1 00:00:00,080 --> 00:00:02,020 Join us at The Hedge for a conversation 2 00:00:02,159 --> 00:00:03,060 about engineering, 3 00:00:03,439 --> 00:00:06,819 technology, and business. In this episode, Geoff Huston, 4 00:00:06,879 --> 00:00:09,439 Russ White, and Tom Ammon dig into the 5 00:00:09,439 --> 00:00:12,080 second part of their discussion of DNS over 6 00:00:12,080 --> 00:00:12,580 HTTPS. 7 00:00:24,714 --> 00:00:26,335 In their thirst for speed, 8 00:00:26,910 --> 00:00:29,789 part of the HTTP protocol standard says, look. 9 00:00:29,789 --> 00:00:31,149 I know you're gonna ask for this style 10 00:00:31,149 --> 00:00:32,590 sheet. I know you're gonna ask for this 11 00:00:32,590 --> 00:00:33,090 element. 12 00:00:33,469 --> 00:00:35,229 Look. Let's just save the trouble. Here it 13 00:00:35,229 --> 00:00:37,090 is. I'm gonna push it at you. 14 00:00:38,510 --> 00:00:40,689 I know you're gonna ask for google.com. 15 00:00:40,989 --> 00:00:43,082 I know you are. I can tell you 16 00:00:43,082 --> 00:00:46,987 are. Here's an answer. Now you know I 17 00:00:46,987 --> 00:00:49,554 gave it to you, and what I put 18 00:00:49,554 --> 00:00:51,715 on the wire, you got because the channel's 19 00:00:51,715 --> 00:00:52,215 encrypted. 20 00:00:52,835 --> 00:00:53,975 Is it the right answer? 21 00:00:56,170 --> 00:00:58,010 And is it and is it not just 22 00:00:58,010 --> 00:01:00,810 the right answer but even going further and 23 00:01:00,810 --> 00:01:03,390 saying is it the answer that 24 00:01:04,010 --> 00:01:07,549 for instance, I'm load balancing and I'm now 25 00:01:07,689 --> 00:01:09,689 the server can now mess with my load 26 00:01:09,689 --> 00:01:10,670 balancing algorithm 27 00:01:11,885 --> 00:01:12,385 as, 28 00:01:12,844 --> 00:01:13,505 you know, 29 00:01:13,885 --> 00:01:15,405 an end user or not as an end 30 00:01:15,405 --> 00:01:16,625 user, but as a website 31 00:01:17,325 --> 00:01:17,825 and 32 00:01:18,525 --> 00:01:21,005 play games. 
Well, that's Well not really The 33 00:01:21,005 --> 00:01:23,084 game the games can be wonderful. I can 34 00:01:23,084 --> 00:01:24,510 push you names 35 00:01:25,069 --> 00:01:28,030 that the DNS can't query using DNS over 36 00:01:28,030 --> 00:01:28,530 UDP. 37 00:01:29,390 --> 00:01:29,890 Right. 38 00:01:30,349 --> 00:01:32,430 Yep. Right? And and if I can play 39 00:01:32,430 --> 00:01:34,510 some games with DNSSEC, I can't even sign 40 00:01:34,510 --> 00:01:35,890 it. It'll look just fine, 41 00:01:36,270 --> 00:01:37,790 but it only exists in a in a 42 00:01:37,790 --> 00:01:38,770 certain context. 43 00:01:39,415 --> 00:01:41,114 So we used to think 44 00:01:41,415 --> 00:01:42,715 when we asked ourselves, 45 00:01:43,334 --> 00:01:44,555 what makes the Internet? 46 00:01:45,255 --> 00:01:47,174 And and the first answer going back to 47 00:01:47,174 --> 00:01:49,194 the, you know, nineteen eighties was, 48 00:01:49,495 --> 00:01:51,495 well, it's one address family and one name 49 00:01:51,495 --> 00:01:51,995 family. 50 00:01:53,379 --> 00:01:54,980 Because if I send you a name, the 51 00:01:54,980 --> 00:01:56,420 name means the same to me as it 52 00:01:56,420 --> 00:01:58,659 does to you. You translate the name into 53 00:01:58,659 --> 00:02:01,379 an address. The address addresses the same host 54 00:02:01,379 --> 00:02:02,760 for me and for you. 55 00:02:04,180 --> 00:02:05,239 Fine in the eighties. 56 00:02:05,620 --> 00:02:08,264 This day and age, what makes the Internet? 57 00:02:08,264 --> 00:02:10,905 And and if you say address space, I'll 58 00:02:10,905 --> 00:02:12,685 smack you around the head and go no. 59 00:02:12,745 --> 00:02:13,245 No. 60 00:02:13,625 --> 00:02:15,004 NAT's killed all that. 61 00:02:16,185 --> 00:02:19,064 We make the v4 network work by 62 00:02:19,064 --> 00:02:22,365 phenomenal amounts of address sharing and address translation. 
63 00:02:23,099 --> 00:02:24,860 So what makes the Internet is not a 64 00:02:24,860 --> 00:02:26,240 coherent address space. 65 00:02:27,180 --> 00:02:28,939 The only thing that makes the Internet the 66 00:02:28,939 --> 00:02:30,960 Internet is a coherent name space. 67 00:02:32,139 --> 00:02:33,659 If you give me a name of a 68 00:02:33,659 --> 00:02:34,159 resource, 69 00:02:35,115 --> 00:02:37,675 some website, my bank, whatever, and I give 70 00:02:37,675 --> 00:02:38,814 that name to you, 71 00:02:39,514 --> 00:02:40,175 I confidently 72 00:02:40,555 --> 00:02:43,354 expect that you will look at the same 73 00:02:43,354 --> 00:02:43,854 thing. 74 00:02:44,314 --> 00:02:46,414 The same digital artifact will exist. 75 00:02:47,370 --> 00:02:49,389 And in some ways, with an open DNS, 76 00:02:49,689 --> 00:02:51,709 we can both check on it on this. 77 00:02:51,930 --> 00:02:54,750 So the coherency of the namespaces, single namespaces, 78 00:02:54,889 --> 00:02:55,949 is sort of obvious. 79 00:02:56,569 --> 00:02:58,810 Now, yes, I go into some private corporate 80 00:02:58,810 --> 00:03:01,289 world and split DNS, and all bets are 81 00:03:01,289 --> 00:03:04,634 off, but I did that. I physically did 82 00:03:04,935 --> 00:03:06,634 that. But what if my browser 83 00:03:07,014 --> 00:03:07,995 takes me there? 84 00:03:09,175 --> 00:03:10,395 What if my browser 85 00:03:10,854 --> 00:03:11,995 takes me to namespaces 86 00:03:13,014 --> 00:03:15,034 that are fractured, are broken? 87 00:03:15,500 --> 00:03:17,900 And that the name that I use and 88 00:03:17,900 --> 00:03:20,000 context, when I pass that name to you, 89 00:03:20,300 --> 00:03:22,159 you see something entirely different. 90 00:03:23,180 --> 00:03:24,879 What's the Internet at that point? 91 00:03:25,739 --> 00:03:27,340 Yeah. 
I mean, it there's a lot of 92 00:03:27,340 --> 00:03:29,099 cool things you could do with that, but 93 00:03:29,099 --> 00:03:30,939 there's a lot of really broken things you 94 00:03:30,939 --> 00:03:32,514 can do with that. Right. And and, you 95 00:03:32,514 --> 00:03:35,094 know, it's one of these amazingly powerful weapons 96 00:03:35,875 --> 00:03:36,375 that, 97 00:03:36,675 --> 00:03:39,555 literally, you can imagine all kinds of highly 98 00:03:39,555 --> 00:03:40,615 customized namespaces 99 00:03:41,395 --> 00:03:43,574 that remain an absolute secret. 100 00:03:45,120 --> 00:03:47,040 And there are really cool things you could 101 00:03:47,040 --> 00:03:49,939 do, but, really, some very bad things 102 00:03:50,400 --> 00:03:50,900 that 103 00:03:51,280 --> 00:03:51,780 currently 104 00:03:52,560 --> 00:03:55,040 we rely on to stop you doing bad 105 00:03:55,040 --> 00:03:55,540 things. 106 00:03:56,284 --> 00:03:57,025 For example, 107 00:03:57,564 --> 00:04:00,444 most bots bot armies work on command and 108 00:04:00,444 --> 00:04:01,344 control networks. 109 00:04:01,884 --> 00:04:03,884 I'm like, the only reason why bot armies 110 00:04:03,884 --> 00:04:05,324 are set up is to rent them out. 111 00:04:05,324 --> 00:04:07,564 So you need some mechanism to start them 112 00:04:07,564 --> 00:04:09,085 and stop them and and so on because, 113 00:04:09,085 --> 00:04:10,229 otherwise, why bother? 114 00:04:10,629 --> 00:04:13,110 And the control mechanisms are largely inside the 115 00:04:13,110 --> 00:04:13,610 DNS. 116 00:04:14,229 --> 00:04:16,229 And so this whole idea of an open 117 00:04:16,229 --> 00:04:19,129 DNS with cryptographically generated domain names 118 00:04:19,990 --> 00:04:22,454 is the bread and butter of the DDoS 119 00:04:22,615 --> 00:04:26,134 industry. 
And oddly enough, also, the open factor 120 00:04:26,134 --> 00:04:27,814 of the DNS is bread and butter to 121 00:04:27,814 --> 00:04:30,555 the law enforcement industry trying to stop it. 122 00:04:31,254 --> 00:04:31,995 And so, 123 00:04:32,615 --> 00:04:35,094 you know, bad names get invented to control 124 00:04:35,094 --> 00:04:35,594 botnets. 125 00:04:36,520 --> 00:04:38,280 The good guys go and chase down the 126 00:04:38,280 --> 00:04:40,199 bad names by looking at query levels of 127 00:04:40,199 --> 00:04:42,439 who's doing queries and say, well, that's obviously 128 00:04:42,439 --> 00:04:44,460 a control name. Let's take it out. 129 00:04:45,400 --> 00:04:47,879 But what if the name goes silent, goes 130 00:04:47,879 --> 00:04:49,580 dark, goes into DoH? 131 00:04:50,514 --> 00:04:51,574 And quite frankly 132 00:04:52,835 --> 00:04:54,995 I'm sorry. Your machine can no longer do 133 00:04:54,995 --> 00:04:55,495 HTTPS. 134 00:04:56,435 --> 00:04:58,435 It's it's regarded as insecure. You might as 135 00:04:58,435 --> 00:04:59,654 well shut down the Internet. 136 00:05:00,754 --> 00:05:02,615 You can't do this. It's invisible. 137 00:05:03,169 --> 00:05:05,250 It just looks like any other old web 138 00:05:05,250 --> 00:05:05,750 page. 139 00:05:06,290 --> 00:05:08,949 And so the first kind of issue is 140 00:05:09,169 --> 00:05:10,470 the DNS becomes, 141 00:05:11,250 --> 00:05:12,769 I don't know, less of an area for 142 00:05:12,769 --> 00:05:15,029 control. We need other forms of weapon 143 00:05:15,649 --> 00:05:18,035 to stop the the proliferation of the DNS 144 00:05:18,035 --> 00:05:19,975 being used in in ways that, 145 00:05:20,355 --> 00:05:23,235 you know, proliferate and control badness in its 146 00:05:23,235 --> 00:05:24,375 all its various forms. 147 00:05:25,235 --> 00:05:26,375 That seems retrograde. 
148 00:05:26,754 --> 00:05:28,615 It seems like an own goal 149 00:05:29,920 --> 00:05:32,420 that if the desire was improved privacy, 150 00:05:33,600 --> 00:05:34,580 have we overachieved 151 00:05:35,040 --> 00:05:37,939 and actually made life easier for bad people 152 00:05:38,399 --> 00:05:40,480 as much as we've improved the privacy for 153 00:05:40,480 --> 00:05:41,379 everyone else? 154 00:05:42,205 --> 00:05:43,504 Difficult kind of question. 155 00:05:43,965 --> 00:05:45,645 And as I said, because it's not a 156 00:05:45,645 --> 00:05:46,545 geek knob, 157 00:05:47,165 --> 00:05:49,404 it's not even a question that users will 158 00:05:49,404 --> 00:05:51,665 be given the opportunity to answer individually. 159 00:05:52,925 --> 00:05:54,384 Who gets to make the call? 160 00:05:55,884 --> 00:05:56,384 Gee. 161 00:05:57,169 --> 00:05:59,750 I said 78% of the world use Chrome, 162 00:06:00,449 --> 00:06:02,389 12% of the world use Firefox, 163 00:06:03,410 --> 00:06:04,709 and the rest don't matter. 164 00:06:05,810 --> 00:06:08,389 Yep. So who controls this? 165 00:06:09,810 --> 00:06:10,470 A small 166 00:06:11,675 --> 00:06:12,175 clique 167 00:06:12,634 --> 00:06:13,134 cartel? 168 00:06:14,395 --> 00:06:16,634 A small group of developers in the Mozilla 169 00:06:16,634 --> 00:06:19,035 Foundation and a small group of developers employed 170 00:06:19,035 --> 00:06:19,694 by Google 171 00:06:20,795 --> 00:06:21,775 control this. 172 00:06:22,714 --> 00:06:24,175 Is this what we want? 173 00:06:25,035 --> 00:06:26,254 These are difficult, 174 00:06:26,879 --> 00:06:27,780 serious questions 175 00:06:28,400 --> 00:06:30,960 about the integrity of the network, the integrity 176 00:06:30,960 --> 00:06:31,699 of the namespace, 177 00:06:32,160 --> 00:06:33,860 even the cohesion of the network. 
178 00:06:34,639 --> 00:06:36,020 Should we, by default, 179 00:06:36,960 --> 00:06:38,900 carry the users down a path 180 00:06:39,285 --> 00:06:39,785 which 181 00:06:40,324 --> 00:06:42,665 effectively closes and seals off 182 00:06:43,365 --> 00:06:45,845 all of those elements and places the control 183 00:06:45,845 --> 00:06:46,345 knobs 184 00:06:46,884 --> 00:06:49,545 inside basically two browser factories. 185 00:06:51,365 --> 00:06:53,064 Well, what's what's wrong with saying 186 00:06:53,470 --> 00:06:55,230 we won't do it in the browser? Why 187 00:06:55,230 --> 00:06:57,310 don't we just allow the stub resolver to 188 00:06:57,310 --> 00:06:58,129 do it and 189 00:06:58,750 --> 00:07:00,769 and and don't implement it in the browser? 190 00:07:00,910 --> 00:07:02,589 How are you gonna stop it? And number 191 00:07:02,589 --> 00:07:04,910 one and number two Sure. Sure. And number 192 00:07:04,910 --> 00:07:05,324 two, 193 00:07:05,725 --> 00:07:08,444 it I guarantee you that in the need 194 00:07:08,444 --> 00:07:10,205 for speed and the quest for speed, it's 195 00:07:10,205 --> 00:07:11,745 going into the browser anyway. 196 00:07:12,205 --> 00:07:13,965 See, Russ has got the answer, I think, 197 00:07:13,965 --> 00:07:15,665 there. It's not I'm like, 198 00:07:17,085 --> 00:07:18,529 fine. Go and use 199 00:07:19,149 --> 00:07:20,669 I don't know. Chrome doesn't do it at 200 00:07:20,669 --> 00:07:22,909 the moment. Don't use Firefox. In other words, 201 00:07:22,909 --> 00:07:24,370 change your browser, but 202 00:07:24,829 --> 00:07:27,709 most users don't see the network in these 203 00:07:27,709 --> 00:07:29,949 kinds of dimensions. Right. What they They just 204 00:07:29,949 --> 00:07:31,935 type in URLs, and it just does stuff. 205 00:07:32,334 --> 00:07:35,134 What they see is is some testing site, 206 00:07:35,134 --> 00:07:37,294 PCNet, or I don't know, whoever. Take take 207 00:07:37,294 --> 00:07:39,855 your pick, Tom's hardware, whoever. 
They go out 208 00:07:39,855 --> 00:07:41,794 and they do browser war test, 209 00:07:42,175 --> 00:07:44,415 and it turns out that Firefox is faster 210 00:07:44,415 --> 00:07:46,420 because it's doing this, and they all go 211 00:07:46,420 --> 00:07:47,480 download Firefox. 212 00:07:48,019 --> 00:07:50,680 Right. Because That's exactly exactly right. It's faster. 213 00:07:50,980 --> 00:07:53,699 And so in some ways, if Firefox comes 214 00:07:53,699 --> 00:07:56,600 up with a connection to a lightning fast 215 00:07:56,740 --> 00:07:58,199 open recursive resolver, 216 00:07:59,220 --> 00:08:01,754 and the folk who build open recursive resolver 217 00:08:01,915 --> 00:08:05,055 certainly try extremely hard to be extremely fast 218 00:08:05,115 --> 00:08:05,615 everywhere, 219 00:08:06,314 --> 00:08:08,714 then they're gonna use it. And users will 220 00:08:08,714 --> 00:08:11,134 go, yippee. This is really fast. 221 00:08:12,555 --> 00:08:13,055 Now 222 00:08:13,435 --> 00:08:15,514 we've said that all of this is about 223 00:08:15,514 --> 00:08:16,735 better personal privacy. 224 00:08:18,220 --> 00:08:20,379 But, again, here is one of the most 225 00:08:20,379 --> 00:08:22,240 achingly difficult compromises 226 00:08:23,019 --> 00:08:25,339 that any user is gonna have to grapple 227 00:08:25,339 --> 00:08:27,019 with. And, again, the problem is they're not 228 00:08:27,019 --> 00:08:27,759 being asked. 229 00:08:28,379 --> 00:08:31,665 Because if, for example, I choose to use 230 00:08:31,665 --> 00:08:33,605 Google's public DNS service 231 00:08:33,904 --> 00:08:36,384 and I set up my browser, Firefox, to 232 00:08:36,384 --> 00:08:39,365 pin all my queries to Google's public DNS, 233 00:08:41,424 --> 00:08:43,649 no one else can see me, but I'm 234 00:08:43,649 --> 00:08:45,970 sharing my life with Google even more than 235 00:08:45,970 --> 00:08:46,870 I was before. 
236 00:08:47,730 --> 00:08:48,549 In other words, 237 00:08:49,089 --> 00:08:51,110 I don't have any secrets from them anymore 238 00:08:51,169 --> 00:08:52,709 because they know everything. 239 00:08:53,730 --> 00:08:55,329 Now I could say the same if I 240 00:08:55,329 --> 00:08:57,730 use Cloudflare or Quad9 or any other 241 00:08:57,730 --> 00:08:59,110 open DNS resolver 242 00:09:00,075 --> 00:09:00,975 that, in essence, 243 00:09:02,315 --> 00:09:05,375 I'm sharing my life with that particular party. 244 00:09:05,754 --> 00:09:06,254 Now 245 00:09:07,034 --> 00:09:08,095 with my ISP, 246 00:09:08,634 --> 00:09:09,774 the theory goes, 247 00:09:10,235 --> 00:09:11,214 it's my country, 248 00:09:11,514 --> 00:09:12,334 my rules, 249 00:09:12,710 --> 00:09:13,210 my 250 00:09:13,629 --> 00:09:14,129 regulations, 251 00:09:14,549 --> 00:09:17,610 and my ISP, if they do anything contrary 252 00:09:18,549 --> 00:09:20,570 to my country's privacy standards, 253 00:09:21,269 --> 00:09:23,290 they have a fine to pay. They have 254 00:09:23,750 --> 00:09:27,154 ramifications. So in some ways, using my ISP 255 00:09:27,694 --> 00:09:30,095 is a known issue that when they behave 256 00:09:30,095 --> 00:09:30,595 badly, 257 00:09:31,134 --> 00:09:34,414 there's mediation measures. Right. Beyond that, if I'm 258 00:09:34,414 --> 00:09:37,554 using my DNS resolver on my host, 259 00:09:38,320 --> 00:09:40,320 I have the ability to install some small 260 00:09:40,320 --> 00:09:42,980 piece of software that randomizes who I'm using. 261 00:09:43,519 --> 00:09:45,839 Whereas if the DNS resolver is hidden in 262 00:09:45,839 --> 00:09:46,500 the browser 263 00:09:48,639 --> 00:09:51,200 Alright. Now let's say that my DNS resolver 264 00:09:51,200 --> 00:09:53,205 in my browser, that is a hidden choice, 265 00:09:54,085 --> 00:09:55,865 goes to a resolver 266 00:09:56,325 --> 00:09:57,225 located in, 267 00:09:58,485 --> 00:09:59,865 oh, look, Absurdistan. 
268 00:10:00,884 --> 00:10:02,825 Yeah. Now in Absurdistan, 269 00:10:03,365 --> 00:10:05,605 I, Geoff, am an alien. I have no 270 00:10:05,605 --> 00:10:06,105 rights. 271 00:10:06,860 --> 00:10:09,340 Whatever the privacy rules and regulations are in 272 00:10:09,340 --> 00:10:09,840 Absurdistan, 273 00:10:10,700 --> 00:10:12,960 I have nothing I can do about that. 274 00:10:13,899 --> 00:10:15,840 So my data's being exfiltrated 275 00:10:16,620 --> 00:10:17,600 without my knowledge 276 00:10:18,139 --> 00:10:19,820 by a bunch of browser vendors who are 277 00:10:19,820 --> 00:10:22,695 chasing speed and actually aren't interested, oddly enough, 278 00:10:22,695 --> 00:10:24,154 in my security and privacy. 279 00:10:24,855 --> 00:10:26,455 They're doing it in the name of enhanced 280 00:10:26,455 --> 00:10:27,434 security and privacy. 281 00:10:27,815 --> 00:10:29,335 But in some ways, there's a certain amount 282 00:10:29,335 --> 00:10:32,475 of destruction going on at the same time. 283 00:10:32,855 --> 00:10:33,355 Because 284 00:10:34,460 --> 00:10:37,660 when I make that HTTPS, that TLS connection 285 00:10:37,660 --> 00:10:39,040 to that recursive resolver, 286 00:10:39,740 --> 00:10:42,080 I can't deny it was me. It's me. 287 00:10:42,540 --> 00:10:44,300 I can't deny I did it. I did 288 00:10:44,300 --> 00:10:44,800 it. 289 00:10:45,899 --> 00:10:49,040 All of a sudden, there's no uncertainty anymore. 290 00:10:49,304 --> 00:10:50,044 Yeah. It was 291 00:10:50,464 --> 00:10:50,964 me. 292 00:10:51,384 --> 00:10:54,024 So the recursive resolver not only gets to 293 00:10:54,024 --> 00:10:56,345 see me, but they get the most valuable 294 00:10:56,345 --> 00:10:59,464 piece of information they could possibly get. It 295 00:10:59,464 --> 00:11:01,004 really is me. 296 00:11:01,860 --> 00:11:03,720 No mucking around. It's me. 
297 00:11:04,660 --> 00:11:06,980 And that's something the DNS never provided in 298 00:11:06,980 --> 00:11:09,860 the past because with UDP, you had forwarders 299 00:11:09,860 --> 00:11:12,679 and handlers and load distributors and obfuscators 300 00:11:13,059 --> 00:11:15,220 and all kinds of rubbish. And so when 301 00:11:15,220 --> 00:11:18,254 a query arrives somewhere, sort of, who's asking? 302 00:11:18,394 --> 00:11:19,294 Well, I don't know. 303 00:11:20,634 --> 00:11:21,134 Guess. 304 00:11:21,914 --> 00:11:23,134 But now with HTTPS, 305 00:11:23,514 --> 00:11:26,174 the recursive resolver goes, ah, Russ, 306 00:11:26,634 --> 00:11:27,615 good to see you. 307 00:11:27,995 --> 00:11:29,434 Oh, by the way, here's some names you 308 00:11:29,434 --> 00:11:30,095 might like. 309 00:11:30,799 --> 00:11:32,879 Because it's you. You know? You just gotta 310 00:11:32,879 --> 00:11:35,120 get away from that. And and, again, the 311 00:11:35,120 --> 00:11:37,839 issue is, Russ, you might wanna make that 312 00:11:37,839 --> 00:11:38,339 choice. 313 00:11:38,879 --> 00:11:40,100 But I'm 314 00:11:40,639 --> 00:11:41,139 quite 315 00:11:41,839 --> 00:11:42,339 disturbed 316 00:11:42,975 --> 00:11:45,534 that a bunch of developers inside the browser 317 00:11:45,534 --> 00:11:47,794 factory is making that choice for you. 318 00:11:48,815 --> 00:11:50,514 And once the defaults get shifted, 319 00:11:50,975 --> 00:11:52,815 then I think we're into a very, very 320 00:11:52,815 --> 00:11:55,315 different and rather disturbing world in this space. 321 00:11:56,129 --> 00:11:58,629 And so that's the kind of background to 322 00:11:58,690 --> 00:12:00,470 why that meeting in Prague 323 00:12:01,330 --> 00:12:02,149 was so 324 00:12:02,610 --> 00:12:03,110 tensioned 325 00:12:04,450 --> 00:12:05,990 that everyone went there, 326 00:12:06,450 --> 00:12:08,929 that this is not really about increasing the 327 00:12:08,929 --> 00:12:11,785 privacy of the DNS. 
Oddly enough, it's actually 328 00:12:11,785 --> 00:12:14,205 about decreasing the privacy of the DNS 329 00:12:14,665 --> 00:12:15,165 selectively. 330 00:12:16,504 --> 00:12:18,985 Yeah. I think that's the critical point. So 331 00:12:18,985 --> 00:12:20,504 is there I mean, where do we go 332 00:12:20,504 --> 00:12:22,345 from here? Is there anything that that we 333 00:12:22,345 --> 00:12:24,264 can tell people who are listening to this, 334 00:12:24,264 --> 00:12:24,899 you know, 335 00:12:28,580 --> 00:12:31,240 cry? No. Enjoy the taste of sweet irony? 336 00:12:36,899 --> 00:12:37,399 I 337 00:12:38,024 --> 00:12:39,865 I I I think this is a difficult 338 00:12:39,865 --> 00:12:40,365 issue, 339 00:12:40,745 --> 00:12:42,764 and I would certainly believe 340 00:12:43,065 --> 00:12:44,125 that at some point, 341 00:12:45,225 --> 00:12:46,204 the technology 342 00:12:46,664 --> 00:12:49,084 debate, which used to be in the DNS, 343 00:12:49,304 --> 00:12:50,684 a very small debate 344 00:12:51,200 --> 00:12:53,379 with a very, very small cadre 345 00:12:53,919 --> 00:12:54,500 of professionals 346 00:12:56,080 --> 00:12:57,220 who, on the whole, 347 00:12:57,919 --> 00:12:59,379 obeyed a principle of 348 00:12:59,840 --> 00:13:01,539 do things incredibly slowly 349 00:13:02,240 --> 00:13:02,740 and 350 00:13:03,524 --> 00:13:05,684 be really, really sure if you wanna change 351 00:13:05,684 --> 00:13:06,345 the world, 352 00:13:08,245 --> 00:13:11,024 got taken over by a, 353 00:13:12,084 --> 00:13:12,824 more aggressive, 354 00:13:13,444 --> 00:13:14,424 browser community 355 00:13:15,044 --> 00:13:16,824 that, you know, has just done WebRTC, 356 00:13:17,284 --> 00:13:18,424 has just done HTTPS, 357 00:13:18,950 --> 00:13:20,730 has just done this, and just done that. 
358 00:13:21,110 --> 00:13:23,589 And that world has an entirely different set 359 00:13:23,589 --> 00:13:24,809 of ethics and standards, 360 00:13:25,589 --> 00:13:27,990 that getting product out the door is much 361 00:13:27,990 --> 00:13:30,490 more important than getting good product. 362 00:13:32,424 --> 00:13:34,825 And I suspect that the only real kind 363 00:13:34,825 --> 00:13:36,745 of approach left in this space is to 364 00:13:36,745 --> 00:13:39,065 say, well, we should not be going down 365 00:13:39,065 --> 00:13:40,365 this path so quickly. 366 00:13:41,225 --> 00:13:43,304 We might want to do it, but we 367 00:13:43,304 --> 00:13:44,524 might want to understand 368 00:13:45,460 --> 00:13:48,679 how we make informed and reasonable choices. 369 00:13:49,779 --> 00:13:50,279 Now 370 00:13:51,379 --> 00:13:53,159 this is not just the DNS. 371 00:13:54,980 --> 00:13:56,679 This is not just the DNS 372 00:13:57,379 --> 00:13:57,879 because 373 00:13:58,464 --> 00:13:59,365 there is an increasing 374 00:14:00,065 --> 00:14:01,764 amount of impatience 375 00:14:02,384 --> 00:14:04,085 by the application community 376 00:14:05,105 --> 00:14:06,884 about the incredibly 377 00:14:07,264 --> 00:14:09,284 slow pace of the infrastructure 378 00:14:09,585 --> 00:14:10,085 community. 379 00:14:11,850 --> 00:14:13,710 What if I wanna change this to TCP? 380 00:14:14,809 --> 00:14:17,610 Oh, jeez. I need to make Apple and 381 00:14:17,610 --> 00:14:18,110 Android 382 00:14:18,570 --> 00:14:21,610 and Windows and and and and and and 383 00:14:21,610 --> 00:14:23,230 I've gotta get it in all the distributions, 384 00:14:23,610 --> 00:14:25,370 and I've gotta do this, and I've gotta 385 00:14:25,529 --> 00:14:27,070 oh god. I'm gonna die first. 386 00:14:27,875 --> 00:14:28,534 You can't. 387 00:14:28,835 --> 00:14:29,335 Right? 388 00:14:30,274 --> 00:14:32,834 The the network is now so big. It 389 00:14:32,914 --> 00:14:35,654 it's sort of sclerotic. 
It's just not changing. 390 00:14:36,434 --> 00:14:37,095 The frustration 391 00:14:37,475 --> 00:14:39,554 from the application folk who are used to 392 00:14:39,554 --> 00:14:41,629 pushing our product is, okay. 393 00:14:42,009 --> 00:14:43,149 I'm gonna do it myself. 394 00:14:44,490 --> 00:14:47,129 And so things that we always thought were 395 00:14:47,129 --> 00:14:47,629 infrastructure 396 00:14:48,330 --> 00:14:50,830 are now moving to so called user space. 397 00:14:51,769 --> 00:14:53,389 So the DNS has moved. 398 00:14:53,795 --> 00:14:56,535 Browsers, anyone can do DNS over HTTPS, 399 00:14:57,235 --> 00:14:59,095 and no firewall can stop you. 400 00:14:59,555 --> 00:15:00,055 Okay? 401 00:15:00,434 --> 00:15:02,134 What about TCP? Well, 402 00:15:02,514 --> 00:15:03,894 need I mention QUIC 403 00:15:04,754 --> 00:15:06,995 Right. Which is another example. You you lift 404 00:15:06,995 --> 00:15:09,190 up what was used to be a lower 405 00:15:09,190 --> 00:15:11,429 level function and just drag it into the 406 00:15:11,429 --> 00:15:11,929 application. 407 00:15:12,309 --> 00:15:13,829 And so now all it does is, hi. 408 00:15:13,829 --> 00:15:16,629 I'm just sending UDP. There's nothing suspicious in 409 00:15:16,629 --> 00:15:17,129 here. 410 00:15:18,149 --> 00:15:19,365 Deep inside this 411 00:15:19,684 --> 00:15:22,245 is a pseudo TCP, and deep inside that 412 00:15:22,245 --> 00:15:22,985 is encryption. 413 00:15:23,524 --> 00:15:25,284 What's going on in those packets? Yeah. You're 414 00:15:25,284 --> 00:15:26,184 not meant to know. 415 00:15:26,644 --> 00:15:28,745 Not even the platform is meant to know. 416 00:15:29,044 --> 00:15:31,705 How quickly can QUIC be changed? Well, 417 00:15:32,149 --> 00:15:33,590 I put out a new version of the 418 00:15:33,590 --> 00:15:35,350 browser, a new version of the app, and 419 00:15:35,350 --> 00:15:37,269 I've changed it. 
I don't have to wait 420 00:15:37,269 --> 00:15:39,669 for Apple or Android or anyone else. I 421 00:15:39,669 --> 00:15:40,649 just change it. 422 00:15:41,509 --> 00:15:43,850 And so the way we're kind of coping 423 00:15:44,070 --> 00:15:45,644 with an ever larger network 424 00:15:46,205 --> 00:15:47,985 is to actually push control 425 00:15:48,684 --> 00:15:50,845 further and further away from the folk who 426 00:15:50,845 --> 00:15:51,904 used to control it. 427 00:15:52,764 --> 00:15:55,485 So the folk who operated the wires and 428 00:15:55,485 --> 00:15:57,105 the routers, yeah, irrelevant. 429 00:15:58,350 --> 00:16:00,669 The folk who even pushed out operating system 430 00:16:00,669 --> 00:16:01,970 platforms, irrelevant. 431 00:16:03,389 --> 00:16:05,230 Even the folk who've moved the data centers 432 00:16:05,230 --> 00:16:07,330 and set that CDN stuff up, irrelevant. 433 00:16:08,350 --> 00:16:11,730 Because it's now a world negotiated around applications, 434 00:16:12,715 --> 00:16:14,955 And it's the applications themselves that kinda go, 435 00:16:14,955 --> 00:16:18,095 look. I'm not gonna expose anything at all 436 00:16:18,154 --> 00:16:20,394 to the lower levels of the technology stack. 437 00:16:20,394 --> 00:16:22,715 It's just not gonna be there. I'm gonna 438 00:16:22,715 --> 00:16:24,894 suck everything up that's of value and importance, 439 00:16:25,250 --> 00:16:27,730 and I'm gonna drive it directly from inside 440 00:16:27,730 --> 00:16:30,230 the app. It gives me ultimate control, 441 00:16:31,009 --> 00:16:33,009 and it gives me, if you will, a 442 00:16:33,009 --> 00:16:33,990 degree of 443 00:16:34,850 --> 00:16:35,350 relationship 444 00:16:35,730 --> 00:16:38,129 with the end user that nobody else can 445 00:16:38,129 --> 00:16:38,629 intermediate. 446 00:16:39,575 --> 00:16:41,735 I own them. When they're running my app, 447 00:16:41,735 --> 00:16:43,195 they're me, and I'm them. 
448 00:16:43,735 --> 00:16:45,115 And I suspect that 449 00:16:45,894 --> 00:16:47,674 having gone down this path, 450 00:16:49,815 --> 00:16:51,654 it's hard to say, can we wind that 451 00:16:51,654 --> 00:16:53,495 back? And and if you did, sort of, 452 00:16:53,495 --> 00:16:54,794 why would we want to? 453 00:16:56,399 --> 00:16:58,559 Yeah. Which is a long way of saying, 454 00:16:58,559 --> 00:17:00,159 Russ, to your question, what can we do 455 00:17:00,159 --> 00:17:00,820 about it? 456 00:17:02,240 --> 00:17:04,240 I, for one, embrace our new overlords and 457 00:17:04,240 --> 00:17:05,619 wish them all the best. 458 00:17:10,025 --> 00:17:11,865 Hope that they that they do well by 459 00:17:11,865 --> 00:17:14,025 us. I hope they I hope I do 460 00:17:14,025 --> 00:17:15,785 well under the regime. I'm like, what else 461 00:17:15,785 --> 00:17:16,684 can I say? 462 00:17:17,705 --> 00:17:19,545 It is a different world in that respect, 463 00:17:19,545 --> 00:17:21,569 and and, yes, power has changed, 464 00:17:22,049 --> 00:17:23,750 and the power is shifted inexorably, 465 00:17:25,569 --> 00:17:27,649 further and further up the stack, and and 466 00:17:27,649 --> 00:17:29,750 the DNS is coming along with it. 467 00:17:30,130 --> 00:17:31,970 Yeah. Well, software eats the world, and we 468 00:17:31,970 --> 00:17:34,450 don't think about the consequences of software eating 469 00:17:34,450 --> 00:17:35,414 the world. We just 470 00:17:36,134 --> 00:17:37,975 we run off and say it glibly and 471 00:17:37,975 --> 00:17:39,815 say, yeah. Software is eating the world. Yeah. 472 00:17:39,815 --> 00:17:41,575 What does that mean? Well, I don't know. 473 00:17:41,575 --> 00:17:43,174 It eats the world. Yeah. Well 474 00:17:44,295 --> 00:17:46,375 You're right. And and now you're kinda seeing 475 00:17:46,375 --> 00:17:49,019 that. 
And, of course, it's leaving a whole 476 00:17:49,019 --> 00:17:50,000 bunch of players 477 00:17:50,539 --> 00:17:52,160 in a very, very strange position. 478 00:17:53,900 --> 00:17:55,119 They have no ability 479 00:17:56,380 --> 00:17:57,759 to exert influence. 480 00:17:59,100 --> 00:18:00,320 QoS is dead. 481 00:18:00,825 --> 00:18:03,944 The whole issue of I control the way 482 00:18:03,944 --> 00:18:06,524 applications perform on my network. No. You don't. 483 00:18:06,825 --> 00:18:09,704 The applications have long since given up. They 484 00:18:09,704 --> 00:18:10,444 don't expose 485 00:18:10,744 --> 00:18:13,144 enough for the network or the network operator 486 00:18:13,144 --> 00:18:15,080 to control it. I control what you're seeing 487 00:18:15,080 --> 00:18:17,019 through the DNS. I'm sorry. You don't. 488 00:18:17,480 --> 00:18:20,039 And so all those traditional mechanisms, which actually, 489 00:18:20,039 --> 00:18:21,720 I think, comes back from the old telephone 490 00:18:21,720 --> 00:18:25,640 thinking, that the network operator actually set the 491 00:18:25,640 --> 00:18:26,140 standards, 492 00:18:26,840 --> 00:18:27,740 set the agenda, 493 00:18:28,315 --> 00:18:30,875 ran the system, and the application folk were 494 00:18:30,875 --> 00:18:32,955 just folk who, you know, created the color 495 00:18:32,955 --> 00:18:35,275 and the light, but the true control was 496 00:18:35,275 --> 00:18:36,095 was was elsewhere. 497 00:18:36,875 --> 00:18:39,914 That's over now. The application folk are actually 498 00:18:39,914 --> 00:18:41,375 the true controllers of this, 499 00:18:41,720 --> 00:18:43,640 and that all they regard you know, require 500 00:18:43,640 --> 00:18:44,619 from everyone else 501 00:18:45,079 --> 00:18:48,440 is just the crappiest possible cheap network that 502 00:18:48,440 --> 00:18:50,920 just switches packets, and that they'll do the 503 00:18:50,920 --> 00:18:51,420 rest. 504 00:18:52,920 --> 00:18:55,674 Yeah. 
That's that's interesting because that that has 505 00:18:55,674 --> 00:18:57,434 a lot of implications for a lot of 506 00:18:57,434 --> 00:18:59,695 other places going on in the world. Well, 507 00:18:59,755 --> 00:19:01,195 you know, we could look even at the 508 00:19:01,195 --> 00:19:02,255 things like security, 509 00:19:03,275 --> 00:19:05,595 and and the effort has always been and 510 00:19:05,595 --> 00:19:07,434 and I'll touch upon a subject that the 511 00:19:07,434 --> 00:19:09,115 Russ and I are quite familiar with, routing 512 00:19:09,115 --> 00:19:09,615 security. 513 00:19:10,119 --> 00:19:12,200 And the whole issue goes, if we tighten 514 00:19:12,200 --> 00:19:13,019 up the infrastructure, 515 00:19:13,720 --> 00:19:14,940 everything will be good. 516 00:19:15,559 --> 00:19:16,220 The application 517 00:19:16,519 --> 00:19:17,339 world says, 518 00:19:17,880 --> 00:19:18,619 don't care. 519 00:19:19,480 --> 00:19:21,960 Just don't care. I wanna know who I'm 520 00:19:21,960 --> 00:19:22,859 talking to, 521 00:19:23,605 --> 00:19:25,524 how I talk to them, the path I 522 00:19:25,524 --> 00:19:26,505 use, meh, 523 00:19:27,524 --> 00:19:28,184 not interested. 524 00:19:28,804 --> 00:19:30,484 I will decide if I'm talking to the 525 00:19:30,484 --> 00:19:31,304 right party. 526 00:19:31,684 --> 00:19:34,424 I actually don't value routing security. 527 00:19:35,365 --> 00:19:37,384 It just doesn't matter to me anymore. 528 00:19:38,819 --> 00:19:41,380 And from that respect, you know, the whole 529 00:19:41,380 --> 00:19:42,599 emphasis on 530 00:19:42,900 --> 00:19:44,039 who gets to 531 00:19:45,140 --> 00:19:45,720 run, operate, 532 00:19:46,420 --> 00:19:48,819 oversee the integrity of the service that gets 533 00:19:48,819 --> 00:19:49,319 delivered, 534 00:19:49,940 --> 00:19:51,799 the application folk are kinda going, 535 00:19:52,259 --> 00:19:53,319 leave it to us. 536 00:19:53,664 --> 00:19:55,505 Just leave it to us. 
We don't want 537 00:19:55,505 --> 00:19:56,244 your input. 538 00:19:59,904 --> 00:20:01,204 Which yes. Again, 539 00:20:02,065 --> 00:20:02,565 it's, 540 00:20:03,505 --> 00:20:06,724 a little worrying from a network engineering perspective. 541 00:20:06,785 --> 00:20:07,285 Right? 542 00:20:07,930 --> 00:20:10,809 Oh, totally. Totally worrying. It it it because 543 00:20:10,809 --> 00:20:13,309 I think it rewrites exactly what network engineering 544 00:20:13,690 --> 00:20:14,509 is on about. 545 00:20:14,890 --> 00:20:16,650 You know, there was this model, and and 546 00:20:16,650 --> 00:20:18,170 it was certainly a model I grew up 547 00:20:18,170 --> 00:20:18,670 with, 548 00:20:19,049 --> 00:20:20,590 where the network engineer 549 00:20:21,535 --> 00:20:23,775 should have had some familiarity with the profile 550 00:20:23,775 --> 00:20:25,634 of traffic that the network was carrying, 551 00:20:26,015 --> 00:20:28,654 and therefore was able to make sound judgment 552 00:20:28,654 --> 00:20:30,515 as to where to place limited resources 553 00:20:30,894 --> 00:20:33,075 to create the maximum number of happy customers. 554 00:20:33,535 --> 00:20:35,309 You know? It was sort of, I will 555 00:20:35,309 --> 00:20:37,069 do these decisions on the behalf of the 556 00:20:37,069 --> 00:20:39,549 users to maximize my profit and to maximize 557 00:20:39,549 --> 00:20:42,210 my customers' enjoyment. There we go. Now 558 00:20:42,750 --> 00:20:44,130 you don't get that say. 559 00:20:44,589 --> 00:20:46,109 You just don't get to play in that 560 00:20:46,109 --> 00:20:48,609 game as a network engineer because the application's 561 00:20:48,829 --> 00:20:50,625 kinda going, I'm not telling you what I'm 562 00:20:50,625 --> 00:20:51,125 doing. 563 00:20:51,825 --> 00:20:53,625 I'm just not telling you what I'm doing. 564 00:20:53,625 --> 00:20:55,765 I'm not telling anyone what I'm doing. 565 00:20:58,144 --> 00:21:00,644 Wow. Yeah. Okay. 
Now that 566 00:21:01,585 --> 00:21:03,045 now now that we're all depressed. 567 00:21:03,830 --> 00:21:05,430 Well, you want me to talk about DoH. 568 00:21:05,430 --> 00:21:07,830 I'm like, that's what DoH this this is 569 00:21:07,830 --> 00:21:09,930 why DoH is just such a big topic. 570 00:21:10,470 --> 00:21:13,210 Yeah, sure. Of course. It's not the DNS 571 00:21:13,269 --> 00:21:15,430 per se. Yeah, it's everything that comes with 572 00:21:15,430 --> 00:21:17,414 it. So what do you think just to 573 00:21:17,414 --> 00:21:19,914 speculate, what do you think is keeping the 574 00:21:20,055 --> 00:21:22,134 the browser people from just pushing the button? 575 00:21:22,134 --> 00:21:23,914 Why wouldn't they just do it right now? 576 00:21:25,815 --> 00:21:26,475 You know, 577 00:21:27,255 --> 00:21:28,795 ten years ago, they would have. 578 00:21:29,460 --> 00:21:31,319 Ten years ago, they were confident 579 00:21:32,980 --> 00:21:34,679 that both the public commentary 580 00:21:35,460 --> 00:21:37,960 and the underlying regulatory regime 581 00:21:38,579 --> 00:21:39,319 were sufficiently 582 00:21:39,619 --> 00:21:41,984 distracted by, gee whiz, isn't this amazing, 583 00:21:42,865 --> 00:21:44,545 that anything was possible, and you could have 584 00:21:44,545 --> 00:21:45,444 just done it. 585 00:21:45,904 --> 00:21:47,825 Because no one was there to say, that's 586 00:21:47,825 --> 00:21:49,684 not a good thing. That's a bad thing. 587 00:21:49,904 --> 00:21:51,684 Because the argument was one-sided. 588 00:21:52,464 --> 00:21:53,984 You know, the folk who knew what they 589 00:21:53,984 --> 00:21:55,799 were doing were busy employed to do it. 590 00:21:56,680 --> 00:21:58,440 And the other side of this, there was 591 00:21:58,440 --> 00:22:00,140 no one there to voice that view. 592 00:22:00,840 --> 00:22:02,220 But these days, 593 00:22:02,600 --> 00:22:04,140 regulators are emboldened.
594 00:22:05,640 --> 00:22:06,779 The entire GDPR 595 00:22:07,080 --> 00:22:07,580 exercise 596 00:22:07,974 --> 00:22:08,714 that kinda 597 00:22:09,095 --> 00:22:11,254 goes, I am sick and tired of you 598 00:22:11,254 --> 00:22:13,894 folk playing with my data as if it 599 00:22:13,894 --> 00:22:14,714 didn't matter. 600 00:22:15,095 --> 00:22:17,494 It's my data. Look after it or pay 601 00:22:17,494 --> 00:22:18,634 horrendous fines. 602 00:22:19,014 --> 00:22:21,160 Up to you, but get better. And what 603 00:22:21,160 --> 00:22:23,320 it really says is that the regulators are 604 00:22:23,320 --> 00:22:24,299 prepared to say, 605 00:22:25,000 --> 00:22:26,700 I'm not gonna accept technology 606 00:22:27,240 --> 00:22:28,839 at all. I'm going to accept it on 607 00:22:28,839 --> 00:22:29,900 a conditional basis. 608 00:22:30,440 --> 00:22:32,359 Folk have to feel comfortable in using it 609 00:22:32,359 --> 00:22:33,019 and confident 610 00:22:33,365 --> 00:22:35,625 that it's a two-way relationship, and and 611 00:22:35,684 --> 00:22:38,164 the end user is actually having being respected 612 00:22:38,164 --> 00:22:38,984 in this process. 613 00:22:39,684 --> 00:22:43,144 So what's stopping this is that if Google 614 00:22:43,684 --> 00:22:44,904 went all the way, 615 00:22:45,285 --> 00:22:46,825 and all the way is 616 00:22:47,365 --> 00:22:50,380 Chrome gets hardwired to go to Google's public 617 00:22:50,380 --> 00:22:51,759 DNS by default, 618 00:22:52,380 --> 00:22:53,900 and you have to go down the nerd 619 00:22:53,900 --> 00:22:54,559 knob path 620 00:22:54,940 --> 00:22:56,079 to unravel it.
621 00:22:56,539 --> 00:22:58,799 My suspicion at that point is that 622 00:22:59,259 --> 00:23:00,400 whatever antitrust, 623 00:23:00,940 --> 00:23:03,200 anti, you know, massive business 624 00:23:03,575 --> 00:23:04,875 sentiment is out there, 625 00:23:06,055 --> 00:23:08,775 that move would unleash a certain amount of 626 00:23:08,775 --> 00:23:10,234 immediate regulatory reaction. 627 00:23:10,615 --> 00:23:11,595 Mhmm. Because 628 00:23:12,134 --> 00:23:15,494 tying up that particular browser, 78% 629 00:23:15,494 --> 00:23:16,200 of the world, 630 00:23:16,679 --> 00:23:18,700 with that particular view of the DNS, 631 00:23:20,119 --> 00:23:22,700 with shutting down everyone else's view, 632 00:23:23,240 --> 00:23:23,740 with 633 00:23:24,119 --> 00:23:27,159 concentrating a huge amount of strategic information about 634 00:23:27,159 --> 00:23:29,579 what people are doing inside the same company 635 00:23:30,119 --> 00:23:31,179 is kind of like, 636 00:23:31,825 --> 00:23:34,384 if you think there's competition out there, you're 637 00:23:34,384 --> 00:23:36,085 just not thinking right. 638 00:23:36,545 --> 00:23:39,125 At that point, we're all dancing Google's tune. 639 00:23:39,424 --> 00:23:39,924 And 640 00:23:40,225 --> 00:23:42,065 if that's about as bad as it gets, 641 00:23:42,065 --> 00:23:43,424 then I guess that's as bad as it 642 00:23:43,424 --> 00:23:45,845 gets. So would Google do it? 643 00:23:46,220 --> 00:23:47,119 I would hope. 644 00:23:48,220 --> 00:23:50,140 And in fact, I'm pretty confident that somewhere 645 00:23:50,140 --> 00:23:52,799 inside that massive company are a few adults. 646 00:23:53,579 --> 00:23:55,820 And and a little a little bit of 647 00:23:55,820 --> 00:23:56,640 adult supervision 648 00:23:57,019 --> 00:23:57,519 because 649 00:23:57,820 --> 00:23:59,505 knowing that you can do it 650 00:24:00,384 --> 00:24:03,825 is completely different from deciding that you will 651 00:24:03,825 --> 00:24:04,484 do it. 
652 00:24:05,345 --> 00:24:06,944 And it's certainly a case that you can, 653 00:24:06,944 --> 00:24:08,704 and as as I said before, as long 654 00:24:08,704 --> 00:24:10,464 as it's a nerd knob and kinda difficult 655 00:24:10,464 --> 00:24:11,365 to turn on, 656 00:24:12,305 --> 00:24:13,125 doesn't matter. 657 00:24:13,440 --> 00:24:14,960 But if the default is there for the 658 00:24:14,960 --> 00:24:16,819 shift that way for whatever reason, 659 00:24:17,440 --> 00:24:18,960 then at that point, we're going down a 660 00:24:18,960 --> 00:24:20,019 path that is, 661 00:24:21,119 --> 00:24:24,000 awesomely fearsome. It just is difficult to understand 662 00:24:24,000 --> 00:24:25,839 where it goes after that. Yeah. Because it 663 00:24:25,839 --> 00:24:28,000 displaces so much control in one one one 664 00:24:28,000 --> 00:24:28,500 entity. 665 00:24:29,095 --> 00:24:30,795 We don't know how to deal with it. 666 00:24:30,934 --> 00:24:31,914 Right. Yeah. 667 00:24:32,934 --> 00:24:34,695 Well, Jeff, thanks for coming on The Hedge 668 00:24:34,695 --> 00:24:36,075 and depressing us all. 669 00:24:37,815 --> 00:24:39,255 Yeah. I mean, this was really a good 670 00:24:39,255 --> 00:24:41,414 conversation. Now is there any place anybody can 671 00:24:41,414 --> 00:24:43,740 go to read other than IPJ about DoH? 672 00:24:43,819 --> 00:24:45,420 Because I know your article in IPJ was 673 00:24:45,420 --> 00:24:46,960 very perceptive and very good, 674 00:24:47,500 --> 00:24:49,579 Internet Protocol Journal. But is there but but 675 00:24:49,579 --> 00:24:51,339 there are there other places people should be 676 00:24:51,339 --> 00:24:51,839 looking? 677 00:24:53,900 --> 00:24:55,039 There is an overall, 678 00:24:56,059 --> 00:24:59,075 advocacy page about the technology of privacy, 679 00:24:59,694 --> 00:25:01,394 the DNS privacy project.
680 00:25:02,654 --> 00:25:03,554 And Sinodun, 681 00:25:04,015 --> 00:25:04,835 Sarah Dickinson, 682 00:25:05,134 --> 00:25:07,054 is a big, big player in that. And 683 00:25:07,054 --> 00:25:09,694 that's a page, well, we're seeing. It doesn't 684 00:25:09,694 --> 00:25:11,775 have the commentary, but it certainly describes the 685 00:25:11,775 --> 00:25:12,275 technology. 686 00:25:13,660 --> 00:25:15,820 For commentary around it and for a sort 687 00:25:15,820 --> 00:25:17,900 of a larger thing, I certainly have written 688 00:25:17,900 --> 00:25:20,240 a number of things myself about this. And, 689 00:25:20,779 --> 00:25:23,920 as usual, you'll find that on potaroo.net. 690 00:25:24,539 --> 00:25:26,559 It's a small, furry Australian animal. 691 00:25:27,275 --> 00:25:28,794 www.potaroo.net, 692 00:25:28,794 --> 00:25:31,214 and you'll find some articles there about DNS, 693 00:25:31,275 --> 00:25:32,255 DNS privacy, 694 00:25:32,875 --> 00:25:35,275 and some discussion about, well, what does it 695 00:25:35,275 --> 00:25:36,654 mean and where is it going? 696 00:25:37,194 --> 00:25:38,335 Related areas. 697 00:25:38,970 --> 00:25:39,630 My suspicion is 698 00:25:41,609 --> 00:25:44,089 that things will go sleepy until someone turns 699 00:25:44,089 --> 00:25:46,490 it on big time, and then every last 700 00:25:46,490 --> 00:25:48,569 news outlet, tech news outlet on the planet 701 00:25:48,569 --> 00:25:50,349 will go, oh, my god, Armageddon's 702 00:25:50,650 --> 00:25:51,309 just happened. 703 00:25:53,234 --> 00:25:55,014 But at that point, it'll be too late. 704 00:25:55,954 --> 00:25:57,875 Okay. Alright. So we know where to find 705 00:25:57,875 --> 00:25:59,654 you on potaroo.net. 706 00:25:59,875 --> 00:26:01,554 I know you also write on CircleID 707 00:26:01,554 --> 00:26:03,254 from time to time and APNIC. 708 00:26:03,554 --> 00:26:05,149 I I see your stuff out on APNIC.
709 00:26:05,929 --> 00:26:06,429 Twitter 710 00:26:06,730 --> 00:26:08,669 or anything like that? 711 00:26:09,849 --> 00:26:11,629 No. Not me. Not me. 712 00:26:12,649 --> 00:26:15,369 I I find 15 words, about 15,000 words 713 00:26:15,369 --> 00:26:16,095 too few. 714 00:26:17,694 --> 00:26:19,134 So if you go to potaroo, you know, 715 00:26:19,134 --> 00:26:20,494 don't go there for a two minute look 716 00:26:20,494 --> 00:26:21,855 because you're not gonna make it. 717 00:26:22,335 --> 00:26:24,015 It'll take a little bit apart for me. 718 00:26:24,015 --> 00:26:25,775 No. That's no. That's fine. I don't I 719 00:26:25,775 --> 00:26:27,615 don't really do a lot on Twitter either. 720 00:26:27,615 --> 00:26:29,220 People DM me on Twitter and I check 721 00:26:29,299 --> 00:26:30,659 it about once a month and go, oh, 722 00:26:30,659 --> 00:26:32,599 somebody DM'd me like a month ago. 723 00:26:32,900 --> 00:26:33,400 Yeah, 724 00:26:33,859 --> 00:26:35,460 I have I have the same issue. I 725 00:26:35,460 --> 00:26:36,599 I just like whatever 726 00:26:36,980 --> 00:26:37,480 so 727 00:26:37,859 --> 00:26:39,799 So Tom, where can people find you? 728 00:26:40,339 --> 00:26:41,480 Well, I do, 729 00:26:41,894 --> 00:26:43,335 look at Twitter a little more often than 730 00:26:43,335 --> 00:26:45,414 once a month, Tom Ammon, and then I'm 731 00:26:45,414 --> 00:26:46,315 also on LinkedIn. 732 00:26:46,775 --> 00:26:47,275 Okay. 733 00:26:47,654 --> 00:26:48,855 And I'm Russ. You can find me at 734 00:26:48,855 --> 00:26:50,375 rule eleven dot tech, and you can follow 735 00:26:50,375 --> 00:26:52,394 The Hedge on rule11.tech, 736 00:26:52,455 --> 00:26:54,535 unless Tom decides to start blogging too, and 737 00:26:54,535 --> 00:26:55,974 then there would be more than one place 738 00:26:55,974 --> 00:26:57,950 to follow it. But you know, I've been 739 00:26:57,950 --> 00:26:59,490 trying with Tom.
It just doesn't 740 00:27:00,110 --> 00:27:01,090 It hasn't taken 741 00:27:02,830 --> 00:27:04,670 So thanks for coming on, Jeff, and thanks 742 00:27:04,670 --> 00:27:05,809 for taking your time, 743 00:27:06,509 --> 00:27:07,410 and enjoy 744 00:27:08,269 --> 00:27:09,490 standing on the ceiling 745 00:27:10,205 --> 00:27:12,765 I just the books are amazing to me 746 00:27:12,765 --> 00:27:13,265 that 747 00:27:16,684 --> 00:27:19,164 Gravity is a wonderful thing. Thanks, Russ. Thanks, 748 00:27:19,164 --> 00:27:19,664 Tom. 749 00:27:41,252 --> 00:27:43,333 Thank you for joining us. You can find 750 00:27:43,333 --> 00:27:45,778 The Hedge at rule11.tech.