Hosted in the US

Hi everyone,

I find it a bit strange that a German Verein under German laws (quote from the website's privacy policy: “As deSEC is located in Germany, privacy standards are rather high.”) who is proudly listing the European Union and its DNS4EU membership on the front page has both their nameservers hosted at NetActuate Inc. based in North Carolina, US. Was not the idea behind DNS4EU to create EU-based services?

Hello @Momo,

To me this seems more appropriate to post on the DNS4EU forums instead of at the deSEC community forum.

@Momo I think the title of your post may be misleading.

deSEC uses an Anycast network with multiple frontend servers around the world in addition to master servers. The IPs of ns1.desec.io and ns2.desec.org are registered to the US company you mentioned, that is true. And 3 of the currently 15 Anycast frontend locations are in the US. But that does not imply any hosting of critical services is done in the US.

I don’t think deSEC has published where the master servers are located/hosted. But the IPs of update.dedyn.io or desec.io may be a better indication of where (or at least at which company) the relevant and critical parts of the infrastructure are located. Hint: Frankfurt, Germany.

fiwswe

2 Likes

Hi,

There is nothing strange about this at all. deSEC being German and European means that the organization abides by applicable law, such as the European General Data Protection Regulation, and that its charitable tax status is with respect to the quite strict definition in the German tax code. It also means that deSEC and all of its activities fall under the jurisdiction of German and European courts of law.

This doesn’t mean deSEC can’t have servers outside of the European Union. On the contrary, websites with a global user base do want locations close to their users to keep connection latency low. Without the global presence, deSEC could not be an option for such websites.

The deSEC team is aware that servers abroad (and at home) are at risk of falling into the wrong hands. That’s why the deSEC DNS hosting architecture keeps all cryptographic keys on a server located in Germany. The servers in the distribution network contain only the DNS information that they are distributing - not any of the user database, access logs, DNSSEC signing keys, and so on. Basically only information that is intended to be public anyway. They are not part of the “trusted computing base”.

Nevertheless, the security of the cryptographic keys could be further improved by using a hardware security module (HSM) - so that even somebody who gets physical access to the signing server in Germany would face challenges getting the keys. Unfortunately such devices are very expensive.

If you are willing to contribute a couple thousand Euros to deSEC’s mission, using an HSM could certainly be put on the roadmap.

Stay secure,
Nils

3 Likes

Hi Nils,

Thank you for your clarification. I understand that you need a global anycast network to provide fast DNS services on a global scale and I understand that you choose an American company for this, which does not have access to any personal non-public data (and DNS records are public, of course) but can interrupt your entire name service in mere seconds if they get told to do so. That is why deSEC sadly is not for me. But thank you for being open with that.

Best regards,
Momo