<<<
Chronological Index
>>> <<<
Thread Index
>>>
DNS-CERT Operational Requirements & Collaboration Analysis Workshop - Comment
- To: <dns-collab-analysis@xxxxxxxxx>
- Subject: DNS-CERT Operational Requirements & Collaboration Analysis Workshop - Comment
- From: "Bob Hutchinson" <bob@xxxxxxxx>
- Date: Fri, 2 Jul 2010 14:39:12 -0700
Dear ICANN DNS SSAC community,
I have read the DNS-CERT Operational Requirements and Collaboration Analysis
<http://www.icann.org/en/topics/ssr/dns-cert-collaboration-analysis-24may10-
en.pdf> Workshop report and wish to respectfully submit these comments
regarding the report for the benefit of the ICANN community.
The primary stakeholders in DNS Security and Stability are; ICANN/IANA Root
operations, Registries, Registrars, Registrants, ISPs and consumers. The
workshop team lacked ISPs, which would have brought to the discussion a
broader and more balanced perspective of DNS security and stability gleaned
from the real-world experience of day-to-day DNS resolver operations.
Over the next two years, DNS will undergo significant changes with the
introduction new gTLDs, IDNs, IPv6 and DNSSEC.
At ICANN 38 DNS Vulnerabilities and Risk Management: A Discussion with the
<http://brussels38.icann.org/meetings/brussels2010/transcript-dns-vulnerabil
ities-_21jun10-en.txt> Experts [Crocker, Diffie, Kaminsky et al] pointed
out; the accelerating speed of threat innovation cannot be held in check
with manual twenty-year old technology. We need new thinking, solid
long-term fixes to known attack vectors and effective response to
newly-discovered/emerging threats.
DNS Security and Stability must be defined with a set of measurable metrics.
Anecdotal scenario-based study, as was done in this workshop, is useful in
qualitative understanding of the potential failures of DNS - but does not
yield the quantitative data needed to prioritize a counter-attack. For
example, several of the scenarios examined are not related to DNS security
or stability [malware distribution and containing Conficker]- but instead
are based upon using DNS as a policing mechanism to thwart internet
bad-actors. If DNS Security and Stability were defined in measureable
metrics - like Name-Resolution-Error-Rate[ the % of invalid domain-name to
IP resolutions received by a client] the severity of different scenarios
could be measured using the accepted DNS S&S metrics.
I support ICANN pursuing the development of CERT capabilities in conjunction
within DNS-OARC with the following objectives:
1) instrument DNS to record real-time metrics which reflect an
accurate picture of the health of the DNS system.
2) document the current support channels for each primary
stake-holder group.
3) organize the trusted contacts in each stakeholder group.
4) organize the "interested-parties" contacts in each stakeholder
group.
These measures will help ensure DNS remains healthy through the challenges
of introducing new gTLDs, IDNs, IPv6 and DNSSEC.
Best Regards,
Robert C. Hutchinson
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|