Dropping support for the .ru top level domain
I don't like the idea of disrupting any Internet service. But the current situation is unprecedented. The Achilles Heel of general public use of Internet services has always been the functionality of DNS. Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West. The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome. The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there... ru nameserver = a.dns.ripn.net ru nameserver = b.dns.ripn.net ru nameserver = d.dns.ripn.net ru nameserver = e.dns.ripn.net ru nameserver = f.dns.ripn.net The impact of any action would take time (days) to propagate.
https://mailman.nanog.org/pipermail/nanog/2022-March/217815.html On Mon, Mar 14, 2022 at 11:29 AM Patrick Bryant <patrick@pbryant.com> wrote:
I don't like the idea of disrupting any Internet service. But the current situation is unprecedented.
The Achilles Heel of general public use of Internet services has always been the functionality of DNS.
Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West.
The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome.
The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there...
ru nameserver = a.dns.ripn.net ru nameserver = b.dns.ripn.net ru nameserver = d.dns.ripn.net ru nameserver = e.dns.ripn.net ru nameserver = f.dns.ripn.net
The impact of any action would take time (days) to propagate.
Thank you for you're support.?. -- J. Hellenthal The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
On Mar 12, 2022, at 04:47, Patrick Bryant <patrick@pbryant.com> wrote:
I don't like the idea of disrupting any Internet service. But the current situation is unprecedented.
The Achilles Heel of general public use of Internet services has always been the functionality of DNS.
Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West.
The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome.
The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there...
ru nameserver = a.dns.ripn.net ru nameserver = b.dns.ripn.net ru nameserver = d.dns.ripn.net ru nameserver = e.dns.ripn.net ru nameserver = f.dns.ripn.net
The impact of any action would take time (days) to propagate.
So much for livejournal then. From: NANOG <nanog-bounces+bkain1=ford.com@nanog.org> On Behalf Of Patrick Bryant Sent: Saturday, March 12, 2022 5:47 AM To: nanog@nanog.org Subject: Dropping support for the .ru top level domain WARNING: This message originated outside of Ford Motor Company. Use caution when opening attachments, clicking links, or responding. I don't like the idea of disrupting any Internet service. But the current situation is unprecedented. The Achilles Heel of general public use of Internet services has always been the functionality of DNS. Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West. The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome. The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there... ru nameserver = a.dns.ripn.net<https://clicktime.symantec.com/3cdaU2sBzT5kQAgPmU9MP27VN?u=http%3A%2F%2Fa.dns.ripn.net> ru nameserver = b.dns.ripn.net<https://clicktime.symantec.com/3uMLLDAAfFot5kLW2aGrLy7VN?u=http%3A%2F%2Fb.dns.ripn.net> ru nameserver = d.dns.ripn.net<https://clicktime.symantec.com/3VvNtYSroiUZkWrafZ2AH6h7VN?u=http%3A%2F%2Fd.dns.ripn.net> ru nameserver = e.dns.ripn.net<https://clicktime.symantec.com/3L2nFmWTn2Fxrq8VYwrH8ur7VN?u=http%3A%2F%2Fe.dns.ripn.net> ru nameserver = f.dns.ripn.net<https://clicktime.symantec.com/3FPH6SgxSCtpmphH1zdCawN7VN?u=http%3A%2F%2Ff.dns.ripn.net> The impact of any action would take time (days) to propagate.
On Mar 12, 2022, at 11:47 AM, Patrick Bryant <patrick@pbryant.com> wrote: Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West.
Quoting from https://www.pch.net/resources/Papers/Multistakeholder-Imposition-of-Internet... : Revocation of country-code Top Level Domains (ccTLDs) Every ISO-3166 Alpha-2 two-letter abbreviation of a national name is reserved for the use of the Internet community of that nation as a “country-code Top Level Domain,” or “ccTLD.” This reservation is made expressly for the Internet community of the nation and not the government of the nation. Geographic, political, and sociocultural allocations of “internationalized” top-level domains (such as “.рф” to the Russian Federation, or “.укр” to Ukraine) are made in parallel with the ISO-3166 mechanism. The primary users of any ccTLD are its civilian constituents, who may be distributed globally and may be united by linguistic or cultural identity rather than nationality or national identity. Removal of a ccTLD from the root zone of the domain name system (the sanction suggested by the letter) would make it very difficult for anyone, globally, within Russia or without, to contact users of the affected domains, a group that consists almost entirely of Russian-speaking civilians. At the same time, it would have relatively little effect upon Russian military networks, which are unlikely to rely upon DNS servers outside their own control. We therefore conclude that the revocation, whether temporary or permanent, of a ccTLD is not an effective sanction because it disproportionately harms civilians; specifically, it is ineffective against any government that has taken cyber-defense preparatory measures to alleviate dependence upon foreign nameservers for domain name resolution. In addition, any country against which this sanction was applied would likely immediately set up an “alternate root,” competing with the one administered by the Internet Assigned Numbers Authority, using any of a number of trivial means. If one country did so, others would likely follow suit, leading to an exodus from the consensus Internet that allows general interconnection. It would break DNSSEC within .ru, and it would disrupt civilian communication within Russia. Not a good idea. -Bill
On Mon, Mar 14, 2022 at 8:30 AM Patrick Bryant <patrick@pbryant.com> wrote:
The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus.
Hi Patrick, ICANN has already rejected this proposal. While individual operators can take action of their own, you should also be aware that Russia, Ukraine and the United States are all signatories to the 1907 Convention (V) respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land which restricts lawful disruption of telecommunications by folks who are not belligerents in the conflict. Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
Terrible idea on so many levels. -jim On Mon, Mar 14, 2022, 12:30 PM Patrick Bryant <patrick@pbryant.com> wrote:
I don't like the idea of disrupting any Internet service. But the current situation is unprecedented.
The Achilles Heel of general public use of Internet services has always been the functionality of DNS.
Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West.
The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome.
The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there...
ru nameserver = a.dns.ripn.net ru nameserver = b.dns.ripn.net ru nameserver = d.dns.ripn.net ru nameserver = e.dns.ripn.net ru nameserver = f.dns.ripn.net
The impact of any action would take time (days) to propagate.
It amazes me that these knee-jerk sanction reactions go so far down the regulatory rabbit hole before they are rejected by knowledgeable people. The idea that blocking the .ru domain would punish only the Russian government is as laughable as thinking that blocking the .tv domain would punish the constitutional monarchy of Tuvalu. -mel via cell On Mar 14, 2022, at 11:59 AM, jim deleskie <deleskie@gmail.com> wrote: Terrible idea on so many levels. -jim On Mon, Mar 14, 2022, 12:30 PM Patrick Bryant <patrick@pbryant.com<mailto:patrick@pbryant.com>> wrote: I don't like the idea of disrupting any Internet service. But the current situation is unprecedented. The Achilles Heel of general public use of Internet services has always been the functionality of DNS. Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West. The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome. The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there... ru nameserver = a.dns.ripn.net<http://a.dns.ripn.net> ru nameserver = b.dns.ripn.net<http://b.dns.ripn.net> ru nameserver = d.dns.ripn.net<http://d.dns.ripn.net> ru nameserver = e.dns.ripn.net<http://e.dns.ripn.net> ru nameserver = f.dns.ripn.net<http://f.dns.ripn.net> The impact of any action would take time (days) to propagate.
On Mar 12, 2022, at 5:47 AM, Patrick Bryant <patrick@pbryant.com> wrote:
I don't like the idea of disrupting any Internet service.
I certainly agree with that. Removing .ru from the root name servers will most certainly be as effective as removing certain words from dictionaries to prevent their use. As to the former, establishment of local servers with .ru re-inserted is not only technically feasible, but not particularly expensive. There is some history of alternate root server establishment. There are other likely ways to distribute layer 3 address including, for example, social media, As to the latter, most of us learn a extensive vocabulary long before gaining the ability to read dictionaries or even graffiti. My point is that this kind of “security through obscurity” may play well to newshounds and politicians, but has no practical effect. Disruption of a common robust name to layer 3 address lookup will increase operational costs without commensurate results.
As bad as it is to break an internet service, it's even worse technical side of your idea. Given that there is an agency in Russia that has the ability to intercept and modify all DNS queries, countering your "idea" is trivial. They will just route root servers locally and setup their own zones. And even if they aren't, replacing root hints in recursor is trivial. It will take a lot less time than reaching a "authoritative consensus". But the colossal harm that a violation of neutrality will cause when each country starts making sovereign root servers "just in case", their own DNSSEC, RIR, CA and etc - will cause much more significant harm to the rest of world. Please, people who generate such delusional ideas, stop trying to disrupt neutrality of the Internet. If you want to get involved in a war, go there, do not drag the rest of the world into the conflict. On 2022-03-12 12:47, Patrick Bryant wrote:
I don't like the idea of disrupting any Internet service. But the current situation is unprecedented.
The Achilles Heel of general public use of Internet services has always been the functionality of DNS.
Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West.
The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome.
The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there...
ru nameserver = a.dns.ripn.net [1] ru nameserver = b.dns.ripn.net [2] ru nameserver = d.dns.ripn.net [3] ru nameserver = e.dns.ripn.net [4] ru nameserver = f.dns.ripn.net [5]
The impact of any action would take time (days) to propagate.
Links: ------ [1] http://a.dns.ripn.net [2] http://b.dns.ripn.net [3] http://d.dns.ripn.net [4] http://e.dns.ripn.net [5] http://f.dns.ripn.net
I can understand governments wanting this to be an option but I would let them do blocking within their countries to their own people if that is their desire. This is another pandoras box. Its bad enough that some countries control this already to block free flow of information. If global DNS is no longer trusted then many actors will start maintaining their own broken lists (intentionally or unintentionally). * This will not stop Russia, they will just run their own state sponsored DNS servers. We can imagine what else might be implemented on that concept... * Countries or users that still want access will do the same with custom DNS servers. * This will take us down another path of no return as a global standard that is not political or politically controlled. * The belief that the internet is open and free (as much as possible) will be broken in one more way. * This will also accelerate the advancement of crypto DNS like NameCoin (Years ago I liked the idea but I don't know how it is being run anymore.) or UnstoppableDomains for example. Similar to what is starting to happen to central banking as countries start shutting down bank accounts for political reasons. I am glad to see soo many people on here and many of the organizations running these services state as much. Brian ________________________________ From: NANOG <nanog-bounces+briansupport=hotmail.com@nanog.org> on behalf of Patrick Bryant <patrick@pbryant.com> Sent: Saturday, March 12, 2022 2:47 AM To: nanog@nanog.org <nanog@nanog.org> Subject: Dropping support for the .ru top level domain I don't like the idea of disrupting any Internet service. But the current situation is unprecedented. The Achilles Heel of general public use of Internet services has always been the functionality of DNS. Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West. The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome. The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there... ru nameserver = a.dns.ripn.net<http://a.dns.ripn.net> ru nameserver = b.dns.ripn.net<http://b.dns.ripn.net> ru nameserver = d.dns.ripn.net<http://d.dns.ripn.net> ru nameserver = e.dns.ripn.net<http://e.dns.ripn.net> ru nameserver = f.dns.ripn.net<http://f.dns.ripn.net> The impact of any action would take time (days) to propagate.
My viewpoint, and the reason I recommended against it, is that it gives Putin something he has wanted for a while, which is a Russia in which he is in control of information flows. We do for him what he has wanted for perhaps 20 years, and come out the bad guys - “the terrible west gut us off!”. I would rather have people in Russia have information flows that have a second viewpoint other than the Kremlin’s. I have no expectation that it will get through uncensored, but I would rather it was not in any sense “our fault” and therefore usable by Putin’s propaganda machine. Sent from my iPad
On Mar 14, 2022, at 2:14 PM, Brian R <briansupport@hotmail.com> wrote:
I can understand governments wanting this to be an option but I would let them do blocking within their countries to their own people if that is their desire. This is another pandoras box. Its bad enough that some countries control this already to block free flow of information. If global DNS is no longer trusted then many actors will start maintaining their own broken lists (intentionally or unintentionally). This will not stop Russia, they will just run their own state sponsored DNS servers. We can imagine what else might be implemented on that concept... Countries or users that still want access will do the same with custom DNS servers. This will take us down another path of no return as a global standard that is not political or politically controlled. The belief that the internet is open and free (as much as possible) will be broken in one more way. This will also accelerate the advancement of crypto DNS like NameCoin (Years ago I liked the idea but I don't know how it is being run anymore.) or UnstoppableDomains for example. Similar to what is starting to happen to central banking as countries start shutting down bank accounts for political reasons. I am glad to see soo many people on here and many of the organizations running these services state as much.
Brian
From: NANOG <nanog-bounces+briansupport=hotmail.com@nanog.org> on behalf of Patrick Bryant <patrick@pbryant.com> Sent: Saturday, March 12, 2022 2:47 AM To: nanog@nanog.org <nanog@nanog.org> Subject: Dropping support for the .ru top level domain
I don't like the idea of disrupting any Internet service. But the current situation is unprecedented.
The Achilles Heel of general public use of Internet services has always been the functionality of DNS.
Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West.
The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome.
The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there...
ru nameserver = a.dns.ripn.net ru nameserver = b.dns.ripn.net ru nameserver = d.dns.ripn.net ru nameserver = e.dns.ripn.net ru nameserver = f.dns.ripn.net
The impact of any action would take time (days) to propagate.
+1 -mel beckman On Mar 14, 2022, at 9:29 PM, Fred Baker <fredbaker.ietf@gmail.com> wrote: My viewpoint, and the reason I recommended against it, is that it gives Putin something he has wanted for a while, which is a Russia in which he is in control of information flows. We do for him what he has wanted for perhaps 20 years, and come out the bad guys - “the terrible west gut us off!”. I would rather have people in Russia have information flows that have a second viewpoint other than the Kremlin’s. I have no expectation that it will get through uncensored, but I would rather it was not in any sense “our fault” and therefore usable by Putin’s propaganda machine. Sent from my iPad On Mar 14, 2022, at 2:14 PM, Brian R <briansupport@hotmail.com> wrote: I can understand governments wanting this to be an option but I would let them do blocking within their countries to their own people if that is their desire. This is another pandoras box. Its bad enough that some countries control this already to block free flow of information. If global DNS is no longer trusted then many actors will start maintaining their own broken lists (intentionally or unintentionally). * This will not stop Russia, they will just run their own state sponsored DNS servers. We can imagine what else might be implemented on that concept... * Countries or users that still want access will do the same with custom DNS servers. * This will take us down another path of no return as a global standard that is not political or politically controlled. * The belief that the internet is open and free (as much as possible) will be broken in one more way. * This will also accelerate the advancement of crypto DNS like NameCoin (Years ago I liked the idea but I don't know how it is being run anymore.) or UnstoppableDomains for example. Similar to what is starting to happen to central banking as countries start shutting down bank accounts for political reasons. I am glad to see soo many people on here and many of the organizations running these services state as much. Brian ________________________________ From: NANOG <nanog-bounces+briansupport=hotmail.com@nanog.org> on behalf of Patrick Bryant <patrick@pbryant.com> Sent: Saturday, March 12, 2022 2:47 AM To: nanog@nanog.org <nanog@nanog.org> Subject: Dropping support for the .ru top level domain I don't like the idea of disrupting any Internet service. But the current situation is unprecedented. The Achilles Heel of general public use of Internet services has always been the functionality of DNS. Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West. The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome. The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there... ru nameserver = a.dns.ripn.net<http://a.dns.ripn.net> ru nameserver = b.dns.ripn.net<http://b.dns.ripn.net> ru nameserver = d.dns.ripn.net<http://d.dns.ripn.net> ru nameserver = e.dns.ripn.net<http://e.dns.ripn.net> ru nameserver = f.dns.ripn.net<http://f.dns.ripn.net> The impact of any action would take time (days) to propagate.
Agreed Brian ________________________________ From: Mel Beckman <mel@beckman.org> Sent: Monday, March 14, 2022 7:07 PM To: Fred Baker <fredbaker.ietf@gmail.com> Cc: Brian R <briansupport@hotmail.com>; nanog@nanog.org <nanog@nanog.org> Subject: Re: Dropping support for the .ru top level domain +1 -mel beckman On Mar 14, 2022, at 9:29 PM, Fred Baker <fredbaker.ietf@gmail.com> wrote: My viewpoint, and the reason I recommended against it, is that it gives Putin something he has wanted for a while, which is a Russia in which he is in control of information flows. We do for him what he has wanted for perhaps 20 years, and come out the bad guys - “the terrible west gut us off!”. I would rather have people in Russia have information flows that have a second viewpoint other than the Kremlin’s. I have no expectation that it will get through uncensored, but I would rather it was not in any sense “our fault” and therefore usable by Putin’s propaganda machine. Sent from my iPad On Mar 14, 2022, at 2:14 PM, Brian R <briansupport@hotmail.com> wrote: I can understand governments wanting this to be an option but I would let them do blocking within their countries to their own people if that is their desire. This is another pandoras box. Its bad enough that some countries control this already to block free flow of information. If global DNS is no longer trusted then many actors will start maintaining their own broken lists (intentionally or unintentionally). * This will not stop Russia, they will just run their own state sponsored DNS servers. We can imagine what else might be implemented on that concept... * Countries or users that still want access will do the same with custom DNS servers. * This will take us down another path of no return as a global standard that is not political or politically controlled. * The belief that the internet is open and free (as much as possible) will be broken in one more way. * This will also accelerate the advancement of crypto DNS like NameCoin (Years ago I liked the idea but I don't know how it is being run anymore.) or UnstoppableDomains for example. Similar to what is starting to happen to central banking as countries start shutting down bank accounts for political reasons. I am glad to see soo many people on here and many of the organizations running these services state as much. Brian ________________________________ From: NANOG <nanog-bounces+briansupport=hotmail.com@nanog.org> on behalf of Patrick Bryant <patrick@pbryant.com> Sent: Saturday, March 12, 2022 2:47 AM To: nanog@nanog.org <nanog@nanog.org> Subject: Dropping support for the .ru top level domain I don't like the idea of disrupting any Internet service. But the current situation is unprecedented. The Achilles Heel of general public use of Internet services has always been the functionality of DNS. Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West. The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome. The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there... ru nameserver = a.dns.ripn.net<http://a.dns.ripn.net> ru nameserver = b.dns.ripn.net<http://b.dns.ripn.net> ru nameserver = d.dns.ripn.net<http://d.dns.ripn.net> ru nameserver = e.dns.ripn.net<http://e.dns.ripn.net> ru nameserver = f.dns.ripn.net<http://f.dns.ripn.net> The impact of any action would take time (days) to propagate.
I propose dropping support of the .ru domains as an alternative to the other measures discussed here, such as dropping Russian ASNs -- which *would* have the counterproductive effect of isolating the Russian public from western news sources. Blocking those ASNs would also be futile as a network defense, if not implemented universally, since the bad actors in Russia usually exploit proxies in other countries as pivot points for their attacks. Preventing the resolution of the .ru TLD would not impact the Russian public's ability to resolve and access all other TLDs. As I noted, there are countermeasures, including Russia standing up its own root servers, but there are two challenges to countermeasure: 1) it would require modifying evey hints file on every resolver within Russia and, 2) "other measures" could be taken against whatever servers Russia implemented as substitutes. Dropping support for the .ru TLD action may incentivize the Russian State to bifurcate its national network, making it another North Korea, but that action is already underway. Other arguments are political, and I do not presume to set international political policy. I only offer a technical opinion, not a political one. The legalistic arguments of maintaining treaties is negated by the current state of war. On Tue, Mar 15, 2022 at 2:29 AM Fred Baker <fredbaker.ietf@gmail.com> wrote:
My viewpoint, and the reason I recommended against it, is that it gives Putin something he has wanted for a while, which is a Russia in which he is in control of information flows. We do for him what he has wanted for perhaps 20 years, and come out the bad guys - “the terrible west gut us off!”. I would rather have people in Russia have information flows that have a second viewpoint other than the Kremlin’s. I have no expectation that it will get through uncensored, but I would rather it was not in any sense “our fault” and therefore usable by Putin’s propaganda machine.
Sent from my iPad
On Mar 14, 2022, at 2:14 PM, Brian R <briansupport@hotmail.com> wrote:
I can understand governments wanting this to be an option but I would let them do blocking within their countries to their own people if that is their desire. This is another pandoras box. Its bad enough that some countries control this already to block free flow of information. If global DNS is no longer trusted then many actors will start maintaining their own broken lists (intentionally or unintentionally).
- This will not stop Russia, they will just run their own state sponsored DNS servers. We can imagine what else might be implemented on that concept... - Countries or users that still want access will do the same with custom DNS servers. - This will take us down another path of no return as a global standard that is not political or politically controlled. - The belief that the internet is open and free (as much as possible) will be broken in one more way. - This will also accelerate the advancement of crypto DNS like NameCoin (Years ago I liked the idea but I don't know how it is being run anymore.) or UnstoppableDomains for example. Similar to what is starting to happen to central banking as countries start shutting down bank accounts for political reasons.
I am glad to see soo many people on here and many of the organizations running these services state as much.
Brian
------------------------------ *From:* NANOG <nanog-bounces+briansupport=hotmail.com@nanog.org> on behalf of Patrick Bryant <patrick@pbryant.com> *Sent:* Saturday, March 12, 2022 2:47 AM *To:* nanog@nanog.org <nanog@nanog.org> *Subject:* Dropping support for the .ru top level domain
I don't like the idea of disrupting any Internet service. But the current situation is unprecedented.
The Achilles Heel of general public use of Internet services has always been the functionality of DNS.
Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West.
The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome.
The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there...
ru nameserver = a.dns.ripn.net ru nameserver = b.dns.ripn.net ru nameserver = d.dns.ripn.net ru nameserver = e.dns.ripn.net ru nameserver = f.dns.ripn.net
The impact of any action would take time (days) to propagate.
I think you need to understand that these actions will only prolong the situation and likely make things worse. Less info is always worse than more. - Brian
On Mar 15, 2022, at 4:07 AM, Patrick Bryant <patrick@pbryant.com> wrote:
I propose dropping support of the .ru domains as an alternative to the other measures discussed here, such as dropping Russian ASNs -- which would have the counterproductive effect of isolating the Russian public from western news sources. Blocking those ASNs would also be futile as a network defense, if not implemented universally, since the bad actors in Russia usually exploit proxies in other countries as pivot points for their attacks.
Preventing the resolution of the .ru TLD would not impact the Russian public's ability to resolve and access all other TLDs. As I noted, there are countermeasures, including Russia standing up its own root servers, but there are two challenges to countermeasure: 1) it would require modifying evey hints file on every resolver within Russia and, 2) "other measures" could be taken against whatever servers Russia implemented as substitutes. Dropping support for the .ru TLD action may incentivize the Russian State to bifurcate its national network, making it another North Korea, but that action is already underway.
Other arguments are political, and I do not presume to set international political policy. I only offer a technical opinion, not a political one. The legalistic arguments of maintaining treaties is negated by the current state of war.
On Tue, Mar 15, 2022 at 2:29 AM Fred Baker <fredbaker.ietf@gmail.com <mailto:fredbaker.ietf@gmail.com>> wrote: My viewpoint, and the reason I recommended against it, is that it gives Putin something he has wanted for a while, which is a Russia in which he is in control of information flows. We do for him what he has wanted for perhaps 20 years, and come out the bad guys - “the terrible west gut us off!”. I would rather have people in Russia have information flows that have a second viewpoint other than the Kremlin’s. I have no expectation that it will get through uncensored, but I would rather it was not in any sense “our fault” and therefore usable by Putin’s propaganda machine.
Sent from my iPad
On Mar 14, 2022, at 2:14 PM, Brian R <briansupport@hotmail.com <mailto:briansupport@hotmail.com>> wrote:
I can understand governments wanting this to be an option but I would let them do blocking within their countries to their own people if that is their desire. This is another pandoras box. Its bad enough that some countries control this already to block free flow of information. If global DNS is no longer trusted then many actors will start maintaining their own broken lists (intentionally or unintentionally). This will not stop Russia, they will just run their own state sponsored DNS servers. We can imagine what else might be implemented on that concept... Countries or users that still want access will do the same with custom DNS servers. This will take us down another path of no return as a global standard that is not political or politically controlled. The belief that the internet is open and free (as much as possible) will be broken in one more way. This will also accelerate the advancement of crypto DNS like NameCoin (Years ago I liked the idea but I don't know how it is being run anymore.) or UnstoppableDomains for example. Similar to what is starting to happen to central banking as countries start shutting down bank accounts for political reasons. I am glad to see soo many people on here and many of the organizations running these services state as much.
Brian
From: NANOG <nanog-bounces+briansupport=hotmail.com@nanog.org <mailto:hotmail.com@nanog.org>> on behalf of Patrick Bryant <patrick@pbryant.com <mailto:patrick@pbryant.com>> Sent: Saturday, March 12, 2022 2:47 AM To: nanog@nanog.org <mailto:nanog@nanog.org> <nanog@nanog.org <mailto:nanog@nanog.org>> Subject: Dropping support for the .ru top level domain
I don't like the idea of disrupting any Internet service. But the current situation is unprecedented.
The Achilles Heel of general public use of Internet services has always been the functionality of DNS.
Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West.
The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome.
The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there...
ru nameserver = a.dns.ripn.net <http://a.dns.ripn.net/> ru nameserver = b.dns.ripn.net <http://b.dns.ripn.net/> ru nameserver = d.dns.ripn.net <http://d.dns.ripn.net/> ru nameserver = e.dns.ripn.net <http://e.dns.ripn.net/> ru nameserver = f.dns.ripn.net <http://f.dns.ripn.net/>
The impact of any action would take time (days) to propagate.
Kind regards,Alexander Maassen -------- Oorspronkelijk bericht --------Van: brian.johnson@netgeek.us Datum: 15-03-2022 15:08 (GMT+01:00) Aan: Patrick Bryant <patrick@pbryant.com> Cc: "nanog@nanog.org list" <nanog@nanog.org> Onderwerp: Re: Dropping support for the .ru top level domain I think you need to understand that these actions will only prolong the situation and likely make things worse. Less info is always worse than more.- BrianOn Mar 15, 2022, at 4:07 AM, Patrick Bryant <patrick@pbryant.com> wrote:I propose dropping support of the .ru domains as an alternative to the other measures discussed here, such as dropping Russian ASNs -- which would have the counterproductive effect of isolating the Russian public from western news sources. Blocking those ASNs would also be futile as a network defense, if not implemented universally, since the bad actors in Russia usually exploit proxies in other countries as pivot points for their attacks. Preventing the resolution of the .ru TLD would not impact the Russian public's ability to resolve and access all other TLDs. As I noted, there are countermeasures, including Russia standing up its own root servers, but there are two challenges to countermeasure: 1) it would require modifying evey hints file on every resolver within Russia and, 2) "other measures" could be taken against whatever servers Russia implemented as substitutes. Dropping support for the .ru TLD action may incentivize the Russian State to bifurcate its national network, making it another North Korea, but that action is already underway. Other arguments are political, and I do not presume to set international political policy. I only offer a technical opinion, not a political one. The legalistic arguments of maintaining treaties is negated by the current state of war.On Tue, Mar 15, 2022 at 2:29 AM Fred Baker <fredbaker.ietf@gmail.com> wrote:My viewpoint, and the reason I recommended against it, is that it gives Putin something he has wanted for a while, which is a Russia in which he is in control of information flows. We do for him what he has wanted for perhaps 20 years, and come out the bad guys - “the terrible west gut us off!”. I would rather have people in Russia have information flows that have a second viewpoint other than the Kremlin’s. I have no expectation that it will get through uncensored, but I would rather it was not in any sense “our fault” and therefore usable by Putin’s propaganda machine.Sent from my iPadOn Mar 14, 2022, at 2:14 PM, Brian R <briansupport@hotmail.com> wrote: I can understand governments wanting this to be an option but I would let them do blocking within their countries to their own people if that is their desire. This is another pandoras box. Its bad enough that some countries control this already to block free flow of information. If global DNS is no longer trusted then many actors will start maintaining their own broken lists (intentionally or unintentionally). This will not stop Russia, they will just run their own state sponsored DNS servers. We can imagine what else might be implemented on that concept...Countries or users that still want access will do the same with custom DNS servers. This will take us down another path of no return as a global standard that is not political or politically controlled. The belief that the internet is open and free (as much as possible) will be broken in one more way. This will also accelerate the advancement of crypto DNS like NameCoin (Years ago I liked the idea but I don't know how it is being run anymore.) or UnstoppableDomains for example. Similar to what is starting to happen to central banking as countries start shutting down bank accounts for political reasons. I am glad to see soo many people on here and many of the organizations running these services state as much. Brian From: NANOG <nanog-bounces+briansupport=hotmail.com@nanog.org> on behalf of Patrick Bryant <patrick@pbryant.com> Sent: Saturday, March 12, 2022 2:47 AM To: nanog@nanog.org <nanog@nanog.org> Subject: Dropping support for the .ru top level domain I don't like the idea of disrupting any Internet service. But the current situation is unprecedented. The Achilles Heel of general public use of Internet services has always been the functionality of DNS. Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West. The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome. The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there... ru nameserver = a.dns.ripn.net ru nameserver = b.dns.ripn.net ru nameserver = d.dns.ripn.net ru nameserver = e.dns.ripn.net ru nameserver = f.dns.ripn.net The impact of any action would take time (days) to propagate.
I’m reminded of a quote from “2010 The year we make contact”: “Just because our governments are behaving like asses doesn’t mean we have to.” (Roy Scheider as Dr. Heywood Floyd) Breaking any communications facility is, IMHO, counterproductive to all sides. Communication is almost always the key to ending conflict. In this case, it might require more than just communications, but breaking the .RU domain almost certainly isn’t going to help resolve the situation. The internet should, ideally, continue to treat governments behaving like asses as damage and route around them. Owen
On Mar 15, 2022, at 02:07 , Patrick Bryant <patrick@pbryant.com> wrote:
I propose dropping support of the .ru domains as an alternative to the other measures discussed here, such as dropping Russian ASNs -- which would have the counterproductive effect of isolating the Russian public from western news sources. Blocking those ASNs would also be futile as a network defense, if not implemented universally, since the bad actors in Russia usually exploit proxies in other countries as pivot points for their attacks.
Preventing the resolution of the .ru TLD would not impact the Russian public's ability to resolve and access all other TLDs. As I noted, there are countermeasures, including Russia standing up its own root servers, but there are two challenges to countermeasure: 1) it would require modifying evey hints file on every resolver within Russia and, 2) "other measures" could be taken against whatever servers Russia implemented as substitutes. Dropping support for the .ru TLD action may incentivize the Russian State to bifurcate its national network, making it another North Korea, but that action is already underway.
Other arguments are political, and I do not presume to set international political policy. I only offer a technical opinion, not a political one. The legalistic arguments of maintaining treaties is negated by the current state of war.
On Tue, Mar 15, 2022 at 2:29 AM Fred Baker <fredbaker.ietf@gmail.com <mailto:fredbaker.ietf@gmail.com>> wrote: My viewpoint, and the reason I recommended against it, is that it gives Putin something he has wanted for a while, which is a Russia in which he is in control of information flows. We do for him what he has wanted for perhaps 20 years, and come out the bad guys - “the terrible west gut us off!”. I would rather have people in Russia have information flows that have a second viewpoint other than the Kremlin’s. I have no expectation that it will get through uncensored, but I would rather it was not in any sense “our fault” and therefore usable by Putin’s propaganda machine.
Sent from my iPad
On Mar 14, 2022, at 2:14 PM, Brian R <briansupport@hotmail.com <mailto:briansupport@hotmail.com>> wrote:
I can understand governments wanting this to be an option but I would let them do blocking within their countries to their own people if that is their desire. This is another pandoras box. Its bad enough that some countries control this already to block free flow of information. If global DNS is no longer trusted then many actors will start maintaining their own broken lists (intentionally or unintentionally). This will not stop Russia, they will just run their own state sponsored DNS servers. We can imagine what else might be implemented on that concept... Countries or users that still want access will do the same with custom DNS servers. This will take us down another path of no return as a global standard that is not political or politically controlled. The belief that the internet is open and free (as much as possible) will be broken in one more way. This will also accelerate the advancement of crypto DNS like NameCoin (Years ago I liked the idea but I don't know how it is being run anymore.) or UnstoppableDomains for example. Similar to what is starting to happen to central banking as countries start shutting down bank accounts for political reasons. I am glad to see soo many people on here and many of the organizations running these services state as much.
Brian
From: NANOG <nanog-bounces+briansupport=hotmail.com@nanog.org <mailto:hotmail.com@nanog.org>> on behalf of Patrick Bryant <patrick@pbryant.com <mailto:patrick@pbryant.com>> Sent: Saturday, March 12, 2022 2:47 AM To: nanog@nanog.org <mailto:nanog@nanog.org> <nanog@nanog.org <mailto:nanog@nanog.org>> Subject: Dropping support for the .ru top level domain
I don't like the idea of disrupting any Internet service. But the current situation is unprecedented.
The Achilles Heel of general public use of Internet services has always been the functionality of DNS.
Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West.
The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome.
The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there...
ru nameserver = a.dns.ripn.net <http://a.dns.ripn.net/> ru nameserver = b.dns.ripn.net <http://b.dns.ripn.net/> ru nameserver = d.dns.ripn.net <http://d.dns.ripn.net/> ru nameserver = e.dns.ripn.net <http://e.dns.ripn.net/> ru nameserver = f.dns.ripn.net <http://f.dns.ripn.net/>
The impact of any action would take time (days) to propagate.
Owen is spot on, and for people who say dropping .ru you won’t affect citizens, they are forgetting about email addresses. I have a friend at a .ru domain who hosts his email out of country, which leaves me with a reliable way to give him real news. -mel On Mar 15, 2022, at 12:08 PM, Owen DeLong via NANOG <nanog@nanog.org> wrote: I’m reminded of a quote from “2010 The year we make contact”: “Just because our governments are behaving like asses doesn’t mean we have to.” (Roy Scheider as Dr. Heywood Floyd) Breaking any communications facility is, IMHO, counterproductive to all sides. Communication is almost always the key to ending conflict. In this case, it might require more than just communications, but breaking the .RU domain almost certainly isn’t going to help resolve the situation. The internet should, ideally, continue to treat governments behaving like asses as damage and route around them. Owen On Mar 15, 2022, at 02:07 , Patrick Bryant <patrick@pbryant.com<mailto:patrick@pbryant.com>> wrote: I propose dropping support of the .ru domains as an alternative to the other measures discussed here, such as dropping Russian ASNs -- which would have the counterproductive effect of isolating the Russian public from western news sources. Blocking those ASNs would also be futile as a network defense, if not implemented universally, since the bad actors in Russia usually exploit proxies in other countries as pivot points for their attacks. Preventing the resolution of the .ru TLD would not impact the Russian public's ability to resolve and access all other TLDs. As I noted, there are countermeasures, including Russia standing up its own root servers, but there are two challenges to countermeasure: 1) it would require modifying evey hints file on every resolver within Russia and, 2) "other measures" could be taken against whatever servers Russia implemented as substitutes. Dropping support for the .ru TLD action may incentivize the Russian State to bifurcate its national network, making it another North Korea, but that action is already underway. Other arguments are political, and I do not presume to set international political policy. I only offer a technical opinion, not a political one. The legalistic arguments of maintaining treaties is negated by the current state of war. On Tue, Mar 15, 2022 at 2:29 AM Fred Baker <fredbaker.ietf@gmail.com<mailto:fredbaker.ietf@gmail.com>> wrote: My viewpoint, and the reason I recommended against it, is that it gives Putin something he has wanted for a while, which is a Russia in which he is in control of information flows. We do for him what he has wanted for perhaps 20 years, and come out the bad guys - “the terrible west gut us off!”. I would rather have people in Russia have information flows that have a second viewpoint other than the Kremlin’s. I have no expectation that it will get through uncensored, but I would rather it was not in any sense “our fault” and therefore usable by Putin’s propaganda machine. Sent from my iPad On Mar 14, 2022, at 2:14 PM, Brian R <briansupport@hotmail.com<mailto:briansupport@hotmail.com>> wrote: I can understand governments wanting this to be an option but I would let them do blocking within their countries to their own people if that is their desire. This is another pandoras box. Its bad enough that some countries control this already to block free flow of information. If global DNS is no longer trusted then many actors will start maintaining their own broken lists (intentionally or unintentionally). * This will not stop Russia, they will just run their own state sponsored DNS servers. We can imagine what else might be implemented on that concept... * Countries or users that still want access will do the same with custom DNS servers. * This will take us down another path of no return as a global standard that is not political or politically controlled. * The belief that the internet is open and free (as much as possible) will be broken in one more way. * This will also accelerate the advancement of crypto DNS like NameCoin (Years ago I liked the idea but I don't know how it is being run anymore.) or UnstoppableDomains for example. Similar to what is starting to happen to central banking as countries start shutting down bank accounts for political reasons. I am glad to see soo many people on here and many of the organizations running these services state as much. Brian ________________________________ From: NANOG <nanog-bounces+briansupport=hotmail.com@nanog.org<mailto:hotmail.com@nanog.org>> on behalf of Patrick Bryant <patrick@pbryant.com<mailto:patrick@pbryant.com>> Sent: Saturday, March 12, 2022 2:47 AM To: nanog@nanog.org<mailto:nanog@nanog.org> <nanog@nanog.org<mailto:nanog@nanog.org>> Subject: Dropping support for the .ru top level domain I don't like the idea of disrupting any Internet service. But the current situation is unprecedented. The Achilles Heel of general public use of Internet services has always been the functionality of DNS. Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West. The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome. The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there... ru nameserver = a.dns.ripn.net<http://a.dns.ripn.net/> ru nameserver = b.dns.ripn.net<http://b.dns.ripn.net/> ru nameserver = d.dns.ripn.net<http://d.dns.ripn.net/> ru nameserver = e.dns.ripn.net<http://e.dns.ripn.net/> ru nameserver = f.dns.ripn.net<http://f.dns.ripn.net/> The impact of any action would take time (days) to propagate.
Other arguments are political, and I do not presume to set international political policy. I only offer a technical opinion, not a political one.
Your technical opinion is what everyone is responding to. Dropping support for any TLD in the root zone DB is a terrible idea, period. Proposing technical measures to futz with standards based infrastructure functionality is a terrible idea, period. On Tue, Mar 15, 2022 at 8:13 AM Patrick Bryant <patrick@pbryant.com> wrote:
I propose dropping support of the .ru domains as an alternative to the other measures discussed here, such as dropping Russian ASNs -- which *would* have the counterproductive effect of isolating the Russian public from western news sources. Blocking those ASNs would also be futile as a network defense, if not implemented universally, since the bad actors in Russia usually exploit proxies in other countries as pivot points for their attacks.
Preventing the resolution of the .ru TLD would not impact the Russian public's ability to resolve and access all other TLDs. As I noted, there are countermeasures, including Russia standing up its own root servers, but there are two challenges to countermeasure: 1) it would require modifying evey hints file on every resolver within Russia and, 2) "other measures" could be taken against whatever servers Russia implemented as substitutes. Dropping support for the .ru TLD action may incentivize the Russian State to bifurcate its national network, making it another North Korea, but that action is already underway.
Other arguments are political, and I do not presume to set international political policy. I only offer a technical opinion, not a political one. The legalistic arguments of maintaining treaties is negated by the current state of war.
On Tue, Mar 15, 2022 at 2:29 AM Fred Baker <fredbaker.ietf@gmail.com> wrote:
My viewpoint, and the reason I recommended against it, is that it gives Putin something he has wanted for a while, which is a Russia in which he is in control of information flows. We do for him what he has wanted for perhaps 20 years, and come out the bad guys - “the terrible west gut us off!”. I would rather have people in Russia have information flows that have a second viewpoint other than the Kremlin’s. I have no expectation that it will get through uncensored, but I would rather it was not in any sense “our fault” and therefore usable by Putin’s propaganda machine.
Sent from my iPad
On Mar 14, 2022, at 2:14 PM, Brian R <briansupport@hotmail.com> wrote:
I can understand governments wanting this to be an option but I would let them do blocking within their countries to their own people if that is their desire. This is another pandoras box. Its bad enough that some countries control this already to block free flow of information. If global DNS is no longer trusted then many actors will start maintaining their own broken lists (intentionally or unintentionally).
- This will not stop Russia, they will just run their own state sponsored DNS servers. We can imagine what else might be implemented on that concept... - Countries or users that still want access will do the same with custom DNS servers. - This will take us down another path of no return as a global standard that is not political or politically controlled. - The belief that the internet is open and free (as much as possible) will be broken in one more way. - This will also accelerate the advancement of crypto DNS like NameCoin (Years ago I liked the idea but I don't know how it is being run anymore.) or UnstoppableDomains for example. Similar to what is starting to happen to central banking as countries start shutting down bank accounts for political reasons.
I am glad to see soo many people on here and many of the organizations running these services state as much.
Brian
------------------------------ *From:* NANOG <nanog-bounces+briansupport=hotmail.com@nanog.org> on behalf of Patrick Bryant <patrick@pbryant.com> *Sent:* Saturday, March 12, 2022 2:47 AM *To:* nanog@nanog.org <nanog@nanog.org> *Subject:* Dropping support for the .ru top level domain
I don't like the idea of disrupting any Internet service. But the current situation is unprecedented.
The Achilles Heel of general public use of Internet services has always been the functionality of DNS.
Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West.
The only countermeasure would be the distribution of Russian national DNS zones to a multiplicity of individual DNS resolvers within Russia. Russian operators are in fact implementing this countermeasure, but it is a slow and arduous process, and it will entail many of the operational difficulties that existed with distributing Host files, which DNS was implemented to overcome.
The .ru TLD could be globally disrupted by dropping the .ru zone from the 13 DNS root servers. This would be the most effective action, but would require an authoritative consensus. One level down in DNS delegation are the 5 authoritative servers. I will leave it to the imagination of others to envision what action that could be taken there...
ru nameserver = a.dns.ripn.net ru nameserver = b.dns.ripn.net ru nameserver = d.dns.ripn.net ru nameserver = e.dns.ripn.net ru nameserver = f.dns.ripn.net
The impact of any action would take time (days) to propagate.
participants (16)
-
Alexander Maassen
-
Bill Woodcock
-
Brian R
-
brian.johnson@netgeek.us
-
Christopher Morrow
-
Denys Fedoryshchenko
-
Fred Baker
-
J. Hellenthal
-
james.cutler@consultant.com
-
jim deleskie
-
Kain, Becki (.)
-
Mel Beckman
-
Owen DeLong
-
Patrick Bryant
-
Tom Beecher
-
William Herrin