At Large Briefing on FY 11 SSR Plan - Q & A

[Patrick Jones <patrick.jones@xxxxxxxxx>]

At Large Briefing on FY 11 SSR Plan - 18 October 2010
Questions from the Adobe Connect Chat & Responses from Staff
26 Oct 2010

During the briefing with At Large on the FY 11 SSR Plan, I indicated that I 
would try to answer questions raised in the Adobe Connect chat and responses 
would be posted on the comment forum for the FY 11 SSR Plan. The questions 
received are below:

Sivasubramanian Muthusamy: Q: What are the targets for the DNSSEC program? Root 
Servers + Registry Servers ? Also National Internet Exchanges ? What else?

Response: DNSSEC for the root zone is a joint effort between ICANN and 
VeriSign, with support from the U.S. Department of Commerce. Final deployment 
of DNSSEC has been completed in the root zone, meaning, all root server 
operators are serving the production signed root zone). ICANN is supporting 
efforts by all registry operators to sign TLD zones, and efforts to extend the 
chain of trust through to registrars. Information on DNSSEC for the root zone 
is available at http://www.root-dnssec.org/. In addition, DNSSEC is a 
requirement for delegation in the draft Applicant Guidebook for the new gTLD 
process.

Sivasubramanian Muthusamy: DNSSEC program appears to have made a good 
beginning, but isn't there a long way to go before it becomes a thorough 
exercise? For Network Security measures to be thorough, there shouldn't be any 
weak links left. DNSSEC in the root might involve implementing DNSSEC in ALL 
the mirrors and redundant servers of the root. The program has to be implmented 
in EVERY Registry's Servers, in the servers of Registry Service Providers, in 
gTLDs and ccTLDs, then move on to include ISP's servers and their Cache servers 
which are the ones closer to the user. Some of these 'targets' -if all of
them are targets- are considered beyond ICANN's zone of influence, but 
nevertheless this has to be a complete exercise. Has the Security and Stability 
program looked at all targets and is there a plan to make this an all inclusive 
exercise?

Response: Implementation of DNSSEC in the root zone was a major step, involving 
substantial work from the technical community, VeriSign & the U.S. Department 
of Commerce. There is more work to be done, and ICANN staff (particularly 
ICANN's DNS Operations team, http://dns.icann.org/ksk/) will be working to 
educate, provide support and facilitate the adoption of DNSSEC across the 
spectrum by registries, registrars, and end users. While particular targets for 
DNSSEC adoption have not been set in the FY 11 SSR Plan, that is a suggestion 
that can be made in ICANN's upcoming 2011-2014 Strategic Plan and the FY 12 
Operating Plan cycle. You correctly note that some of these targets may be 
beyond ICANN's relationships with registries and registrars, but ICANN intends 
to conduct outreach to promote DNSSEC adoption by the broader community.

Eric Brunner-Williams: if there is a conficker variant off of last year's .c 
variant (used the dns for rendevouz points), letting last years -dns list know 
is an option. a lot of the -dns people dropped off, so jc [John Crain] may need 
to do something more than just pick up the phone.

Response: A table showing Conficker variants is included in the Conficker 
Summary & Analysis, which was published on 7 May 2010 
(http://www.icann.org/en/security/conficker-summary-review-07may10-en.pdf). 
There are not just Conficker variants but also other malware that uses the same 
domain name generation idea. John Crain is leading ICANN's participation in the 
Conficker Working Group, and the working group is supposed to be discussing 
goals for 2011. Staff agrees that picking up the phone won't be enough, and 
further discussions with the working group and TLD operators will continue on 
best mechanisms for dealing with Conficker.

Dev Anand Teelucksingh: Just a thought : Regarding ICANN Contractural 
Compliance, previous briefings from Contractural Compliance at ICANN meetings 
that Contractural Compliance appears to be understaffed to adequately perform 
compliance of the 20+ gTLD registries and the 900+ registrars of gTLDs. How/Can 
the Contractural Complance Dept. be able to implement the increased scope of 
compilance activities due to the SSR plan?

Response: ICANN is currently seeking interested candidates for several 
positions on the Contractual Compliance team. You raise a good point about 
Compliance and this is a focus area for ICANN. Compliance will be working 
collaboratively with the law enforcement community and Internet community as a 
whole to identify contracted parties that may be engaged in malicious activity.
--

--
Patrick L. Jones
Senior Manager, Continuity & Risk Management
Internet Corporation for Assigned Names & Numbers
1101 New York Avenue, NW, Suite 930
Washington, DC 20005
patrick.jones@xxxxxxxxx