ICANN Email List Archives

[dns-cert-proposal]



Comments on Global DNS-CERT Business Case

  • To: dns-cert-proposal@xxxxxxxxx
  • Subject: Comments on Global DNS-CERT Business Case
  • From: HiroHOTTA <hotta@xxxxxxxxxx>
  • Date: Thu, 25 Mar 2010 20:08:54 +0900

Please find comments to "Global DNS-CERT Business Case" below.
Thank you for giving us this opportunity.

Hiro Hotta, JPRS (.JP ccTLD)


===== comments =====

We appreciate and welcome the opportunity for the community to 
consider closely the upgrading of DNS-related SSR (security, 
stability, and resiliency).  We agree with the view in the 
proposed document that no highly established framework that excels at 
DNS SSR exists, especially for response to incidents involving DNS.  
We agree that DNS SSR should be enhanced continuously as the threat 
grows.  To that end, we generally agree on the concept of 
DNS-CERT, if it refers to a "concept", not to an "organization or 
functions within an organization."

Let us comment on some points regarding the implementation of 
the DNS-CERT concept.

(1) organizational framework

Currently there exist organizations/teams for security 
maintenance such as DNS-OARC and national CERTs.  Their 
activities are trusted by the community in general, at least to 
some extent.  So, we think enhancing the capabilities of existing 
organizations should be considered first, rather than creating 
yet another organization.  Generally, it's not a good idea to 
make the information channel structure complex, from the viewpoint of 
avoiding confusion and cost.  In addition, an organization too 
specialized in DNS cannot play an appropriate role, since 
incidents usually result not from a single cause but from 
a combination of multiple causes.  Therefore, cooperative analysis, 
discussion, and drafting of an organizational framework among 
existing organizations including ICANN are highly expected to 
come up with a good framework.

(2) operational cost

Efficiency of the structure to maintain DNS SSR should be 
pursued, since we believe $4M is a huge amount.  Again, this 
leads us to the image that the DNS-CERT function should be overlaid 
onto the existing organizational framework such as current 
CERTs.  Using domain name registrants' money means taking 
responsibility for the security of registrants at the level of 
registrants' satisfaction in compensation for their money.

(3) outreach effort

CERT-like frameworks are different country by country, and 
organization by organization. In addition, there are various 
kinds of players in network operation including DNS operation.  
Therefore, outreach is essential for all these players to trust 
the framework and implementation of the DNS-CERT concept.
The current proposal document seems to give less focus to the resolver 
DNS side than to the authoritative DNS side.  There are quite a few 
organizations/groups such as *NOGs and local DNS operators 
groups that are closely related to DNS operation.  More outreach 
effort is expected in the current consulting phase and in the 
implementation phase of the DNS-CERT concept.

=====
