Discuss mailing list

[Jonah Aragon <jonah AT triplebit.net>]

This hasn’t really been brought up here, but I’ve been looking into GDPR compliance and how it fits in to our Matomo website tracking, and I think it’s relevant to a lot more aspects of this community. 

So I wanted to get some thoughts from the community, especially concerning DNS server logging. At this point in time, we don’t seem to have an official stance on DNS logging, but it seems to me that any logging involving IP addresses, but especially query logging, is directly impacted by GDPR.

As far as I can tell, the onus of GDPR compliance falls on the individual operators, as they are both the data processor and controller of the information collected.

Even if that is the case, I think OpenNIC should finally take a stricter no-logging stance in regard to the DNS servers regardless. I’m proposing the following ideas:

- Immediately, OpenNIC should adopt a no/anon logging policy for all new servers.

- Immediately, any servers that don’t have the no/anon logging flag enabled should be filtered out from the server list. We could implement some sort of checkbox along the lines of “show servers that log queries” (this would act as opt-in consent).

- Eventually (TBD), we should begin the removal of any remaining logging servers.

Regarding website tracking (Matomo), I currently believe we are fully GDPR compliant. We do not collect any data that could be used to identify an individual (no PII), as all of the data we collect is adequately anonymized (negating the need for opt-in consent). Additionally, the data we collect is publicly available and we have a simple tracking opt-out system.

As an aside, my Tier 2 servers are currently disabled pending GDPR compliance. All logs regardless of content are being deleted. Please don’t use them in the meantime.

Jonah