus years, is highly distributed, is highly scalable with no alternative in sight and has a very distributed, inclusive, or a number of I should say, a number of different policymaking processes and fora like ICANN for the gTLDs and various fora, the respective fora for the ccTLDs. And a multitude of operators, despite the fact that there might be a, or is a, trend towards concentration, and highly cooperative and is working so that we are discussing from this, say, luxury of a working system, just to avoid bad headlines. Thank you.
>> I've been allowed back on the microphone. I think we are, as Laurin has mentioned, nearing time. What would be useful to do is maybe have some quick words from, last words from each of the panelists we have had here, and then we will also hear from Yana who has been taking key messages, notes from the session, if we read those out before the end, make sure no one has any strong objections or changes to make there.
Alex, I guess. Maybe kick off with you.
>> ALEXANDRA KULIKOVA: I think actually Peter summed it up really nicely. What I want to say is that the system is really complex. The system of DNS governance I would say including all the players who have a word in this field, but it will, simply, it will work as long as it makes sense. As soon as it doesn't make sense for the majority or the overwhelming majority of the users, which could make that switch, it will happen. That's it.
I'm taking advantage of this moment, probably will do this little plug, it occurred to me that we have a specific event, looking at this very issue of what is the future of DNS in July, called ICANN DNS Symposium, IDS, 13th of July. Some of you might want to listen on-line, unless you are going to the IETF, because it will look at what actually has happened to DNS over 35 years plus, and what is out there. It's a technical event. That might be interesting to follow. It's fairly academic. So it would be good to see what the insights are there.
But otherwise, in DNS, we trust.
>> Okay, Greg, final words and plugs.
>> GREGORY MOUNIER: Yes, very quickly. Again I think that DNS is an ecosystem that works very well, as Peter said it has been there for 35 years. It is working fine. It has been amended in an incremental manner by the community. That is great. But we should spend more effort to study not the technical abilities but the ways in which the technical specs can be misused by criminals, and try to develop other technical solutions like DNSSEC to try to plug these holes in the system. That is on the technical aspect.
Then on the policy side, I repeat, I still think that there is room to increase the anti-abuse best practices from the registry and registrar side. I think everyone will be safer if we were to have a more hygienic registration type of policy which would prevent the abuse a little bit. Thank you.
>> Peter. You done? David, did you have final words?
>> Yeah. I'm happy that we have more or less common ideas on how DNS should work in the future. But I think, I mean that we all agree that we don't need any alternatives to the DNS, it's difficult to imagine any alternative which can work as well as DNS works today. And it has worked for more than 30 years. It's difficult to. And still, there is the challenge of the security aspects concerning DNS and I think this is connected with awareness of this, and yeah, I think the security is, improving security of DNS and fighting DNS abuse is the important thing in the future.
>> LAURIN WEISSINGER: Thank you all. I think Yana has some key messages, maybe drafted.
>> Okay. Is it on? Yeah. Okay. So, a lot was being said and I was trying to combine all of it. But I'm sorry, I don't think it will be really good already.
But I tried to, so there were three main themes today: complexity, stability in flight and security. So even though the DNS system is old, it remains a vital component of the Internet infrastructure. The question is how to keep the DNS system resilient, and find a balance between adding new features and compromising the existing stability.
Yes? No? Okay-ish. The second point was on the security aspect: encryption and strengthening security measures are important, but we need to be aware of the double-edged sword. Once security also poses challenges for law enforcement and for preventing abuse, DNS abuse. The key is to find how to gradually reduce the rate of abuse but not stifle competition and DNS functionality. And the third one I didn't really -- yeah, a beneficial next step would be to find how to measure the problem over time, in order to recognize the overall trend in abusing the TLDs and to use this as an input for potential policymaking.
>> LAURIN WEISSINGER: Thank you very much. Looking around the room, I haven't seen any objections, and to me those sound like --
>> Or if something was missed.
>> LAURIN WEISSINGER: Or if something was missed.
>> I would like to highlight the centralization issue as well.
>> LAURIN WEISSINGER: Can we perhaps leave that with Yana to integrate.
>> It was my fourth point, but I didn't manage to make it into a full line. Yes.
>> I think we can assume it will make it into the final version then. Okay.
>> Laurin, to close it.
>> It seems we have no further comments. No. Excellent. Okay.
>> We managed not to talk about GDPR.
>> Yes (chuckles).
>> LAURIN WEISSINGER: I think no one said the word WHOIS, I believe. So that is also an achievement.
So thank you all very much for coming. In particular, obviously, to our key participants who accepted our invitation to speak, so this was Alexandra, Greg, Peter and David, and we would also like to thank the kind of organizing committee that helped us kind of put all of this together in a lot of very interesting calls.
Thank you very much for coming. Now you can all get ready, because we will be expected elsewhere very soon.
(end of session 6:12 p.m.)
This text is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text is not to be distributed or used in any way that may violate copyright law.