Towards a DNSCERT Definition

Paul Vixie

To mix metaphors, my e-mail has been ringing off the hook after my previous article ("Perspectives on a DNS-CERT") and I've had to think deep and difficult thoughts about what we really mean by DNSCERT, and whether DNS-OARC really has the capability or really can grow the capability to operate such a thing. I've had some discussions with ICANN and with members of the DNS-OARC board and staff, and it's time I checkpointed the current state of my thinking about all this.

First, DNS-OARC was convened as an operational and technical body, and they've stuck to that vision, and they're likely to continue to stick to it. This means that the technical and operational functions associated with a DNSCERT seem natural and necessary to the DNS-OARC folks, and, subject to clearing it with their membership and having a viable funding model, they're ready to march forward.

Second, ICANN has heard the community's reaction loud and clear, that the world wants them to remain a technical coordinating body, and to not become an infrastructure operator over and above what they already do for their "L Root". They've also heard my arguments about how easy it is to find seed funding for possibly unsustainable activities and that the proof of a proposal's viability comes in its fourth year not its first year. ICANN can be of great help to a DNSCERT both in doing the "gap analysis" [PDF] as they've already done, and in socializing and publicizing the idea to their GTLD and CCTLD holders who would have to join and sponsor a DNSCERT activity if it's ever going to amount to anything.

Third, DNSCERT as envisaged by the ICANN SSR "gap analysis" [PDF] is a different goal set than DNS-OARC's. Some things DNSCERT would do are outside of the scope of DNS-OARC, and some things DNS-OARC is doing and/or will someday do are beyond the scope of DNSCERT. There's substantial overlap, but I was wrong earlier when I said that DNS-OARC should do it all.

Proposal

I think what's needed is a new nonprofit corporation ("The DNSCERT Foundation" or similar; let's call it TDF here) whose members are other international nonprofit corporations representing DNS stakeholders — such as ICANN, DNS-OARC, various CERTs, CENTR, MAAWG, APWG, and a few dozen others. Current and future members of DNS-OARC will join and sponsor the DNSCERT activity through their DNS-OARC membership and additional restricted grants of money and of "like kind" resources including personnel and equipment.

DNSCERT should be a joint venture across the entire DNS industry, and the 24x7 "watch floor" should be distributed across the globe. Much of the technical and operations work should be outsourced to the participants, who by running a tool set in common and doing training in common including sending personnel to DNSCERT HQ on a quarterly or annual rotation, will form an extremely robust and redundant asset base for the DNSCERT function.

TDF's main purpose would be to define a DNSCERT Functions Contract and then enter into a joint venture with DNS-OARC Inc. to execute that contract. TDF's role in the JV would be governance and oversight. DNS-OARC's role would be execution. TDF's governance activities would include research above the raw technology level, such as system level risk assessment and contingency planning. For example, perhaps ICANN's ill-fated "DNS Root System Scalability Study" [PDF] could be retried in this broader framework since ICANN's track record for hiring consultants to write reports and recommendations isn't working.

Getting There

I've socialized and refined the above proposal by talking to a lot of people, most of whom did not give me permission to thank them publicly. I do have permission to mention that Ondrej Filip (.CZ), Leslie Cowley (.UK), Frederico Neves (.BR), Jay Daley (.NZ), and Jeff Moss (DefCon) think that something like this is worth investigating further. My first order of business is to expand that list — if you and/or your company would like to weigh in positively on this proposal, please send me e-mail and I'll add you to the list, or you can add a comment to this article.

Importantly, neither ICANN nor DNS-OARC wants to take the next step of making a formal public statement of support of this approach unless the community has first given the nod. Therefore I'm asking ICANN to schedule a BOF session in Brussels, and I hope it's early in the week like Monday or Tuesday, where we can get a whole bunch of DNS stakeholders (including many DNS-OARC members) in a room and find out whether the community has a will and if so what it is.

By Paul Vixie, CEO, Farsight Security.


Comments

BOF time and place Yurie Ito  –  Jun 20, 2010 1:59 AM PDT

The BOF room is reserved on 22nd Tuesday 1800pm

At: Room 313/315 on the 3rd floor at Square Brussels Meeting Centre (ICANN meeting venue)

BOF attendance and participation Eric Brunner-Williams  –  Jun 22, 2010 11:21 AM PDT

The room was filled with cc and g operators, non-dns security people, some ICANN staff, and the discussion was lively, interesting, but not yet conclusive of any particular thesis concerning next steps.
