DNS-Community Emergency Response Team, or CERT


In my blog last week, I gave you some of my initial impressions of the 37th ICANN meeting held in Nairobi, Kenya. More to the point, I wrote about how ICANN’s CEO, Rod Beckstrom, managed to raise quite a few eyebrows with some of the comments he made at the meeting.

This week, I’d like to talk about some specific comments he made around the security of the DNS. As I stated last week, DNS security, stability and resiliency (SSR) is a core part of my business – it’s what CIRA and the other ccTLDs do and is one of our top priorities. At a meeting of the Governmental Advisory Committee, Beckstrom stated that the DNS is fragile and vulnerable and subject to more attacks than ever before. He also said the DNS “can stop any time”, therefore we have to make a greater effort to protect it. This effort, he argued, should be concentrated on supporting ICANN’s business case to create a DNS-Community Emergency Response Team (CERT), open for comment until April 14, 2010.

Most folks in the room who actually manage DNS on a day-to-day basis were quite surprised by the tone and the way this was brought to the community’s attention. Many people in the room felt that Beckstrom was speaking out of turn and disregarding the work the community is already undertaking to ensure the stability and the security of the DNS. His comments sparked a swift response from the Country Code Names Supporting Organization (ccNSO), an organization within the ICANN structure of which CIRA is a member. The ccNSO pointed out that Beckstrom is straying from ICANN’s bottom-up, consensus-based multi-stakeholder model. Some have even expressed the opinion that Beckstrom might be fear mongering, perhaps hoping to gain support for the DNS-CERT business case.

A CERT is not a unique idea; many exist around the world and fulfill a number of different functions. There are lots of bodies in many countries that currently handle CERT functions for the Internet, each in a very localized manner.

Basically, those of us in the DNS business are all for whatever maintains, or improves, the security and stability of the DNS. But before we all run off and develop a whole new structure/bureaucracy, let’s make sure we clearly understand what the gaps are, if any, in the numerous CERTs and security structures that already exist, before ICANN adds another $5M~ of (unfunded) expenses to its already large budget.

In a recent blog post, Paul Vixie called upon all of the stakeholders in Internet governance to support DNS-OARC Inc. in furthering the development of a global DNS-CERT. I tend to agree with Vixie, and I believe DNS-OARC is better positioned than ICANN to provide CERT functions, as outlined in Vixie’s blog post.

The fact is the Internet itself was built from many localized networks coming together to create one international network. The overlap and redundancy inherent in this type of organic growth is what enabled the Internet to be the robust entity it is today. I’ve said it before: the Internet is, by its very nature, generative, creative, and organic. This is one of the reasons I believe a more effective approach to the development of a DNS-CERT would involve spending time and effort looking at what already exists. If gaps exist they can be identified and plugged.

What the Internet does not need, in my opinion, is a top-down bureaucratic approach to anything. These approaches simply do not work for the Internet; they do not respect the very ‘spirit’ of the Internet. And I do not think ICANN should be imposing a solution on its stakeholders that we will all end up having to pay for, without adequately examining existing and possibly better suited DNS-CERT options.

Do you agree?

While at the meeting in Nairobi, Kathryn Reynolds, Legal and Policy Council at CIRA, took some pictures. We’ve posted them to our Picasa page. Enjoy!
