A 2019 update on PowerDNS, Galileo, DoH and other things

Last year I wrote a post listing what I had been doing in 2018, because it turned out it was a lot, so much that it was useful to summarise it somewhat.

This year there is less to report, but people have wondered what I’ve been up to. And I’ve learned that if you leave room for speculation about your intentions, wrong answers tend to come up.

This (professional) year for me mostly consisted of two things: DNS over HTTPS and Galileo. 2019 also marked somewhat of a transition for me over at PowerDNS.

The tl;dr:

  • I joined the RIPE NCC Community Projects Fund selection committee.
  • I became a member of the Europol Communication Providers Advisory Group.
  • In 2018, I handed over PowerDNS day-to-day management. In 2019, the PowerDNS team is now also fully running the technical side of things (very well I might say).
  • I launched a project that now, with a great community, monitors all “GPS” satellites around the world, including Galileo, BeiDou and GLONASS.
  • The attempt to write a book on DNA (not DNS!) did not yet work out, but expect more news in 2020.

PowerDNS

I co-founded PowerDNS back in 1999 and with some brief interruptions have been working on it for twenty years now. In 2019 my last major innovations to PowerDNS (DNS over HTTPS and the LUA records) have been merged by the very capable team that now actually runs the show.

Although this has been clear to all relevant people, it makes sense to repeat it here: I am no longer the technical or in fact any other kind of head honcho over at PowerDNS.

As I stated already a year ago, I can now safely get hit by a bus and PowerDNS would be fine. The news this year is that not only am I no longer doing day-to-day PowerDNS management, the team is now also fully in charge of all technical decisions.

I am extremely proud of PowerDNS reaching this level of maturity but I hope to continue to provide at least some “spiritual leadership” (when asked). I also anticipate doing incidental programming work on the project, but (like everyone), I’ll have to get my PRs approved through the regular process.

I do still work for PowerDNS and Open-Xchange because I believe in our mission, which is keeping the internet open for permissionless innovation and unmonetized communication, which brings me to the next subject.

Centralized DNS over HTTPS

Together with my Open-Xchange colleagues, we spent an inordinate amount of time pointing out how centralized DNS over HTTPS should not be the future of the internet. Put very briefly, various organizations (Cloudflare, Mozilla) argue that DNS needs to be encrypted (yes!) but that in order to do so, we must also move people’s DNS, by default, to new third parties (no!).

Now, many of us have been around long enough to remember how well previous centralization attempts have worked. We recall the “Microsoft Tax” on computing. We’ve seen how walled gardens work. We know how hard it is to operate email outside of the gmail/outlook ecosystem. We see the signs on the wall whenever someone proposes to move part of the internet to their systems.

Now everyone is of course assuring us they have no nefarious plans, and that if we centralize our internet on their services (which they provide free of charge), they won’t do anything evil with it. Perhaps. In many articles we have pointed out that encrypting DNS is laudable, but does not actually plug a privacy leak - nothing that is in DNS is not also present in plaintext packets. Instead, moving DNS to a new third party decreases privacy - now this new party ALSO knows which sites we are visiting.

We’ve also pointed out that privacy policies are well and good, but governments do not care about such policies and frequently show up with warrants to hand over data in bulk. Sending your DNS to a US controlled entity is especially bad that way since the US government passed a law stating explicitly that servers world-wide fall under its jurisdiction as long as the operator is American.

The response from the centralised DoH proponents has been deeply disappointing. They’ve noted I must be a shill for telecommunication service providers. They’ve intimated I am a front for European governments. They sent legal threats (very Trumpian, over Twitter).

It is also extremely dispiriting to hear that when one resists further centralisation of the internet, we get told this must be because PowerDNS users want to continue to spy on their subscribers.

It would be tremendously helpful if instead proponents engaged with the substance of the arguments, and for example addressed worries on state surveillance, network neutrality and the governance related to making decisions on behalf of the public.

One thing I learned this year is that activism actually appears to work. I had previously been more of the “code speaks louder than words” belief, but I learned a lot from my coworkers this year on how to effectively influence opinion and policy.

As part of this effort I presented at the Europol/Interpol cybercrime congress, which eventually led to me joining the Europol Communication Providers Advisory Group. So perhaps people are right when they point out I am a “front for European governments” – and if this means arguing to not relinquish control of the Internet to companies far away unable to explain their reasons for wanting such control, I am fine with that.

I hope that 2020 brings us much more encrypted DNS, but deployed in a way in which we do not have to send traffic details to intransparently selected third parties.

Galileo

In July of this year, Galileo (“Europe’s GPS”) suffered a major breakdown. To my great amazement, no one turned out to have been monitoring Galileo (or GPS in fact) in public. Later I found that many universities and institutes do gather data, but not in an accessible way - FTP servers full of .Z files.

I also learned that most of the existing monitoring was best suited for seeing just how well things were going - during the 6-day Galileo outage for example, many receiver instruments appeared to have papered over significant problems, in an attempt to make the best (fix) of a bad situation.

So something had to be done. I quickly found that there were affordable $10 receivers willing to provide the “raw ones and zeroes” of GPS, Galileo, BeiDou and GLONASS satellites. Through the internet, dozens of people showed up willing and able to host such receivers and make them contribute data to what soon became known as galmon.eu.

This site quickly achieved 24/7 coverage of all satellites and duly started spotting problems, some small, some large. At this point, most of the Galileo industry discovered the site as well and many of the vendors, operators and institutes became regular visitors to our status website.

Our unique selling point is that we unearth “every last bit” of GNSS operations, focusing more on how well the satellites (and their atomic clocks) are doing than how well the receivers are able to do their job.

Galmon.eu is a real “internet community effort”. We now have over 40 receivers in the network operated by dedicated professionals who go to great lengths to deliver quality coverage. It may look like it is “all me” but the truth is nothing like that - without the knowledge, resources and efforts provided by the community, the project would be nowhere!

Now, it has to be realised that running a global satellite navigation system is stupendously hard work. Galileo is not quite finished and has not yet been declared fully operational. Simultaneously, the European Union is promoting Galileo heavily. Through clever industrial policies and stimuli, there are now over 1 billion phones that use Galileo - no mean feat.

But since things aren’t quite done, our site frequently found oddities, and some of our discoveries caught the attention of Galileo powers that be. I’m very pleased that, by and large, the Galileo community has responded very well to us barging into their field, especially since initially I was “only partially aware” of how GNSS actually works (charitably put).

It is no fun for a bureaucracy if an outsider shows up and starts to measure the quality of their work in public, and perhaps finds some skeletons there, or things that take some explaining. Especially if such articles rack up over 100k views.

It is a great credit to Galileo that various of their people took the time to educate me on the things I got wrong but also to encourage me to go on with the site. I flatter myself that our efforts have been somewhat useful, perhaps in indirect ways.

To learn more about GPS/GNSS and our project:

I am in any case grateful to the many people that took time to share their advanced GNSS knowledge with me & thus contribute to a better monitored constellation of navigation satellites.

Other things

I applied to join the RIPE NCC Community Projects Fund selection committee and was accepted. We’ve now handed out our 2019 grants, and I hope in 2020 to foster even more applications for funds.

Over the year, I got some way into writing a fun book on DNA, since this continues to fascinate me. It turns out writing books is exceptionally hard so I’ve changed tack. Some blog posts on DNA over the past year (and likely the next) are actually meant to be chapters in the new attempt to get to a book.

Some relevant posts: