Oh, does it work? Well, I think so. You have the microphone, yes. Yes, that is nice. OK, welcome everybody that just joined. Our next speaker, Peter Cernoos. Yes. And he will be talking about repairing DNS at TLD scale in the Czech Republic, I guess. Yes. Good luck. Better in .CZ. .CZ. Good morning. My name is Peter Cernoos from CZ.NIC. A few words about CZ.NIC. We are the .CZ TLD registry. Now we have about 1.3 million domains. And we have a very strong R&D department. Yes, some people are missing or left. But we follow the PowerDNS way. So we need lots of Peters in CZ.NIC. Our products are Knot DNS, Knot Resolver, the BIRD routing daemon, and Turris Omnia. You can find our colleagues' stands downstairs. And everything which is developed in CZ.NIC is open source. And for the Turris Omnia router, not only open software, but also open hardware. So you can download the PCB layout and bill of materials and construct your own router. And we do some research. And one of them is about some kind of stability or correct settings of the DNS servers managing .CZ domains. We have very simple requirements to get a domain delegated to your servers. You need only two authoritative DNS servers for delegation. That's all. After this, we make some checks. But if you have a wrong configuration or your DNS servers are dead, we only send email to the contacts. Lots of the time the contacts are old or non-existent emails. And nobody responds. But we still think the domain holders are responsible people. It is their responsibility to have the domain up and running. But not all the time. For information on how big the impact of a non-working domain or a badly configured domain is, we need some data. We were inspired by the IIS health check. It is a little bit older, but they made some checks for the whole .SE domain. And got information for government sites and for big companies. How configured are their services? Is everything okay? And published a report every year in the past. We tested with DNSCheck, mentioned in the previous presentation.
And for me it is very good that I can speak after the Zonemaster presentation. Because now we use Zonemaster for these checks. And this is a very good and very fast tool. With DNSCheck, it took 10 days to get through 1.3 million domains. And it was very hard to process the result. You get a database with a not so strict structure and you need to find everything. In Zonemaster you get everything in JSON, in relational databases, and the work is very good. There is one important question, and it was in the questions for the previous presentation. What is the correct state? I think there are people here who know DNS. And we can try a small poll. Do you think it is necessary to have a DNS server available over TCP and UDP port 53? Yes. And second question, IPv4 and IPv6. Necessary for all DNS servers serving the zone? Yes. Yes. I think so, but yes. We have yes, some no in this part. And this is on this second and very simple question. Third one, authoritative servers should not be recursive. Yes or no? Yes. Depends. Authoritative servers in different ASes. Yes. Yes. This is the reason. Lots of people, lots of opinions. And these last three are very tricky. Without public zone transfers. Don't care. Timers in the SOA record in some range. Correct reverse records for DNS servers. Yes. Would be beautiful. No. Actually, no need to make your reverse records correct. Yes. And these are only very easy questions. But DNS is very complex. Yes, lots of things. Lots of people think this is very simple. No, it isn't. Ah, OK. We started with some guidelines. It is very similar to the previously mentioned effort of the CENTR working group. It is based on the Zonemaster default policy. We only cover critical and error states which we can get from the Zonemaster tests. And we try to explain every setting, why it is important to set it correctly, or set it right as we think. And this will be used in the Czech Republic by the National Cyber Security Office. And this requirement will be mandatory for government domains.
Now in the Czech Republic, government and municipalities own around 7000 domains. And lots of them are very badly misconfigured. Now this is available in Czech. We will work on a translation in the future. But as we discussed in the past, there is no effort. And I am a little bit pessimistic about the Zonemaster people's effort to make it a standard. Because there are too many use cases in DNS. And there is no one simple recommendation. This is the only valid correct state. So we try to make it mandatory for government. But for other people this will be only recommendations. Some data from Zonemaster checks over the .CZ domain. We have 3.5% of domains with critical errors. This means the domains are dead. All name servers in the delegation are dead or don't provide the selected domain. And there is no simple solution for this problem. Or better, there can only be a political solution. We can adjust the rules for domain registration. For example .IS, the Icelandic registry, requires very strict rules. And when you break your domain you get a warning over email. And after, I think, maybe 8 weeks, the domain is removed and is free for another registration. But we prefer the way: yes, there are correct settings, but it is your domain. It is up to you. 13% of domains contain errors. The most common is delegation mismatch. So the registry sets some DNS servers in the delegation for the domain, and typically the infrastructure changes. And this can end with longer resolutions and a longer time needed to find the servers. 3.5% of all domains, not from the 14% but of all domains, have servers without TCP open. It is blocked, maybe not implemented. Who knows? No, we don't have too many djbdns servers in .CZ. These djbdns can do TCP but you need to configure it explicitly. Yes, configure it and make some ritual sacrifice or something. OK, lots of servers are recursive or are pointed to private addresses. Yes, we have lots of domains in which their DNS servers are in a private namespace or on private addresses.
And lots of DNS-related problems. And if I ask the same question as in the beginning, the DNS question of which is the correct setting and which is not, it is more complex than everything else. We have lots of domains with warnings. Many of all domains contain some warning. The most common is no reverse records. And this is very common for IPv6 DNS servers. Some domains owned by well-known people in the DNS community are without reverse records for IPv6 servers. But IPv6 has been with us for 18, maybe 20 years. This is the same as IPv4. And we had yesterday's discussion about EDNS0, and 5% of domains' authoritative servers returned a bad response for an EDNS query. So still lots of domains. It is about 60, maybe 70,000 domains in .CZ that returned EDNS errors. Lots of serial numbers and too low expire values. Again, there is no correct value for all. There was a question for the previous presentation about this. It's some recommendation, but you can have special use cases in which you need a lower expire value. Yes, lots of domains have expire lower than the refresh value. This is a funny tool. So, which we planned in .CZ, because I miss one image now. Sorry, yes. This was the result from DNSCheck. We're still running this tool. In this result, about three quarters look okay. So it is great, but we need to scare people to get some attention. So we need to adjust the rules and produce more errors. This is the only way to get attention for domain owners from administrators. We want to join this data with other sources. One nice project is DNS Magnitude from nic.at. We wanted to identify which domains are visited or heavily used and try to focus on these domains. But still you get a very long tail of domains with few visits and with bad configuration, because these domains are typically on some home servers. Maybe the home server has been turned off for years. We try to contact the correct people. This is the most difficult part, because sometimes when we send email we get no response from people. Sometimes an angry response.
No, this is not an error. We want it, and lots of other complaints. The main focus is to educate people. We try to make a topic from this and explain why it is important to have a correctly configured DNS server. This is the most difficult part, because everyone thinks he can understand DNS. We also work on our own user interface, or web user interface, for Zonemaster. We can maybe join our teams and combine this effort, because we want something simple. When we tested DNSCheck in the past, lots of people, after the announcement, tested their domains and repaired them. We hope for the same result after we announce the Zonemaster web page. Is this all? Is it time for questions? 5 minutes for questions, yes. No. Go. I don't have a question, but if you can go back to the slide, the errors that are not critical. The next one. This one. Yes, this one. I would argue that the bad EDNS0 answer is a critical error, because there is an effort between the open source vendors to just obsolete the... well, basically, the servers that give you a wrong answer if you ask them with EDNS0 and fail badly, to stop doing all the workarounds for them in the resolvers. We're just going to start believing them. There's an effort between the open source vendors that we should just stop supporting those servers, and there should be some date in the future where they just say they fail because you gave me a wrong answer. There's two things. It doesn't have to support EDNS0. It doesn't have to not fail. There's two things. I would argue that if it fails for EDNS0 it should be a critical error in this test, and it applies to Zonemaster as well. Yes. Not a question, sorry. No, okay. I think this one is moved to the guidelines. It is a warning, but it is in the guidelines: servers need to reply to EDNS0 correctly. What I'm saying is, if you ask with EDNS0 it gives you a SERVFAIL, and it doesn't give you a SERVFAIL without EDNS0, that should be a critical error.
Just remember that in Zonemaster this sort of decision is in the configuration file, so you can always edit Zonemaster, etc. Yeah, but it's not the default, but you can... You can make pull requests. I'm arguing that we as a DNS community should set this standard and see these errors as critical. When you talk about educating the domain holders, how is it looking with the registrars in between? Do you educate those as well? No, because registrars very often have well configured servers. We found big registrars and contacted them directly, and they repaired lots of things very fast. Is it unique to your TLD? I'm very sad. Not all. Some, yes, but "we have special infrastructure, we need this, this and this, and we cannot change it", and after one year they start, "yes, we changed it and this is better because we are the best". I must say I know that there is another TLD, for example in Hungary, where there is mandatory training for registrars, so it's not like "oh, I'm a new registrar", we need to do some training, so it's not just like free and hip. It is for IT as well, it does not work. I used to have that, but they removed that. Any other questions? Maybe a little hard. I manage quite some domains for our company, and the things you have problems with are the stuff that people ask for marketing reasons, for some event, for Sliced Bread version 2.com, and by the time you get everything correct, do you think it's over? Because it sits with some lawyers, that's a big problem, and then registrars for one year or two