Home / Blogs

Perspectives on a DNS-CERT

Paul Vixie

Last week at the ICANN meeting in Nairobi, a plan was announced by ICANN staff to create a "CERT" for DNS. That's a Community Emergency Response Team (CERT) for the global Domain Name System (DNS). There are all kinds of CERTs in the world today, both inside and outside the Internet industry. There isn't one for DNS, and that's basically my fault, and so I have been following the developments in Nairobi this week very closely.

As the original founder of DNS-OARC (that's the Operations, Analysis, and Research Center for DNS, on the web at WWW.DNS-OARC.NET / see related CircleID interview), I've fielded a lot of questions from folks asking me what I think about all this. The original DNS-OARC plan (written in 2002 or so) called for a 24x7 monitoring and response and coordination function very similar to what's now being proposed by ICANN. Everybody I talked to in 2002 understood the need for this, based on the excellent track record of US-CERT and JP-CERT and even the IT-ISAC. We knew it had to be done by the DNS industry itself, rather than added to the remit of some existing government-supported CERT or ISAC.

Somewhere along the way we got distracted. Or to more accurately place the blame, I got distracted. DNS-OARC was a huge undertaking, and one that I significantly underestimated.  Internet Systems Consortium (ISC) started DNS-OARC using NSF research money, and I think NSF was happy with our results — but producing those results used up a lot of ISC's management bandwidth. DNS-OARC has received unprecedented participation and support from members of the DNS industry, who had never done anything quite like this — but the cycle time for bringing in new members was six to 18 months rather than the six to 18 weeks I planned on. Much has been achieved, but building the data and resources needed to develop OARC's necessary "critical mass" was something that ISC had to rely on partners and members for, and those folks have busy lives and long to-do lists even without this kind of stuff.

Eight years on, ISC has successfully spun DNS-OARC out as a separate non-profit corporation with its own board of directors. DNS-OARC has some fifty (50) members, comprising an unprecedented community of the key technical people from major DNS TLD registries, root operators, vendors and service providers. It has created a set of tools, experience and infrastructure vital for monitoring and analyzing the health of the DNS, and has accumulated an unparalleled set of DNS data captured from the live Internet.

But all this took years longer than I expected, and may have been a more dramatic time investment than DNS-OARC's elected trustees were expecting.

So the reason there is nothing like a "DNS CERT" in the world today is that I, as the founder of DNS-OARC, said that DNS-OARC would handle it, and then I didn't follow through. I plead ignorance and ambition — we got a lot of other great stuff done, including the existence and independence of DNS-OARC itself, so I'm not exactly weeping with guilt. But, when Rod Beckstrom (President of ICANN) got up at the microphone in Nairobi and said, the world needs something like this, and if nobody else is going to build it, he would, I thought, he's absolutely right, it's still 2002 in here, and it's time we — the DNS industry — got this done. We need a 24x7 monitoring and response and coordination function, with full time analysts looking at real time DNS events and participating in a global mesh of DNS NOCs.

Beckstrom's vision that some $4.5M is needed to get DNS-CERT properly off the ground is to be commended, and is one familiar to us at DNS-OARC, where our reach has regularly exceeded our grasp. But we've also learned some lessons over the years, not least that the DNS community guards its autonomy fiercely, and will react adversely to anything that smacks to them of unilaterally imposed central control. Something like a DNS-CERT can only be done at the grass roots level, which is both a constraint and a boon. This explains some of what we've been hearing in the hallways at how, despite its merits, there is some disquiet about the way the DNS-CERT proposal was presented. It is exactly why we went for an autonomous, neutral, membership governance model for DNS-OARC. We have to work cooperatively to ensure that DNS remains 100% available to serve as the Internet's map.

I call upon the world's governments, and upon the gTLD and ccTLD operators, and upon ICANN itself as well as other Internet governance organizations including CENTR, to support DNS-OARC Inc. in finishing what I started; and I call upon DNS-OARC Inc.'s trustees and members to use ICANN's excellent "gap analysis" for the "DNS-CERT" as the starting point to make this happen.

So, the next phone call all of those folks get may be from me, making this appeal personally. Let's make 2010 the year we (all) finally get this done.

By Paul Vixie, CEO, Farsight Security. More blog posts from Paul Vixie can also be read here.

Related topics: DNS, ICANN, Internet Governance, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Do we need another CERT? Paul Roberts  –  Mar 23, 2010 6:51 AM PST

Is it really necessary to have a dedicated DNS CERT? The existing cert.org seems to work well from what I can tell, and having another CERT type body to monitor is just going to increase confusion, especially if cert.org/cve.mitre.org etc. continue to issue alerts all with their own vuln id's. So now when we are trying to track issues, there's yet another vuln id to track?

If a DNS CERT is created, where will it end? Will we see an SSH CERT, DHCP CERT or [insert protocol here] CERT?

I just don't really see the point. Maybe I'm missing something? (It does happen) :-)

Paul Roberts
Technical Services Manager
http://www.tuscanynetworks.com

Systems created those other (SSH, DHCP, etc) Paul Vixie  –  Mar 23, 2010 8:36 AM PST

Systems created those other (SSH, DHCP, etc) protocols are unilateral or bilateral, whereas DNS creates a multilateral interdependent system. the folks at CERT/CC and Mitre are great at what they do but it is not this.

To protect a system you also have to study it and monitor it, to help define what "normal" and "healthy" mean. otherwise we fall back to a weak definition like "things are healthy if nobody is complaining" and that's just not true. DNS-OARC was launched to be an expertise center on the global DNS system as an operational entity. membership includes operators, implementors, researchers and protocol people, law enforcement and existing CERTs, and meatspace governments.

DNS-OARC's remit is much larger than just "be a CERT for DNS", but we always intended to include "be a CERT for DNS" in our operating plan because that function is important to the health and safety of the global domain name system as an operational entity. the gaps that are showing up through ICANN's analysis really are gaps — greg rattray and yurie ito have done some very high quality work in identifying these gaps and bringing them to the world's attention.

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

LogicBoxes Announces Automation Solutions for ccTLD

ICANN Los Angeles Recap Webinar

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Director Wins ICANN's 2014 Leadership Award

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

Auctions Update: MMX Wins .law and .vip

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

DotConnectAfrica Trust Responds to ICANN 50 GAC Advice, Updates on .Africa Application IRP Status

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Video Interviews from ICANN 50 in London

ICANN London Recap Webinar

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

Sponsored Topics

dotMobi

Mobile

Sponsored by
dotMobi
Afilias

DNS Security

Sponsored by
Afilias
Verisign

Security

Sponsored by
Verisign
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines