Michela Galante - 19-05-2021 14:30:11
Hi everyone, I'm Michela from the RIPE NCC. This chat panel is meant for discussion ONLY. If you have questions for the speaker and you want the session chair to read it out, please write it in the Q&A window also stating your affiliation. Otherwise, you can ask questions using the microphone icon.
Please note that all chat transcripts will be archived and made available to the public on https://ripe82.ripe.net/.
Kurt Kayser - 19-05-2021 14:30:15
Marcos Sanz - 19-05-2021 14:30:16
Peter Hessler - 19-05-2021 14:30:59
hello party people
Denesh Bhabuta - 19-05-2021 14:31:06
Dave Knight on a treadmill desk?
João Luis Silva Damas - 19-05-2021 14:31:19
yes, he is
Denesh Bhabuta - 19-05-2021 14:31:30
João Luis Silva Damas - 19-05-2021 14:31:30
i try to pretend i am in berlin
Rob Evans - 19-05-2021 14:31:42
I'd spotted the t-shirt. :)
Kurt Kayser - 19-05-2021 14:31:54
Denesh Bhabuta - 19-05-2021 14:31:55
I've given up on pretending to be elsewhere.. my body clock has given up.
Jelte Jansen - 19-05-2021 14:32:42
i hardly ever know where i am anyway
Peter Hessler - 19-05-2021 14:32:50
I am pretending to be in berlin, but I am also actually in berlin :)
Donald Neal - 19-05-2021 14:33:59
The location is fictional, the jet lag is real enough.
Farzaneh Badiei - 19-05-2021 14:35:27
This is a very good paper on DNS resolver consolidation by Dr. Roxana Radu. Her method is interesting as well: https://www.tandfonline.com/doi/full/10.1080/23738871.2020.1722191
João Luis Silva Damas - 19-05-2021 14:35:42
if you have questions during the talk, both Geoff and I are here to answer stuff
Éric Vyncke - 19-05-2021 14:36:23
Andrew Campling - 19-05-2021 14:42:52
If you have an interest in DNS, take a look at www.EuropeanResolverPolicy.com. Feel free to get in touch using the enquiry form on the website or via an email to Enquiry [at] EuropeanResolverPolicy [dot] Com.
João Luis Silva Damas - 19-05-2021 14:46:05
that's ~300K queries for the same exact name
Alex Le Heux - 19-05-2021 14:46:19
It's a miracle the internet works at all
Éric Vyncke - 19-05-2021 14:46:25
Will Geoff give some explanation?
Éric Vyncke - 19-05-2021 14:46:29
or guess?
Jelte Jansen - 19-05-2021 14:46:59
"That's... amazing, I'm not even mad."
Florian Streibelt - 19-05-2021 14:47:00
Quoting Randy: "This is a measurement study, not an answer study" ;p
Lars Prehn - 19-05-2021 14:47:02
Any idea how many of these multi-resolver queries are just researchers playing around? I mean even I---not doing much with DNS in general---have played with simultaneous edns queries against various resolvers at once
João Luis Silva Damas - 19-05-2021 14:47:10
it's hard to know why that ISP behaved that way. We can see they query from a few of their /24s or /48s
Éric Vyncke - 19-05-2021 14:47:22
More seriously, this centralization of DNS is scary for resiliency
João Luis Silva Damas - 19-05-2021 14:47:26
and it does seem very strange that anyone would build a resolver farm that big
Florian Streibelt - 19-05-2021 14:47:43
@Lars I think he is still using his Google Ads approach, so these names should not be visible to too many researchers
João Luis Silva Damas - 19-05-2021 14:47:54
not many, no.
Florian Streibelt - 19-05-2021 14:48:00
But indeed I think some could be echoes of DNS packet dumps being replayed :)
João Luis Silva Damas - 19-05-2021 14:48:13
and each experiment instance gets its own unique name
João Luis Silva Damas - 19-05-2021 14:48:33
we see echoes of replays on a larger time scale
Éric Vyncke - 19-05-2021 14:48:35
'instance' == per displayed AD ? so one per browser ?
Geoff Huston - 19-05-2021 14:48:39
I have no explanation of the query explosion that we observed - thankfully it's rare - that particular incident occurred once in a 24-hour interval
João Luis Silva Damas - 19-05-2021 14:48:45
not within the first 30sec of the original query
Florian Streibelt - 19-05-2021 14:49:03
Ah right, Geoff can answer while being on stage :D
Éric Vyncke - 19-05-2021 14:49:03
@Geoff VERY interesting! Congrats!
João Luis Silva Damas - 19-05-2021 14:49:28
Blake Willis - 19-05-2021 14:49:50
countries that block their users...
Alexander Isavnin - 19-05-2021 14:50:00
North Korea using Google!
Florian Streibelt - 19-05-2021 14:50:03
@geoff could broken cpes be an explanation? any insights on the dns infra on that? (I have seen many interesting failure modes on CPEs)
Geoff Huston - 19-05-2021 14:50:26
yes - true. North Korean users were seen to use Google's DNS service
Kurt Kayser - 19-05-2021 14:50:36
isn't Quad-8 default on all Android-based phones?
Peter van Dijk - 19-05-2021 14:50:43
Kurt, it is not
João Luis Silva Damas - 19-05-2021 14:50:52
no, but don't give them ideas
Kurt Kayser - 19-05-2021 14:50:53
within Chrome for sure
Kurt Kayser - 19-05-2021 14:50:57
Peter van Dijk - 19-05-2021 14:51:20
Geoff Huston - 19-05-2021 14:51:36
The query explosion is not likely to be busted CPEs - there was just a single ad presentation that caused this, and I don't think CPEs cross-communicate DNS queries
João Luis Silva Damas - 19-05-2021 14:51:47
Éric Vyncke - 19-05-2021 14:51:56
Slide 29: 'major ISP' == end hosts of this ISP ?
Robert Kisteleki - 19-05-2021 14:52:00
it is a fallback in Chrome (or Chromium-based browsers in general?), i.e. if the browser doesn't get an address, it tries 8888/8844. This behaviour may be significant for these experiments
Florian Streibelt - 19-05-2021 14:52:00
@geoff thx! makes sense.
Kurt Kayser - 19-05-2021 14:53:16
@Peter it certainly was on my last 3 phones. Hm, strange.
Blake Willis - 19-05-2021 14:53:17
or "the ISP" means "default settings on their Android build"
João Luis Silva Damas - 19-05-2021 14:53:20
@éric: yes, hosts inside that ISP. Sometimes the ISP just sends configuration pointing its users to use Google or similar
João Luis Silva Damas - 19-05-2021 14:53:58
the more common behaviour seems to be "google does this, so I don't have to do it myself and can save the money"
Lars Prehn - 19-05-2021 14:54:02
@Geoff, when you say 'that particular incident occurred once in a 24 hour interval', does that mean it was roughly at the same time each day?
Kurt Kayser - 19-05-2021 14:54:17
Fewer and fewer ISPs tend to run their "own" DNS servers. They simply use others..
João Luis Silva Damas - 19-05-2021 14:54:19
it only occurred once
Emile Aben - 19-05-2021 14:54:36
Current view from RIPE Atlas: https://dnsthought.nlnetlabs.nl/#top_auth_asns (this was the result of a DNS hackathon we organised, with special kudos to Willem Toorop for keeping this interface running)
Andrew Campling - 19-05-2021 14:54:58
@Geoff On your point "not that much to worry about", there is the small point of potential exploitation of personal data
Éric Vyncke - 19-05-2021 14:55:00
Shane Kerr - 19-05-2021 14:55:03
Denesh Bhabuta - 19-05-2021 14:55:07
Geoff Huston - 19-05-2021 14:55:09
@Lars - no, to generate data for this talk I looked at data from the 14th of May and I saw this explosion just once to that extreme volume
Matt Parker - 19-05-2021 14:55:12
Carsten Schiefner - 19-05-2021 14:55:13
Kurt Kayser - 19-05-2021 14:55:17
Interesting. Thanks, Geoff!
Lars Prehn - 19-05-2021 14:55:29
@Geoff, I see, thanks!
Sebastian Becker - 19-05-2021 14:55:33
Great insight, many thanks, Geoff!
Farzaneh Badiei - 19-05-2021 14:55:34
I wonder if transition to DoH automatically directs DNS functions into application layer. I think it's more of a hypothesis.
Carsten Schiefner - 19-05-2021 14:56:19
As always, Geoff: excellent topic, excellently presented! :-)
Michael Richardson - 19-05-2021 14:56:28
so, the queries have a source IP from the user, or from the minimal recursive proxy?
Blake Willis - 19-05-2021 14:56:32
great talk, very sueful
Blake Willis - 19-05-2021 14:56:43
useful (sueful was in Connect)
Michela Galante - 19-05-2021 14:56:51
Just a reminder, if you have questions for the speaker and you want the session chair to read it out, please write it in the Q&A window also stating your affiliation. Otherwise, you can ask questions using the microphone icon.
Falk von Bornstaedt - 19-05-2021 14:57:07
Thanks for this presentation, Geoff!
Peter Hessler - 19-05-2021 14:57:10
@michael richardson I've seen both in the wild. both dhcp giving me quad8 or quad1, and sample resolver configs that forward the queries to quad8 or quad1.
Michael Richardson - 19-05-2021 14:57:31
@peter, but when it is forwarded, what's the source IP?
Éric Vyncke - 19-05-2021 14:57:44
@peter H:: was it in WiFi hotspot ?
Peter Hessler - 19-05-2021 14:57:54
in the first case, the client, in the second the resolver
Kurt Kayser - 19-05-2021 14:58:58
Faster lookup may be the only incentive for ISPs; otherwise it's just an extra cost for an "anyway present service".
Peter Hessler - 19-05-2021 14:59:08
@Eric I'm sure I saw it on a hotspot at least once, but I've seen it on actual ISPs, and on smaller wifi installs (like restaurants, conferences, etc.)
Farzaneh Badiei - 19-05-2021 14:59:16
I am not so sure about the economic incentives analysis here. Again, it's too absolute
Peter Thomassen - 19-05-2021 14:59:29
@Geoff Resolvers can sure lie in spite of DNSSEC, as they are usually doing the validation for the client who sent the query. End-user devices don't usually validate (unless they run their own resolver)
Michael Richardson - 19-05-2021 14:59:48
many configure 18.104.22.168 as the second resolver, and then the first (ISP hosted) resolver fails, and nobody notices.
Éric Vyncke - 19-05-2021 14:59:52
'centrality' is a data point / fact, I prefer to use 'centralization', which is more political ;-)
Peter Hessler - 19-05-2021 15:01:06
I've certainly configured my own personal network resolver with 127.0.0.1 and 22.214.171.124, so dns works on that host while I'm fiddling with my resolver. I do deliver only the resolver's IP to the hosts on my network, though
Shane Kerr - 19-05-2021 15:05:22
Nice to see actual usage of CDS updates.
Carsten Schiefner - 19-05-2021 15:05:38
Congrats to the NCC for this deployment, Anand & Co.! :-D
Olivier Benghozi - 19-05-2021 15:06:35
K-root ! :carrot::carrot:
Ondřej Caletka - 19-05-2021 15:07:01
I'm glad there are actual users of CDS already.
Shane Kerr - 19-05-2021 15:10:35
Algorithm 8 being SHA256 and algorithm 13 being ECDSA.
Denesh Bhabuta - 19-05-2021 15:11:19
Peter Thomassen - 19-05-2021 15:14:57
"if you are your own parent" :-D
Peter Thomassen - 19-05-2021 15:15:34
.de also requires DNSKEY instead of DS
Shane Kerr - 19-05-2021 15:15:44
I was correct, it's actually RSA vs ECDSA that is important in those two algorithms... they both use SHA256. :-P
Marc Groeneweg - 19-05-2021 15:17:00
The EPP RFCs mandate the choice between DS or DNSKEY
Anand Buddhdev - 19-05-2021 15:17:56
Replying to Moritz Muller: we upgraded to ensure sufficient capacity. Firstly because DNS query volumes keep rising gradually, and secondly to have enough capacity when there are spikes in traffic (happens sometimes).
Moritz Müller - 19-05-2021 15:18:07
Anand Buddhdev - 19-05-2021 15:20:03
Replying to Carsten: we used to provide secondary DNS for several ccTLDs. There was discussion about this several meetings ago, and we gradually phased out this service for most of the larger and well-provisioned ccTLDs. Now we are only providing this service for the smaller and developing ccTLDs. We are not providing service to any other commercial entities, and we are not aware of any complaints about this now.
Carsten Schiefner - 19-05-2021 15:22:00
Thanks, Anand! Now I am curious: where would you draw the line between "larger and well-provisioned" and "smaller and developing" ccTLDs?
Carsten Schiefner - 19-05-2021 15:22:42
And this would also mean that the NCC would kick out ccTLDs once they have transitioned from one camp to the other?
Anand Buddhdev - 19-05-2021 15:23:05
Carsten, the RIPE 663 document defines the criteria. We are following those.
Christian Bretterhofer - 19-05-2021 15:23:18
Carsten Schiefner - 19-05-2021 15:23:19
Thanks for the pointer. :-)
Jaap Akkerhuis - 19-05-2021 15:23:28
@Carsten, these questions have been discussed in the dns-wg a lot, consult some of the old meeting notes
Anand Buddhdev - 19-05-2021 15:23:44
Carsten, yes, we review the ccTLDs periodically, and contact the ones who shouldn't get service from us, and phase them out.
Jaap Akkerhuis - 19-05-2021 15:24:05
and yes, the criteria have been documented
Carsten Schiefner - 19-05-2021 15:24:17
Thanks, Anand & Jaap.
Anand Buddhdev - 19-05-2021 15:24:59
João Luis Silva Damas - 19-05-2021 15:28:39
fellow wg'ers, we are going to go into the break for about 15 minutes as we have a really worthwhile talk by Bert Hubert (pre-recorded)
Kurt Kayser - 19-05-2021 15:28:49
Good work, Ondrej!
Daniel Karrenberg - 19-05-2021 15:28:50
@Ondřej : can we get a full picture of that t-shirt?
João Luis Silva Damas - 19-05-2021 15:28:57
if you can, please stay as it is worth listening to what Bert has to say
Daniel Karrenberg - 19-05-2021 15:29:10
Marcos Sanz - 19-05-2021 15:29:36
you bet we're staying!
Jaap Akkerhuis - 19-05-2021 15:29:52
I'm afraid I need to drop off
João Luis Silva Damas - 19-05-2021 15:30:03
and sorry about the overrun
Daniel Karrenberg - 19-05-2021 15:30:18
bye Jaap, you've already seen it, right?
João Luis Silva Damas - 19-05-2021 15:30:20
"it all looked good on paper"(tm)
Blake Willis - 19-05-2021 15:32:05
love the EU TP
Niels Bakker - 19-05-2021 15:32:35
NIS 2: THE NISSENING
Yasuhiro Morishita - 19-05-2021 15:32:37
This is Bert's article: "Dear EU: Please Don't Ruin the Root" https://berthub.eu/articles/posts/dont-ruin-the-root/
João Luis Silva Damas - 19-05-2021 15:33:49
i really would like to see the EU try to sue the operators of G or H root, ha!
Daniel Karrenberg - 19-05-2021 15:33:51
"We are the government, we are here to help you ...."
Tom Hill - 19-05-2021 15:33:52
Jim Reid - 19-05-2021 15:34:25
Could NIS2 be one of these Brexit bonuses? :-)
João Luis Silva Damas - 19-05-2021 15:34:25
see how well that goes
Daniel Karrenberg - 19-05-2021 15:34:30
I *love* bert: The 'Munch'!
Niels Bakker - 19-05-2021 15:34:47
Daniel: it's a great Zoom virtual background, too!
Tom Hill - 19-05-2021 15:34:52
@Jim the TSR/TSB probably means we won't diverge too far from it.
Jim Reid - 19-05-2021 15:35:13
@Tom, I know. I was trying to be flippant.
Tom Hill - 19-05-2021 15:35:21
Ah, yeah, I can't be flippant about Brexit yet.
Tom Hill - 19-05-2021 15:35:26
Jelte Jansen - 19-05-2021 15:36:23
Niall O'Reilly - 19-05-2021 15:38:04
"do not combust" 8-)
Daniel Karrenberg - 19-05-2021 15:38:11
This supply chain thing reminds me of all the letters the RIPE NCC received back in Q4 of 1999 about the Y2K problem. Most were sent by barely literate interns who could not spell 'Internet Address' or left the space in the form letter for filling in the service we provided .... blank.
Shane Kerr - 19-05-2021 15:38:11
Loving the fire-resistant flag. :flag-eu:
Blake Willis - 19-05-2021 15:38:34
had a good laugh with the flag joke
Carsten Schiefner - 19-05-2021 15:38:49
Suzanne Woolf - 19-05-2021 15:38:54
@Daniel Good times! :-)
Tom Hill - 19-05-2021 15:38:59
Brexiteers self-owning is always enjoyable.
Keith Mitchell - 19-05-2021 15:39:02
I miss the EU
Harry Cross - 19-05-2021 15:39:10
Marc Groeneweg - 19-05-2021 15:39:39
Isn't it true that the UK will follow EU directives for a certain period of time?
Daniel Karrenberg - 19-05-2021 15:39:43
@Keith: .... whines the sentimental Scot from another continent.
Carsten Schiefner - 19-05-2021 15:39:43
I guess, we miss the remainers vice-versa.
Harry Cross - 19-05-2021 15:39:50
@Marc, that was last year
Jelte Jansen - 19-05-2021 15:39:57
"a company" does not necessarily mean "not a natural person"...
Harry Cross - 19-05-2021 15:40:02
but then we did enact the "great copy and paste act"
Tom Hill - 19-05-2021 15:40:10
Last year, with exceptions for Northern Ireland.
Tom Hill - 19-05-2021 15:40:20
But that is not a topic to discuss here.
Kurt Kayser - 19-05-2021 15:40:35
so much time, and so little clue. Sad.
Tom Hill - 19-05-2021 15:40:49
As I don't think it would extend to NIS2... Right?
Randy Bush - 19-05-2021 15:41:03
perhaps the US DOD would benefit from an audit
Michael Richardson - 19-05-2021 15:41:12
Kurt Kayser - 19-05-2021 15:41:13
yes.. opt-out.. cool.
Christian Bretterhofer - 19-05-2021 15:41:17
Kurt Kayser - 19-05-2021 15:42:10
so anycast saved us from the EU NIS2 stuff..
Jim Reid - 19-05-2021 15:42:50
Depends on your definition of "us" Kurt.
Peter Hessler - 19-05-2021 15:43:44
pool.ntp.org will be interesting.....
Florian Streibelt - 19-05-2021 15:44:05
hmm. end of the best effort principle, anyone?
Jim Reid - 19-05-2021 15:44:56
@Kurt, the NCC might be off the hook for K-root but not for its other anycast auth servers.
Andreas Härpfer - 19-05-2021 15:44:57
But pool.ntp.org is not being run by a central entity, right!? I can contribute my server to the pool. So whom would they go after?
João Luis Silva Damas - 19-05-2021 15:45:01
someday bureaucrats might understand that best effort for certain people is always going to be better service than any possible "contracted service"
Daniel Karrenberg - 19-05-2021 15:45:03
This nerd says: governments need to learn professional risk analysis techniques.
Jelte Jansen - 19-05-2021 15:45:13
another warning there: best effort in legalese means something entirely different than best effort in engineerese
Florian Streibelt - 19-05-2021 15:45:19
@Andreas: the domain holder?
Florian Streibelt - 19-05-2021 15:45:44
Jelte: oh, right!
Carsten Schiefner - 19-05-2021 15:45:44
Thanks, Bert - excellent thoughts and points!
Blake Willis - 19-05-2021 15:45:59
Andreas Härpfer - 19-05-2021 15:46:01
Hmm, but domain holder is not providing the actual service.
Florian Streibelt - 19-05-2021 15:46:03
Marcos Sanz - 19-05-2021 15:46:12
/clap clap clap
Niall O'Reilly - 19-05-2021 15:46:13
Great preso, Bert!
Michela Galante - 19-05-2021 15:46:18
This session has now ended. The next session is RIPE NCC Services and it will start at 16.00 UTC+2. More info on the RIPE 82 meeting plan: https://ripe82.ripe.net/programme/meeting-plan/