Summary & Analysis of Comments [updated]
- To: "dns-collab-analysis@xxxxxxxxx" <dns-collab-analysis@xxxxxxxxx>
- Subject: Summary & Analysis of Comments [updated]
- From: Marc Salvatierra <marc.salvatierra@xxxxxxxxx>
- Date: Mon, 12 Jul 2010 14:36:46 -0700
Summary & Analysis of Comments [updated]
Submitted by ICANN staff on behalf of Patrick L. Jones, Senior Manager,
Continuity & Risk Management, ICANN
----------
The Summary & Analysis of Comments on the DNS-CERT Operational Requirements &
Collaboration Analysis is being updated to include comments submitted by the
gTLD Registries Stakeholder Group (RySG) as a supermajority statement from the
stakeholder group on 8 July 2010. The RySG noted during the ICANN Brussels
meeting that it would be submitting comments on the DNS-CERT Operational
Requirements & Collaboration Analysis comment period. For completeness and
transparency, these comments are being included.
----------
Summary & Analysis of Comments for:
DNS-CERT Operational Requirements & Collaboration Analysis
The comment period ran from 24 May to 2 July 2010. Two comments were received,
and an additional comment was received from the gTLD Registries Stakeholder
Group on 8 July and included for completeness and transparency. All comments
can be viewed at
http://forum.icann.org/lists/dns-collab-analysis/.
Summary: Bob Hutchinson provided lengthy comments, noting that DNS security and
stability must be defined with a set of measurable metrics, and that he
supported ICANN pursuing development of CERT capabilities in conjunction with
DNS-OARC. Tadeusz Golonka noted that ICANN should not spend money in its 2011
Budget to create a "cybercrime emergency unit, DNS CERT." The gTLD Registries
Stakeholder Group (RySG) congratulated ICANN for highlighting DNS stability and
security to the Internet and DNS security communities as important issues, and
noted developments at the ICANN Brussels meeting. The RySG also indicated
several key steps that the Internet community should take before a DNS-CERT is
contemplated.
Analysis:
Bob Hutchinson noted that the April 2010 DNS-CERT Operational Requirements &
Collaboration Analysis Workshop lacked representation from Internet Service
Providers, "which would have brought to the discussion
a broader and more balanced perspective of DNS security and stability gleaned
from the real-world experience of day-to-day DNS resolver operations."
Hutchinson stated that DNS security and stability must be defined with a set of
measurable metrics, such as "Name-Resolution-Error-Rate [the % of invalid
domain-name to IP resolutions received by a client]." He indicated that "Anecdotal
scenario-based study, as was done in this workshop, is useful in qualitative
understanding of the potential failures of DNS - but does not yield the
quantitative data needed to prioritize a counter-attack. For example, several
of the scenarios examined are not related to DNS security or stability [malware
distribution and containing Conficker]- but instead are based upon using DNS as
a policing mechanism to thwart Internet bad-actors."
Hutchinson also noted that he supported "ICANN pursuing the development of CERT
capabilities in conjunction within DNS-OARC with the following objectives:
1) instrument DNS to record real-time metrics which reflect an accurate picture
of the health of the DNS system.
2) document the current support channels for each primary stake-holder group.
3) organize the trusted contacts in each stakeholder group.
4) organize the "interested-parties" contacts in each stakeholder group.
These measures will help ensure DNS remains healthy through the challenges of
introducing new gTLDs, IDNs, IPv6 and DNSSEC."
Tadeusz Golonka of BPD.pl noted that "I am concerned to hear that ICANN's 2011
Budget could create a new cybercrime emergency unit, DNS CERT. I am proud of
what the special Polish cybercrime police has accomplished in Poland over the last
few years. These investigators move instantly to track down originators of
fraud and cyber-attacks.
But now I am very worried if ICANN is going to get into the business of
investigating cyber attacks. You should not try to put ICANN between victims
and investigators. Let the victims go directly to our Polish special police
without delay. Do not spend money for these activities with that ICANN's 2011
Budget."
As noted in the FY2011 Operating Plan & Budget, and in sessions during the
ICANN meeting in Brussels, ICANN has not provided funding for a DNS-CERT. The
DNS-CERT Business Case was published in February 2010 for community comment,
and based on input received, ICANN staff is engaged in collaborative
discussions with the DNS community to develop a deeper understanding of
systematic risks and threats to the DNS before a collaborative response
capability is developed.
The RySG congratulated ICANN for highlighting DNS stability and security to the
Internet and DNS security communities as important issues, and noted
developments at the ICANN Brussels meeting, where:
* ICANN Staff indicated that ICANN is not interested in operating the DNS-CERT,
* ICANN reiterated that it has not allocated any funds for the DNS-CERT in the
FY2011 budget, and
* Important discussions are now taking place about how an industry-led DNS-CERT
(or CERTs) for Internet and DNS security might be created in and with the
broader Internet community.
The RySG also cited the Birds of a Feather session (BOF) in Brussels as "a
useful step for building and furthering communication, outreach and work" on
DNS stability and security (Note - the BOF session was community-led and not
organized by ICANN staff).
The RySG also noted that "the Internet community needs to take a number of key
steps as an industry-led DNS-CERT or (CERTs) is contemplated:
* There need to be clear statements and substantiation regarding what problems
need to be solved. There is currently no agreement or documentation regarding
the threats to DNS security that a DNS-CERT would be established to address.
* There needs to be a proper scoping of the Internet and DNS security problems
and their potential solutions. The ICANN DNS-CERT Business Case's scope and
mission was unclear and overly broad. It also remains unclear whether and how
security needs are already covered by existing entities, how and where any
unfulfilled needs should be filled, and what ICANN's role should be versus
industry-led organizations that already exist for response operations.
* There is the problem of buy-in and trust from the various stakeholders that
own and operate relevant resources across the DNS and Internet.
* A full and balanced gap analysis should be performed, to help understand not
only the operational work performed by existing institutions, but also their
scope and mission."
The RySG noted that "these fundamental scope and mission issues must be better
understood before operational requirements and gap analyses for a DNS-CERT can
be finalized. The DNS-CERT workshop, to which these particular comments are
directed, did not address these pre-requisite issues, and while some of the
discussions in the workshop were helpful, the exercise was premature in some
ways."
Next Steps:
ICANN staff recognize that the community prefers that ICANN not be the operator of
a DNS-CERT, and the community may prefer other structures. ICANN seeks to
engage with proposals that another body be considered if funding and
appropriate guidelines can be developed. The principal role of ICANN going
forward is to work with others to facilitate the broad-based community
discussion on the requirement for and best approaches to establishing necessary
capabilities. ICANN staff will work with the Board and ICANN community to
establish the approach to most effectively play its facilitating role.
ICANN staff conducted several sessions in Brussels on DNS Security and the
Strategic Initiatives for a DNS Risk Assessment and DNS-CERT. Community
representatives also met in a "birds of a feather" discussion to consider
approaches for a collaborative response capability. The ccNSO, GNSO, SSAC and
ALAC supported the creation of a cross-constituency working group on ICANN's
Security Strategic Initiatives.
During the ICANN Brussels meeting, the Governmental Advisory Committee (GAC)
noted "the GAC supports the ccNSO's decision to work jointly with the GNSO,
SSAC and ALAC to draft a charter for a potential cross-constituency WG to
consider further ICANN's proposals regarding the security and stability of the
DNS. The GAC notes that these issues are of significant public policy interest
and indicates its willingness to collaborate with other parts of the ICANN
community on this important issue." See Brussels Communique at
http://gac.icann.org/system/files/Brussels-communique.pdf.
As suggested by the RySG, ICANN staff is working to compile clear statements
and substantiation regarding threats to DNS security that a DNS-CERT would be
established to address. As noted in the Security Strategic Initiatives paper
published in February 2010, ICANN encourages interested experts and
stakeholders to participate in gap analysis and DNS Risk Assessment, to help
understand not only the operational work performed by existing institutions,
but also their scope and mission.
Commenters:
Bob Hutchinson - http://forum.icann.org/lists/dns-collab-analysis/msg00002.html
Tadeusz Golonka - http://forum.icann.org/lists/dns-collab-analysis/msg00003.html
gTLD Registries Stakeholder Group -
http://forum.icann.org/lists/dns-collab-analysis/msg00005.html
--
Patrick
--
Patrick L. Jones
Senior Manager, Continuity & Risk Management
Internet Corporation for Assigned Names & Numbers
1101 New York Avenue, NW, Suite 930
Washington, DC 20005
Tel: +1 202 570 7115
patrick.jones@xxxxxxxxx
patrickjones.tel