DNSSEC: .NL privacy statement

[an error occurred while processing this directive]

This is modified from an email Jaap Akkerhuis sent to the namedroppers mailing list. The original email can be found here.

Executive summery

So, we (SIDN) concluded that the NXT walking (now NSEC) and (EU) privacy concerns would not be a show stopper for introducing DNSSEC in the NL zone.


I see a some of arguments being made about EU concerns over privacy. The subject whether DNSSEC would be run into EU privacy concerns pops up on a regular base in various places.

Therefore, SIDN, the Dutch registry, asked for an opinion of the faculty of law of the University of Brabant. These people, all lawyers, are specialized in privacy and the influence of crypto technology on the law (and vice versa). They don't have no specialist knowledge of the DNS, but know the role it has in the proper working of the Internet.


I explained them the situation:
Lots of ccTLDs are preventing zone transfers to be done by the public in general often using privacy concerns as the primary motif. I also explained that DNSSEC has this back door where you can get the names out of the zone by walking the NXT records. So the basic question was, is there really a concern that this backdoor might prevent the deployment of DNSSEC in Europe because of privacy regulation?

Note, this was before NSEC records existed. I'm sticking here to the term NXT records to stay close to the original conversation.

They were willing to do an small study, and, if they thought that there might be any problems, they would raise that and then we would decide whether a larger study was necessary.


It resulted in:
Tilburg University (B.J. Koops & E. Schreuders), Quickscan DNSsec/NXT and privacy, March 2003 (unpublished).
It is not really big, I give here a translation from the Dutch, leaving out some of the details.
We don't think that there is a special privacy problem with the deployment of DNSSEC caused by the NXT walking which would give you a list of names which might be used to query the whois service. The privacy rules are already in force by the Wbp (Dutch privacy law, fully implementing the EU directives --j) and the regulation of the registry. (I'm skipping the details they quote from court cases and articles in our regulations --j). DNSsec only offers something new by the capability to get a list of domain names. This list is irrelevant from a privacy point of view, only the combination with the whois database gives the list personal sensitive information (with the exception that of domain names such as michaeljfox.com, vix.com and jaap-akkerhuis.nl). Possible problems occur when the list is used for interrogating the whois database. But for that, there are already existing rules so DNSsec doesn't add any problems. In short, the back door can give personal data but only in combination with whois for which is existing regulation.
Although they don't claim that they didn't do "fundamental research", We (SIDN) would have been happy to pay for such a study as well, but they refused, since they thought that such a study would have a very similar outcome.

So, we concluded that the NXT walking (now NSEC) and (EU) privacy concerns would not be a show stopper for introducing DNSSEC in the NL zone.

Related: IP rights

On this list in this context I noticed that also concernsabout the IP-rights (Intellectual Property rights) popped up, like one had on a telephone directory. (There the data is also meant to be public, but on how it is organized there are IP rights). You cannot just copy a directory because of that. For a zone file you can claim this probably as well. That gives you a handle to whack people making copies. We discussed this internally somewhat. We think that IP-rights on a zone file is an interesting idea, but doesn't prevent zone enumeration. It has more juridical aspects then technical. Back to (EU and other) pivacy concerns. Given the fact that there are multiple ways to do data mining for domain names in a zone as pointed out by several people, one really must take steps to limit access to "whois data".

Wed Sep 25 2013

© Stichting NLnet Labs

Science Park 400, 1098 XH Amsterdam, The Netherlands

labs@nlnetlabs.nl, subsidised by NLnet and SIDN.