Dear Kaili, one of the ALAC's ATLAS II recommendations was that ICANN needed to adjust its contractual framework to minimize conflict between its requirements and relevant national laws. https://community.icann.org/x/P5ZCAw At present the recommendation is marked as pending the outcome of the CCWG Accountability. With the CCWG Accountability report now out, it is clear that the CCWG has not addressed this problem. The ALAC will need to address this and decide what to do with this recommendation, whether it wants to carry it through to the ICANN Board. At the end of the day, even though it is indeed so inefficient to do this, when I circulated the question to other SO/AC Chairs there was very little, if no response. So it appears that this is just not a priority for anyone... Kindest regards, Olivier On 15/12/2015 06:54, Kan Kaili wrote:

Hi,

As a new member of ALAC and not being aware of past ALAC statements on this issue, my guess is, ICANN wants to avoid complying with ANY government laws and regulations in order to show it is determined to protect the end-users regardless. That is, while European laws may stand to protect end-users' interest, laws of other governments may not.

On the other hand, the current ICANN policy of granting waivers on a case-by-case basis, may not be the most economical way to achieve the desired purpose and might be improved.

Again, this is only my personal guess.

Kaili

----- Original Message ----- *From:* Carlton Samuels <mailto:carlton.samuels@gmail.com> *To:* Roberto Gaetano <mailto:roberto_gaetano@hotmail.com> *Cc:* At-Large Worldwide <mailto:at-large@atlarge-lists.icann.org> *Sent:* Tuesday, December 15, 2015 6:03 AM *Subject:* Re: [At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA

Join the club. The ALAC has pointed to the idiocy in several statements/advisories.

-Carlton

============================== Carlton A Samuels Mobile: 876-818-1799 /Strategy, Planning, Governance, Assessment & Turnaround/ =============================

On Sun, Dec 13, 2015 at 3:52 PM, Roberto Gaetano <roberto_gaetano@hotmail.com <mailto:roberto_gaetano@hotmail.com>> wrote:

I am just wondering how much this overhead does cost. Instead of complying with European law, ICANN has chosen to disregard it, and now is obliged to grant waivers one by one to European registrars. Am I the only one who thinks that this is plain silly? Cheers, R.

> -----Messaggio originale----- > Da: alac-announce-bounces@atlarge-lists.icann.org <mailto:alac-announce-bounces@atlarge-lists.icann.org> [mailto:alac-announce- <mailto:alac-announce-> > bounces@atlarge-lists.icann.org <mailto:bounces@atlarge-lists.icann.org>] Per conto di ICANN At-Large Staff > Inviato: giovedì 10 dicembre 2015 04:03 > A: alac-announce@atlarge-lists.icann.org <mailto:alac-announce@atlarge-lists.icann.org> > Oggetto: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary > Determination To Grant Registrar Data Retention Waiver Request for Ascio > Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA > > > [ICANN]<http://www.icann.org/> > News Alert > > https://www.icann.org/news/announcement-2015-12-09-en > > ________________________________ > Notice of Preliminary Determination To Grant Registrar Data Retention > Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio > Technologies, Inc. USA > > 9 December 2015 > > ICANN has made a preliminary determination that it is prepared to grant a > data retention waiver request submitted by Registrar Ascio Technologies, > Inc. Danmark - filial af Ascio Technologies, Inc. USA ("Ascio") under the 2013 > Registrar Accreditation Agreement (the "2013 RAA"). Section 2 of the Data > Retention Specification (the "Specification") of the 2013 RAA provides that > prior to granting any exemption under the Specification, ICANN will post its > determination on the ICANN website for a period of thirty (30) calendar days. > > Pursuant to Section 2 of the Specification, Ascio has submitted to ICANN a > Registrar data retention waiver request ("Waiver Request") on the basis of > Ascio's contention that compliance with the data collection and/or retention > requirements of the Specification violates applicable law in Denmark. > > The Waiver Request was accompanied by a written legal opinion from a > nationally recognized law firm citing section 5 (5) of the Danish Act on > Processing of Personal Data of 31 May 2000 (the "DPPD"). That section > provides as follows (the following is an unofficial English translation from > Danish): > > Section 5 (5). > > The data collected may not be kept in a form which makes it possible to > identify the data subject for a longer period than is necessary for the > purposes for which the data are processed. > > Following receipt of the Waiver Request, and in accordance with the 2013 > RAA, ICANN through its legal counsel and Ascio discussed the matter in good > faith in an effort to reach a mutually acceptable resolution of the matter. > > The outcome of those discussions is that Ascio is seeking a waiver with > respect to Sections 1.1.1 through 1.1.8 of the Specification that seeks to > reduce from two years to one year the period for which these specified data > elements must be retained after the Registrar's sponsorship of the > Registration ends. > > ICANN has determined on a preliminary basis that it is prepared to grant the > Waiver Request. ICANN is posting this preliminary determination for a period > of thirty (30) calendar days to seek feedback and input from the community > on the proposed data retention waiver. After the thirty (30) calendar day > period following this posting has expired, ICANN will consider all feedback > and input received before making a final determination on whether to grant > the Waiver Request. > > The scope of the proposed waiver would be to permit Ascio to maintain the > information specified in Sections 1.1.1 through 1.1.8 of the Specification for > the duration of its sponsorship of the Registration and for a period of one (1) > additional year thereafter rather than two (2) additional years thereafter. In > all other respects the terms of the Specification would remain AS-IS. > > The specific change to the Specification would be that, for the duration of the > Waiver, the retention requirement of Section 1.1 of the Data Retention > Specification be changed from "two additional years" to "one additional > year." > > If ICANN does make a final determination to grant the Waiver Request > sought by Ascio, the provisions of Section 3 of the Specification would apply > to similar waivers requested by other registrars located in Denmark and > subject to Danish law. Section 3 of the Specification provides as follows: > > If (i) ICANN has previously waived compliance with the requirements of any > requirement of this Data Retention Specification in response to a Waiver > Request from a registrar that is located in the same jurisdiction as Registrar > and (ii) Registrar is subject to the same applicable law that gave rise to > ICANN's agreement to grant such waiver, Registrar may request that ICANN > to grant a similar waiver, which request shall be approved by ICANN, unless > ICANN provides Registrar with a reasonable justification for not approving > such request, in which case Registrar may thereafter make an Wavier > Request pursuant to Section 2 of this Data Retention Specification. > > The Registrar's Waiver Request and supporting documents are available > here: https://www.icann.org/en/system/files/files/waiver-request-ascio- > technologies-09dec15-en.pdf [PDF, 6.39 MB] > > A public comment period will remain open until 23:59 UTC, 11 January 2016. > Public comments will be available for consideration by ICANN staff and the > ICANN Board. > > * Comments can be posted to: comments-ascio-technologies- > 09dec15@icann.org <mailto:09dec15@icann.org><mailto:comments-ascio-technologies- <mailto:comments-ascio-technologies-> > 09dec15@icann.org <mailto:09dec15@icann.org>> > * Comments can be viewed at: http://forum.icann.org/lists/comments- > ascio-technologies-09dec15/

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org <mailto:At-Large@atlarge-lists.icann.org> https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

------------------------------------------------------------------------ _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

-- Olivier MJ Crépin-Leblond, PhD http://www.gih.com/ocl.html

Hi, Thank you very much for your reply and explanation. Now I understand the issue better. Thanks again. Kaili ----- Original Message ----- From: Christian de Larrinaga To: Kan Kaili Cc: Carlton Samuels ; Roberto Gaetano ; At-Large Worldwide Sent: Tuesday, December 15, 2015 6:51 PM Subject: Re: [At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA The thing to get our heads around is not that ICANN complies or not with any of the myriad of laws around the world but that it feels entitled to issue "waivers" as if it has any geo political legal standing on laws. This is a completely separate issue as to whether any local laws are better suited to end-users needs and interests. C Kan Kaili wrote: Hi, As a new member of ALAC and not being aware of past ALAC statements on this issue, my guess is, ICANN wants to avoid complying with ANY government laws and regulations in order to show it is determined to protect the end-users regardless. That is, while European laws may stand to protect end-users' interest, laws of other governments may not. On the other hand, the current ICANN policy of granting waivers on a case-by-case basis, may not be the most economical way to achieve the desired purpose and might be improved. Again, this is only my personal guess. Kaili ----- Original Message ----- From: Carlton Samuels To: Roberto Gaetano Cc: At-Large Worldwide Sent: Tuesday, December 15, 2015 6:03 AM Subject: Re: [At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA Join the club. The ALAC has pointed to the idiocy in several statements/advisories. -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799 Strategy, Planning, Governance, Assessment & Turnaround ============================= On Sun, Dec 13, 2015 at 3:52 PM, Roberto Gaetano <roberto_gaetano@hotmail.com> wrote: I am just wondering how much this overhead does cost. Instead of complying with European law, ICANN has chosen to disregard it, and now is obliged to grant waivers one by one to European registrars. Am I the only one who thinks that this is plain silly? Cheers, R. > -----Messaggio originale----- > Da: alac-announce-bounces@atlarge-lists.icann.org [mailto:alac-announce- > bounces@atlarge-lists.icann.org] Per conto di ICANN At-Large Staff > Inviato: giovedì 10 dicembre 2015 04:03 > A: alac-announce@atlarge-lists.icann.org > Oggetto: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary > Determination To Grant Registrar Data Retention Waiver Request for Ascio > Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA > > > [ICANN]<http://www.icann.org/> > News Alert > > https://www.icann.org/news/announcement-2015-12-09-en > > ________________________________ > Notice of Preliminary Determination To Grant Registrar Data Retention > Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio > Technologies, Inc. USA > > 9 December 2015 > > ICANN has made a preliminary determination that it is prepared to grant a > data retention waiver request submitted by Registrar Ascio Technologies, > Inc. Danmark - filial af Ascio Technologies, Inc. USA ("Ascio") under the 2013 > Registrar Accreditation Agreement (the "2013 RAA"). Section 2 of the Data > Retention Specification (the "Specification") of the 2013 RAA provides that > prior to granting any exemption under the Specification, ICANN will post its > determination on the ICANN website for a period of thirty (30) calendar days. > > Pursuant to Section 2 of the Specification, Ascio has submitted to ICANN a > Registrar data retention waiver request ("Waiver Request") on the basis of > Ascio's contention that compliance with the data collection and/or retention > requirements of the Specification violates applicable law in Denmark. > > The Waiver Request was accompanied by a written legal opinion from a > nationally recognized law firm citing section 5 (5) of the Danish Act on > Processing of Personal Data of 31 May 2000 (the "DPPD"). That section > provides as follows (the following is an unofficial English translation from > Danish): > > Section 5 (5). > > The data collected may not be kept in a form which makes it possible to > identify the data subject for a longer period than is necessary for the > purposes for which the data are processed. > > Following receipt of the Waiver Request, and in accordance with the 2013 > RAA, ICANN through its legal counsel and Ascio discussed the matter in good > faith in an effort to reach a mutually acceptable resolution of the matter. > > The outcome of those discussions is that Ascio is seeking a waiver with > respect to Sections 1.1.1 through 1.1.8 of the Specification that seeks to > reduce from two years to one year the period for which these specified data > elements must be retained after the Registrar's sponsorship of the > Registration ends. > > ICANN has determined on a preliminary basis that it is prepared to grant the > Waiver Request. ICANN is posting this preliminary determination for a period > of thirty (30) calendar days to seek feedback and input from the community > on the proposed data retention waiver. After the thirty (30) calendar day > period following this posting has expired, ICANN will consider all feedback > and input received before making a final determination on whether to grant > the Waiver Request. > > The scope of the proposed waiver would be to permit Ascio to maintain the > information specified in Sections 1.1.1 through 1.1.8 of the Specification for > the duration of its sponsorship of the Registration and for a period of one (1) > additional year thereafter rather than two (2) additional years thereafter. In > all other respects the terms of the Specification would remain AS-IS. > > The specific change to the Specification would be that, for the duration of the > Waiver, the retention requirement of Section 1.1 of the Data Retention > Specification be changed from "two additional years" to "one additional > year." > > If ICANN does make a final determination to grant the Waiver Request > sought by Ascio, the provisions of Section 3 of the Specification would apply > to similar waivers requested by other registrars located in Denmark and > subject to Danish law. Section 3 of the Specification provides as follows: > > If (i) ICANN has previously waived compliance with the requirements of any > requirement of this Data Retention Specification in response to a Waiver > Request from a registrar that is located in the same jurisdiction as Registrar > and (ii) Registrar is subject to the same applicable law that gave rise to > ICANN's agreement to grant such waiver, Registrar may request that ICANN > to grant a similar waiver, which request shall be approved by ICANN, unless > ICANN provides Registrar with a reasonable justification for not approving > such request, in which case Registrar may thereafter make an Wavier > Request pursuant to Section 2 of this Data Retention Specification. > > The Registrar's Waiver Request and supporting documents are available > here: https://www.icann.org/en/system/files/files/waiver-request-ascio- > technologies-09dec15-en.pdf [PDF, 6.39 MB] > > A public comment period will remain open until 23:59 UTC, 11 January 2016. > Public comments will be available for consideration by ICANN staff and the > ICANN Board. > > * Comments can be posted to: comments-ascio-technologies- > 09dec15@icann.org<mailto:comments-ascio-technologies- > 09dec15@icann.org> > * Comments can be viewed at: http://forum.icann.org/lists/comments- > ascio-technologies-09dec15/ _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large At-Large Official Site: http://atlarge.icann.org -------------------------------------------------------------------------- _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large At-Large Official Site: http://atlarge.icann.org _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large At-Large Official Site: http://atlarge.icann.org -- Christian de Larrinaga FBCS, CITP, ------------------------- @ FirstHand ------------------------- +44 7989 386778 cdel@firsthand.net -------------------------

A few comments on this subject. I do understand that this is not a priority (except, of course, for the European registrars and their customers), but we all know how to use the delete button. The first comment is that it sounds really funny that a "waiver" is granted to allow registrars to... obey the laws of their countries - which I assume they have to do anyway, regardless the language of the contracts. It might well be a good way to solve a more complicated problem, but it is sure puzzling for a registrar to have to ask ICANN permission to comply with the law. Is it just a matter of perception, or do we have a problem of substance - or at least of form? Second, the matter under discussion (permanence of registrant information) is something that is forbidden under European law, but is not at all compulsory under US law - which means that not including this provision as compulsory in the contract would not have violated US law at all. Third, and that was really my point, that mistakenly I have not detailed in full, is the need for individual waivers, and the procedure thereof - which has been abundantly discussed in previous months in at least a couple of ICANN meetings. The procedure is that the registry needs to get a statement from the local authorities showing the unlawfulness of the provision, and only at that time an individual waiver is granted. However, the EU GAC representative had already informed ICANN about the European law (that I am sure ICANN's General Counsel knows very well). So, a bulk waiver could have been issued up front for the registrants operating in countries where such law is in effect. Again, maybe a minor nuisance, but multiplied by the number of European registrars this creates the useless loss of time and effort by ICANN, by the individual registrars and by each and every of the local authorities. It could be argued, I admit, that this is ICANN's contribution to the alleviation of the unemployment problem :>) Cheers, Roberto

-----Messaggio originale----- Da: at-large-bounces@atlarge-lists.icann.org [mailto:at-large- bounces@atlarge-lists.icann.org] Per conto di John R. Levine Inviato: mercoledì 16 dicembre 2015 04:57 A: Christian de Larrinaga Cc: At-Large Worldwide Oggetto: Re: [At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA

...

The thing to get our heads around is not that ICANN complies or not with any of the myriad of laws around the world but that it feels entitled to issue "waivers" as if it has any geo political legal standing on laws.

That seriously misrepresents what's going on.

ICANN operates under US law, and all of the registrars sign the same agreement. The agreement is entirely compliant with US law, but laws in other countries are different and sometimes contract provisions that are legal in one country are not in another. This is not something unique to ICANN or to US law.

So the waivers are the way that ICANN reconciles the inevitable conflicts between the terms in a complex contract and varying local laws. If the contracts were changed to reflect, say, French law, you'd still need waivers for registrars outside Europe, the'd just be different ones.

R's, John _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

+1 Thank you. - Kaili ----- Original Message ----- From: "Christopher Wilkinson" <cw@christopherwilkinson.eu> To: "At-Large Worldwide" <at-large@atlarge-lists.icann.org> Sent: Thursday, December 17, 2015 4:13 AM Subject: Re: [At-Large] [ALAC-Announce] ICANN News Alert -- Notice ofPreliminary Determination To Grant Registrar Data RetentionWaiver Request for Ascio Technologies,Inc. Danmark - filial af Ascio Technologies, Inc. USA Good evening: This question has already been addressed - at lest in part - in the context of the IAG-WHOIS working group earlier this year. I attach a copy of my comments to their report. The main points, which have been generally supported by the subsequent formal ALAC statement, are: 1. ICANN should apply international best practice in Privacy and Data Protection, world-wide 2. Failing which, in each relevant jurisdiction (e.g. the EU), ICANN should apply a block exemption for all Registries and Registrars concerned. No more individual procedures. That is one of Roberto's points, below. I also proposed that: 3. In any event, ICANN should reverse the burden of proof. That is, the default would be that the Registrar/Registry respects applicable law and it is up to ICANN to initiate a contrary procedure should it determine that security and stability is thereby prejudiced. (Since ICANN has never, to my knowledge, suggested that a ccTLD Registry or their Registrars are threatening Security and Stability by respecting applicable laws, I guess that is an extreme outlier case.) Best regards CW -------------------------------------------------------------------------------- On 16 Dec 2015, at 17:10, Roberto Gaetano <roberto_gaetano@hotmail.com> wrote:

A few comments on this subject. I do understand that this is not a priority (except, of course, for the European registrars and their customers), but we all know how to use the delete button.

The first comment is that it sounds really funny that a "waiver" is granted to allow registrars to... obey the laws of their countries - which I assume they have to do anyway, regardless the language of the contracts. It might well be a good way to solve a more complicated problem, but it is sure puzzling for a registrar to have to ask ICANN permission to comply with the law. Is it just a matter of perception, or do we have a problem of substance - or at least of form? Second, the matter under discussion (permanence of registrant information) is something that is forbidden under European law, but is not at all compulsory under US law - which means that not including this provision as compulsory in the contract would not have violated US law at all. Third, and that was really my point, that mistakenly I have not detailed in full, is the need for individual waivers, and the procedure thereof - which has been abundantly discussed in previous months in at least a couple of ICANN meetings. The procedure is that the registry needs to get a statement from the local authorities showing the unlawfulness of the provision, and only at that time an individual waiver is granted. However, the EU GAC representative had already informed ICANN about the European law (that I am sure ICANN's General Counsel knows very well). So, a bulk waiver could have been issued up front for the registrants operating in countries where such law is in effect. Again, maybe a minor nuisance, but multiplied by the number of European registrars this creates the useless loss of time and effort by ICANN, by the individual registrars and by each and every of the local authorities. It could be argued, I admit, that this is ICANN's contribution to the alleviation of the unemployment problem :>)

Cheers, Roberto

...

-----Messaggio originale----- Da: at-large-bounces@atlarge-lists.icann.org [mailto:at-large- bounces@atlarge-lists.icann.org] Per conto di John R. Levine Inviato: mercoledì 16 dicembre 2015 04:57 A: Christian de Larrinaga Cc: At-Large Worldwide Oggetto: Re: [At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA

...

The thing to get our heads around is not that ICANN complies or not with any of the myriad of laws around the world but that it feels entitled to issue "waivers" as if it has any geo political legal standing on laws.

That seriously misrepresents what's going on.

ICANN operates under US law, and all of the registrars sign the same agreement. The agreement is entirely compliant with US law, but laws in other countries are different and sometimes contract provisions that are legal in one country are not in another. This is not something unique to ICANN or to US law.

So the waivers are the way that ICANN reconciles the inevitable conflicts between the terms in a complex contract and varying local laws. If the contracts were changed to reflect, say, French law, you'd still need waivers for registrars outside Europe, the'd just be different ones.

R's, John _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

--------------------------------------------------------------------------------

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

I agree with you Kaili even considering that California court will be the place to defend such clause in case of breach. Would be interesting to listen to a lawyer opinion about it. Best, Vanda Scartezini Polo Consultores Associados Av. Paulista 1159, cj 1004 01311-200- Sao Paulo, SP, Brazil Land Line: +55 11 3266.6253 Mobile: + 55 11 98181.1464 Sorry for any typos. On 12/17/15, 1:17 AM, "at-large-bounces@atlarge-lists.icann.org on behalf of Kan Kaili" <at-large-bounces@atlarge-lists.icann.org on behalf of kankaili@gmail.com> wrote:

Again, as a new comer, I am now able to better understand the issue. Thanks to all of you.

As one of the ALAC's ATLAS II recommendations was that ICANN needed to adjust its contractual framework to minimize conflict between its requirements and relevant national laws, I wonder if it is possible to, after ICANN's standard contract provisions, add a simple clause like "in case of conflicts, relevant national laws prevail". Then, the registrar only needs to provide a detailed list of these conflicts so ICANN will know what is going on.

To me, this looks like a blanket waiver for all such cases which might save all the costs for case-by-case waivers, as well as looks and feels better. Or, maybe I am again missing something...?

Thanks again.

Kaili

----- Original Message ----- From: "Roberto Gaetano" <roberto_gaetano@hotmail.com> To: "'John R. Levine'" <johnl@iecc.com>; "'Christian de Larrinaga'" <cdel@firsthand.net> Cc: "'At-Large Worldwide'" <at-large@atlarge-lists.icann.org> Sent: Thursday, December 17, 2015 12:10 AM Subject: [At-Large] R: I: [ALAC-Announce] ICANN News Alert -- Notice ofPreliminary Determination To Grant Registrar Data RetentionWaiver Request for Ascio Technologies,Inc. Danmark - filial af Ascio Technologies, Inc. USA

A few comments on this subject. I do understand that this is not a priority (except, of course, for the European registrars and their customers), but we all know how to use the delete button.

The first comment is that it sounds really funny that a "waiver" is granted to allow registrars to... obey the laws of their countries - which I assume they have to do anyway, regardless the language of the contracts. It might well be a good way to solve a more complicated problem, but it is sure puzzling for a registrar to have to ask ICANN permission to comply with the law. Is it just a matter of perception, or do we have a problem of substance - or at least of form? Second, the matter under discussion (permanence of registrant information) is something that is forbidden under European law, but is not at all compulsory under US law - which means that not including this provision as compulsory in the contract would not have violated US law at all. Third, and that was really my point, that mistakenly I have not detailed in full, is the need for individual waivers, and the procedure thereof - which has been abundantly discussed in previous months in at least a couple of ICANN meetings. The procedure is that the registry needs to get a statement from the local authorities showing the unlawfulness of the provision, and only at that time an individual waiver is granted. However, the EU GAC representative had already informed ICANN about the European law (that I am sure ICANN's General Counsel knows very well). So, a bulk waiver could have been issued up front for the registrants operating in countries where such law is in effect. Again, maybe a minor nuisance, but multiplied by the number of European registrars this creates the useless loss of time and effort by ICANN, by the individual registrars and by each and every of the local authorities. It could be argued, I admit, that this is ICANN's contribution to the alleviation of the unemployment problem :>)

Cheers, Roberto

...

-----Messaggio originale----- Da: at-large-bounces@atlarge-lists.icann.org [mailto:at-large- bounces@atlarge-lists.icann.org] Per conto di John R. Levine Inviato: mercoledì 16 dicembre 2015 04:57 A: Christian de Larrinaga Cc: At-Large Worldwide Oggetto: Re: [At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA

...

The thing to get our heads around is not that ICANN complies or not with any of the myriad of laws around the world but that it feels entitled to issue "waivers" as if it has any geo political legal standing on laws.

That seriously misrepresents what's going on.

ICANN operates under US law, and all of the registrars sign the same agreement. The agreement is entirely compliant with US law, but laws in other countries are different and sometimes contract provisions that are legal in one country are not in another. This is not something unique to ICANN or to US law.

So the waivers are the way that ICANN reconciles the inevitable conflicts between the terms in a complex contract and varying local laws. If the contracts were changed to reflect, say, French law, you'd still need waivers for registrars outside Europe, the'd just be different ones.

R's, John _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

years to focus on what it is supposed to be doing. Yet it is still fixated on imposing terms that are neither legally required in US and in cases even illegal elsewhere.

People with no experience with large networks, which includes pretty much everyone on the ALAC, often seem to believe that collecting less information about domain registrants always improves the privacy of Internet users. The reality is much more subtle. The vast majority of users have never registered a domain and never will, so WHOIS doesn't affect them, while the vast majority of domains are registered for commercial purposes, and a dismaying number for criminal purposes. A large registrar often turns off 10,000 domains a day for malware, phishing, and other malevolent behavior. The WHOIS information that most of the waivers concern is very useful for identifying and dealing with criminals. That is so even though a lot of it is faked, since the crooks tend to have patterns when they fake stuff. I'm not guessing about this, I talk to people every day at network operators who are protecting their users and law enforcement who are protecting their citizens. Registrars should certainly comply with their national laws, and I agree that some of ICANN's rules are silly, e.g., when they grant a waiver, it should automatically apply to other registrars or registries in the same jurisdiction. But when you make it harder to tell who's behind a domain, you're also making it easier for criminals to siphon the money out of your grandmother's bank account. That may be a reasonable tradeoff, but it's a tradeoff and one that deserves better than the kneejerk reeactions we always see here. R's, John

Olivier, all This is really a relevant issue to discuss. In regions like south america where number of registrars is very low ( 17 in all regions ) users depend upon other region registrars, making whole situation worse. Vanda Scartezini Polo Consultores Associados Av. Paulista 1159, cj 1004 01311-200- Sao Paulo, SP, Brazil Land Line: +55 11 3266.6253 Mobile: + 55 11 98181.1464 Sorry for any typos. On 12/17/15, 5:28 PM, "Olivier MJ Crepin-Leblond" <at-large-bounces@atlarge-lists.icann.org on behalf of ocl@gih.com> wrote:

Dear John,

you'll find that the view of the majority of ALAC members will reflect the views from the majority of the ALSes and they are pretty much aligned with the points you have made in your email. This, in fact, is one of the major differences in points of view that the ALAC has had with some people in the GNSO's non commercial stakeholder group. The ALAC is on record in several statements that for domains that are used by commercial organisations, especially when it comes to e-commerce, accurate WHOIS records are mandatory. The ALAC's meetings with the ICANN Compliance department have often given rise to complaints that ICANN Compliance was not doing enough. The suggestion which you make, that "when they grant a waiver, it should automatically apply to other registrars or registries in the same jurisdiction." is something which is worth considering and I wonder if this could be a suggestion made by the ALAC, should it wish to pursue this topic. Kindest regards,

Olivier (my own views)

On 17/12/2015 17:44, John R. Levine wrote:

...

...

years to focus on what it is supposed to be doing. Yet it is still fixated on imposing terms that are neither legally required in US and in cases even illegal elsewhere.

People with no experience with large networks, which includes pretty much everyone on the ALAC, often seem to believe that collecting less information about domain registrants always improves the privacy of Internet users. The reality is much more subtle.

The vast majority of users have never registered a domain and never will, so WHOIS doesn't affect them, while the vast majority of domains are registered for commercial purposes, and a dismaying number for criminal purposes. A large registrar often turns off 10,000 domains a day for malware, phishing, and other malevolent behavior.

The WHOIS information that most of the waivers concern is very useful for identifying and dealing with criminals. That is so even though a lot of it is faked, since the crooks tend to have patterns when they fake stuff. I'm not guessing about this, I talk to people every day at network operators who are protecting their users and law enforcement who are protecting their citizens.

Registrars should certainly comply with their national laws, and I agree that some of ICANN's rules are silly, e.g., when they grant a waiver, it should automatically apply to other registrars or registries in the same jurisdiction. But when you make it harder to tell who's behind a domain, you're also making it easier for criminals to siphon the money out of your grandmother's bank account. That may be a reasonable tradeoff, but it's a tradeoff and one that deserves better than the kneejerk reeactions we always see here.

R's, John _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

The internet is supposed to make it easier for businesses and business people to connect and get things done faster, like, for example, recruiting business people, but ironically internet governance connected groups spend most of their time physically traveling to places to get mostly nothing done, and say "more work needs to be done". Anybody remember NamesCon 2008? Me niether. There hasn't ever been a Conference that the whole world benefitted from, because conferences in the internet age are not meant for progress, conferences are just excuses for people to travel, to see and be seen, to party, in my opinion, and in my opinion proven by the fact that the internet's supposed and oft-mentioned purpose is to facilitate the entire business process, making the decision making/meeting process at conferences obsolete, unnecessary in a business sense, and also laughable, when some business people who could easily talk and compare business notes any time of day via the internet say, "Let's wait for the conference to decide on that." Why? So Travelers can say they are leaders who physically traveled to meet and talk with relevant business people, when I am as much of a leader writing this single critique via email as they are traveling to vegas to walk around and say, "ooh, that's interesting" 1000 times. While it might be fun to do, the internet community is waiting for real tangible progress and real solutions to real world problems and all the tech community has provided them in the past 12 months is an IWatch. I would argue that the "constant conference culture" limits real progress by getting people stuck in a never ending travel loop, where all they begin to care about is the quality of the next travel destination. Ron

On 2015-12-17 07:44 PM, John R. Levine wrote:

People with no experience with large networks, which includes pretty much everyone on the ALAC, often seem to believe that collecting less information about domain registrants always improves the privacy of Internet users. The reality is much more subtle.

The vast majority of users have never registered a domain and never will, so WHOIS doesn't affect them, while the vast majority of domains are registered for commercial purposes, and a dismaying number for criminal purposes. A large registrar often turns off 10,000 domains a day for malware, phishing, and other malevolent behavior.

The WHOIS information that most of the waivers concern is very useful for identifying and dealing with criminals. That is so even though a lot of it is faked, since the crooks tend to have patterns when they fake stuff. I'm not guessing about this, I talk to people every day at network operators who are protecting their users and law enforcement who are protecting their citizens.

Registrars should certainly comply with their national laws, and I agree that some of ICANN's rules are silly, e.g., when they grant a waiver, it should automatically apply to other registrars or registries in the same jurisdiction. But when you make it harder to tell who's behind a domain, you're also making it easier for criminals to siphon the money out of your grandmother's bank account. That may be a reasonable tradeoff, but it's a tradeoff and one that deserves better than the kneejerk reeactions we always see here.

R's, John

+1 To illustrate the point, search for "fjrasile@yahoo.com". Hint: Supplying bogus data has nothing to do with privacy. Also look at the period over which those domains were registered with the registrar constantly being made aware of the issue. You'll also find this party uses more than one registrar. This is just one of many such. We also do not wish to subject the public to domains such as eicu-ae.com (spoofing eic.ac.ae ); "beautiful" WHOIS not even meeting the basic sanity checks. Yet we wish to hide this with privacy? Such issues are seen daily on domains that are registered for purposes to the detriment of the ordinary innocent user. The problem is the majority of registrants are not malicious. But a small handful are and they are extremely active in registering domains with ever changing fake WHOIS details. Even fake WHOIS details may leave patterns (as John said). Ironically I've alerted victims of credit card fraud that their details are being abused by a fraudster in WHOIS where the the pattern did not match the other circumstances. Were it not for WHOIS, this would have slipped past the victim due to the small amounts involved. Here's the problem. Unaccountable privacy is nothing more than anonymity and can be used to devastating effect against the ordinary innocent people using the internet. Some Registrars have shown themselves to not really do WHOIS sanity checks or care, some are deliberately obstructive and discourage reporting fake WHOIS, ignoring ongoing linked issues. The WDPRS system has shown itself to not be effective in such cases. Some registrars simply does not care. Laws differ from country to country. Some Registrars and resellers use this as a strategic marketing tool to attract a certain type of client. Some openly attract clients practising what would be considered illegal activities, such a fraud, in Europe, the US and most parts of the word, simply due to a jurisdiction issues and they way local law is structured. So for a mere $10-$15 a repeat malicious registrant can go jurisdiction shopping, targeting whomever he wishes, even residents of the country he lives in. E.g.: http://mediaon.com/Real-Whois-Protection.php Ironically the initial home of the German "Fake Shopkeeper Gang" who was responsible for Germany largest cyber fraud losses up to 2012. The gang moved to 'Russian' reseller Heihachi (Home of the disavowed Wikileaks copy). Later both the German gang and the Austrian owner of Heihachi were arrested. The owner of Heihachi had a prior criminal record, yet was a reseller for one of America's largest Registrars, had fake whois details as was constantly pointed out to the registrar and ICANN. So the reseller was offered a WHOIS proxy service by the registrar. In turn Heihachi offered WHOIS proxy services for domains belonging to carders, botnet herders, malware creators and distributors etc. Is this the Internet we we want? The problem is law enforcement simply does not have the resources to cater for all of the abuse found on the net. Then there is the international social/political issues. This is no reflection on the authorities, rather the state of the net and certain realities. That is why the authorities rely on partnerships with other private groups. Regards, Derek Smythe Artists Against 419 http://www.aa419.org

Next, it is NOT about not providing access to the WHOIS information for law enforcement agencies.

I'm glad you mentioned that, since that's another misconception common among people who aren't familiar with large networks.

...

The problem is law enforcement simply does not have the resources to cater for all of the abuse found on the net. Then there is the international social/political issues. This is no reflection on the authorities, rather the state of the net and certain realities. That is why the authorities rely on partnerships with other private groups.

Exactly. I spend a lot of time talking to law enforcement, and sometimes even working for them. But the vast majority of the work done protecting Internet users is not done by LE, it's done by organizations ranging from bank security departments shutting down crooks phishing their users to specialist organizations like Team Cymru who provide security data and other services to both LE and private entities. For example, they're running a training meeting in South America next month where I'll be teaching forensic techniques to cops (with a translator since my Spanish is putrid.) Identifying people who "need" access is the wrong approach. The vast majority of domains aren't registered by natural persons and have no privacy to preserve. We can figure out how to make the special cases for the natural persons who need it, but we also need to deal with the fact that a lot of crooks lie. R's, John

A big +1 to Holly's comments. Since we two are the ones who have consistently tagteamed WHOIS matters from the At-Large community in the last 7 or so years, maybe I expand on the perspective a little bit. What we know for sure is that by virtue of time in place and divergent uses, the WHOIS matter is complex enough to demand a sufficiently nuanced response. So we advised and decided an holistic view, all the way from embracing registration data collection, its management, curation and, eventually access. Even before the last WHOIS Review and the EWG's work, the ALAC has largely agreed that the 'one-size fits all' WHOIS is no longer fit to purpose. We know there is potentially a much larger dataset collected by registrars in ordinary course of business, much larger than the deliberative WHOIS dataset. We accept the conceptual underpinnings of legal and natural persons and the status inherent to both groups. We accept there would be commercial concerns to divulge data and information, not just those pertaining the rights to privacy. Spurred largely by the work of Garth Bruen and his ALS Knujon, we have embraced WHOIS accuracy and agitated for a regime for improvement and active monitoring. We held the unregulated privacy/proxy registration schema as inimical to the interests of end users. We even agreed that embracing a Thick WHOIS model was tactically advantageous to the policy goals we advocated; everyone at the same level simplified evolution to the new dispensation. We positioned for a more vigilant ICANN compliance program, hitherto largely geared to matters concerning fee collection. Our positions have been delivered in numerous pertinent statements, some more sharply worded than others, since 2007 So those who were paying attention would have noticed we were out the box and on record for differentiated access to WHOIS, a WHOIS Accuracy program and enforceable service specifications for privacy/proxy registration services for many years now. Holly, myself and others of the At-Large community continue to participate in the policy development WGs in these areas; the IAG-WHOIS Conflicts and the PPSAI, for two. Policy development has always been a long and uneven slog, especially for those of us who are true volunteers. So, for example, we go to the IAG-WHOIS Conflicts and survey the implementation even as we denounce the process as intuitively insensate as a small pet rock. [Mind you, if I were a lawyer with my shingle hanging out I would likely embrace this grand make work confection.] We continue to agitate for and still believe that a re-imagined compliance program and practice must emerge from ICANN. Finally and so you know, a series of PDPs surrounding these matters are coming on steam in the new year. We hope those of you with an interest will show up for work. -Carlton ============================== Carlton A Samuels Mobile: 876-818-1799 *Strategy, Planning, Governance, Assessment & Turnaround* ============================= On Thu, Dec 17, 2015 at 7:29 PM, Holly Raiche <h.raiche@internode.on.net> wrote:

Hi Derek

Just to correct a few things.

First - this is NOT about collecting less WHOIS information - it is about MAKING PUBLIC less WHOIS information.

Next, it is NOT about not providing access to the WHOIS information for law enforcement agencies. Generally, data protection law makes exceptions on access to personal information for law enforcement agencies and other, enumerated purposes. So they WILL have access to the data - whether or not it is faked. The idea is NOT to make it harder for LEA types to have access to data for legitimate purposes - it is to make it harder for just anyone for no reason to have access to that data. And really, what the waivers do is simply allow compliance with national laws - to manage personal information so that it is NOT generally publicly available, but is available for legitimate purposes - including LEA

Next - if you look at the 2013 RAA, there are enhanced requirements for registrars checking on data so that accuracy of data is improved. (read the Whois Review Final Report in relation to that issue). It does not eliminate fake data - but makes it just that much harder to have registrars accept fake data. So while the call is about respecting data protection laws in relation to making WHOIS data public, it is NOT about removing requirements for registrars taking steps to make sure that data is correct - and checking regularly to be sure. Of course, rules are honoured in the breach. Of course, there are registrars who do not follow ICANN rules on data accuracy. But that should not be a call to ignore those rules - it should be a call for more enforcement.

And yes, there are jurisdictions where the criminals can hide. But that is about national sovereignty and the failure of governments to control their country codes - which is beyond ICANN’s jurisdiction.

So please, waivers are there to strike a balance between protecting personal information from general unregulated publication as against the legitimate needs of LEAs (and other institutions given access to personal information under enumerated circumstances) for access to that information.

Holly

On 18 Dec 2015, at 9:29 am, Derek Smythe <derek@aa419.org> wrote:

...

On 2015-12-17 07:44 PM, John R. Levine wrote:

...

People with no experience with large networks, which includes pretty much everyone on the ALAC, often seem to believe that collecting less information about domain registrants always improves the privacy of Internet users. The reality is much more subtle.

The vast majority of users have never registered a domain and never will, so WHOIS doesn't affect them, while the vast majority of domains are registered for commercial purposes, and a dismaying number for criminal purposes. A large registrar often turns off 10,000 domains a day for malware, phishing, and other malevolent behavior.

The WHOIS information that most of the waivers concern is very useful for identifying and dealing with criminals. That is so even though a lot of it is faked, since the crooks tend to have patterns when they fake stuff. I'm not guessing about this, I talk to people every day at network operators who are protecting their users and law enforcement who are protecting their citizens.

Registrars should certainly comply with their national laws, and I agree that some of ICANN's rules are silly, e.g., when they grant a waiver, it should automatically apply to other registrars or registries in the same jurisdiction. But when you make it harder to tell who's behind a domain, you're also making it easier for criminals to siphon the money out of your grandmother's bank account. That may be a reasonable tradeoff, but it's a tradeoff and one that deserves better than the kneejerk reeactions we always see here.

R's, John

+1

To illustrate the point, search for "fjrasile@yahoo.com". Hint: Supplying bogus data has nothing to do with privacy. Also look at the period over which those domains were registered with the registrar constantly being made aware of the issue. You'll also find this party uses more than one registrar.

This is just one of many such.

We also do not wish to subject the public to domains such as eicu-ae.com (spoofing eic.ac.ae ); "beautiful" WHOIS not even meeting the basic sanity checks. Yet we wish to hide this with privacy? Such issues are seen daily on domains that are registered for purposes to the detriment of the ordinary innocent user.

The problem is the majority of registrants are not malicious. But a small handful are and they are extremely active in registering domains with ever changing fake WHOIS details. Even fake WHOIS details may leave patterns (as John said).

Ironically I've alerted victims of credit card fraud that their details are being abused by a fraudster in WHOIS where the the pattern did not match the other circumstances. Were it not for WHOIS, this would have slipped past the victim due to the small amounts involved.

Here's the problem. Unaccountable privacy is nothing more than anonymity and can be used to devastating effect against the ordinary innocent people using the internet. Some Registrars have shown themselves to not really do WHOIS sanity checks or care, some are deliberately obstructive and discourage reporting fake WHOIS, ignoring ongoing linked issues. The WDPRS system has shown itself to not be effective in such cases. Some registrars simply does not care.

Laws differ from country to country. Some Registrars and resellers use this as a strategic marketing tool to attract a certain type of client. Some openly attract clients practising what would be considered illegal activities, such a fraud, in Europe, the US and most parts of the word, simply due to a jurisdiction issues and they way local law is structured. So for a mere $10-$15 a repeat malicious registrant can go jurisdiction shopping, targeting whomever he wishes, even residents of the country he lives in.

E.g.: http://mediaon.com/Real-Whois-Protection.php Ironically the initial home of the German "Fake Shopkeeper Gang" who was responsible for Germany largest cyber fraud losses up to 2012.

The gang moved to 'Russian' reseller Heihachi (Home of the disavowed Wikileaks copy). Later both the German gang and the Austrian owner of Heihachi were arrested. The owner of Heihachi had a prior criminal record, yet was a reseller for one of America's largest Registrars, had fake whois details as was constantly pointed out to the registrar and ICANN. So the reseller was offered a WHOIS proxy service by the registrar. In turn Heihachi offered WHOIS proxy services for domains belonging to carders, botnet herders, malware creators and distributors etc.

Is this the Internet we we want?

The problem is law enforcement simply does not have the resources to cater for all of the abuse found on the net. Then there is the international social/political issues. This is no reflection on the authorities, rather the state of the net and certain realities. That is why the authorities rely on partnerships with other private groups.

Regards,

Derek Smythe Artists Against 419 http://www.aa419.org

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

_______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

Indeed. These are architectural failures across the DNS from design, operations to policy making. What you are really saying is that DNS is not working well for operators.

It really is not helpful to attempt to put your own misunderstandings in other people's mouths.

Actually DNS is not working for most of the Internet either, witness we don't have names resolving to the billions and approaching trillions of devices and applications services at the edge of data networks.

Actually, in this regard DNS works fine. The fact that devices don't have names that hostile parties can use to find them and attack them is not a bug. We could name them if we wanted, and we most definitely do not. R's, John

Karl Auerbach wrote:

On 12/18/15 2:33 AM, Christian de Larrinaga wrote:

...

Actually DNS is not working for most of the Internet either, witness we don't have names resolving to the billions and approaching trillions of devices and applications services at the edge of data networks. I've never heard that claim before. I've run experiments with DNS and found surprisingly few limits on how far it can expand. (For example, in one experiment [more than a decade ago] we ran Bind with tens of millions of top level domains and then ran query traffic [in which we mixed a fair amount of absent names to make it more real-life.])

I'm intrigued. Was this done to establish evidence that a flattening of the hierarchy would not be a technical problem? Took about thirty years for that shift in architecture of DNS to come out of the cold. I am really referring to the scaling of DNS beyond server side hosts which are now largely in located in data centres to satisfy the need for persistent identifiers for all our devices and services. That has not happened using DNS registry business model as it has developed and managed at ICANN. I dare say it could have happened technically. But the business model doesn't work out to charge $10 or more per an for a device orientated name service. The DNS has been taken over by those using it as a pseudo business registration service. A role that the DNS is bound to fail in satisfying. Incidentally I am not knocking the work that Jon Postel and Paul Mockapetris started back in 82 ish and many others have done some amazing work on DNS which we all depend on today. But it seems to have gone as far as it can.

...

Sad fact is DNS designed in an era of big iron... DNS was designed in the mid 1980's, and the biggest of computers we had back then are overmatched even by rather small devices of today. The laptop I'm using to type this makes the Crays I used (for magnetic confinement fusion simulations) seem rather weak.

However, there is an intriguing side vector, which is that DNS is fading as a user-visible technology.

This does not mean that DNS is going to disappear, rather that it is being submerged to become an internal internet name/address technology. IP and MAC addresses used to be far more visible to users. They became submerged under DNS names. DNS is now following that path and being submerged under URI based names and application-local names (such as Facebook names, hashtags, Twitter handles, etc.) Even URI names that contain long DNS names and index data are being submerged under shortened names. I anticipate that attribute-based naming systems will come to dominate in certain areas (I am sure, however, that if one were to look inside such systems that DNS names will be there serving as internal machinery.)

I like your use of the word "submergence" of DNS. It is a great way to put it.

There is at least one of the new top level domain offerings that is based on the idea that this kind of DNS submergence is happening. It's (partial) focus is on DNS names used to located technical resources; the human semantics of the names is not particularly important because it isn't humans who are uttering those DNS names. On the other hand, because a flexible human has been supplanted by embedded firmware, the value of long term persistence of a DNS name is more important than cute words that such a name might contain.

Persistence and global reach of identifiers are critical qualities for many data applications. DNS is continuing to serve as a naming service in the sense of being submerged within a grander URI schema such as with Handles or other registries. But there is the likelihood of a different identifier model entirely appearing. There has been a lot of interesting work that might lead to persistent identifier routing for data objects or graphs of semantic links to give two examples. Both would be a move away from the "everything is a file" Unix metaphor to address content which can lie within and across many devices, even network boundaries. How far the DNS as it is currently structured can usefully serve in such an environment I don't know but it is likely to become increasingly "submerged" as you describe and I suspect increasingly routed around.

--karl--

Christian

Thank you very much, Karl, for proving the facts and telling the history for a new comer. Best, Kaili ----- Original Message ----- From: "Karl Auerbach" <karl@cavebear.com> To: <cdel@firsthand.net> Cc: <at-large@atlarge-lists.icann.org> Sent: Sunday, December 20, 2015 8:34 AM Subject: Re: [At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA

On 12/19/2015 04:31 AM, Christian de Larrinaga wrote:

...

Karl Auerbach wrote:

...

...

I've never heard that claim before. I've run experiments with DNS and found surprisingly few limits on how far it can expand. (For example, in one experiment [more than a decade ago] we ran Bind with tens of millions of top level domains and then ran query traffic [in which we mixed a fair amount of absent names to make it more real-life.])

I'm intrigued. Was this done to establish evidence that a flattening of the hierarchy would not be a technical problem?

The DNS hierarchy of today is extraordinary flat - almost all of the fanout of DNS tree occurs at the third level or deeper. The root fanout is fairly constrained by UDP packet size limits to about 13. The root zone fans out to only a few hundred - now moving to maybe a couple of thousand (most sparsely populated) TLDs. The vast majority of name queries pass through the [com, net, org, in-addr.arpa] branches before the real spreading of DNS occurs. [I suspect that the .be and .ly branches get a fair amount of traffic - but they are themselves pretty flatly arranged.]

Back to our experiment:

ICANN kept making Chicken Little noises about how the sky would fall if the DNS root were to exceed a couple of hundred TLDs and thus utter care and decades of study would be needed.

I (and a couple of others) said "that's rubbish". So we took a fairly vanilla, but reasonably powerful, PC of the era running Linux, and stuffed as much memory into it as we could.

We wrote a script that took the .com zone of that era (several tens of millions of names if I remember right) [don't ask how we got it, I don't remember]. The script turned it into a root zone file with delegations to non-existent machines. We loaded it into bind, waited a bit for the file to be digested, then began testing.

(We also generated several synthetic root zones of various sizes in which we generated names of various lengths using random character sequences.)

We generated queries to that pseudo root server. Since recursion was disabled (as it is disabled on all real root servers) the fact that the delegations went nowhere was not particularly relevant.

The queries were not simple one-at-a-time queries. We overlapped queries and mixed in a good blend of missing names.

We were surprised how well it ran. It pretty much demonstrated that the ICANN theory that the DNS would go "boom" was a bogyman. It demonstrated that ICANN could allocate a ten new TLDs a day and still be well within the technological limits of DNS resolvers based on decade old hardware.

Our experiment was simple, and it did not involve zone transfers of notifications or things like that. But at least we did something concrete rather than merely waiving hands.

I told the ICANN board about these experiments, but in typical ICANN fashion there was no interest in following up with other actual experiments to ascertain whether there was an actual basis for ICANN's fears of DNS expansion.

It wasn't until a decade later that ICANN participated in the one-day-in-the-life-of-the-internet data capture and analysis experiment.

(I had also suggested that ICANN undertake to induce the creation of a DNS early-warning monitoring system - and even lined up a worldwide array of no-cost servers to run the monitors on - and also a system of DNS-in-a-box DVDs that could be disseminated so that people in disaster areas could start to bring back their local communications while they waited for the world to dig its way back in [I've lived in several areas that were hit by disasters, so I've had practical experience with this sort of thing.] But those proposals got zero traction in ICANN.)

BTW, in later years ICANN did get more technically involved - ICANN's role in internationalized domain name and DNSSEC have been good.

...

...The DNS has been taken over by those using it as a pseudo business registration service.

I agree that ICANN imposed a very simple-minded business model onto DNS right from the outset.

And ICANN has never reviewed those decisions from 1998 and even ossified some of that into legal granite - such as the gifting in perpetuity of .com/.net to Verisign in order to get Verisign to drop a lawsuit. Even worse is the gifting of fiat registry fees to Verisign and others with never an inquiry as to the actual costs of providing those registry services. By my calculations that ICANN gift is costing internet users over a $billion a year, every year, in excessive, unverified, unaudited registry fees.

...

Incidentally I am not knocking the work that Jon Postel and Paul Mockapetris started back in 82 ish and many others have done some amazing work on DNS which we all depend on today. But it seems to have gone as far as it can.

I rather disagree that DNS is running out of steam. It is a very successful design that has great scaling properties. And the decision of the root server operators to deploy anycast technology (a decision that they made on their own despite ICANN's silence) was perhaps one of the great unheralded tectonic advances to the internet's resiliency.

A couple of years back there was a multi-month long workshop on cloud computing - a lot of big names/internet pioneers were at the meetings at SRI and Google and elsewhere - we quickly zoomed into naming as a real issue: How does one name cloud things that move and divide and join (especially when third parties may have persistent transaction relationships with specific instances of those cloud things)? I was intriged by attribute based lookup systems, such as IFmap. But at the bottom of those systems often were good old DNS names.

--karl-- _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large

At-Large Official Site: http://atlarge.icann.org

Christian, thankfully you have rescued some points thanks to your careful work over the years. Most of what Karl has written is so inaccurate or biased (or both) that the exercise to straighten it up is too painful; also really unnecessary at this stage. Indeed people find out the hard way that "running your own DNS" (like any other significant infrastructure) is neither easy nor cheap; nor worth the unfavorable cost/risk/benefit equation. The "charging so much for domains" is very much a canard these days. And, has anyone asked how much other alternatives being pushed actually cost and how much *more* centralization and policy inaccessibility they carry as they try to scale? In for some surprises there as well if you care to tear the heavy curtain of innuendo. Yours, Alejandro Pisanty - - - - - - - - - - - - - - - - - - - - - - - - - - - Dr. Alejandro Pisanty Facultad de Química UNAM Av. Universidad 3000, 04510 Mexico DF Mexico +52-1-5541444475 FROM ABROAD +525541444475 DESDE MÉXICO SMS +525541444475 Blog: http://pisanty.blogspot.com LinkedIn: http://www.linkedin.com/in/pisanty Unete al grupo UNAM en LinkedIn, http://www.linkedin.com/e/gis/22285/4A106C0C8614 Twitter: http://twitter.com/apisanty ---->> Unete a ISOC Mexico, http://www.isoc.org . . . . . . . . . . . . . . . . ________________________________ Desde: at-large-bounces@atlarge-lists.icann.org [at-large-bounces@atlarge-lists.icann.org] en nombre de Christian de Larrinaga [cdel@firsthand.net] Enviado el: martes, 22 de diciembre de 2015 11:27 Hasta: Karl Auerbach CC: at-large@atlarge-lists.icann.org Asunto: Re: [At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA comments inline (I've left your post in full because it's very instructive). Karl Auerbach wrote: On 12/19/2015 04:31 AM, Christian de Larrinaga wrote: Karl Auerbach wrote: I've never heard that claim before. I've run experiments with DNS and found surprisingly few limits on how far it can expand. (For example, in one experiment [more than a decade ago] we ran Bind with tens of millions of top level domains and then ran query traffic [in which we mixed a fair amount of absent names to make it more real-life.]) I'm intrigued. Was this done to establish evidence that a flattening of the hierarchy would not be a technical problem? The DNS hierarchy of today is extraordinary flat - almost all of the fanout of DNS tree occurs at the third level or deeper. The root fanout is fairly constrained by UDP packet size limits to about 13. The root zone fans out to only a few hundred - now moving to maybe a couple of thousand (most sparsely populated) TLDs. The vast majority of name queries pass through the [com, net, org, in-addr.arpa] branches before the real spreading of DNS occurs. [I suspect that the .be and .ly branches get a fair amount of traffic - but they are themselves pretty flatly arranged.] Back to our experiment: ICANN kept making Chicken Little noises about how the sky would fall if the DNS root were to exceed a couple of hundred TLDs and thus utter care and decades of study would be needed. I (and a couple of others) said "that's rubbish". So we took a fairly vanilla, but reasonably powerful, PC of the era running Linux, and stuffed as much memory into it as we could. We wrote a script that took the .com zone of that era (several tens of millions of names if I remember right) [don't ask how we got it, I don't remember]. The script turned it into a root zone file with delegations to non-existent machines. We loaded it into bind, waited a bit for the file to be digested, then began testing. (We also generated several synthetic root zones of various sizes in which we generated names of various lengths using random character sequences.) We generated queries to that pseudo root server. Since recursion was disabled (as it is disabled on all real root servers) the fact that the delegations went nowhere was not particularly relevant. The queries were not simple one-at-a-time queries. We overlapped queries and mixed in a good blend of missing names. We were surprised how well it ran. It pretty much demonstrated that the ICANN theory that the DNS would go "boom" was a bogyman. It demonstrated that ICANN could allocate a ten new TLDs a day and still be well within the technological limits of DNS resolvers based on decade old hardware. Our experiment was simple, and it did not involve zone transfers of notifications or things like that. But at least we did something concrete rather than merely waiving hands. I told the ICANN board about these experiments, but in typical ICANN fashion there was no interest in following up with other actual experiments to ascertain whether there was an actual basis for ICANN's fears of DNS expansion. It wasn't until a decade later that ICANN participated in the one-day-in-the-life-of-the-internet data capture and analysis experiment. (I had also suggested that ICANN undertake to induce the creation of a DNS early-warning monitoring system - and even lined up a worldwide array of no-cost servers to run the monitors on - and also a system of DNS-in-a-box DVDs that could be disseminated so that people in disaster areas could start to bring back their local communications while they waited for the world to dig its way back in [I've lived in several areas that were hit by disasters, so I've had practical experience with this sort of thing.] But those proposals got zero traction in ICANN.) BTW, in later years ICANN did get more technically involved - ICANN's role in internationalized domain name and DNSSEC have been good. ...The DNS has been taken over by those using it as a pseudo business registration service. I agree that ICANN imposed a very simple-minded business model onto DNS right from the outset. And ICANN has never reviewed those decisions from 1998 and even ossified some of that into legal granite - such as the gifting in perpetuity of .com/.net to Verisign in order to get Verisign to drop a lawsuit. Even worse is the gifting of fiat registry fees to Verisign and others with never an inquiry as to the actual costs of providing those registry services. By my calculations that ICANN gift is costing internet users over a $billion a year, every year, in excessive, unverified, unaudited registry fees. <C> I remember those arguments. I think there was some validity to them in the sense nobody had really tried to run a flattened hierarchy so I think your test was the correct approach. As you say it should have stimulated things. But running into a wall after providing empirical data is something I've experienced as well. I ran a domain spring clean in 2001 for .uk. It can be found on the wayback machine. A few key findings. - the registrar / registry players were against an independent look at quality of how zones were being managed. - DNS suffers entropy as records go out of date. Quite how WHOIS is supposed to keep up when DNS itself isn't able to do that should be better understood. - Managing DNS servers such as Bind takes effort and regular updates to deal with vulnerabilities. Publicly accessible DNS is highly visible as a target. That said the DNS as a technology has scaled well and as you imply could have scaled further. The question is why do we not see every user and edge point running their own domains or DNS under the ICANN managed domain industry? I expect one reason is that running DNS servers is non trivial (entropy / software updates / dependency hell etc). Another candidate is the policy behind DNS implies a heavy overhead, loss of privacy and cost including an ongoing commitment to name your devices and services using public DNS. So it is not surprising that people use URLs tagged onto third party DNS or increasingly private name spaces / registries outside the DNS entirely and then hook into a convenient domain for managing peering interfaces and so on. </C> Incidentally I am not knocking the work that Jon Postel and Paul Mockapetris started back in 82 ish and many others have done some amazing work on DNS which we all depend on today. But it seems to have gone as far as it can. I rather disagree that DNS is running out of steam. It is a very successful design that has great scaling properties. And the decision of the root server operators to deploy anycast technology (a decision that they made on their own despite ICANN's silence) was perhaps one of the great unheralded tectonic advances to the internet's resiliency. A couple of years back there was a multi-month long workshop on cloud computing - a lot of big names/internet pioneers were at the meetings at SRI and Google and elsewhere - we quickly zoomed into naming as a real issue: How does one name cloud things that move and divide and join (especially when third parties may have persistent transaction relationships with specific instances of those cloud things)? I was intriged by attribute based lookup systems, such as IFmap. But at the bottom of those systems often were good old DNS names. --karl-- <C> Yes that is the situation I've seen too. I participated in establishing a 250 million end point ENUM service or rather private ENUM service about a decade ago for an early VoIP and SIP trunking application service. As a form of iENUM it used DNS technology but it was not visible to the ICANN DNS and peered with other networks privately outside the ICANN DNS. Using the DNS as a technology is potent as it has a known code base and significant experience exists to manage it as a distributed service. But through a combination of charging so much for domains and making the policy cost so high the ICANN community has largely lost the business case for their variant of the DNS for naming the Internet edge. I think that observation is relevant for ALAC and other policy fora to put in their pipe because policy for an ICANN DNS that is engaging all users and devices is rather different in scope to one that is only engaging hosts and intermediaries and the joins between the two need careful handling. Merry Xmas! Christian </C> --

Hello Alejandro, your judgment on Karl is a bit rough. Rest assured: we all know your immense expertise, well served by your self-confidence. Your superiority shines through, perhaps more than your equanimity. If the end of the year is a time for reflection and resolve, you might consider it fair to send the message to Karl and other community members that, maybe, you just got carried away. We would understand. Let me take this opportunity to wish you, and other colleagues on this list, a healthy, happy and successful New Year (see enclosed card). Best regards, Jean-Jacques. ----- Mail original ----- De: "Dr. Alejandro Pisanty Baruch" <apisan@unam.mx> À: "Christian de Larrinaga" <cdel@firsthand.net>, "Karl Auerbach" <karl@cavebear.com> Cc: at-large@atlarge-lists.icann.org Envoyé: Mardi 22 Décembre 2015 21:19:05 Objet: Re: [At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA Christian, thankfully you have rescued some points thanks to your careful work over the years. Most of what Karl has written is so inaccurate or biased (or both) that the exercise to straighten it up is too painful; also really unnecessary at this stage. Indeed people find out the hard way that "running your own DNS" (like any other significant infrastructure) is neither easy nor cheap; nor worth the unfavorable cost/risk/benefit equation. The "charging so much for domains" is very much a canard these days. And, has anyone asked how much other alternatives being pushed actually cost and how much *more* centralization and policy inaccessibility they carry as they try to scale? In for some surprises there as well if you care to tear the heavy curtain of innuendo. Yours, Alejandro Pisanty - - - - - - - - - - - - - - - - - - - - - - - - - - - Dr. Alejandro Pisanty Facultad de Química UNAM Av. Universidad 3000, 04510 Mexico DF Mexico +52-1-5541444475 FROM ABROAD +525541444475 DESDE MÉXICO SMS +525541444475 Blog: http://pisanty.blogspot.com LinkedIn: http://www.linkedin.com/in/pisanty Unete al grupo UNAM en LinkedIn, http://www.linkedin.com/e/gis/22285/4A106C0C8614 Twitter: http://twitter.com/apisanty ---->> Unete a ISOC Mexico, http://www.isoc.org .. . . . . . . . . . . . . . . . Desde: at-large-bounces@atlarge-lists.icann.org [at-large-bounces@atlarge-lists.icann.org] en nombre de Christian de Larrinaga [cdel@firsthand.net] Enviado el: martes, 22 de diciembre de 2015 11:27 Hasta: Karl Auerbach CC: at-large@atlarge-lists.icann.org Asunto: Re: [At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA comments inline (I've left your post in full because it's very instructive). Karl Auerbach wrote: On 12/19/2015 04:31 AM, Christian de Larrinaga wrote: Karl Auerbach wrote: I've never heard that claim before. I've run experiments with DNS and found surprisingly few limits on how far it can expand. (For example, in one experiment [more than a decade ago] we ran Bind with tens of millions of top level domains and then ran query traffic [in which we mixed a fair amount of absent names to make it more real-life.]) I'm intrigued. Was this done to establish evidence that a flattening of the hierarchy would not be a technical problem? The DNS hierarchy of today is extraordinary flat - almost all of the fanout of DNS tree occurs at the third level or deeper. The root fanout is fairly constrained by UDP packet size limits to about 13. The root zone fans out to only a few hundred - now moving to maybe a couple of thousand (most sparsely populated) TLDs. The vast majority of name queries pass through the [com, net, org, in-addr.arpa] branches before the real spreading of DNS occurs. [I suspect that the .be and .ly branches get a fair amount of traffic - but they are themselves pretty flatly arranged.] Back to our experiment: ICANN kept making Chicken Little noises about how the sky would fall if the DNS root were to exceed a couple of hundred TLDs and thus utter care and decades of study would be needed. I (and a couple of others) said "that's rubbish". So we took a fairly vanilla, but reasonably powerful, PC of the era running Linux, and stuffed as much memory into it as we could. We wrote a script that took the .com zone of that era (several tens of millions of names if I remember right) [don't ask how we got it, I don't remember]. The script turned it into a root zone file with delegations to non-existent machines. We loaded it into bind, waited a bit for the file to be digested, then began testing. (We also generated several synthetic root zones of various sizes in which we generated names of various lengths using random character sequences.) We generated queries to that pseudo root server. Since recursion was disabled (as it is disabled on all real root servers) the fact that the delegations went nowhere was not particularly relevant. The queries were not simple one-at-a-time queries. We overlapped queries and mixed in a good blend of missing names. We were surprised how well it ran. It pretty much demonstrated that the ICANN theory that the DNS would go "boom" was a bogyman. It demonstrated that ICANN could allocate a ten new TLDs a day and still be well within the technological limits of DNS resolvers based on decade old hardware. Our experiment was simple, and it did not involve zone transfers of notifications or things like that. But at least we did something concrete rather than merely waiving hands. I told the ICANN board about these experiments, but in typical ICANN fashion there was no interest in following up with other actual experiments to ascertain whether there was an actual basis for ICANN's fears of DNS expansion. It wasn't until a decade later that ICANN participated in the one-day-in-the-life-of-the-internet data capture and analysis experiment. (I had also suggested that ICANN undertake to induce the creation of a DNS early-warning monitoring system - and even lined up a worldwide array of no-cost servers to run the monitors on - and also a system of DNS-in-a-box DVDs that could be disseminated so that people in disaster areas could start to bring back their local communications while they waited for the world to dig its way back in [I've lived in several areas that were hit by disasters, so I've had practical experience with this sort of thing.] But those proposals got zero traction in ICANN.) BTW, in later years ICANN did get more technically involved - ICANN's role in internationalized domain name and DNSSEC have been good. ...The DNS has been taken over by those using it as a pseudo business registration service. I agree that ICANN imposed a very simple-minded business model onto DNS right from the outset. And ICANN has never reviewed those decisions from 1998 and even ossified some of that into legal granite - such as the gifting in perpetuity of .com/.net to Verisign in order to get Verisign to drop a lawsuit. Even worse is the gifting of fiat registry fees to Verisign and others with never an inquiry as to the actual costs of providing those registry services. By my calculations that ICANN gift is costing internet users over a $billion a year, every year, in excessive, unverified, unaudited registry fees. <C> I remember those arguments. I think there was some validity to them in the sense nobody had really tried to run a flattened hierarchy so I think your test was the correct approach. As you say it should have stimulated things. But running into a wall after providing empirical data is something I've experienced as well. I ran a domain spring clean in 2001 for .uk. It can be found on the wayback machine. A few key findings. - the registrar / registry players were against an independent look at quality of how zones were being managed. - DNS suffers entropy as records go out of date. Quite how WHOIS is supposed to keep up when DNS itself isn't able to do that should be better understood. - Managing DNS servers such as Bind takes effort and regular updates to deal with vulnerabilities. Publicly accessible DNS is highly visible as a target. That said the DNS as a technology has scaled well and as you imply could have scaled further. The question is why do we not see every user and edge point running their own domains or DNS under the ICANN managed domain industry? I expect one reason is that running DNS servers is non trivial (entropy / software updates / dependency hell etc). Another candidate is the policy behind DNS implies a heavy overhead, loss of privacy and cost including an ongoing commitment to name your devices and services using public DNS. So it is not surprising that people use URLs tagged onto third party DNS or increasingly private name spaces / registries outside the DNS entirely and then hook into a convenient domain for managing peering interfaces and so on. </C> Incidentally I am not knocking the work that Jon Postel and Paul Mockapetris started back in 82 ish and many others have done some amazing work on DNS which we all depend on today. But it seems to have gone as far as it can. I rather disagree that DNS is running out of steam. It is a very successful design that has great scaling properties. And the decision of the root server operators to deploy anycast technology (a decision that they made on their own despite ICANN's silence) was perhaps one of the great unheralded tectonic advances to the internet's resiliency. A couple of years back there was a multi-month long workshop on cloud computing - a lot of big names/internet pioneers were at the meetings at SRI and Google and elsewhere - we quickly zoomed into naming as a real issue: How does one name cloud things that move and divide and join (especially when third parties may have persistent transaction relationships with specific instances of those cloud things)? I was intriged by attribute based lookup systems, such as IFmap. But at the bottom of those systems often were good old DNS names. --karl-- <C> Yes that is the situation I've seen too. I participated in establishing a 250 million end point ENUM service or rather private ENUM service about a decade ago for an early VoIP and SIP trunking application service. As a form of iENUM it used DNS technology but it was not visible to the ICANN DNS and peered with other networks privately outside the ICANN DNS. Using the DNS as a technology is potent as it has a known code base and significant experience exists to manage it as a distributed service. But through a combination of charging so much for domains and making the policy cost so high the ICANN community has largely lost the business case for their variant of the DNS for naming the Internet edge. I think that observation is relevant for ALAC and other policy fora to put in their pipe because policy for an ICANN DNS that is engaging all users and devices is rather different in scope to one that is only engaging hosts and intermediaries and the joins between the two need careful handling. Merry Xmas! Christian </C> -- _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large At-Large Official Site: http://atlarge.icann.org

@Christian +1. Jean-Jacques. ----- Mail original ----- De: "Christian de Larrinaga" <cdel@firsthand.net> À: "Dr. Alejandro Pisanty Baruch" <apisan@unam.mx> Cc: at-large@atlarge-lists.icann.org Envoyé: Jeudi 24 Décembre 2015 12:38:20 Objet: Re: [At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA Alejandro, Karl Sorry if I inadvertently opened an old sore. I most certainly am not talking about revisiting past lives but looking to broaden and deepen understanding where DNS, as it is now, may continue to fit optimally as a global naming service and perhaps more importantly where for a variety of reasons, (largely operational business policy related) it is not a good fit. I view you both as providing important knowledge and perspectives and wish you a seasonal Merry and fraternal Christmas! Christian Dr. Alejandro Pisanty Baruch wrote: Christian, thankfully you have rescued some points thanks to your careful work over the years. Most of what Karl has written is so inaccurate or biased (or both) that the exercise to straighten it up is too painful; also really unnecessary at this stage. Indeed people find out the hard way that "running your own DNS" (like any other significant infrastructure) is neither easy nor cheap; nor worth the unfavorable cost/risk/benefit equation. The "charging so much for domains" is very much a canard these days. And, has anyone asked how much other alternatives being pushed actually cost and how much *more* centralization and policy inaccessibility they carry as they try to scale? In for some surprises there as well if you care to tear the heavy curtain of innuendo. Yours, Alejandro Pisanty - - - - - - - - - - - - - - - - - - - - - - - - - - - Dr. Alejandro Pisanty Facultad de Química UNAM Av. Universidad 3000, 04510 Mexico DF Mexico +52-1-5541444475 FROM ABROAD +525541444475 DESDE MÉXICO SMS +525541444475 Blog: http://pisanty.blogspot.com LinkedIn: http://www.linkedin.com/in/pisanty Unete al grupo UNAM en LinkedIn, http://www.linkedin.com/e/gis/22285/4A106C0C8614 Twitter: http://twitter.com/apisanty ---->> Unete a ISOC Mexico, http://www.isoc.org .. . . . . . . . . . . . . . . . Desde: at-large-bounces@atlarge-lists.icann.org [ at-large-bounces@atlarge-lists.icann.org ] en nombre de Christian de Larrinaga [ cdel@firsthand.net ] Enviado el: martes, 22 de diciembre de 2015 11:27 Hasta: Karl Auerbach CC: at-large@atlarge-lists.icann.org Asunto: Re: [At-Large] I: [ALAC-Announce] ICANN News Alert -- Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request for Ascio Technologies, Inc. Danmark - filial af Ascio Technologies, Inc. USA comments inline (I've left your post in full because it's very instructive). Karl Auerbach wrote: On 12/19/2015 04:31 AM, Christian de Larrinaga wrote: Karl Auerbach wrote: I've never heard that claim before. I've run experiments with DNS and found surprisingly few limits on how far it can expand. (For example, in one experiment [more than a decade ago] we ran Bind with tens of millions of top level domains and then ran query traffic [in which we mixed a fair amount of absent names to make it more real-life.]) I'm intrigued. Was this done to establish evidence that a flattening of the hierarchy would not be a technical problem? The DNS hierarchy of today is extraordinary flat - almost all of the fanout of DNS tree occurs at the third level or deeper. The root fanout is fairly constrained by UDP packet size limits to about 13. The root zone fans out to only a few hundred - now moving to maybe a couple of thousand (most sparsely populated) TLDs. The vast majority of name queries pass through the [com, net, org, in-addr.arpa] branches before the real spreading of DNS occurs. [I suspect that the ..be and .ly branches get a fair amount of traffic - but they are themselves pretty flatly arranged.] Back to our experiment: ICANN kept making Chicken Little noises about how the sky would fall if the DNS root were to exceed a couple of hundred TLDs and thus utter care and decades of study would be needed. I (and a couple of others) said "that's rubbish". So we took a fairly vanilla, but reasonably powerful, PC of the era running Linux, and stuffed as much memory into it as we could. We wrote a script that took the .com zone of that era (several tens of millions of names if I remember right) [don't ask how we got it, I don't remember]. The script turned it into a root zone file with delegations to non-existent machines. We loaded it into bind, waited a bit for the file to be digested, then began testing. (We also generated several synthetic root zones of various sizes in which we generated names of various lengths using random character sequences.) We generated queries to that pseudo root server. Since recursion was disabled (as it is disabled on all real root servers) the fact that the delegations went nowhere was not particularly relevant. The queries were not simple one-at-a-time queries. We overlapped queries and mixed in a good blend of missing names. We were surprised how well it ran. It pretty much demonstrated that the ICANN theory that the DNS would go "boom" was a bogyman. It demonstrated that ICANN could allocate a ten new TLDs a day and still be well within the technological limits of DNS resolvers based on decade old hardware. Our experiment was simple, and it did not involve zone transfers of notifications or things like that. But at least we did something concrete rather than merely waiving hands. I told the ICANN board about these experiments, but in typical ICANN fashion there was no interest in following up with other actual experiments to ascertain whether there was an actual basis for ICANN's fears of DNS expansion. It wasn't until a decade later that ICANN participated in the one-day-in-the-life-of-the-internet data capture and analysis experiment. (I had also suggested that ICANN undertake to induce the creation of a DNS early-warning monitoring system - and even lined up a worldwide array of no-cost servers to run the monitors on - and also a system of DNS-in-a-box DVDs that could be disseminated so that people in disaster areas could start to bring back their local communications while they waited for the world to dig its way back in [I've lived in several areas that were hit by disasters, so I've had practical experience with this sort of thing.] But those proposals got zero traction in ICANN.) BTW, in later years ICANN did get more technically involved - ICANN's role in internationalized domain name and DNSSEC have been good. ...The DNS has been taken over by those using it as a pseudo business registration service. I agree that ICANN imposed a very simple-minded business model onto DNS right from the outset. And ICANN has never reviewed those decisions from 1998 and even ossified some of that into legal granite - such as the gifting in perpetuity of ..com/.net to Verisign in order to get Verisign to drop a lawsuit. Even worse is the gifting of fiat registry fees to Verisign and others with never an inquiry as to the actual costs of providing those registry services. By my calculations that ICANN gift is costing internet users over a $billion a year, every year, in excessive, unverified, unaudited registry fees. <C> I remember those arguments. I think there was some validity to them in the sense nobody had really tried to run a flattened hierarchy so I think your test was the correct approach. As you say it should have stimulated things. But running into a wall after providing empirical data is something I've experienced as well. I ran a domain spring clean in 2001 for .uk. It can be found on the wayback machine. A few key findings. - the registrar / registry players were against an independent look at quality of how zones were being managed. - DNS suffers entropy as records go out of date. Quite how WHOIS is supposed to keep up when DNS itself isn't able to do that should be better understood. - Managing DNS servers such as Bind takes effort and regular updates to deal with vulnerabilities. Publicly accessible DNS is highly visible as a target. That said the DNS as a technology has scaled well and as you imply could have scaled further. The question is why do we not see every user and edge point running their own domains or DNS under the ICANN managed domain industry? I expect one reason is that running DNS servers is non trivial (entropy / software updates / dependency hell etc). Another candidate is the policy behind DNS implies a heavy overhead, loss of privacy and cost including an ongoing commitment to name your devices and services using public DNS. So it is not surprising that people use URLs tagged onto third party DNS or increasingly private name spaces / registries outside the DNS entirely and then hook into a convenient domain for managing peering interfaces and so on. </C> Incidentally I am not knocking the work that Jon Postel and Paul Mockapetris started back in 82 ish and many others have done some amazing work on DNS which we all depend on today. But it seems to have gone as far as it can. I rather disagree that DNS is running out of steam. It is a very successful design that has great scaling properties. And the decision of the root server operators to deploy anycast technology (a decision that they made on their own despite ICANN's silence) was perhaps one of the great unheralded tectonic advances to the internet's resiliency. A couple of years back there was a multi-month long workshop on cloud computing - a lot of big names/internet pioneers were at the meetings at SRI and Google and elsewhere - we quickly zoomed into naming as a real issue: How does one name cloud things that move and divide and join (especially when third parties may have persistent transaction relationships with specific instances of those cloud things)? I was intriged by attribute based lookup systems, such as IFmap. But at the bottom of those systems often were good old DNS names. --karl-- <C> Yes that is the situation I've seen too. I participated in establishing a 250 million end point ENUM service or rather private ENUM service about a decade ago for an early VoIP and SIP trunking application service. As a form of iENUM it used DNS technology but it was not visible to the ICANN DNS and peered with other networks privately outside the ICANN DNS. Using the DNS as a technology is potent as it has a known code base and significant experience exists to manage it as a distributed service. But through a combination of charging so much for domains and making the policy cost so high the ICANN community has largely lost the business case for their variant of the DNS for naming the Internet edge. I think that observation is relevant for ALAC and other policy fora to put in their pipe because policy for an ICANN DNS that is engaging all users and devices is rather different in scope to one that is only engaging hosts and intermediaries and the joins between the two need careful handling. Merry Xmas! Christian </C> -- -- Christian de Larrinaga FBCS, CITP, ------------------------- @ FirstHand ------------------------- +44 7989 386778 cdel@firsthand.net ------------------------- _______________________________________________ At-Large mailing list At-Large@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/at-large At-Large Official Site: http://atlarge.icann.org