ICANN Email List Archives

[dns-cert-proposal]



Global DNS-CERT Business Case

  • To: <dns-cert-proposal@xxxxxxxxx>
  • Subject: Global DNS-CERT Business Case
  • From: "Bob Hutchinson" <bob@xxxxxxxx>
  • Date: Wed, 14 Apr 2010 16:01:17 -0700

Comment on the Global DNS-CERT Business Case proposal

Dear ICANN,

At the ICANN meeting in Nairobi, a proposal to create a global DNS-CERT
touched off many discussions about the future of Domain Name System (DNS)
security. If the DNS-CERT proposal accomplished nothing other than to
jump-start this important dialog, it will have served a useful purpose. But
while the ensuing debate has reinforced the need for broader engagement on
DNS security, it also highlighted some serious concerns with the DNS-CERT
proposal ICANN is currently considering. Rather than move forward with that
flawed model, ICANN should expand the conversation it started with the goal
of developing a consensus approach to address the very real concerns of DNS
security.

There is no question that DNS security and stability should be one of
ICANN's foremost concerns. Without system integrity, all other issues
related to DNS management are moot. That ICANN has moved these issues
increasingly to the forefront is an encouraging and welcome development.

Some members of the community criticized ICANN President Rod Beckstrom's
stark commentary about the mounting threats facing the DNS, but ICANN has a
contractual responsibility to address issues that threaten the security and
stability of the DNS. Indeed, the global conversation spurred by Mr.
Beckstrom's remarks serves to illustrate the value of ICANN's engagement on
this issue.

That ICANN has a critical role to play, as evangelist and convener on
matters related to DNS security, should not be in dispute. As Joe St Sauver
commented, many different DNS system vulnerabilities are currently exploited
to compromise DNS system integrity. Each level of the DNS system [root, ANS,
resolver, host] has its own support mechanism. Existing DNS support channels
are built upon network market needs, mutual trust and shared expertise.
Those channels have served the internet community well.

While it is clear that the global DNS community could benefit from increased
support on security matters, it is unclear whether a new CERT - whether
autonomous or housed within ICANN - is the right vehicle to provide that
support.

As I said in my comments before the ICANN Board of Directors in Nairobi,
establishing a unified CERT for the DNS System - which is comprised of more
than 3 million servers operated in many different configurations and
languages - is a daunting prospect. Before the community undertakes such a
serious challenge, it must make sure that a new DNS-CERT would be not only
valuable, but also necessary.

Today, I believe existing CERTs are better suited to economically addressing
the issues raised in Nairobi. ICANN's focus should not be oriented toward
operating and managing the day-to-day DNS infrastructure security, but
should focus on sponsoring SSAC fellowships and long-term research designed
to measure, model and thwart interference with DNS.

If the community determines that a new CERT is needed, there would remain
serious questions both about whether it would be appropriate to house such a
function within a management body like ICANN and about whether ICANN is the
organization most technically suited to operating that function.

Ultimately, the central problem with the DNS-CERT white paper may be that it
moved too abruptly from framing a serious, far-reaching problem to proposing
a single solution. The issues raised in the DNS-CERT white paper suggest a
wide range of solutions, each with its own drawbacks and advantages. Rather
than trying to alter the DNS-CERT proposal, it would be better for ICANN to
expand the important discussions begun in Nairobi to consider a wider range
of issues and solution sets.

Best Regards,

Bob Hutchinson
Product Architect
Dynamic Ventures


