Perspectives on a DNS-CERT
This week at the ICANN meeting in Nairobi, a plan was announced by ICANN staff to create a "CERT" for DNS. That's a Community Emergency Response Team (CERT) for the global Domain Name System (DNS). There are all kinds of CERTs in the world today, both inside and outside the Internet industry. There isn't one for DNS, and that's basically my fault, and so I have been following the developments in Nairobi this week very closely.
As the original founder of DNS-OARC (that's the Operations, Analysis, and Research Center for DNS, on the web at WWW.DNS-OARC.NET), I've fielded a lot of questions from folks asking me what I think about all this. (See related CircleID interview). The original DNS-OARC plan (written in 2002 or so) called for a 24x7 monitoring and response and coordination function very similar to what's now being proposed by ICANN. Everybody I talked to in 2002 understood the need for this, based on the excellent track record of US-CERT and JP-CERT and even the IT-ISAC. We knew it had to be done by the DNS industry itself, rather than added to the remit of some existing government-supported CERT or ISAC.
Somewhere along the way we got distracted. Or to more accurately place the blame, I got distracted. DNS-OARC was a huge undertaking, and one that I significantly underestimated. ISC started DNS-OARC using NSF research money, and I think NSF was happy with our results -- but producing those results used up a lot of ISC's management bandwidth. DNS-OARC has received unprecedented participation and support from members of the DNS industry, who had never done anything quite like this -- but the cycle time for bringing in new members was six to 18 months rather than the six to 18 weeks I planned on. Much has been achieved, but building the data and resources needed to develop OARC's necessary "critical mass" was something that ISC had to rely on partners and members for, and those folks have busy lives and long to-do lists even without this kind of stuff.
Eight years on, ISC has successfully spun DNS-OARC out as a separate non-profit corporation with its own board of directors. DNS-OARC has some fifty (50) members, comprising an unprecedented community of the key technical people from major DNS TLD registries, root operators, vendors and service providers. It has created a set of tools, experience and infrastructure vital for monitoring and analyzing the health of the DNS, and has accumulated an unparalleled set of DNS data captured from the live Internet.
But all this took years longer than I expected, and may have been a more dramatic time investment than DNS-OARC's elected trustees were expecting.
So the reason there is nothing like a "DNS CERT" in the world today is that I, as the founder of DNS-OARC, said that DNS-OARC would handle it, and then I didn't follow through. I plead ignorance and ambition -- we got a lot of other great stuff done, including the existence and independence of DNS-OARC itself, so I'm not exactly weeping with guilt. But, when Rod Beckstrom (President of ICANN) got up at the microphone in Nairobi and said, the world needs something like this, and if nobody else is going to build it, he would, I thought, he's absolutely right, it's still 2002 in here, and it's time we -- the DNS industry -- got this done. We need a 24x7 monitoring and response and coordination function, with full time analysts looking at real time DNS events and participating in a global mesh of DNS NOCs.
Beckstrom's vision that some $4.5M is needed to get DNS-CERT properly off the ground is to be commended, and is one familiar to us at DNS-OARC, where our reach has regularly exceeded our grasp. But we've also learned some lessons over the years, not least that the DNS community guards its autonomy fiercely, and will react adversely to anything that smacks to them of unilaterally imposed central control. Something like a DNS-CERT can only be done at the grass roots level, which is both a constraint and a boon. This explains some of what we've been hearing in the hallways at how, despite its merits, there is some disquiet about the way the DNS-CERT proposal was presented. It is exactly why we went for an autonomous, neutral, membership governance model for DNS-OARC. We have to work cooperatively to ensure that DNS remains 100% available to serve as the Internet's map.
I call upon the world's governments, and upon the GTLD and CCTLD operators, and upon ICANN itself as well as other Internet governance organizations including CENTR, to support DNS-OARC Inc. in finishing what I started; and I call upon DNS-OARC Inc.'s trustees and members to use ICANN's excellent "gap analysis" for the "DNS-CERT" as the starting point to make this happen.
So, the next phone call all of those folks get may be from me, making this appeal personally. Let's make 2010 the year we (all) finally get this done.
Note (23 Mar 2010): There is also a blog thread on the circleid.com web site relating to this article.
- BIND 10
- Other Software Projects
- security advisories
- software forums
- ABOUT ISC