
The fediverse is supposed to be decentralized. But the fact that the network has a decentralized architecture does not mean that it is perfectly decentralized in practice. We survey here the authoritative servers for the domains used by the fediverse instances. Unfortunately, yes, they are too concentrated.

bortzmeyer.org/nameservers-fed

@bortzmeyer It's not just DNS, by the way: if OVH, Online and Hetzner go down, I think a large part of the fediverse goes down.

@lanodan But I did say that I was only studying DNS (because I know it, and I leave it to others to study other aspects).

@bortzmeyer That's interesting data, but what is the problem? There are natural concentrations for bulk infrastructure services. DNS is one of those. So are IP transit providers, layer-1 optical fiber transport vendors, server manufacturers, ethernet switch vendors, etc.

I suppose the question is what the threat model or adverse consequences are. If it's reliability, then these vendors typically have redundancy built into their infrastructure. For impersonation, that's what certificates are for.

@lmamakos It is certainly not natural. It may be a law of capitalism, but not of nature.

The mention of switches is quite irrelevant: you cannot really control the online presence of someone through switches (unless you control all of them, and can talk to them), so it is not comparable to DNS hosting.

@lmamakos For the reliability, no, these providers do not have redundancy. Cloudflare, for instance, has several times broken its entire network. Redundancy of machines is not important; it is redundancy of companies/people that matters.

@lmamakos And for the risk of impersonation, you know that certificates don't help: if you control the domain, you can have as many certificates as you want, as demonstrated in many attacks where the attacker got a certificate.

@lmamakos And finally, there is the risk of censorship, if one company can make you disappear from the Internet instantly.

@bortzmeyer I think that responses to the various threats you propose are either inexpensive (e.g., OV certificate rather than DV) or economically difficult with a free service. It's certainly possible to use multiple auth DNS service providers (including running your own). And depending on your paranoia, attacking software running in routers and switches isn't impossible, either. Think SolarWinds.

@bortzmeyer The DigitalOcean and Linode nameservers also use Cloudflare DNS Firewall.

(ns1.digitalocean.com - ns3.digitalocean.com, ns1.linode.com - ns5.linode.com)

inwx.de also uses Cloudflare DNS, but e.g. ns.inwx.de does not.

And one of Gandi's nameservers uses Cloudflare.
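As an added example, not part of this thread or of the linked survey, the following Python computes two concentration figures for a constructed set of domains: the share of domains whose every nameserver is run by one organisation (one company can then take the domain off the net, the outage and censorship risk discussed above), and the share with at least one nameserver at that organisation (enough for the impersonation risk, since a resolver may query any of a domain's nameservers). Each NS name is classified twice, once by the name on the server and once by the network that fronts it, to show how DNS Firewall-style fronting like that noted in this post hides the real dependency. The domains, NS names and the FRONTED_BY table are constructed sample data; in particular, treating ns2.inwx.de as fronted is an assumption for the sample, not something the thread states.

```python
"""Measure how concentrated the authoritative DNS of a set of domains is.

Constructed example: the domains, NS names and the FRONTED_BY table are sample
data for this script, not the survey data discussed in the thread.
"""
from collections import Counter
from typing import Callable, Dict, List

Resolver = Callable[[str, str], str]

# Constructed sample: domain -> names found in its NS records.
DOMAIN_NS: Dict[str, List[str]] = {
    "alpha.example": ["ns1.digitalocean.com", "ns2.digitalocean.com"],
    "beta.example": ["ns1.linode.com", "ns2.linode.com"],
    "gamma.example": ["ns.inwx.de", "ns2.inwx.de"],
    "delta.example": ["cory.ns.cloudflare.com", "dora.ns.cloudflare.com"],
    "epsilon.example": ["ns1.epsilon.example", "ns2.epsilon.example"],
    "zeta.example": ["ns1.zeta.example", "dora.ns.cloudflare.com"],
}

# NS name suffix -> organisation whose name is on the server.
OPERATOR_SUFFIX = {
    "digitalocean.com": "DigitalOcean",
    "linode.com": "Linode",
    "inwx.de": "INWX",
    "ns.cloudflare.com": "Cloudflare",
}

# NS name or suffix -> network that actually answers for it (fronting).
# DigitalOcean/Linode and the ns.inwx.de exception follow the thread's
# observations; ns2.inwx.de being fronted is an assumption for this sample.
FRONTED_BY = {
    "digitalocean.com": "Cloudflare",
    "linode.com": "Cloudflare",
    "ns2.inwx.de": "Cloudflare",
}


def _matches(name: str, key: str) -> bool:
    """True when `key` is `name` itself or a parent domain of it."""
    return name == key or name.endswith("." + key)


def operator_of(ns: str, domain: str) -> str:
    """Classify a nameserver by the organisation named in its hostname."""
    ns = ns.rstrip(".").lower()
    if _matches(ns, domain.rstrip(".").lower()):
        return "self-hosted"          # NS lives under the domain it serves
    for suffix, org in OPERATOR_SUFFIX.items():
        if _matches(ns, suffix):
            return org
    return "unknown"


def effective_operator(ns: str, domain: str) -> str:
    """Classify a nameserver by who really answers, fronting included."""
    ns = ns.rstrip(".").lower()
    for key, org in FRONTED_BY.items():   # exact names and suffixes alike
        if _matches(ns, key):
            return org
    return operator_of(ns, domain)


def sole_dependencies(domain_ns: Dict[str, List[str]], resolve: Resolver) -> Counter:
    """operator -> number of domains whose every NS that operator controls.

    This is the outage/censorship figure: one organisation can make the
    domain disappear.
    """
    counts: Counter = Counter()
    for domain, servers in domain_ns.items():
        operators = {resolve(ns, domain) for ns in servers}
        if len(operators) == 1:
            counts[operators.pop()] += 1
    return counts


def exposure(domain_ns: Dict[str, List[str]], resolve: Resolver) -> Counter:
    """operator -> number of domains with at least one NS at that operator.

    This is the impersonation figure: answering for one NS is enough to
    serve forged records to whichever resolvers pick that server.
    """
    counts: Counter = Counter()
    for domain, servers in domain_ns.items():
        for op in {resolve(ns, domain) for ns in servers}:
            counts[op] += 1
    return counts


def hhi(counts: Counter) -> float:
    """Herfindahl-Hirschman index (0..10000) of the shares in `counts`."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum((100.0 * c / total) ** 2 for c in counts.values())


if __name__ == "__main__":
    for label, resolve in (("by NS name", operator_of), ("by who answers", effective_operator)):
        sole = sole_dependencies(DOMAIN_NS, resolve)
        print(f"{label}: sole dependency {dict(sole)}, HHI {hhi(sole):.0f}, "
              f"exposure {dict(exposure(DOMAIN_NS, resolve))}")
```

Run as-is, the name-based view spreads the six sample domains over five operators (HHI 2000), while the fronting-aware view puts three of the four single-operator domains on Cloudflare (HHI 6250) and shows five of the six domains reachable through it. The `exposure` count is the one to watch for the certificate argument made earlier in the thread: any one fronted nameserver is a place where DNS answers, and hence domain-validation responses, can be substituted.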

@bortzmeyer The dependence of AP on DNS also limits options for account and data portability. Hopefully projects like Zot/Nomad, IPFS, and DataShards can give us ways to make the 'verse more independent of DNS servers.

@strypey It's a different issue, I think. The DNS is decentralized, so it is perfectly possible to use it in a decentralized way. But providing decentralized technologies is not enough. People can still use them in a centralised way.

IPFS, that you mention, is a good example. It is decentralized but its implementation is so complicated to install that most people use it in a centralised way, through one of the few Web gateways.

@bortzmeyer In fact, in a network you cannot have real decentralization. Unless you "structurally" block actors at a particular size, and so make any form of "monopoly" impossible. As soon as there is a standard, a big actor will economically have more capacity than a small one, and will therefore tend to gain even more because of externalities and/or economies of scale.

@DalzAsylum Apart from "blocking structurally" (a law?), one can also block size "politically", through awareness among the actors and a voluntary effort on their part.

@bortzmeyer If we are on a globalised network, the interplay of actors means it will not work without strong governance (political governance can go through laws but also through other means, I think); good will no longer works once a certain level is reached (there are probably studies in economics on this point, which I don't know well).

@bortzmeyer If one technically limits what actors can do (I don't know if that's possible, I need to read your paper on DNS), that makes life easier.
For example, couldn't one think of a blockchain (ta-da) that technically does not allow any actor with more than x% of the computing capacity?
There are giants in monopoly or oligopoly positions. Unseating them involves politics and technology. Through one or the other, I believe.

@bortzmeyer On the economic aspect, @gregoryvanel can probably help me.

Mastodon - Gougère Network