ICANN Email List Archives

[dns-cert-proposal]



Comments on dns-cert-business-case-19mar10-end.pdf

  • To: dns-cert-proposal@xxxxxxxxx
  • Subject: Comments on dns-cert-business-case-19mar10-end.pdf
  • From: "Joe St Sauver" <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Tue, 6 Apr 2010 14:03:15 -0700 (PDT)

I would like to express support for the ICANN DNS-CERT proposal described in 
http://www.icann.org/en/topics/ssr/dns-cert-business-case-19mar10-en.pdf

Many DNS issues are inherently pan-national in nature so they really
aren't a good fit for existing national/regional CERTs, and currently 
most DNS-related security issues are handled via one of a number of
semi-formal or informal mechanisms such as:

-- DNS-OARC (https://www.dns-oarc.net/)

-- The ICANN Security and Stability Advisory Committee

-- Vendor-focussed fora

-- Various open operational or DNS-focussed lists (NANOG, the IETF 
   namedroppers list, etc.)

-- Other closed/private security lists, etc.

The very diversity of fora in which these issues come up is perhaps the
most compelling reason why it would be good to have a single designated
and professionally operated entity that authoritatively "owns" DNS-related 
security issues when they come up -- and they DO come up. Just to mention 
a few examples of incidents where I think it would have been nice to 
have a DNS-CERT available:

-- China's "adjustments" to I-Root data for non-Chinese audiences:
   https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html

-- DNS Changer Malware (e.g., 85.255-related shenanigans)
   http://isc.sans.org/diary.html?storyid=5434

-- The Kaminsky Vulnerability
   http://www.kb.cert.org/vuls/id/800113

-- DNS Amplification Attacks
   http://www.isotf.org/news/DNS-Amplification-Attacks.pdf

and there are many more...

I'd really, really like to see a single entity with a high level of
professional competence available to take the lead on these incidents, 
bringing together the operational community, the standards community, 
security folks, vendors and even international law enforcement when 
cyber crimes (such as denial of service attacks) are involved.

DNS is too important, and too complex, for DNS incident handling to be 
done in a purely informal fashion rather than via a well established 
and recognized professional channel.

I'd also add that not all issues will necessarily be "headline-making"
ones -- sometimes DNS-related stuff is just broken, and it can be 
*phenomenally* hard at times to find the right person to talk to in 
order to correct problems that arise.

For example, shortly after the broadband.gov speed testing site was
widely publicized, it was noticed that broadband.gov had an expired 
DNSSEC signature, which meant that any site that has DNSSEC enabled 
for dot gov couldn't resolve that domain. Normally it would be a 
matter of checking whois for a suitable point of contact, but
of course dot gov whois is intentionally stripped of contact
information in an effort to hinder network mapping and reconnaissance 
efforts. Because of this, even with folks within dot gov working on 
the problem and a fair amount of discussion on NANOG, a very public
mailing list, it still took FAR longer to get this issue fixed than
it should have. I'd hope that if a DNS-CERT was available, routine 
things like issues with DNSSEC signatures for major entities could 
be more expeditiously addressed.

That said, I don't think a DNS-CERT eliminates the need for any of 
the existing fora and organizations, it just complements and 
regularizes incident handling for DNS-related incidents.

I would be happy to discuss or explain these points for ICANN staff
if there are any questions.

Regards,

Joe St Sauver

Disclaimer: all opinions expressed are strictly my own and do not
necessarily reflect the opinion of any other entity or organization.
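The broadband.gov incident described in the message turned on an RRSIG whose expiration time had passed: a validating resolver treats the records covered by such a signature as bogus and answers SERVFAIL, so the zone disappears for exactly the users who validate. The checker below is added here as an illustration; it is not part of the original message and not a tool of ICANN, DNS-OARC or any DNS-CERT. It parses RRSIG records in zone-file presentation format (RFC 4034 section 3.2) and classifies each record's validity window against a supplied clock, flagging signatures that are expired, not yet valid, or close to expiring. The owner names, key tag, dates and signature data in SAMPLE_ZONE are constructed for the example.

```python
"""Classify RRSIG validity windows so expiring signatures are caught before
validating resolvers start failing the zone."""
from datetime import datetime, timedelta, timezone

# Constructed sample records in RRSIG presentation format (RFC 4034 s3.2):
#   owner TTL class RRSIG type-covered algorithm labels original-TTL
#   sig-expiration sig-inception key-tag signer-name signature
# Owner names, key tag, dates and the signature data are assumptions made
# for this example; the signature bytes are placeholders and are never verified.
SAMPLE_ZONE = """\
broadband.gov. 300 IN RRSIG A 7 2 300 20100326120000 20100312120000 12345 broadband.gov. AwEAAcPLACEHOLDER==
broadband.gov. 300 IN RRSIG SOA 7 2 300 20100426120000 20100329120000 12345 broadband.gov. AwEAAdPLACEHOLDER==
www.broadband.gov. 300 IN RRSIG A 7 3 300 20100408120000 20100325120000 12345 broadband.gov. AwEAAePLACEHOLDER==
"""


def parse_rrsig_time(field):
    """RFC 4034 allows either YYYYMMDDHHmmSS in UTC or a plain count of
    seconds since the epoch in the expiration/inception fields."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line):
    """Split one presentation-format RRSIG line into the fields we check."""
    f = line.split()
    if len(f) < 13 or f[3].upper() != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def rrsig_status(rec, now, warn_before=timedelta(days=3)):
    """Classify one RRSIG against a validator's clock.
    RFC 4034 s3.1.5: the signature is usable only while
    inception <= now <= expiration."""
    if now < rec["inception"]:
        return "not-yet-valid"
    if now > rec["expiration"]:
        return "expired"
    if rec["expiration"] - now <= warn_before:
        return "expiring-soon"
    return "ok"


def check_zone(text, now, warn_before=timedelta(days=3)):
    """Return [(owner, type_covered, status)] for every RRSIG in the text;
    blank lines, comments and non-RRSIG records are skipped."""
    results = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue
        if " RRSIG " not in line:
            continue
        rec = parse_rrsig(line)
        results.append((rec["owner"], rec["type_covered"],
                        rrsig_status(rec, now, warn_before)))
    return results


def problems(text, now, warn_before=timedelta(days=3)):
    """Only the records an operator needs to act on."""
    return [r for r in check_zone(text, now, warn_before) if r[2] != "ok"]


if __name__ == "__main__":
    # Run against the real clock; with the constructed 2010 dates every
    # sample signature reports as expired today.
    now = datetime.now(timezone.utc)
    for owner, rtype, status in check_zone(SAMPLE_ZONE, now):
        print("%-16s %s %s" % (status, owner, rtype))
```

Feed it `dig +dnssec` output or a signed zone file and run it from cron with `now` set to the current time; the warning threshold should be longer than the resigning interval plus the zone's longest TTL, so that a stalled signer is noticed while cached copies of the old signatures are still valid.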

