SIDN a Company that does not value the Internet!
Today I received an e-mail from SIDN, the Dutch foundation that governs the .nl domain name about their journey to work together with CIRA an organization (a not-for-profit company) that governs the .ca domain name.
The post made me sad and angry about the future of both domain names, this post will make an attempt to explain why.
The Internet
In my world, the internet has always been a place that was about cooperation and sharing. Using interconnected computer networks to share research, personal advancements and software that was aimed at making life easier.
The Internet would never have existed in it's current form if it was not for open source software. And a lot of parts of the Internet are open source software.
Web servers, DNS servers, operating systems. In fact, most of the systems that make the 'bare bones' of the Internet are open. And most of them are also developed in an open development process, you are actually encouraged to make suggestions, report bugs and be included in the development process. And for a good reason, it makes the software better: more robust, more secure, better maintainable, more inclusive, and so on.
The .nl domain name and SIDN up till about fall last year.
For a long time, I considered .nl the 'go to domain name' for someone living in the Netherlands. It was governed by a Dutch foundation (SIDN), under Dutch law and it's systems where running on Dutch soil, maintained by Dutch system administrators and governed by Dutch people.
If you wanted you could just meet all these people and talk to them about the choices that where made and how things where done. And you knew that if something happened to these systems, the people responsible would be doing their best to get everything back up and running again in no-time. It was all 'in house' and there was no one else to blame if something went wrong, just SIDN themselves. And this just made a lot of sense.
Of course SIDN asked a price for registering a domain name, it was not free. And they asked more than they could spend on 'just maintaining' all of the .nl domains so they invented SIDNfonds (SIDN fund) a separate organization aimed at building a 'strong internet for everybody'. Which was (and still is) a very nice thing to have.
The registration system
From it's start way back in the previous century SIDN maintained their own Domain Registration System, called DRS which is currently at version 5 (so DRS5). As SIDN states itself: “IDN's existing domain registration system, DRS5, still works well”...(more on that later).
DRS5 is a closed source system, it is owned by SIDN and they are the only one using this system.
In short it works something like this: If you want to start using a domain name that ends in .nl you contact one of the “registrars”, a firm that provides domain name services and has direct access to the registration system of SIDN.
In the early days you had to manually print and sign a form and send that over to the registrar, but these days you just go to a website, fill in your details and payment information and in a few clicks you have a domain name you can use. It is good to know that the name itself is not owned by you, you only 'buy' a right to use it for a certain period of time.
The change a new CTO
Less than a year ago on Monday 28 August 2023, SIDN got a new Chief Technology Officer Loek Bakker and that is when things started to change. Having worked at TenneT, Alliander, Gartner and Capgemini, Loek was never really embedded in the open character of the Internet, or at least it seems so. Loek has a clear 'business view' on what SIDN should do.
While there is nothing wrong with a good long term plan and a view out in to the entire world. I strongly disagree with the turns SIDN has taken over the last year.
Enter CIRA
On Tuesday 24 October 2023 a bomb was dropped on the Dutch Internet community. SIDN announced that they formed a partnership with CIRA a Canadian organization.
The choice that was made to do this has, to this day, not really been explained or backed with hard reasons. Why, then was the collaboration chosen? As explained in the title of the press release the reason was:
to collaboratively develop, promote and support the current CIRA Registry Platform
...
The code base and intellectual property of the product, internally known at CIRA as Fury, will be transferred to a jointly owned and managed corporation based in Canada.
Apparently the agreement was signed in Hamburg, where a picture was made in front of a wall of which a lot of bottles of wine where hanging. Nikhef would have been a far better place to sign such an agreement and make a photo in my opinion.
In that same press-release it was announced that DRS5 would be replaced (of course). What will happen now (if we don't stop it) is that all the money that is going to be payed to SIDN for having a domain name will end up in a corporation based in Canada! Which is outrageous on it self!
Canada is not bound by European and Dutch laws like GDPR or normal Dutch law (Burgerlijk Wetboek). Dutch consumers or companies will have a harder time getting their rights if the problem lies with the registration system. And the influence of that system is huge! I would even argue that the system IS SIDN.
The press release is full of terms like 'industry-leading', 'years of experience' and 'best of breed', but there is no real objective explanation of what that means. It sounds more like a 'we will try our best' kind of effort-based promise.
And then there is the 'sign of non-transparency'. It is hidden in plain view in the middle of the page Financial terms of this deal are not being disclosed at this time. So obviously there has been some kind of financial understanding, which is probably in favor of the people in that picture.
Since there where no real technical details made clear at this moment, the press release went by as 'just another cooperation'. But at this moment all alarm bells should already have gone off in the Internet community in the Netherlands.
Enter AWS
On Monday 29 January 2024 SIDN published a press release about wanting to 'embrace the newest and best standard technologies' which explained that SIDN would develop Fury (or actually CIRA would do that, where all knowledge that is still available within SIDN will be handed over to the other side of the globe in the process) and that it shall be hosted at Amazon Web Services.
Adding insult to the Dutch hosting sector
On Tuesday 2 April 2024 lightning struck again. SIDN published a press release with the unbelievable title Why the AWS public cloud is our preferred option.
In an attempt to appease the crowd, SIDN made sure to put emphasis on the fact that it would move 'only the infrastructure used to register domain names and update existing registrations'. As if that is not one of the most important parts of the service that SIDN provides. A part that (in my opinion) is best kept under complete Dutch control in the Netherlands owned by a Dutch entity, built and maintained by Dutch people.
After this even more outrage spawned, from larger and smaller hosting businesses stating that you don't need a large hyperscaler to run something as simple as a domain registration system. In fact, you are probably better off creating a system that is very well suited to run on the infrastructure of Dutch providers.
Please don't worry about the US Cloud Act
In the list of 'Clarifications' that where mentioned in the press release of 2 April 2024 SIDN states: “Data about .nl registrants will remain in Europe; it will not be transferred to the US or anywhere else. We will be using the AWS data centres in Frankfurt and Dublin.” Which chooses to blatently ignore the fact that AWS falls under the US Cloud Act, even if it would be hosted in a special room of the Dutch high council (Hoge Raad), as long as it's Amazon that runs the service, it will be subject to the US Cloud Act and when asked (not if, when) AWS will give the US secret services or court access to data about .nl registrants.
Extra scary is the fact that if you want to register a .nl domain name you must give a real address and a real phone number.
In my view SIDN simply can not comply with GDPR (and AVG it's national implementation of that) since it can not guarantee that the data will not fall in to the hands of unauthorized foreign actors.
Another example here is that CIRA itself does not conform to the GDPR for their site. They offer no GDPR-supported way to 'not' accept tracking cookies from their site. This should have been addressed by SIDN before even contemplating a partnership with them, and it should also be addressed right now!
The train keeps rolling
Even though between October 2023 and today (Tuesday 25 June 2024) there has been a storm of criticism and outrage about the plan of SIDN to move their domain registration system to AWS, there is no sign of re-evaluation or reconsidering the path chosen by SIDN.
In the latest press release they state: “SIDN's existing domain registration system, DRS5, still works well, but managing and maintaining it are very time-consuming.” yet the 'time-consuming' part has not been quantified or explained. There are a lot of people that openly doubt that this is the case and so do I.
If it where so 'time-consuming' why is there still money left to spend on SIDNfonds or ont very expensive “Spokesman” roles within SIDN itself?
And even if it where 'time-consuming', if that is the primary goal of your organization, that does not mean you should outsource it.
How is the effort that will be spent on 'Fury' going to be benefiting the rest of the Internet? Who are the real beneficiaries of the deal(s) made between SIDN and CIRA? Why are the financial details not simply disclosed?
In the press release “Product Manager Don Slaunwhite” is quoted “Everyone involved in this project shares a single objective, That makes our partnership strong.” from what I read in between the lines, the community is not 'involved in this project'.
This line sort of says it all: “We envisage a long-term alliance between SIDN and CIRA, enabling both registries to seize market opportunities and accelerate technical advances.” it's not about the Internet, instead it is about seizing market opportunities and that is sad.
A possible solution
The good thing is, I see a way out. If only the new 'Fury' system would be developed in an open way, and be licensed under an open source license. GPL3 or EUPL sounds like a good candidate. Then you can still use all those new technologies, that are being talked about in the press releases.
If the development of the system would be done in open source only with open standards only, the Dutch hosting sector could create offerings specifically tailored to that system, that would in turn be better than anything a hyperscaler could offer.
A way out of the .nl name
For me personally I see no real change and even large organizations like the Dutch Cloud Community and 'De Vereniging van Registrars' (representing basically almost all customers of SIDN) have not been able to change the course of SIDN, which leaves me with this:
I will start migrating all my domains to .eu and I will advise all my customers (and anybody that wants to hear it) to move to .eu as soon as possible.
The .eu domain name will not move to a US owned cloud company any time soon and .eu names are generally even cheaper than .nl names too, which is an added bonus. And if you move to another EU-country you can just keep your domain name, since it is still relevant to you.
Go .EU!