DNS4EU – Kick-Off for Developing a European Resolver Infrastructure

DNS4EU – Kick-Off for Developing a European Resolver Infrastructure

EU Commission awards contract to a European consortium under Czech leadership. Filtering requirements of tender viewed critically

Becoming more independent from US-based tech giants in the ICT sector has been a strong intention of the EU Commission for some time: Digital sovereignty is the key to achieve this goal. This has become manifest not only in initiatives like the European cloud GAIA-X but also in the efforts to establish an independent, recursive DNS resolver service as a European alternative to open resolvers of providers such as Google or Cloudflare. In early 2022, the Commission launched a corresponding tender under the project name DNS4EU.

Shortly before Christmas, it was announced that a consortium led by the Czech company Whalebone will in future operate the public resolver infrastructure, which is based entirely in the EU and distributed across several countries.

13 Consortium Partners from 10 Member States
Whaleboneis a Czech provider of IT security products with experience in operating the infrastructure required by the EU, including a "protective DNS resolver for ISP cybersecurity". The consortium is composed of 13 security providers from 10 countries, among them the operator of the Czech research network provider CESNET, the Technical University of Prague and the DNS registry CZ.NIC, which has been developing and offering its own open-source DNS software with the Knot resolver and server for many years. Germany is represented by is the DNSSEC specialist deSEC, and for Finland, the virus and malware expert F-Secure is involved. The other partners are the Bulgarian Ministry of Digital Administration, the Romanian IT Security Directorate and the country CERTs of Portugal, Poland and Hungary. Specialised knowledge is apparently to be contributed by the Belgian law firm Time.Lex, which specialises in innovation law, and the research department of the Italian banking association Abi Lab.

It is not yet known in detail, which role each individual partner is going to play in the realisation of the projects. CZ.NIC, however, informed that its main contribution will be its Knot software suite and that it is not planning to be involved in operations.

Framework Conditions and Goals
The European Commission wants to reach 100 million users with DNS4EU. The direct connection of DNS4EU with the DNS infrastructure of telecommunication companies and ISPs shall enable the latter to sort of "outsource" the operation of their own resolvers to the consortium. As part of the EU cybersecurity strategy, an initial funding of EUR 13 million is made available to the consortium partners for the development of the resolver service.

At a virtual press conference in January, the Whalebone management revealed further details about the business model and the implementation plans for DNS4EU. The service is scheduled to go live in 2026.

Sceptics criticise the filtering requirements that were part of the tender for the resolver service and are supposed to prevent phishing or malware attacks at the DNS level, for example, based on information from individual CERTs. According to these requirements, operators commit themselves to "filtering URLs leading to illegal content based on legal requirements applicable in the EU or in national jurisdictions (e.g. based on court decisions), in full compliance with EU rules". DENIC, just like many other European ccTLD operators, also look critically at the stipulated filtering rules.

Not least because of these concerns, a taskforce was set up by the RIPE community in December to develop principles for the operation of a public resolver. The taskforce plans to present a first discussion draft in the first quarter of 2023, and a final draft before the next RIPE meeting in May.

Stefanie Welters

Manager Policy Communications & Public Affairs - DENIC eG