Comments on Global DNS-CERT Business Case
- To: dns-cert-proposal@xxxxxxxxx
- Subject: Comments on Global DNS-CERT Business Case
- From: HiroHOTTA <hotta@xxxxxxxxxx>
- Date: Thu, 25 Mar 2010 20:08:54 +0900
Please find comments to "Global DNS-CERT Business Case" below.
Thank you for giving us this opportunity.
Hiro Hotta, JPRS (.JP ccTLD)
===== comments =====
We appreciate and welcome the opportunity for the community to
consider closely about upgrading DNS-related SSR (security,
stability, and resiliency). We agree to the view in the
proposed document that no highly-established framework excel at
DNS SSR exists, especially response to incidents involving DNS.
We agree that DNS SSR should be enhanced continuously as threat
grows. To that end, we generally agree on the concept of
DNS-CERT, if it refers to a "concept" not to an "organization or
functions within an organization."
Let us comment on some points regarding the implementation of
(1) organizational framework
Currently there exist organizations/teams for security
maintenance such as DNS-OARC and national CERTs. Their
activities are trusted by the community in general, at least to
some extent. So, we think enhancing capabilities of existing
organizations should be considered first, rather than creating
yet another organization. Generally, it's not a good idea to
make information channel structure complex from the viewpoint of
avoiding confusion and cost. In addition, organization too
specialized in DNS cannot play an appropriate role, since
incidents usually result from not a single cause but from
combination of multiple causes. Therefore, cooperated analysis,
discussion, and drafting of organizational framework among
existing organizations including ICANN are highly expected to
come up with a good framework.
(2) operational cost
Efficiency of the structure to maintain DNS SSR should be
pursued, since we believe $4M is a huge amount. Again, this
leads us to the image that DNS-CERT function should be overlaid
onto the existing organizational framework such as current
CERTs. Using domain name registrants' money means taking
responsibility for the security of registrants at the level of
registrants' satisfaction in compensation for their money.
(3) outreach effort
CERT-like frameworks are different country by country, and
organization by organization. In addition, there are various
kinds of players in network operation including DNS operation.
Therefore, outreach is essential for all these players to trust
the framework and implementation of the DNS-CERT concept.
Current proposal document seems to give less focus on resolver
DNS side than authoritative DNS side. There are quite a few
organizations/groups such as *NOGs and local DNS operators
groups that are closely-related to DNS operation. More outreach
effort is expected in the current consulting phase and in the
implementation phase of DNS-CERT concept.