Comments on dns-cert-business-case-19mar10-end.pdf
- To: dns-cert-proposal@xxxxxxxxx
- Subject: Comments on dns-cert-business-case-19mar10-end.pdf
- From: "Joe St Sauver" <joe@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 6 Apr 2010 14:03:15 -0700 (PDT)
I would like to express support for the ICANN DNS-CERT proposal described in
Many DNS issues are inherently pan-national in nature so they really
aren't a good fit for existing national/regional CERTs, and currently
most DNS-related security issues are handled via one of a number of
semi-formal or informal mechanisms such as:
-- DNS-OARC (https://www.dns-oarc.net/)
-- The ICANN Security and Stability Advisory Committee
-- Vendor-focussed fora
-- Various open operational or DNS-focussed lists (NANOG, the IETF
namedroppers list, etc.)
-- Other closed/private security lists, etc.
The very diversity of fora in which these issues come up is perhaps the
most compelling reason why it would be good to have a single designated
and professionally operated entity that authoritatively "owns" DNS-related
security issues when they come up -- and they DO come up. Just to mention
a few examples of incidents where I think it would have been nice to
have a DNS-CERT available:
-- China's "adjustments" to I-Root data for non-Chinese audiences:
-- DNS Changer Malware (e.g., 85.255-related shenanigans)
-- The Kaminsky Vulnerability
-- DNS Amplification Attacks
and there are many more...
I'd really, really like to see a single entity with a high level of
professional competence available to take the lead on these incidents,
bringing together the operational community, the standards community,
security folks, vendors and even international law enforcement when
cyber crimes (such as denial of service attacks) are involved.
DNS is too important, and too complex, for DNS incident handling to be
done in a purely informal fashion rather than via a well established
and recognized professional channel.
I'd also add that not all issues will necessarily be "headline-making"
ones -- sometimes DNS-related stuff is just broken, and it can be
*phenomenally* hard at times to find the right person to talk to in
order to correct problems that arise.
For example, shortly after the broadband.gov speed testing site was
widely publicized, it was noticed that broadband.gov had an expired
DNSSEC signature, which meant that any site that has DNSSEC enabled
for dot gov couldn't resolve that domain. Normally it would be a
matter of checking whois for a suitable point of contact, but
of course dot gov whois is intentionally stripped of contact
information in an effort to hinder network mapping and reconnaissance
efforts. Because of this, even with folks within dot gov working on
the problem and a fair amount of discussion on NANOG, a very public
mailing list, it still took FAR longer to get this issue fixed than
it should have. I'd hope that if a DNS-CERT was available, routine
things like issues with DNSSEC signatures for major entities could
be more expeditiously addressed.
That said, I don't think a DNS-CERT eliminates the need for any of
the existing fora and organizations, it just complements and
regularizes incident handling for DNS-related incidents.
I would be happy to discuss or explain these points for ICANN staff
if there are any questions.
Joe St Sauver
Disclaimer: all opinions expressed are strictly my own and do not
necessarily reflect the opinion of any other entity or organization.