Presentation on 'The Path to Resolverless DNS' by Geoff Huston for OARC 39 and 47th CENTR technical workshop, held in Belgrade on 22 and 23 October 2022
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
APNIC Chief Scientist Geoff Huston gives an overview of the complex many-layered model of DNS security, and a new emerging world of choices for protecting traffic, hiding queries, and the future trends in ISP provided, and independent third-party DNS services at the 2nd ICANN APAC-TWNIC Engagement Forum, held from 15 to 16 April 2021.
APNIC Chief Scientist, Geoff Huston, gives a presentation on DOH and the changing nature of the DNS as infrastructure at NZNOG 2020 in Christchurch, New Zealand, from 28 to 31 January 2020.
Domain Name System and Dynamic Host Configuration Protocol.pptxUsmanAhmed269749
Introduction to DNS and DHCP. The presentations highlights the introduction of Domain name System and Dynamic Host Configuration Protocol. These are essential study part in computer networking
2nd ICANN APAC-TWNIC Engagement Forum: DNS OblivionAPNIC
APNIC Chief Scientist Geoff Huston gives an overview of the complex many-layered model of DNS security, and a new emerging world of choices for protecting traffic, hiding queries, and the future trends in ISP provided, and independent third-party DNS services at the 2nd ICANN APAC-TWNIC Engagement Forum, held from 15 to 16 April 2021.
APNIC Chief Scientist, Geoff Huston, gives a presentation on DOH and the changing nature of the DNS as infrastructure at NZNOG 2020 in Christchurch, New Zealand, from 28 to 31 January 2020.
Domain Name System and Dynamic Host Configuration Protocol.pptxUsmanAhmed269749
Introduction to DNS and DHCP. The presentations highlights the introduction of Domain name System and Dynamic Host Configuration Protocol. These are essential study part in computer networking
in this presentation their is the detailed information regarding Domain Name System that is DNS.
What is DNS,how it works,query, resolution wtc all are being covered thoroughly in this presentation as it would have in for all new upcoming Engineering students to know about the DNS as well as would also help employees to get the better understanding regarding the protocol.
The complete agenda of the presentation is to provide the detailed knowledge regarding dns as its the most basic protocol used in Web development.
Hope you would like it. If so please do like share and subscribe.
23rd PITA AGM and Conference: DNS Security - A holistic view APNIC
Security Specialist Jamie Gillespie presents on DNS Security, examining the complex interactions of this system, from domain registration to name resolution, the security risks of each component, and the mitigation options currently available at 23rd PITA AGM and Annual Conference in Nadi, Fiji from 8 to 12 April 2019.
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F18.shtml
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
Private DNS Infrastructure Support in Hybrid ScenariosDaniel Toomey
A discussion of DNS private resolver architecture, how it is leveraged for private resolution for Azure <-> Azure and Azure <-> On-Prem and other things including private DNS zones and conditional forwarding rules.
As presented to the Brisbane Azure Group by Rachel Calleia (https://www.linkedin.com/in/rachel-calleia-669439144/)
Private DNS Infrastructure Support in Hybrid ScenariosDaniel Toomey
A discussion of DNS private resolver architecture, how it is leveraged for private resolution for Azure <-> Azure and Azure <-> On-Prem and other things including private DNS zones and conditional forwarding rules.
As presented to the Brisbane Azure Group by Rachel Calleia (https://www.linkedin.com/in/rachel-calleia-669439144/)
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
This talk is specifically for NON-SharePoint infrastructure administrators (or for new ones still figuring things out)! Instead it’s for the rest of the SharePoint team – come learn about the basic building blocks of SharePoint infrastructure – things like DNS, load balancing, AD, high availability and disaster recovery, backup options, database options, and some of the core components of Windows in an understandable way so you can speak the lingo and seem really smart!
Zvonimir Mavretić
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41 jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
More Related Content
Similar to Presentation on 'The Path to Resolverless DNS' by Geoff Huston
in this presentation their is the detailed information regarding Domain Name System that is DNS.
What is DNS,how it works,query, resolution wtc all are being covered thoroughly in this presentation as it would have in for all new upcoming Engineering students to know about the DNS as well as would also help employees to get the better understanding regarding the protocol.
The complete agenda of the presentation is to provide the detailed knowledge regarding dns as its the most basic protocol used in Web development.
Hope you would like it. If so please do like share and subscribe.
23rd PITA AGM and Conference: DNS Security - A holistic view APNIC
Security Specialist Jamie Gillespie presents on DNS Security, examining the complex interactions of this system, from domain registration to name resolution, the security risks of each component, and the mitigation options currently available at 23rd PITA AGM and Annual Conference in Nadi, Fiji from 8 to 12 April 2019.
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F18.shtml
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
Private DNS Infrastructure Support in Hybrid ScenariosDaniel Toomey
A discussion of DNS private resolver architecture, how it is leveraged for private resolution for Azure <-> Azure and Azure <-> On-Prem and other things including private DNS zones and conditional forwarding rules.
As presented to the Brisbane Azure Group by Rachel Calleia (https://www.linkedin.com/in/rachel-calleia-669439144/)
Private DNS Infrastructure Support in Hybrid ScenariosDaniel Toomey
A discussion of DNS private resolver architecture, how it is leveraged for private resolution for Azure <-> Azure and Azure <-> On-Prem and other things including private DNS zones and conditional forwarding rules.
As presented to the Brisbane Azure Group by Rachel Calleia (https://www.linkedin.com/in/rachel-calleia-669439144/)
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
This talk is specifically for NON-SharePoint infrastructure administrators (or for new ones still figuring things out)! Instead it’s for the rest of the SharePoint team – come learn about the basic building blocks of SharePoint infrastructure – things like DNS, load balancing, AD, high availability and disaster recovery, backup options, database options, and some of the core components of Windows in an understandable way so you can speak the lingo and seem really smart!
Zvonimir Mavretić
The Domain Name System (DNS) is a critical part of Internet infrastructure and the largest distributed Internet directory service. DNS translates names to IP addresses, a required process for web navigation, email delivery, and other Internet functions. However, the DNS infrastructure is not secure enough unless the security mechanisms such as Transaction Signatures (TSIG) and DNS Security Extensions (DNSSEC) are implemented. To guarantee the availability and the secure Internet services, it is important for networking professionals to understand DNS concepts, DNS Security, configurations, and operations.
This course will discuss the concept of DNS Operations in detail, mechanisms to authenticate the communication between DNS Servers, mechanisms to establish authenticity, and integrity of DNS data and mechanisms to delegate trust to public keys of third parties. Participant will be involved in Lab exercises and do configurations based on number of scenarios.
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Similar to Presentation on 'The Path to Resolverless DNS' by Geoff Huston (20)
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...APNIC
Chimi Dorji, Internet Resource Analyst at APNIC, presented on Registry Data Accuracy Improvements at SANOG 41 jointly held with INNOG 7 in Mumbai, India from 25 to 30 April 2024.
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
Sunny Chendi, Senior Advisor, Membership and Policy at APNIC, presents 'APNIC Policy Roundup' at the 5th ICANN APAC-TWNIC Engagement Forum and 41st TWNIC OPM in Taipei, Taiwan from 23 to 24 April.
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
Dave Phelan, Senior Network Analyst/Technical Trainer at APNIC, presents 'DDoS In Oceania and the Pacific' at NZNOG 2024 held in Nelson, New Zealand from 8 to 12 April 2024.
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
Geoff Huston, Chief Scientist at APNIC deliver keynote presentation on the 'Future Evolution of the Internet' at the Everything Open 2024 conference in Gladstone, Australia from 16 to 18 April 2024.
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
Paul Wilson, Director General of APNIC delivers a presentation on IP addressing and IPv6 to the Policymakers Program during IETF 119 in Brisbane Australia from 16 to 22 March 2024.
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
Tom Harrison, Product and Delivery Manager at APNIC presents at the Registration Protocols Extensions working group during IETF 119 in Brisbane, Australia from 16-22 March 2024
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
Che-Hoo Cheng, Senior Director, Development at APNIC presents on the "Benefits of doing Internet peering and running an Internet Exchange (IX)" at the Communications Regulatory Commission of Mongolia's IPv6, IXP, Datacenter - Policy and Regulation International Trends Forum in Ulaanbaatar, Mongolia on 7 March 2024
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
APNIC Senior Advisor, Membership and Policy, Sunny Chendi presented on APNIC updates and RIR Policies for ccTLDs at APTLD 85 in Goa, India from 19-22 February 2024.
Lao Digital Week 2024: It's time to deploy IPv6APNIC
APNIC Development Director Che-Hoo Cheng presents on the importance of deploying IPv6 at the Lao Digital Week 2024, held in Vientiane, Lao PDR from 10 to 14 January 2024.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...JeyaPerumal1
A cellular network, frequently referred to as a mobile network, is a type of communication system that enables wireless communication between mobile devices. The final stage of connectivity is achieved by segmenting the comprehensive service area into several compact zones, each called a cell.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
4. Issues
• Speed – the DNS can be exceptionally slow, and the interaction with
resolver caches makes resolution unpredictable
• Filtering – the DNS is a convenient control point for content
management
• MetaData collection – the DNS is a real time window on user
behaviour
• This can be performed at the recursive resolver, or by a third party on the
path between the stub resolver and the recursive resolver
• Search – NXDOMAIN rewriting into active search
5.
6. Background
• Browser vendors were simplifying the UI and combined the navigation and
search input boxes to a single input pane
• This resulted in a significant level of cross leakage between DNS and Search
• Some DNS resolver operators saw an opportunity to gather revenue by re-
directing NXDOMAIN to search
• Google responded quickly with a large scale open DNS service that
provided absolute integrity of responses, and supported DNSSEC validation
to back this up
• Google’s DNS service rapidly gathered momentum, particularly in the
enterprise sector
8. Use of Resolvers in the Internet
66% of users direct their DNS
queries to the ISP-operated
recursive resolvers
17% of users direct their DNS
queries to in-country DNS resolvers
17% of users direct their DNS
queries to Google’s DNS service
https://stats.labs.apnic.net/rvrs
9. But…
• DNS queries use unencrypted UDP by default
• Which itself is a huge DOS issue
• Combining this with a transit across the public Internet between the
stub and open recursive resolver exposes further issues:
• The potential for third party monitoring, interception and substitution
• Loss of locational accuracy if the DNS is used to perform content steering for
CDNs
10. DNS Privacy
The response to the issues of DNS over UDP has been the development
of DNS stub-to-recursive connections over encrypted transport sessions
• DNS over TLS (DoT) uses DNS over TCP over a persistent TLS session
• DNS over QUIC (DoQ) uses DNS over an encrypted QUIC transport session
over UDP
• DNS over HTTPS (DoH) uses DNS over HTTP/3 (over QUIC) where supported,
and DNS over HTTP/2 (over TLS) otherwise
11. DoT/DoQ/DoH properties
• The stub resolver can authenticate the recursive resolver server
identity
• Which mitigates various forms of session interception
• Session encryption
• Which mitigates various forms of payload tampering
• No Head of Line Blocking (in DNS over HTTPS/3, and DoQ)
• No UDP fragmentation and TCP failover issues
• Long-held stub/recursive sessions and TCPFO can amortise the
encryption and session overheads over many queries
• Which means it’s not much different to UDP in terms of per query overheads
12. DOH/DOT Use
Query Data from Cloudflare’s 1.1.1.1 open resolver
75% of queries use UDP
19% of queries use DOH
5% of queries use DOT
13. Why DoH in particular?
• DoH is simply DNS queries and responses packaged with an HTTP
header, so why bother? Why not just use DoT or DoQ?
One view:
Paul Vixie, DNS Wars: Episode IV, NANOG 85, 2019
14. Why DoH?
• Maybe its more than a political project:
• Because DoH sits alongside all other HTTPS traffic on TCP port 443 (HTTP/2)
and UDP port 443 (HTTP/3) and is harder for network level isolation of DNS
traffic
• Because generic HTTP caching controls can be used to enable or disable the
use of HTTP caching
• Because HTTP/2 and HTTP/3 includes support for reordering, parallelism,
priority and header compression
• Because applications need not use the local stub DNS resolver and can direct
DoH queries to a recursive resolver of its own choice
• Because HTTP/2 and HTTP/3 includes “Server Push”
15. “Server Push”?
• RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2)
8.2. Server Push
HTTP/2 allows a server to pre-emptively send (or "push") responses
(along with corresponding "promised" requests) to a client in
association with a previous client-initiated request. This can be
useful when the server knows the client will need to have those
responses available in order to fully process the response to the
original request.
16. But in DoH this means…
8.2. Server Push
HTTP/2 allows a server to pre-emptively send (or "push") responses
(along with corresponding "promised" requests) to a client in
association with a previous client-initiated request. This can be
useful when the server knows the client will need to have those
responses available in order to fully process the response to the
original request.
DNS
DNS
DNS
17. What about HTTP/3?
• Yes – draft-ietf-quic-http
4.4. Server Push
Server push is an interaction mode that permits a server to push a
request-response exchange to a client in anticipation of the client
making the indicated request. This trades off network usage against
a potential latency gain. HTTP/3 server push is similar to what is
described in Section 8.2 of [HTTP2], but uses different mechanisms.
Each server push is assigned a unique Push ID by the server. The
Push ID is used to refer to the push in various contexts throughout
the lifetime of the HTTP/3 connection.
18. Which means…
• When a server sends a response to an HTTP request it can also push
unrequested DNS responses
• This allows the user application to use these DNS resolution
outcomes immediately and bypass DNS resolution delays
• It’s faster
• The user is not making these resolution queries, and is not generating
meta data within the DNS
• It has privacy benefits
20. But …
• How do you know that the server is pushing the “truth” when it provides
these DNS answers?
• The secure transport means that tampering is challenging, but the user
should still validate these responses (assuming that they are DNSSEC-
signed in the DNS)
• Which would mean that the user still has to chase down the DNSSEC
validation chain, and most of the the original speedup advantages are lost
• Or maybe not…
• The server could also push the collection of DNSSEC validation responses to the
client
• The server could also repackage these responses into a RFC 7901 EDNS0 Chain
Response, attached to the original response
21. DNSSEC-Validated DNS data
• DNSSEC validation provides the user with assurance that the data is:
• Authentic
• Current
• Complete (for each RRType)
• If that’s the case then why does it matter how the stub learned the
data?
• It could be a DNS query / response transaction
• It could be via a server push over DoH
• DNSSEC validation is providing the assurance that the data is usable
22. What if the pushed DNS
response is unsigned?
• Er, um, er…
• It’s probably best to discard it!
• You have no idea how the server obtained the DNS data in the first place
• You don’t know how current the data is
• You really don’t know if the server is trying to deceive you
• And you have no idea who you are implicitly trusting if you use the data
23. What can we say about
Resolverless DNS?
• It gives HTTP-based applications and services far more control over
the quality of the user experience
• It allows the server to pre-provision the client with DNS data that is likely to
be useful in the context of the application
• It allows the client side application to perform rapid DNSSEC validation
without relying on stub resolver capabilities and settings
• It can replace UDP-based timers, query retries, fragmentation and TCP
switching with server-to-client provision
• It operates over a secured connection with an authenticated server
• It does not leak metadata through DNS query streams
• As long as the DNS data is DNSSEC-signed
24. What about unsigned DNS data?
• Forget it!
• Resolverless DNS responses of unsigned DNS data just opens up more
potential vulnerabilities with little in the way of reasonable mitigation
25. Where is this leading?
The changing economics of the Internet
• The shift to advertiser-funded content and service has sucked the revenue
base from access and common infrastructure
• Internet infrastructure is a commodity-based activity which resists innovation
• The incentives to innovate lie in the application and service layers
• Infrastructure is under continued pressure to achieve further efficiencies and
there is a consequent pressure to scale up and centralise
The DNS is caught up in this, and innovation in the DNS is extremely
challenging to get adoption these days
Does Resolverless DNS have a chance?
26. Is there a role for
Resolverless DNS?
Perhaps…
• But I would suggest it necessarily assumes DNSSEC
• Which, at present, is a tough assumption
• Because few zones are signed
• Because DNSSEC signatures tend to create larger responses, which is a problem in UDP DNS
• Because advanced zone signing a zone is infeasible for very large zones
• And signing on the fly can be fragile
• In summary, few zones are DNSSEC are signed is because its unreliable and expensive and the
benefits do not seem to offset against the additional risks
• And few resolvers validate
• Because it takes time
• And stresses out UDP DNS
27. What about RFC 7901?
• What is a pushed DNS response was framed as if the client had set
the EDNS0 CHAIN option with the root zone as the closest trust
point?
• That way the client is provided with the DNS response and the chain
of signatures that permit the client to perform local validation of the
response in a single pushed DNS object
• And if the zone is unsigned - then no DNS response is pushed
28. Why is this interesting?
• The DNS is:
• A massive time penalty
• A significant privacy leak
• A consistent source of failure
• Resolverless DNS won’t fix all the DNS all at once
• But it can hand a significant amount of control over application and service
quality back to these HTTPS-based applications and services
• And it’s a whole lot faster!
• And is hides the client from the DNS resolution infrastructure
• And for those reasons it’s a very interesting step in the possible
evolution of the DNS
29. Why is this interesting?
We have spent a huge amount of effort over the last decade trying to make
the Internet faster:
• We’ve been deploying CDNs to replicate content and services and bring them closer
to users
• We’ve been deploying non-blocking transport protocols (such as QUIC) to exploit
parallelism
• We’ve been tuning TCP and network behaviour to create more efficient and faster
network transactions
• We’ve been packing more information in the DNS to make service startup faster (SVC
and HTTPS records)
And much of this innovation is happening at the application levels of the
protocol stack where there is ample money and an impatient agenda,
avoiding incurring any further dependencies on the lower layers of common
infrastructure where there is neither money nor impatience!