Home / Blogs

Perspectives on a DNS-CERT

Paul Vixie

Last week at the ICANN meeting in Nairobi, a plan was announced by ICANN staff to create a "CERT" for DNS. That's a Community Emergency Response Team (CERT) for the global Domain Name System (DNS). There are all kinds of CERTs in the world today, both inside and outside the Internet industry. There isn't one for DNS, and that's basically my fault, and so I have been following the developments in Nairobi this week very closely.

As the original founder of DNS-OARC (that's the Operations, Analysis, and Research Center for DNS, on the web at WWW.DNS-OARC.NET / see related CircleID interview), I've fielded a lot of questions from folks asking me what I think about all this. The original DNS-OARC plan (written in 2002 or so) called for a 24x7 monitoring and response and coordination function very similar to what's now being proposed by ICANN. Everybody I talked to in 2002 understood the need for this, based on the excellent track record of US-CERT and JP-CERT and even the IT-ISAC. We knew it had to be done by the DNS industry itself, rather than added to the remit of some existing government-supported CERT or ISAC.

Somewhere along the way we got distracted. Or to more accurately place the blame, I got distracted. DNS-OARC was a huge undertaking, and one that I significantly underestimated.  Internet Systems Consortium (ISC) started DNS-OARC using NSF research money, and I think NSF was happy with our results — but producing those results used up a lot of ISC's management bandwidth. DNS-OARC has received unprecedented participation and support from members of the DNS industry, who had never done anything quite like this — but the cycle time for bringing in new members was six to 18 months rather than the six to 18 weeks I planned on. Much has been achieved, but building the data and resources needed to develop OARC's necessary "critical mass" was something that ISC had to rely on partners and members for, and those folks have busy lives and long to-do lists even without this kind of stuff.

Eight years on, ISC has successfully spun DNS-OARC out as a separate non-profit corporation with its own board of directors. DNS-OARC has some fifty (50) members, comprising an unprecedented community of the key technical people from major DNS TLD registries, root operators, vendors and service providers. It has created a set of tools, experience and infrastructure vital for monitoring and analyzing the health of the DNS, and has accumulated an unparalleled set of DNS data captured from the live Internet.

But all this took years longer than I expected, and may have been a more dramatic time investment than DNS-OARC's elected trustees were expecting.

So the reason there is nothing like a "DNS CERT" in the world today is that I, as the founder of DNS-OARC, said that DNS-OARC would handle it, and then I didn't follow through. I plead ignorance and ambition — we got a lot of other great stuff done, including the existence and independence of DNS-OARC itself, so I'm not exactly weeping with guilt. But, when Rod Beckstrom (President of ICANN) got up at the microphone in Nairobi and said, the world needs something like this, and if nobody else is going to build it, he would, I thought, he's absolutely right, it's still 2002 in here, and it's time we — the DNS industry — got this done. We need a 24x7 monitoring and response and coordination function, with full time analysts looking at real time DNS events and participating in a global mesh of DNS NOCs.

Beckstrom's vision that some $4.5M is needed to get DNS-CERT properly off the ground is to be commended, and is one familiar to us at DNS-OARC, where our reach has regularly exceeded our grasp. But we've also learned some lessons over the years, not least that the DNS community guards its autonomy fiercely, and will react adversely to anything that smacks to them of unilaterally imposed central control. Something like a DNS-CERT can only be done at the grass roots level, which is both a constraint and a boon. This explains some of what we've been hearing in the hallways at how, despite its merits, there is some disquiet about the way the DNS-CERT proposal was presented. It is exactly why we went for an autonomous, neutral, membership governance model for DNS-OARC. We have to work cooperatively to ensure that DNS remains 100% available to serve as the Internet's map.

I call upon the world's governments, and upon the gTLD and ccTLD operators, and upon ICANN itself as well as other Internet governance organizations including CENTR, to support DNS-OARC Inc. in finishing what I started; and I call upon DNS-OARC Inc.'s trustees and members to use ICANN's excellent "gap analysis" for the "DNS-CERT" as the starting point to make this happen.

So, the next phone call all of those folks get may be from me, making this appeal personally. Let's make 2010 the year we (all) finally get this done.

By Paul Vixie, CEO, Farsight Security. More blog posts from Paul Vixie can also be read here.

Related topics: DNS, ICANN, Internet Governance, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Do we need another CERT? Paul Roberts  –  Mar 23, 2010 7:51 AM PDT

Is it really necessary to have a dedicated DNS CERT? The existing cert.org seems to work well from what I can tell, and having another CERT type body to monitor is just going to increase confusion, especially if cert.org/cve.mitre.org etc. continue to issue alerts all with their own vuln id's. So now when we are trying to track issues, there's yet another vuln id to track?

If a DNS CERT is created, where will it end? Will we see an SSH CERT, DHCP CERT or [insert protocol here] CERT?

I just don't really see the point. Maybe I'm missing something? (It does happen) :-)

Paul Roberts
Technical Services Manager
http://www.tuscanynetworks.com

Systems created those other (SSH, DHCP, etc) Paul Vixie  –  Mar 23, 2010 9:36 AM PDT

Systems created those other (SSH, DHCP, etc) protocols are unilateral or bilateral, whereas DNS creates a multilateral interdependent system. the folks at CERT/CC and Mitre are great at what they do but it is not this.

To protect a system you also have to study it and monitor it, to help define what "normal" and "healthy" mean. otherwise we fall back to a weak definition like "things are healthy if nobody is complaining" and that's just not true. DNS-OARC was launched to be an expertise center on the global DNS system as an operational entity. membership includes operators, implementors, researchers and protocol people, law enforcement and existing CERTs, and meatspace governments.

DNS-OARC's remit is much larger than just "be a CERT for DNS", but we always intended to include "be a CERT for DNS" in our operating plan because that function is important to the health and safety of the global domain name system as an operational entity. the gaps that are showing up through ICANN's analysis really are gaps — greg rattray and yurie ito have done some very high quality work in identifying these gaps and bringing them to the world's attention.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

ICANN London Recap Webinar

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

Sophia Bekele Weighs in on Obama's August US-Africa Leader Summit at the NYF Africa

Victorian Government & ARI Agree to Long-Term .melbourne Partnership

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

DotConnectAfrica's Expert Selected to Attend the Hague Institute of Global Justice

DotConnectAfrica Delegates Attend the KHRC Internet & Human Rights Breakfast Roundtable in Nairobi

Smokescreening: Data Theft Makes DDoS More Dangerous

Introducing getdns: a Modern, Extensible, Open Source API for the DNS

Why We Decided to Stop Offering Free Accounts

Internet Business Council for Africa Participates at the EU-Africa 2014 Business Forum, Brussels

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

Tony Kirsch Announced As Head of Global Consulting of ARI Registry Services

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

Afilias Chairman Appointed to Domain Name Association Board

Sponsored Topics