OARC is launched in response to DDoS attacks at the Internet's core infrastructure and the vital requirement for a formal coordination system. OARC is also a part of US homeland security initiatives, such as the formation of Information Sharing and Analysis Centers (ISACs).
CircleID: Can you give us an overview of what OARC is?
Paul Vixie: OARC is ISC's new Operations, Analysis, and Research Center, a crisis coordination system for the global DNS. We're trying to help our members better understand how the DNS operates and respond to incidents and threats.
CircleID: We have also heard the term DNS-OARC, any difference?
Paul Vixie: You heard about it pre-launch when the working title was "ISC DNS-OARC". The official title as of launch is "ISC OARC for DNS".
CircleID: OARC has mentioned, "The Domain Name System (DNS), born 20+ years ago, has become the primary governor of traffic flows on the Internet. When the DNS stops working, so do all applications: no email, no web browsing, no instant messaging, no FTP, no e-commerce." Can you give us an overview of the state of DNS, and consequentially the Internet, as it stands today? What kind of critical point, if any, have we reached that has necessitated the formation of OARC?
Paul Vixie: The DNS has, quite simply, outgrown the informal coordination system we've always used. Root operators, TLDs, and other operators of critical pieces of infrastructure have always worked closely together. But, as the DNS has grown up, and as the threats have also grown up, there has arisen a crying need for better mechanisms for working together.
The OARC allows our members to coordinate closely in a secure, trusted environment. We have taken great pains to set up an on-line system that allows competitors to share critical information in a way that allows them to cooperate together to solve problems.
CircleID: OARC has pointed out that "Despite the critical nature of the DNS, responses to attacks have been handled informally, testing of software is not coordinated, and long-term analysis to better performance, stability, and security is sorely lacking." Considering that DNS is now 20+ years old, one can't help but question why an essential collaborative organization, such as OARC, has taken so long to be created?
Paul Vixie: Twenty years ago, we didn't need these kinds of mechanisms. Ten years ago, we still didn't need them. And, you could argue that even five years ago, we still didn't need them.
It always takes time to build the consensus it takes to make an organization like OARC work. We've spent a year talking to key players, listening to what they wanted to see, and iterating towards a framework that works for everybody.
CircleID: Can you share with us a little about the type of members and countries that have joined OARC. Who is encouraged to join?
Paul Vixie: We've had a great reception to the system. Most of the root operators have signed up (or have indicated that they will shortly sign up), as have all four regional registries (RIPE, APNIC, ARIN, and LACNIC). The research community has also been well represented with organizations such as ISTS at Dartmouth College, CAIDA, and InternetPerils. We're also getting good representation from big registry operators such as Afilias. And, the big industrial players have also been signing up: companies such as Cisco, MCI, XO Communications, and Telehouse USA.
As to who should sign up, I think that is anybody who feels they have a mission-critical need to know what is happening with the global DNS. Registries and registrars, ccTLD operators, large corporate NOCs, ISPs and ecommerce companies that host many domain names are all likely candidates. This is also a natural for law enforcement groups that are worried about attacks on the Internet.
CircleID: Can you tell us a little more about "Root Servers Advisory Group" and "OARC Policy Council" — the two "governance mechanisms" within OARC? Who elects them and what are their roles?
Paul Vixie: The Root Servers Advisory Group (RSAG) is open to the root operators. They play a critical role in the global DNS and we wanted to have a formal mechanism to make sure we hear any concerns they have.
The OARC Policy Council determines policy for the OARC. It consists of one person elected by the membership of OARC, one elected by the RSAG, and one representative from ISC, the OARC secretariat.
CircleID: What about the involvement of other Internet bodies and organizations? Would ICANN, IANA, IETF, or ITU, for instance, have any roles within OARC?
Paul Vixie: Of course. ICANN and ITU members are natural candidates for membership and we've spent considerable time briefing officials from those organizations. The IETF doesn't have an operational role, so it doesn't make sense for it, though we're really pleased the Internet Society is a founding member.
CircleID: OARC describes its role as "a neutral forum that allows competitors to share potentially confidential information and thus coordinate their response to incidents that affect the entire industry." Can you explain how a "neutral forum" and co-operation is established, given the fact that some members of OARC will potentially be direct competitors of each other?
Paul Vixie: We've got a variety of mechanisms. First, there is legal: everybody signs a membership agreement that has stringent confidentiality requirements. Second is technical: we've built a system that allows our members to securely upload confidential data and then choose with whom it is shared. Third is the most important: social. We're taking great pains to foster an environment of cooperation and consensus so people feel comfortable with working together to solve common problems.
CircleID: OARC has specified five key functions at its core. Can you tell us about these functions?
Paul Vixie: The most visible function is our Incident Response System. That's the crisis coordination part of the OARC. But, we want this center to be more than just a knee-jerk response to attacks, so we're taking a long-term perspective. That's where the other four areas come in.
OARC's Operational Characterization program is collecting data about the performance and functionality of key nameservers during both normal and abnormal periods of operation. This lets us understand how these servers operate and what the stress points are. We're working with other data collection efforts around the Internet, such as the RIPE NCC's DNSMON program.
The OARC Analysis program attempts to understand the data we collect. In this program, we're partnering with key researchers around the Internet who have been conducting long-term studies of DNS operation in the real-world. Some of those groups are CAIDA, which is well-known for pioneering studies about many different aspects of Internet operation, and ISTS at Dartmouth College, well-known for their DNS work.
The fourth program is our OARC Testing Laboratory. Here, we're establishing a real-world test environment, with a sophisticated network infrastructure and representative systems on different hardware and software platforms and all of the key DNS software. This allows us to test, for example, patches that are developed in response to an attack.
Finally, OARC has an Outreach & Education Program, a vital program that allows us to reach out to non-members and communicate whatever is learned as a result of OARC's activities.
CircleID: Several types of participants have been named as being part of OARC including top-level domain (TLD) operators. What type of role, if any, would OARC play in issues such as VeriSign's recent controversial introduction of "Site Finder" made possible by placing a wildcard name in the root of COM and NET top-level domains? As you are very well aware, this action, now under review by ICANN, has raised a varying range of concerns over the stability of DNS and the Internet.
Paul Vixie: VeriSign's SiteFinder was a political and business decision. That's ICANN's ballpark. OARC is an operations center. We're worried about threats to security and things that impact performance and functionality. I think OARC would have had a minimal role to play during the recent SiteFinder controversy.
CircleID: Given OARC's potentially significant role in enhancing performance, stability, and security of the DNS, what factors will play a key role in ensuring OARC's long-term success?
Paul Vixie: Our long-term success will be determined by how effective we are in solving real problems for people who are operating DNS servers in the real world.
CircleID: And now that OARC has been officially launched, what is its first priority task?
Paul Vixie: Our first priority task is the same priority we've had for the year it has taken to make OARC a reality: making the ISC OARC for DNS a useful, vital operations center that helps improve the security, stability, and performance of the global DNS.