Towards a DNSCERT Definition

Paul Vixie

To mix metaphors, my e-mail has been ringing off the hook after my previous article ("Perspectives on a DNS-CERT") and I've had to think deep and difficult thoughts about what we really mean by DNSCERT, and whether DNS-OARC really has the capability or really can grow the capability to operate such a thing. I've had some discussions with ICANN and with members of the DNS-OARC board and staff, and it's time I checkpointed the current state of my thinking about all this.

First, DNS-OARC was convened as an operational and technical body, and they've stuck to that vision, and they're likely to continue to stick to it. This means that the technical and operational functions associated with a DNSCERT seem natural and necessary to the DNS-OARC folks, and, subject to clearing it with their membership and having a viable funding model, they're ready to march forward.

Second, ICANN has heard the community's reaction loud and clear, that the world wants them to remain a technical coordinating body, and to not become an infrastructure operator over and above what they already do for their "L Root". They've also heard my arguments about how easy it is to find seed funding for possibly unsustainable activities and that the proof of a proposal's viability comes in its fourth year, not its first year. ICANN can be of great help to a DNSCERT both in doing the "gap analysis" [PDF] as they've already done, and in socializing and publicizing the idea to their GTLD and CCTLD holders who would have to join and sponsor a DNSCERT activity if it's ever going to amount to anything.

Third, DNSCERT as envisaged by the ICANN SSR "gap analysis" [PDF] is a different goal set than DNS-OARC's. Some things DNSCERT would do are outside of the scope of DNS-OARC, and some things DNS-OARC is doing and/or will someday do are beyond the scope of DNSCERT. There's substantial overlap, but I was wrong earlier when I said that DNS-OARC should do it all.


I think what's needed is a new nonprofit corporation ("The DNSCERT Foundation" or similar; let's call it TDF here) whose members are other international nonprofit corporations representing DNS stakeholders — such as ICANN, DNS-OARC, various CERTs, CENTR, MAAWG, APWG, and a few dozen others. Current and future members of DNS-OARC will join and sponsor the DNSCERT activity through their DNS-OARC membership and additional restricted grants of money and of "like kind" resources including personnel and equipment.

DNSCERT should be a joint venture across the entire DNS industry, and the 24x7 "watch floor" should be distributed across the globe. Much of the technical and operations work should be outsourced to the participants, who by running a tool set in common and doing training in common including sending personnel to DNSCERT HQ on a quarterly or annual rotation, will form an extremely robust and redundant asset base for the DNSCERT function.

TDF's main purpose would be to define a DNSCERT Functions Contract and then enter into a joint venture with DNS-OARC Inc. to execute that contract. TDF's role in the JV would be governance and oversight. DNS-OARC's role would be execution. TDF's governance activities would include research above the raw technology level, such as system level risk assessment and contingency planning. For example, perhaps ICANN's ill-fated "DNS Root System Scalability Study" [PDF] could be retried in this broader framework since ICANN's track record for hiring consultants to write reports and recommendations isn't working.

Getting There

I've socialized and refined the above proposal by talking to a lot of people, most of whom did not give me permission to thank them publicly. I do have permission to mention that Ondrej Filip (.CZ), Leslie Cowley (.UK), Frederico Neves (.BR), Jay Daley (.NZ), and Jeff Moss (DefCon) think that something like this is worth investigating further. My first order of business is to expand that list — if you and/or your company would like to weigh in positively on this proposal, please send me e-mail and I'll add you to the list, or you can add a comment to this article.

Importantly, neither ICANN nor DNS-OARC wants to take the next step of making a formal public statement of support of this approach unless the community has first given the nod. Therefore I'm asking ICANN to schedule a BOF session in Brussels, and I hope it's early in the week like Monday or Tuesday, where we can get a whole bunch of DNS stakeholders (including many DNS-OARC members) in a room and find out whether the community has a will and if so what it is.

By Paul Vixie, CEO, Farsight Security.

Related topics: DNS, ICANN



BOF time and place Yurie Ito  –  Jun 20, 2010 1:59 AM PDT

The BOF room is reserved on 22nd Tuesday 1800pm

At: Room 313/315 on the 3rd floor at Square Brussels Meeting Centre (ICANN meeting venue)

BOF attendance and participation Eric Brunner-Williams  –  Jun 22, 2010 11:21 AM PDT

The room was filled with cc and g operators, non-dns security people, some ICANN staff, and the discussion was lively, interesting, but not yet conclusive of any particular thesis concerning next steps.
