Trade Law Daily is a service of Warren Communications News.
Urgency ‘Exaggerated’

Proposal for Computer Emergency Response Team for Domain Name System Said Unjustified

An ICANN proposal for a domain name system computer emergency response team got a thumbs-down from most sectors of its community. In responses to a consultation that ended Wednesday, generic top-level domain (gTLD) registries, country-code top-level domain (ccTLD) managers, business interests and others branded the plan premature, overreaching, expensive and unnecessary. The strongest support came from two national CERTs.

ICANN envisages the DNS-CERT as a body “devoted to both proactive and reactive measures related to DNS security, stability and resiliency” that would reduce the impact of future attacks against or failures of the system, its discussion paper said. Although existing organizations and activities already deal with those issues, there should be a dedicated staff to orchestrate them and to handle services and stakeholder needs not being addressed now, it said. The entity “may be launched with ICANN support” but its structure should allow it to operate as a free-standing organization based on a community dialogue about the best approach, it said. An effective DNS-CERT will cost around $4.2 million annually, it said.

There’s no consensus on the definition of the problem, its dimension or the actors involved, said Bertrand de La Chapelle, French Ministry of Foreign and European Affairs special envoy for the information society. ICANN must avoid confusion between global and local security issues related to DNS infrastructure, distinguish between preparedness and reaction measures, and identify the gap between what already exists and what’s needed, he said.

France joined ICANN’s Generic Names Supporting Organization, country-code Names Supporting Organization (ccNSO) and At-Large Advisory Committee in calling for a joint working group to provide input on the broad concept of a DNS-CERT, current work being done to mitigate DNS-related threats, the actual level and severity of the threats and gaps in current responses to DNS issues. ICANN’s role in all this “remains unclear,” the ICANN organizations said.

Registries also panned the idea. NeuStar, which manages .us and .biz, said the proposals “overreach” and are based on assumptions not yet supported by concrete data. The concept of a DNS-CERT has value and is worth further consideration, but ICANN’s idea is half-baked and top-down, said Keith Drazek, industry and government relations director.

The Registries Stakeholder Group, whose members are ICANN-approved registry operators, said the proposal is based on the assumptions that operators that provide DNS services “often react to emerging threats in a largely uncoordinated and under-resourced fashion” and that there’s a need for a system-wide approach to DNS security, stability and resiliency. Responses to the Kaminsky bug and the Conficker worm showed an extremely effective level of coordination, information-sharing and action, it said. ICANN’s initiative goes way beyond its mission and addresses issues that don’t threaten the DNS, the group said.

ccTLD managers also opposed the proposal. ICANN “has made a number of assumptions regarding perceived weaknesses in current network security measures, the level and frequency of threats, the need for a new coordination body, and the position this body will assume,” said the ccNSO. Members aren’t aware of any “ground-swell of concern” over security measures, it said. New Zealand registry Internet New Zealand questioned the presumption that lack of a DNS-CERT is allowing vulnerabilities to slip through, and said the Internet body failed to look at alternative solutions. Despite statements by ICANN President Rod Beckstrom that the DNS is in crisis, “it is clear that the urgency has been significantly exaggerated,” it said.

The Council of European National Top Level Domain Registries said the initiative overlaps with the work and goals of existing organizations such as national CERTs and the DNS Operations, Analysis and Research Center (DNS-OARC). .UK registry Nominet and .fr operator AFNIC criticized the proposal’s lack of focus and community support. The Asia Pacific Top Level Domain Association said ICANN should facilitate communication and cooperation within the DNS network and leave incident response operations to existing players. The DNS-OARC noted several potential areas of duplication with its work and that of other global CERT-like organizations. While ICANN might think extending its jurisdiction in the DNS security arena “could be a means to create a stick for the new gTLDs to participate in DNS-CERT,” there’s no comparable carrot for the ccTLDs, the OARC said.

Business groups were also critical of the proposal. The U.S. Council for International Business backed calls for a working group to gauge the need for a DNS-CERT. AT&T said ICANN should instead build on its Security and Stability Advisory and Risk Committees. The Internet Society worried that ICANN may be trying to expand in “new and peripheral operational functions.” Even if more centralized DNS security is needed, “we should not automatically assume that ICANN is the best organization to do it,” said NetChoice Executive Director Steve DelBianco. But ICANN staff is apparently already committed to building an in-house CERT structure, he said.

Two national response organizations applauded ICANN’s idea. A DNS-CERT could boost response time in incidents with DNS implications, said Adli Wahid, head of Malaysia CERT. DNS security is a “specific area which individual CERTS in the world can’t handle by themselves alone,” said Rohana Palliyaguru, Sri Lanka CERT senior information security engineer.