DNS Gets A Formal Coordination System

Paul Vixie

CircleID recently interviewed Paul Vixie, Founder & Chairman of Internet Software Consortium (ISC), to discuss ISC's newly formed Operations, Analysis, and Research Center (OARC).

OARC is launched in response to DDoS attacks at the Internet's core infrastructure and the vital requirement for a formal coordination system. OARC is also a part of US homeland security initiatives, such as the formation of Information Sharing and Analysis Centers (ISACs).

CircleID: Can you give us an overview of what OARC is?

Paul Vixie: OARC is ISC's new Operations, Analysis, and Research Center, a crisis coordination system for the global DNS. We're trying to help our members better understand how the DNS operates and respond to incidents and threats.

CircleID: We have also heard the term DNS-OARC, any difference?

Paul Vixie: You heard about it pre-launch when the working title was "ISC DNS-OARC". The official title as of launch is "ISC OARC for DNS".

CircleID: OARC has mentioned, "The Domain Name System (DNS), born 20+ years ago, has become the primary governor of traffic flows on the Internet. When the DNS stops working, so do all applications: no email, no web browsing, no instant messaging, no FTP, no e-commerce." Can you give us an overview of the state of DNS, and consequentially the Internet, as it stands today? What kind of critical point, if any, have we reached that has necessitated the formation of OARC?

Paul Vixie: The DNS has, quite simply, outgrown the informal coordination system we've always used. Root operators, TLDs, and other operators of critical pieces of infrastructure have always worked closely together. But, as the DNS has grown up, and as the threats have also grown up, there has arisen a crying need for better mechanisms for working together.

The OARC allows our members to coordinate closely in a secure, trusted environment. We have taken great pains to set up an on-line system that allows competitors to share critical information in a way that allows them to cooperate together to solve problems.

CircleID: OARC has pointed out that "Despite the critical nature of the DNS, responses to attacks have been handled informally, testing of software is not coordinated, and long-term analysis to better performance, stability, and security is sorely lacking." Considering that DNS is now 20+ years old, one can't help but question why an essential collaborative organization, such as OARC, has taken so long to be created?

Paul Vixie: Twenty years ago, we didn't need these kinds of mechanisms. Ten years ago, we still didn't need them. And, you could argue that even five years ago, we still didn't need them.

It always takes time to build the consensus it takes to make an organization like OARC work. We've spent a year talking to key players, listening to what they wanted to see, and iterating towards a framework that works for everybody.

CircleID: Can you share with us a little about the type of members and countries that have joined OARC. Who is encouraged to join?

Paul Vixie: We've had a great reception to the system. Most of the root operators have signed up (or have indicated that they will shortly sign up), as have all four regional registries (RIPE, APNIC, ARIN, and LACNIC). The research community has also been well represented with organizations such as ISTS at Dartmouth College, CAIDA, and InternetPerils. We're also getting good representation from big registry operators such as Afilias. And, the big industrial players have also been signing up: companies such as Cisco, MCI, XO Communications, and Telehouse USA.

As to who should sign up, I think that is anybody who feels they have a mission-critical need to know what is happening with the global DNS. Registries and registrars, ccTLD operators, large corporate NOCs, ISPs and ecommerce companies that host many domain names are all likely candidates. This is also a natural for law enforcement groups that are worried about attacks on the Internet.

CircleID: Can you tell us a little more about "Root Servers Advisory Group" and "OARC Policy Council" — the two "governance mechanisms" within OARC? Who elects them and what are their roles?

Paul Vixie: The Root Servers Advisory Group (RSAG) is open to the root operators. They play a critical role in the global DNS and we wanted to have a formal mechanism to make sure we hear any concerns they have.

The OARC Policy Council determines policy for the OARC. It consists of one person elected by the membership of OARC, one elected by the RSAG, and one representative from ISC, the OARC secretariat.

CircleID: What about the involvement of other Internet bodies and organizations? Would ICANN, IANA, IETF, or ITU, for instance, have any roles within OARC?

Paul Vixie: Of course. ICANN and ITU members are natural candidates for membership and we've spent considerable time briefing officials from those organizations. The IETF doesn't have an operational role, so it doesn't make sense for it, though we're really pleased the Internet Society is a founding member.

CircleID: OARC describes its role as "a neutral forum that allows competitors to share potentially confidential information and thus coordinate their response to incidents that affect the entire industry." Can you explain how a "neutral forum" and co-operation is established, given the fact that some members of OARC will potentially be direct competitors of each other?

Paul Vixie: We've got a variety of mechanisms. First, there is legal: everybody signs a membership agreement that has stringent confidentiality requirements. Second is technical: we've built a system that allows our members to securely upload confidential data and then choose with whom it is shared. Third is the most important: social. We're taking great pains to foster an environment of cooperation and consensus so people feel comfortable with working together to solve common problems.

CircleID: OARC has specified five key functions at its core. Can you tell us about these functions?

Paul Vixie: The most visible function is our Incident Response System. That's the crisis coordination part of the OARC. But, we want this center to be more than just a knee-jerk response to attacks, so we're taking a long-term perspective. That's where the other four areas come in.

OARC's Operational Characterization program is collecting data about the performance and functionality of key nameservers during both normal and abnormal periods of operation. This lets us understand how these servers operate and what the stress points are. We're working with other data collection efforts around the Internet, such as the RIPE NCC's DNSMON program.

The OARC Analysis program attempts to understand the data we collect. In this program, we're partnering with key researchers around the Internet who have been conducting long-term studies of DNS operation in the real world. Some of those groups are CAIDA, which is well-known for pioneering studies about many different aspects of Internet operation, and ISTS at Dartmouth College, well-known for their DNS work.

The fourth program is our OARC Testing Laboratory. Here, we're establishing a real-world test environment, with a sophisticated network infrastructure and representative systems on different hardware and software platforms and all of the key DNS software. This allows us to test, for example, patches that are developed in response to an attack.

Finally, OARC has an Outreach & Education Program, a vital program that allows us to reach out to non-members and communicate whatever is learned as a result of OARC's activities.

CircleID: Several types of participants have been named as being part of OARC including top-level domain (TLD) operators. What type of role, if any, would OARC play in issues such as VeriSign's recent controversial introduction of "Site Finder" made possible by placing a wildcard name in the root of COM and NET top-level domains? As you are very well aware, this action, now under review by ICANN, has raised a varying range of concerns over the stability of DNS and the Internet.

Paul Vixie: VeriSign's SiteFinder was a political and business decision. That's ICANN's ballpark. OARC is an operations center. We're worried about threats to security and things that impact performance and functionality. I think OARC would have had a minimal role to play during the recent SiteFinder controversy.

CircleID: Given OARC's potentially significant role in enhancing performance, stability, and security of the DNS, what factors will play a key role in ensuring OARC's long-term success?

Paul Vixie: Our long-term success will be determined by how effective we are in solving real problems for people who are operating DNS servers in the real world.

CircleID: And now that OARC has been officially launched, what is its first priority task?

Paul Vixie: Our first priority task is the same priority we've had for the year it has taken to make OARC a reality: making the ISC OARC for DNS a useful, vital operations center that helps improve the security, stability, and performance of the global DNS. 

By Paul Vixie, CEO, Farsight Security.

Related topics: Cyberattack, Cybercrime, DDoS, DNS, Registry Services, ICANN, Internet Governance, Regional Registries, Security, Top-Level Domains

Comments

Re: DNS Gets A Formal Coordination System ShadowEyez  –  Oct 22, 2003 10:28 AM PDT

Sounds like a good operations center for long term changes and stability to DNS, and something that is needed. However, if this organization existed when VeriSign launched SiteFinder by implementing wild masks, if OARC had only taken a "minimal role" in this, it might be viewed as "toothless" or irrelevant, given that the main gist seems to be "solving real problems for people who are operating DNS servers in the real world".

I realize that a long term stability goal is noble and needed, but the "real world" in IT and Internet operations sometimes needs quick reaction to potentially service halting problems, especially given the creative attacks hackers and miscreants employ today.

Sounds like a good move for the technical community. Just be sure to be practical as well. I look forward to seeing the implementation and evolution of OARC.
