Comments on dns-cert-business-case-19mar10-end.pdf
I would like to express support for the ICANN DNS-CERT proposal described in http://www.icann.org/en/topics/ssr/dns-cert-business-case-19mar10-en.pdf

Many DNS issues are inherently pan-national in nature, so they really aren't a good fit for existing national/regional CERTs, and currently most DNS-related security issues are handled via one of a number of semi-formal or informal mechanisms such as:

-- DNS-OARC (https://www.dns-oarc.net/)
-- The ICANN Security and Stability Advisory Committee
-- Vendor-focussed fora
-- Various open operational or DNS-focussed lists (NANOG, the IETF namedroppers list, etc.)
-- Other closed/private security lists, etc.

The very diversity of fora in which these issues come up is perhaps the most compelling reason why it would be good to have a single designated and professionally operated entity that authoritatively "owns" DNS-related security issues when they come up -- and they DO come up. Just to mention a few examples of incidents where I think it would have been nice to have a DNS-CERT available:

-- China's "adjustments" to I-Root data for non-Chinese audiences: https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html
-- DNS Changer Malware (e.g., 85.255-related shenanigans): http://isc.sans.org/diary.html?storyid=5434
-- The Kaminsky Vulnerability: http://www.kb.cert.org/vuls/id/800113
-- DNS Amplification Attacks: http://www.isotf.org/news/DNS-Amplification-Attacks.pdf

and there are many more...

I'd really, really like to see a single entity with a high level of professional competence available to take the lead on these incidents, bringing together the operational community, the standards community, security folks, vendors and even international law enforcement when cyber crimes (such as denial of service attacks) are involved. DNS is too important, and too complex, for DNS incident handling to be done in a purely informal fashion rather than via a well established and recognized professional channel.
I'd also add that not all issues will necessarily be "headline-making" ones -- sometimes DNS-related stuff is just broken, and it can be *phenomenally* hard at times to find the right person to talk to in order to correct problems that arise.

For example, shortly after the broadband.gov speed testing site was widely publicized, it was noticed that broadband.gov had an expired DNSSEC signature, which meant that any site that has DNSSEC enabled for dot gov couldn't resolve that domain. Normally it would be a matter of checking whois for a suitable point of contact, but of course dot gov whois is intentionally stripped of contact information in an effort to hinder network mapping and reconnaissance efforts. Because of this, even with folks within dot gov working on the problem and a fair amount of discussion on NANOG, a very public mailing list, it still took FAR longer to get this issue fixed than it should have. I'd hope that if a DNS-CERT was available, routine things like issues with DNSSEC signatures for major entities could be more expeditiously addressed.

That said, I don't think a DNS-CERT eliminates the need for any of the existing fora and organizations, it just complements and regularizes incident handling for DNS-related incidents.

I would be happy to discuss or explain these points for ICANN staff if there are any questions.

Regards,

Joe St Sauver

Disclaimer: all opinions expressed are strictly my own and do not necessarily reflect the opinion of any other entity or organization.
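The broadband.gov incident above is the kind of outage a zone operator can catch before validating resolvers start failing: every RRSIG carries an inception and expiration time (RFC 4034 presentation format, YYYYMMDDHHmmSS in UTC or seconds since the epoch), and a routine audit can flag signatures that are expired or close to expiry. The following checker is an added example, not part of the original comment; the zone records in it are constructed and the names, key tags and signatures are illustrative, not real data.

```python
"""Audit RRSIG validity windows in DNSSEC zone data (constructed example)."""
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034 section 3.2):
# <owner> [TTL] [class] RRSIG <type covered> <alg> <labels> <orig TTL>
#   <sig expiration> <sig inception> <key tag> <signer> <signature>

def parse_timestamp(field):
    """Timestamps are either YYYYMMDDHHmmSS (14 digits) or epoch seconds, both UTC."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsig(line):
    """Pull the fields an expiry audit needs out of one RRSIG record line."""
    f = line.split()
    i = f.index("RRSIG")  # TTL and class are optional, so locate the type field
    return {"owner": f[0], "covered": f[i + 1],
            "expiration": parse_timestamp(f[i + 5]),
            "inception": parse_timestamp(f[i + 6]),
            "signer": f[i + 8]}

def check_rrsig(rec, now, warn_days=3):
    """Classify a signature relative to 'now'; anything but OK needs attention."""
    if now < rec["inception"]:
        return "NOT_YET_VALID"   # validators reject it until inception
    if now >= rec["expiration"]:
        return "EXPIRED"         # validators return SERVFAIL for the covered RRset
    if rec["expiration"] - now <= timedelta(days=warn_days):
        return "EXPIRING_SOON"   # re-sign before the window closes
    return "OK"

def audit(zone_text, now, warn_days=3):
    """Return (owner, type covered, status) for every RRSIG in the zone text."""
    results = []
    for line in zone_text.strip().splitlines():
        if "RRSIG" in line.split():
            rec = parse_rrsig(line)
            results.append((rec["owner"], rec["covered"], check_rrsig(rec, now, warn_days)))
    return results

# Constructed sample zone data; names, key tags and signature bytes are illustrative.
SAMPLE_ZONE = """
example.gov. 3600 IN RRSIG A 8 2 3600 20100315120000 20100301120000 12345 example.gov. AbCdEf==
example.gov. 3600 IN RRSIG NS 8 2 3600 20100410120000 20100327120000 12345 example.gov. GhIjKl==
www.example.gov. 3600 IN RRSIG A 8 3 3600 20100401000000 20100318000000 12345 example.gov. MnOpQr==
"""

if __name__ == "__main__":
    now = parse_timestamp("20100329120000")  # hypothetical audit time
    for owner, covered, status in audit(SAMPLE_ZONE, now):
        print(f"{owner:20} {covered:4} {status}")
```

Run against a real signed zone (for example the output of a zone transfer or a `dig +dnssec` query), the same check turns an expired-signature outage into an alert a few days ahead of it.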