Towards a DNSCERT Definition

Paul Vixie

To mix metaphors, my e-mail has been ringing off the hook after my previous article ("Perspectives on a DNS-CERT") and I've had to think deep and difficult thoughts about what we really mean by DNSCERT, and whether DNS-OARC really has the capability or really can grow the capability to operate such a thing. I've had some discussions with ICANN and with members of the DNS-OARC board and staff, and it's time I checkpointed the current state of my thinking about all this.

First, DNS-OARC was convened as an operational and technical body, and they've stuck to that vision, and they're likely to continue to stick to it. This means that the technical and operational functions associated with a DNSCERT seem natural and necessary to the DNS-OARC folks, and, subject to clearing it with their membership and having a viable funding model, they're ready to march forward.

Second, ICANN has heard the community's reaction loud and clear, that the world wants them to remain a technical coordinating body, and to not become an infrastructure operator over and above what they already do for their "L Root". They've also heard my arguments about how easy it is to find seed funding for possibly unsustainable activities and that the proof of a proposal's viability comes in its fourth year not its first year. ICANN can be of great help to a DNSCERT both in doing the "gap analysis" [PDF] as they've already done, and in socializing and publicizing the idea to their GTLD and CCTLD holders who would have to join and sponsor a DNSCERT activity if it's ever going to amount to anything.

Third, DNSCERT as envisaged by the ICANN SSR "gap analysis" [PDF] is a different goal set than DNS-OARC's. Some things DNSCERT would do are outside of the scope of DNS-OARC, and some things DNS-OARC is doing and/or will someday do are beyond the scope of DNSCERT. There's substantial overlap, but I was wrong earlier when I said that DNS-OARC should do it all.

Proposal

I think what's needed is a new nonprofit corporation ("The DNSCERT Foundation" or similar; let's call it TDF here) whose members are other international nonprofit corporations representing DNS stakeholders — such as ICANN, DNS-OARC, various CERTs, CENTR, MAAWG, APWG, and a few dozen others. Current and future members of DNS-OARC will join and sponsor the DNSCERT activity through their DNS-OARC membership and additional restricted grants of money and of "like kind" resources including personnel and equipment.

DNSCERT should be a joint venture across the entire DNS industry, and the 24x7 "watch floor" should be distributed across the globe. Much of the technical and operations work should be outsourced to the participants, who by running a tool set in common and doing training in common including sending personnel to DNSCERT HQ on a quarterly or annual rotation, will form an extremely robust and redundant asset base for the DNSCERT function.

TDF's main purpose would be to define a DNSCERT Functions Contract and then enter into a joint venture with DNS-OARC Inc. to execute that contract. TDF's role in the JV would be governance and oversight. DNS-OARC's role would be execution. TDF's governance activities would include research above the raw technology level, such as system level risk assessment and contingency planning. For example, perhaps ICANN's ill-fated "DNS Root System Scalability Study" [PDF] could be retried in this broader framework since ICANN's track record for hiring consultants to write reports and recommendations isn't working.

Getting There

I've socialized and refined the above proposal by talking to a lot of people, most of whom did not give me permission to thank them publicly. I do have permission to mention that Ondrej Filip (.CZ), Leslie Cowley (.UK), Frederico Neves (.BR), Jay Daley (.NZ), and Jeff Moss (DefCon) think that something like this is worth investigating further. My first order of business is to expand that list — if you and/or your company would like to weigh in positively on this proposal, please send me e-mail and I'll add you to the list, or you can add a comment to this article.

Importantly, neither ICANN nor DNS-OARC wants to take the next step of making a formal public statement of support of this approach unless the community has first given the nod. Therefore I'm asking ICANN to schedule a BOF session in Brussels, and I hope it's early in the week like Monday or Tuesday, where we can get a whole bunch of DNS stakeholders (including many DNS-OARC members) in a room and find out whether the community has a will and if so what it is.

By Paul Vixie, CEO, Farsight Security.

Related topics: DNS, ICANN

Comments

BOF time and place Yurie Ito  –  Jun 20, 2010 12:59 AM PST

The BOF room is reserved on 22nd Tuesday 1800pm

At: Room 313/315 on the 3rd floor at Square Brussels Meeting Centre (ICANN meeting venue)

BOF attendance and participation Eric Brunner-Williams  –  Jun 22, 2010 10:21 AM PST

The room was filled with cc and g operators, non-dns security people, some ICANN staff, and the discussion was lively, interesting, but not yet conclusive of any particular thesis concerning next steps.
