Ondřej Caletka - 17-05-2021 14:30:32
Hi everyone, I'm Ondřej Caletka from the RIPE NCC. This chat panel is meant for discussion ONLY. If you have questions for the speaker and you want the session chair to read it out, please write it in the Q&A window also stating your affiliation. Otherwise, you can ask questions using the microphone icon.
Please note that all chat transcripts will be archived and made available to the public on https://ripe82.ripe.net/.
Desiree Miloshevic Evans - 17-05-2021 14:32:54
Wasn't it the other way round? DNS relying on numbers? ;)
Patrik Fältström - 17-05-2021 14:36:24
Hurray for Scandinavia!
Shane Kerr - 17-05-2021 14:36:44
China, Spain, UK? Not an odd collection? ;-)
Blake Willis - 17-05-2021 14:36:47
hooray for Congo Brazzaville!
Donald Neal - 17-05-2021 14:36:50
Hurray for New Zealand!
Farzaneh Badiei - 17-05-2021 14:36:50
Saudi Arabia ... interesting.
Patrik Fältström - 17-05-2021 14:37:20
Farzaneh, one ISP, they do validation. 100% done. ;-)
Shane Kerr - 17-05-2021 14:37:22
I assume that Saudi Arabia is due to Sander?
Jan Žorž - 17-05-2021 14:37:23
Jan Žorž - 17-05-2021 14:37:29
I've been there :)
Farzaneh Badiei - 17-05-2021 14:37:51
you see Patrik. Monopoly works so well :))
Peter Magnusson - 17-05-2021 14:38:17
how come double-click on the presentation doesn't hide the participant list and instead gives a dragbar of the presentation window? it works sometimes, right now it doesn't.. help?
Patrik Fältström - 17-05-2021 14:38:23
Very bad reception in Sweden....ahjsgdiuuyu2e8912098ooqwi....can not hear what you are saying Farzaneh....
Andrew Campling - 17-05-2021 14:38:45
Geoff's insights are always worth listening to (as is the excellent quality material on the APNIC blog). It's all the more impressive that he's this lucid when you consider that he's usually calling in from Canberra!
Gert Doering - 17-05-2021 14:38:59
Saudi Arabia has more than one ISP with international license
Farzaneh Badiei - 17-05-2021 14:39:21
Who had come up with DNSSEC? Patrik? Is it your fault?
Cynthia Revström - 17-05-2021 14:39:35
wouldn't surprise me
Patrik Fältström - 17-05-2021 14:39:47
Many things might be my fault, but not DNSSEC. I am pushing it because I like DNSSEC, and see use of it ;-)
Cynthia Revström - 17-05-2021 14:40:44
I mean... Patrik works for the entity responsible for the I-root, so I feel like it is appropriate for him to be excited about it
Cynthia Revström - 17-05-2021 14:40:50
Olaf Kolkman - 17-05-2021 14:41:24
As Paul Vixie said the other day (paraphrasing): DNSSEC is a massive failure, but I'd do it again.
Farzaneh Badiei - 17-05-2021 14:42:08
I have heard it's hard to implement. ISOC was following the adoption for a while. Did they give up?
Stephen Farrell - 17-05-2021 14:42:08
I'd love to see more DNSSEC deployment, but if doing it now, it'd be a lot different I'd bet
Daniel Karrenberg - 17-05-2021 14:42:11
.... and again and again and again .
Olaf Kolkman - 17-05-2021 14:42:26
Daniel Karrenberg - 17-05-2021 14:43:24
And I remember DNSSEC being on course for an even bigger failure and I remember Olaf helping with a course correction. Thanks again!
Marco d'Itri - 17-05-2021 14:43:59
I'd love to have a business case to justify the complexity of signing my customers' zones. The best I can do is validate.
Olaf Kolkman - 17-05-2021 14:44:15
Shane Kerr - 17-05-2021 14:45:05
Is there ever a business case for security?
Shane Kerr - 17-05-2021 14:45:16
If you do it right, nothing happens....
Blake Willis - 17-05-2021 14:45:19
ask the pipeline people
Marco Hogewoning - 17-05-2021 14:45:28
@Marco d'Itri: how many .nl domains have you registered for your customer base? (it yields a small discount, but it adds up for some providers)
Ruben van Staveren - 17-05-2021 14:45:29
ask the ransomware people
Alex Le Heux - 17-05-2021 14:45:53
Marco Hogewoning - 17-05-2021 14:46:17
@Shane: ask Maersk, save a penny, lose a few million euros
Marco d'Itri - 17-05-2021 14:46:35
@mh: zero, I think. and yes, I proposed long ago to the .it people to do the same but they really need every bit of money for unrelated reasons
Gert Doering - 17-05-2021 14:47:25
.it is an interesting case anyway as I discovered... close to zero IPv6 deployed
Marco Hogewoning - 17-05-2021 14:48:16
that might be altogether a different root cause
Marco d'Itri - 17-05-2021 14:48:20
gert: indeed. as I was saying in spatialchat before, even the new ISPs (and we had a lot recently) prefer buying IPv4 addresses. only Sky did a good IPv6-first deployment
Elmar K. Bins - 17-05-2021 14:48:21
The closer you get to Munich inside .it, the better v6 supply is.
Olaf Kolkman - 17-05-2021 14:48:26
Elmar K. Bins - 17-05-2021 14:48:27
I wonder why ;-)
Stephen Farrell - 17-05-2021 14:48:28
HTTPSSVC and ESNI are no longer fashionable terms - now HTTPS and ECH instead;-)
Patrik Fältström - 17-05-2021 14:48:47
My no.1 usage scenario for DNSSEC is to have your own zone signed, and your own devices using domain names and local resolvers that do validation. No.2 are all "services on DNS" like letsencrypt, TLS- and email-related DNS stuff.
Stephen Farrell - 17-05-2021 14:49:49
@patrik: I tend to agree and think that highlights a design-flaw of DNSSEC - it aimed to "secure" the entire DNS and not just the bits a query source cares about
Petra Zeidler - 17-05-2021 14:50:12
any of you doing DANE?
Simon Stridsberg - 17-05-2021 14:50:20
yes, for mail
Stephen Farrell - 17-05-2021 14:50:22
yep, for mail
Gert Doering - 17-05-2021 14:50:25
yes, for mail
Jelte Jansen - 17-05-2021 14:50:33
for mail, yes
Gert Doering - 17-05-2021 14:50:47
SSHFP is another good use case for local DNSSEC
Thomas Schäfer - 17-05-2021 14:50:49
here you can pay 5 Euro extra per month for a unique IPv4 address - or just use the provided DS-Lite
Marco d'Itri - 17-05-2021 14:50:57
I would if I had DNSSEC, but it's not a good enough reason to risk signing
Desiree Miloshevic Evans - 17-05-2021 14:51:10
a North American registrar asks some 500 dollars to get a domain DNSSEC signed - as it's done manually - well, you can do what @patrik says
Thomas Schäfer - 17-05-2021 14:51:15
sorry, chat went further
Marco Hogewoning - 17-05-2021 14:51:15
@thomas where is "here" and which ISP?
Thomas Schäfer - 17-05-2021 14:51:36
it was about munich (m-net)
Thomas Schäfer - 17-05-2021 14:52:50
recently the last major mobile ISP enabled IPv6 in Germany, that changes a lot
Marco Hogewoning - 17-05-2021 14:53:13
ack - recently had a discussion with somebody, looking into it it seems most parties which charge for IPv4 roughly charge the market rate for an address divided by 2 years; as in, the monthly fee is roughly 1/24th of what an address would cost on the market
Daniel Karrenberg - 17-05-2021 14:53:32
yep, on karrenberg.net
Shane Kerr - 17-05-2021 14:54:02
I agree with Geoff. Just like TLS, DNSSEC will never happen. Oh, wait...
Thomas Schäfer - 17-05-2021 14:54:06
www.karrenberg.net not found
Marco Hogewoning - 17-05-2021 14:54:08
that ballpark seems to hold for large cloud as well as smaller hosters
Daniel Karrenberg - 17-05-2021 14:54:59
@thomas, there is nothing there. but there is dane on the services that *are* there
Andrew Campling - 17-05-2021 14:55:40
If you're involved in DNS, you may find www.EuropeanResolverPolicy.com of interest.
Olaf Kolkman - 17-05-2021 14:56:08
Brian Trammell - 17-05-2021 14:56:56
"shim shell" say that three times fast :)
Petra Zeidler - 17-05-2021 14:56:58
DoH as a privacy measure does not match who is offering these services (at present)
Ruben van Staveren - 17-05-2021 14:57:00
I configured DANE for the common ports where my personal Let's Encrypt certificates might be used. I hope that the automatic renewal of those records is more solid now
Marco d'Itri - 17-05-2021 14:58:00
@shane TLS happened because Google started penalizing non-TLS in search and the browser. persuade them to do the same for non-DNSSEC and we are set!
Peter van Dijk - 17-05-2021 14:58:23
Andrew, in your question (2) you said 'authoritative resolvers' - did you mean authoritatives? or resolvers?
Kurt Kayser - 17-05-2021 14:58:32
Yeah, more root-Servers and TLDs!
Peter Koch - 17-05-2021 14:58:32
RFC 2826 to be moved to Historic, indeed
Shane Kerr - 17-05-2021 14:58:45
TLS wouldn't have happened without LetsEncrypt also, IMHO.
Niall O'Reilly - 17-05-2021 14:58:52
@Ruben: certainly more solid now, but not without the odd glitch
Marco d'Itri - 17-05-2021 14:59:27
agreed, but LE did not create the customers' demand, it only made deployment easier (no small feat, but by itself it would not have moved the market so much)
Peter Hessler - 17-05-2021 15:00:26
the demand was already there, LE solved a) the price problem, b) ease of use, and c) no more expiry problems
Marco Hogewoning - 17-05-2021 15:00:47
only today? :D
Patrik Fältström - 17-05-2021 15:00:49
@shane: +1 That said, I think LE could be "improved" by making DANE easier to implement by defaulting to reuse of the same key so the DANE RR does not have to be changed when renewing.
Peter Hessler - 17-05-2021 15:01:14
from the perspective of a small auth server or a domain, dnssec is an utter mess with b
Marco d'Itri - 17-05-2021 15:01:47
@peter you were already motivated to use TLS, but customers could not care less until the browsers started displaying the broken lock
Peter Hessler - 17-05-2021 15:02:35
sure, but even from the admin perspective the old world of TLS was an utter mess
Peter Hessler - 17-05-2021 15:02:57
good luck getting the renew cert purchase order approved in time ;)
Denesh Bhabuta - 17-05-2021 15:03:06
Thanks for the DNS-OARC shoutout @Geoff :-)
Shane Kerr - 17-05-2021 15:03:19
I think the scaling issue of TCP vs UDP is complicated, because everyone overbuilds DNS servers because UDP allows spoofing. This overbuild is less for TCP-based services (like TLS).
Andrew Campling - 17-05-2021 15:04:29
@Peter van Dijk You're right of course, I did indeed mean authoritatives.
Peter van Dijk - 17-05-2021 15:04:50
ack - Geoff interpreted it as such :)
Alex Le Heux - 17-05-2021 15:05:45
we can blow up the name space no problem, www.google.com will take its place
Kurt Kayser - 17-05-2021 15:05:49
Remember to "alt-root" DNS?
Peter van Dijk - 17-05-2021 15:05:59
Kurt, OpenNIC is still out there and just refuses to die
Peter van Dijk - 17-05-2021 15:06:24
And apparently 'browser plugins for this blockchain DNS' is coming in vogue again
Kurt Kayser - 17-05-2021 15:06:52
similar to *.onion.. and the like for dubious content folx
Franziska Lichtblau - 17-05-2021 15:07:09
what an uplifting presentation ;) thanks geoff!
Kurt Kayser - 17-05-2021 15:07:31
:wave: well done, Geoff!
Brian Trammell - 17-05-2021 15:07:34
TBF that's only the third most depressing Geoff presentation I can remember so things are looking up :D
Franziska Lichtblau - 17-05-2021 15:07:50
Brian, you should publish that list ;)
Daniel Karrenberg - 17-05-2021 15:08:13
As Brian said: Geoff has predicted doom before, it is one of his favourite and most entertaining vehicles.
Kurt Kayser - 17-05-2021 15:08:32
DNS = doomed network service?
Franziska Lichtblau - 17-05-2021 15:08:39
@Daniel I am aware :)
Brian Trammell - 17-05-2021 15:09:18
o/ yay, ipfix
Franziska Lichtblau - 17-05-2021 15:09:27
Franziska Lichtblau - 17-05-2021 15:09:47
for me it was usually "eeeeeks ipfix" but I'm getting over that state
Petra Zeidler - 17-05-2021 15:10:42
I remember "we" did netflow at DeCIX and got suspiciously low traffic numbers; the flow was faster than the flow catcher's PCI bus could cope with.
Wolfgang Tremmel - 17-05-2021 15:10:51
it really works - I tested it. You can set up elasticsearch and stuff in docker containers and have it up and running in 10 minutes.
Wolfgang Tremmel - 17-05-2021 15:14:30
guess who wrote the webinar... :-)
Brian Trammell - 17-05-2021 15:14:35
Brian Trammell - 17-05-2021 15:14:40
cool stuff. :)
Brian Trammell - 17-05-2021 15:14:55
Petra Zeidler - 17-05-2021 15:15:58
heh, my comment was about the 1990s
Franziska Lichtblau - 17-05-2021 15:16:04
that was a long time ago :)
Franziska Lichtblau - 17-05-2021 15:16:06
Petra Zeidler - 17-05-2021 15:16:09
stuff has evolved :)
Franziska Lichtblau - 17-05-2021 15:16:23
the 2020s have grown their own bugs now
Milad Afshari - 17-05-2021 15:16:36
Kurt Kayser - 17-05-2021 15:16:43
Franziska Lichtblau - 17-05-2021 15:16:46
Thanks Daniel! :)
Tom Hill - 17-05-2021 15:22:18
Thanks all. :)
Jinguk Kwon - 17-05-2021 15:22:26
Ondřej Caletka - 17-05-2021 15:23:39
This session has now ended. The next session is Plenary and it will start at 16:00 UTC+2. More info on the RIPE 82 meeting plan: https://ripe82.ripe.net/programme/meeting-plan/