RE: [dssa] what topics are in-scope, and why

[Greg Aaron <gaaron@xxxxxxxxxxxx>]

Dear SM:

Thanks.  Here is why those two items seem in-scope to me.

As you say, it is not ICANN's role to fix protocols.  However, we are
chartered to point out relevant problems.  Flaws in the DNS protocol are by
definition intrinsic to the DNS itself.  For example, the Kaminsky Bug
allowed attackers to perform cache poisoning on most nameservers.   A bug
like that offers a widespread exploit of the DNS.

Regarding alternate roots: a fractured DNS means that the resolvability and
predictability we currently enjoy would go away.  Queries to a domain name
could go to two or more registries each claiming to be authoritative for
that name, etc.  ICANN's core mission is about the uniqueness of identifiers
at the root and TLD levels, and maintaining it.  (See also: fast-track IDN
TLDs, and the nTLD program.)  So challenges posed to a unified root are in
scope to discuss.

Are you swayed, or can you tell us more about your thinking?

All best,
--Greg



-----Original Message-----
From: SM [mailto:sm@xxxxxxxxxxx]
Sent: Thursday, September 08, 2011 12:21 PM
To: Greg Aaron
Cc: dssa@xxxxxxxxx
Subject: Re: [dssa] what topics are in-scope, and why

On 9/5/2011 6:52 PM, Greg Aaron wrote:
> We have a large list of problems/threats on the mind map.  Our Charter
> provides some guidance that can help us decide which topics are and are
> not
> relevant, or how.  We must have a common grasp of the differences, and be
> able to articulate it outside the WG.

[snip]

> In other words:  we are not to look at every threat having to do with or
> talking place via the DNS, or that impacts some party using the DNS.   We
> are concerned with “the” DNS, i.e. threats to the system itself, and
> relevant to ICANN’s role.

[snip]

> I suggest that the following kinds of topics do not qualify.  They are not
> issues at the root and top level domains within the framework of ICANN’s
> coordinating role.  Instead they are issues that affect individual
> second-or-third-level domain names, affect parties that are not critical
> to
> root or TLD operations,  do not threaten widespread DNS disruptions or
> subversions, etc.
>
> •             domain hijacking
>
> •             cybersquatting
>
> •             phishing, spam, malware, and other malicious uses of domain
> names.  (See the RAPWG report.)
>
> •             IDN homographic attacks (this is phishing)
>
> •             Operating system vulnerabilities in general
>
> •             registrar service disruption (may affect many domains or
> hardly any depending upon which registrar it is.  gTLD registrars don’t
> have
> availability/uptime SLAs like registries do. If registrar downtime was a
> threat to the DNS, then registrars would presumably have SLAs.  Instead,
> registrars have escrow requirements, in case of failure or contract
> breach/deaccreditation.)
>
> •             protocol layers below the DNS

Yes.

> These kinds of problems seem relevant to me, among others:
>
> •             flaws in the DNS protocol itself (e.g. the Kaminsky bug)

This group is not chartered to fix the DNS protocol.  It could
contribute in term of coordination for the non-technical aspect.

> •             Alternate roots

It would be better to consider that as out of scope.

Regards,
-sm