News, events & blog

Back

Joint CENTR 25th R&D and 51st Tech meeting overview

In October, CENTR’s joint meeting of technical and development working groups took place, with a focus on DNS, particularly from the perspectives of anycast, scanning, and zone generation.
Joint CENTR 25th R&D and 51st Tech meeting overview

Let’s start with some interesting news. The Irish registry is developing a framework for accredited registrars, including discounts for those who achieve high accreditation scores. Italy is experimenting with AI for network traffic monitoring and analysis. Denmark has switched from PCH’s anycast service to a solution provided by the Czech registry, as the 2-3 minute zone update interval was deemed too frequent for the American market. The Dutch registry (.nl) is moving to the cloud, while the Belgians are transitioning from virtual machines to Kubernetes. The Czech registry has won the gov.cz contract and is now developing DNS, a web portal, and API interfaces for the state; additionally, they’ve secured the right to continue managing the Czech EIDAS node for the next four years. 

ICANN announced that as of 2025, offering the WHOIS service will no longer be mandatory for gTLDs, signalling the beginning of the transition to the RDAP protocol. So far, we have only observed RDAP from a distance, but a time of confusion lies ahead, where there will no longer be a single protocol to obtain information about registered domains. If we want to ensure that .ee remains accessible for everyone, implementing RDAP will likely become a priority on our agenda.

One of the German registry leaders emphasized in a short, impactful welcome speech that demand for advice and opinions from national registries is decreasing, while demand for solutions is rising. I believe this is not unique to our field but reflects a broader trend, as people now have less time to delve deeply into topics.

For discussions, participants were invited to propose topics, and attendees indicated which subjects interested them the most. Participants then divided into groups based on the most popular topics. I proposed two subjects – identity verification and contact data quality control. Unfortunately, neither was chosen for discussion. No problem – I gladly joined the discussion led by the Swedish team on DNS data synchronization between child and parent nameservers. Later, however, it started to bother me that participants preferred to discuss topics like quantum-era cryptography in the context of DNSSEC and differences in how large and small registries operate. Not that these topics are irrelevant, but their practical applications are somewhat limited. In conversations with people working in the field of quantum computing, the general view is that a practically usable quantum computer is still more than a decade away, and in that time, cryptography will also evolve, but people do enjoy speculating. And the comparison of large and small registries...some are large and have big challenges and opportunities, while others are small with their own advantages and drawbacks – but so what? Perhaps next time, I should put more emphasis on the show, humor, entertainment, and spectacle to attract people to discuss the things that matter :)

The German registry is preparing to release its ambitious global postal address validation solution to the public. The work done is impressive – data is checked against postal databases (if available for the respective country) and OpenStreetMap. Still, I come back to the question "why?". Why collect postal addresses at all? In some countries, it is mandated by law, but this is not the case in Germany. They have this requirement in domain regulation, which they themselves control. The primary use is for identifying malicious registrations, which works as long as the bad actors don’t know this is a key input. Otherwise, they start using random existing addresses instead of non-existent ones. This is likely happening already. I still hold the view that data collection should adhere to the principle of minimalism – only data necessary for service provision should be collected. But for the data that is important to collect, regular checks are necessary to ensure high data quality and accuracy.

The Swedish registry has been working on DNS data synchronization across different levels of nameservers for a long time. There are two standards available: CSYNC (RFC 7477) and CDS (RFC 8078) – both closely related to DNSSEC records. However, zone files in DNS servers contain much more, so why not have a similar automated solution to transfer data from child to parent nameserver? Johan Stenstam has been working on this topic for years and is currently trying to push through a relevant standard within IETF (DSYNC).

The .eu and .be registries no longer use HSMs (Hardware Security Modules) for holding DNSSEC keys. Moreover, they don’t use software alternatives either. For example, .be saves keys to an encrypted disk and monitors its usage. I thought DENIC was one of the few that had abandoned HSMs, but it seems time has moved on, and now we are among the few still using HSMs. The main problems with HSMs are their high cost, complex management, and limited performance. HSMs are generally slow, which is one of the main reasons .ee still has a somewhat outdated 10-minute zone update interval, while some of the world’s largest registries, like .de, do it in near real-time, or Denmark, every two minutes. .eu highlighted operational issues and a significant security risk, noting that if anything were to happen to the HSMs, the keys would be irretrievable. What needs to be protected – the key or the ability to sign? An HSM holds onto the key but does not prevent signing or the use of signatures for any purpose. This is a key consideration for developing our signature solutions, especially as we move toward cloud migration.

The Czechs noted that the number of domains going to auction has dropped significantly. A positive problem? If all domains are released through auctions, it means fewer are being deleted, and if the number of domains hasn’t drastically decreased, then the overall renewal rate has likely improved. They haven’t measured it yet. For us, the sizes have remained roughly the same since the auction was introduced. We can say that the renewal rate of domains purchased from the auction is higher than average – this is expected, as people pay more for domains bought at auction, making renewal relatively more affordable.

There was also talk of cloud-based nameserver solutions, which could be a more flexible alternative for smaller registries instead of creating their own anycast cloud. The topic of RESTful EPP interfaces also came up several times. The French registry, alongside us, has already implemented a REST-based alternative to the EPP interface, and it’s also on the agenda for .cz, .si, .be, .nl, and .ca registries. In November, we’ll have the opportunity to present our solution and experience at IETF and ICANN meetings.

Overall, it was an engaging meeting. Until next time!

Email again: