Post APlOI6UBiDOaa6Tzns by bortzmeyer@mastodon.gougere.fr
(DIR) Post #APjwzRJV9x2PkqOsPQ by bortzmeyer@mastodon.gougere.fr
2022-11-18T21:07:38Z
2 likes, 3 repeats
The #fediverse is supposed to be decentralized. But the fact that the network has a decentralized architecture does not mean that it is perfectly decentralized in practice. We survey here the #DNS authoritative servers for the domains used by the fediverse instances. Unfortunately, yes, they are too concentrated. https://www.bortzmeyer.org/nameservers-fediverse.html
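The measurement the post describes, as an added example that is not code from the linked article or from any project named in the thread: for a set of instance domains, collect the authoritative nameservers, attribute each nameserver to an operator, and compute how concentrated the result is. Everything a real survey would fetch over the network (NS records, nameserver addresses, who announces those addresses) is replaced here by constructed inline tables, so the script runs offline; the domain names, addresses (RFC 5737 documentation ranges) and prefix-to-operator table are all assumptions. It distinguishes the operator a nameserver's name suggests from the operator that actually answers, because a hoster's own ns1/ns2 may be fronted by a larger DNS provider, which is exactly the kind of hidden dependency that makes concentration worse than the NS names alone show.

```python
"""Authoritative-nameserver concentration survey on constructed data.

Added example; the tables below stand in for live NS/A lookups and for a
prefix-to-operator table built from published ranges or BGP origin data.
"""
from collections import defaultdict
import ipaddress

# Constructed sample: instance domain -> NS set (hypothetical domains).
NS_RECORDS = {
    "instance-a.example": {"ns1.digitalocean.com", "ns2.digitalocean.com", "ns3.digitalocean.com"},
    "instance-b.example": {"amy.ns.cloudflare.com", "bob.ns.cloudflare.com"},
    "instance-c.example": {"dns100.ovh.net", "ns100.ovh.net"},
    "instance-d.example": {"ns1.linode.com", "ns2.linode.com"},
    "instance-e.example": {"ns1.selfhosted.example", "ns2.selfhosted.example"},
    "instance-f.example": {"ns1.hetzner.example", "ns2.otherprovider.example"},
}

# Constructed sample: nameserver -> one address it answers on. These are
# documentation ranges, not the operators' real prefixes; they are arranged
# so that some hosters' nameservers land in the "cloudflare" prefix.
NS_ADDRESSES = {
    "ns1.digitalocean.com": "203.0.113.10", "ns2.digitalocean.com": "203.0.113.11",
    "ns3.digitalocean.com": "203.0.113.12",
    "amy.ns.cloudflare.com": "203.0.113.20", "bob.ns.cloudflare.com": "203.0.113.21",
    "dns100.ovh.net": "198.51.100.10", "ns100.ovh.net": "198.51.100.11",
    "ns1.linode.com": "203.0.113.30", "ns2.linode.com": "203.0.113.31",
    "ns1.selfhosted.example": "192.0.2.10", "ns2.selfhosted.example": "192.0.2.11",
    "ns1.hetzner.example": "192.0.2.130", "ns2.otherprovider.example": "198.51.100.200",
}

# Constructed prefix -> operator table (assumption, not real allocations).
PREFIX_OPERATORS = [
    (ipaddress.ip_network("203.0.113.0/24"), "cloudflare"),
    (ipaddress.ip_network("198.51.100.0/25"), "ovh"),
    (ipaddress.ip_network("198.51.100.128/25"), "otherprovider"),
    (ipaddress.ip_network("192.0.2.0/25"), "selfhosted"),
    (ipaddress.ip_network("192.0.2.128/25"), "hetzner"),
]


def nominal_operator(ns_host: str) -> str:
    """Operator as the NS hostname suggests: its last two labels."""
    return ".".join(ns_host.rstrip(".").lower().split(".")[-2:])


def effective_operator(ns_host: str) -> str:
    """Operator that actually answers, by the prefix its address falls in."""
    addr = NS_ADDRESSES.get(ns_host)
    if addr is None:
        return "unknown"
    ip = ipaddress.ip_address(addr)
    for net, operator in PREFIX_OPERATORS:
        if ip in net:
            return operator
    return "unknown"


def operator_shares(records, classify):
    """Share of the surveyed domains held by each operator.

    Each domain weighs 1, split evenly over its nameservers, so a domain
    spread over two operators gives 0.5 to each and the shares sum to 1.
    """
    shares = defaultdict(float)
    for ns_set in records.values():
        for ns in ns_set:
            shares[classify(ns)] += 1.0 / (len(ns_set) * len(records))
    return dict(shares)


def hhi(shares):
    """Herfindahl-Hirschman index: 1/N for N equal operators, 1.0 for a monopoly."""
    return sum(s * s for s in shares.values())


def single_operator_domains(records, classify):
    """Domains whose every nameserver is answered by one operator: a single
    company can take them offline or redirect them."""
    return sorted(d for d, ns_set in records.items()
                  if len({classify(ns) for ns in ns_set}) == 1)


def survey(records=NS_RECORDS):
    nominal = operator_shares(records, nominal_operator)
    effective = operator_shares(records, effective_operator)
    return {
        "nominal_shares": nominal, "effective_shares": effective,
        "nominal_hhi": hhi(nominal), "effective_hhi": hhi(effective),
        "single_operator": single_operator_domains(records, effective_operator),
    }


if __name__ == "__main__":
    r = survey()
    for key in ("nominal_shares", "effective_shares"):
        print(key, {op: f"{s:.1%}" for op, s in sorted(r[key].items(), key=lambda kv: -kv[1])})
    print(f"HHI by NS name {r['nominal_hhi']:.3f}, by who answers {r['effective_hhi']:.3f}")
    print("single-operator domains:", ", ".join(r["single_operator"]))
```

On the constructed data the nominal view looks spread over six operators, while the effective view puts half of the domains behind one, and five of the six domains have no second operator at all. The same two-level attribution applies to a real survey: resolve the NS names, then attribute the addresses to whoever announces them, rather than trusting the NS hostname.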
Post #APk0cvrZoIxxetrUQq by lanodan@queer.hacktivis.me
2022-11-18T21:13:19.998448Z
0 likes, 0 repeats
@bortzmeyer It's not just the DNS, by the way: if OVH, Online and Hetzner go down, I think a large part of the fediverse goes down.
Post #APkCQdZ3DZpYsg6Gw4 by mathew@mastodon.social
2022-11-19T00:01:09Z
0 likes, 0 repeats
@bortzmeyer Cloudflare, ugh.
Post #APkDeYvpL3rmWNxQQq by lmamakos@universeodon.com
2022-11-19T00:14:21Z
0 likes, 0 repeats
@bortzmeyer That's interesting data, but is the problem? There are natural concentrations for bulk infrastructure services. DNS is one of those. So are IP transit providers, layer-1 optical fiber transport vendors, server manufacturers, ethernet switch vendors, etc. I suppose the question is what the threat model or adverse consequences are? If it's reliability, then these vendors typically have redundancy built into their infrastructure. For impersonation, that's what certificates are for.
Post #APkOuULrEaYkRfvi1g by mnordhoff@infosec.exchange
2022-11-19T02:21:02Z
0 likes, 0 repeats
@bortzmeyer The DigitalOcean and Linode nameservers also use Cloudflare DNS Firewall (ns1.digitalocean.com - ns3.digitalocean.com, ns1.linode.com - ns5.linode.com). inwx.de also uses Cloudflare DNS, but e.g. ns.inwx.de does not. And one of Gandi's nameservers uses Cloudflare.
Post #APkmWvGBw1pLqoZjCS by strypey@mastodon.nzoss.nz
2022-11-19T06:45:45Z
0 likes, 0 repeats
@bortzmeyer The dependence of AP on DNS also limits options for account and data portability. Hopefully projects like Zot/Nomad, IPFS, and DataShards can give us ways to make the 'verse more independent of DNS servers.
Post #APknuZfdxJINnRK25I by bortzmeyer@mastodon.gougere.fr
2022-11-19T07:01:09Z
0 likes, 0 repeats
@strypey It's a different issue, I think. The DNS is decentralized, so it is perfectly possible to use it in a decentralized way. But providing decentralized technologies is not enough. People can still use them in a centralised way. IPFS, that you mention, is a good example. It is decentralized, but its implementation is so complicated to install that most people use it in a centralised way, through one of the few Web gateways.
Post #APlNWEbgDRr3rrA4Q4 by bortzmeyer@mastodon.gougere.fr
2022-11-19T13:40:02Z
1 like, 0 repeats
@lanodan But I did say that I was only studying the DNS (because I know it, and I leave other aspects for others to study).
Post #APlNhmSufeHE40ZBA0 by bortzmeyer@mastodon.gougere.fr
2022-11-19T13:41:58Z
0 likes, 0 repeats
@lmamakos It is certainly not natural. It may be a law of capitalism, but not of nature. The mention of switches is quite irrelevant: you cannot really control the online presence of someone through switches (unless you control all of them, and can talk to them), so it is not comparable to DNS hosting.
Post #APlNtp9wTpxLtUR4ng by bortzmeyer@mastodon.gougere.fr
2022-11-19T13:43:04Z
0 likes, 0 repeats
@lmamakos For the reliability, no, these providers do not have redundancy. Cloudflare, for instance, has several times broken its entire network. Redundancy of machines is not important; it is redundancy of companies/people that matters.
Post #APlOI6UBiDOaa6Tzns by bortzmeyer@mastodon.gougere.fr
2022-11-19T13:44:27Z
0 likes, 0 repeats
@lmamakos And for the risk of impersonation, you know that certificates don't help: if you control the domain, you can have as many certificates as you want, as demonstrated in many attacks where the attacker got a certificate.
Post #APlOIEH0l5bojYNaNM by bortzmeyer@mastodon.gougere.fr
2022-11-19T13:45:06Z
0 likes, 0 repeats
@lmamakos And finally, there is the risk of censorship, if one company can make you disappear from the Internet instantly.
Post #APlnjhcyE50ORlqcYy by lmamakos@universeodon.com
2022-11-19T18:20:08Z
0 likes, 0 repeats
@bortzmeyer I think that responses to the various threats you propose are either inexpensive (e.g., OV certificate rather than DV) or economically difficult with a free service. It's certainly possible to use multiple auth DNS service providers (including running your own). And depending on your paranoia, attacking software running in routers and switches isn't impossible, either. Think SolarWinds.
Post #AQn4nftUW6iNKeMMyG by DalzAsylum@framapiaf.org
2022-12-20T07:11:56Z
0 likes, 0 repeats
@bortzmeyer Actually, in a network you cannot have real decentralisation, except by "structurally" blocking actors at a particular size and thus making any form of "monopoly" impossible. As soon as there is a standard, economically a big actor will have more capacity than a small one, and will therefore tend to gain even more, because of externalities and/or economies of scale.
Post #AQnEHh67VNvbL9ejei by bortzmeyer@mastodon.gougere.fr
2022-12-20T08:58:10Z
0 likes, 0 repeats
@DalzAsylum Apart from "structurally" blocking it (a law?), size can also be blocked "politically", through awareness among the actors and a deliberate effort on their part.
Post #AQnEn7wFlH65Yx1sMi by DalzAsylum@framapiaf.org
2022-12-20T09:03:52Z
0 likes, 0 repeats
@bortzmeyer If we are on a globalised network, the interplay of actors will mean it won't work without strong governance (political; that can go through laws but also other means, I think). Good intentions stop working past a certain level (there are probably economics studies on this point; I'm not an expert).