Hi Chris and all,

Below are the comments I'm drafting to be posted to ICANN's public comment forum on DNS-CERT.

===

We appreciate and welcome the opportunity for the community to consider closely the upgrading of DNS-related SSR (security, stability, and resiliency). We share the view of the proposed document that no highly established framework that excels at DNS SSR exists, especially for response to incidents involving DNS. We agree that DNS SSR should be enhanced continuously as threats grow. To that end, we generally agree on the concept of DNS-CERT, if it refers to a "concept", not to an "organization or functions within an organization."

Let us comment on some points regarding the implementation of the DNS-CERT concept.

(1) organizational framework

Currently there exist organizations/teams for security maintenance such as DNS-OARC and national CERTs. Their activities are trusted by the community in general, at least to some extent. So, we think enhancing the capabilities of existing organizations should be considered first, rather than creating yet another organization. Generally, it's not a good idea to make the information channel structure complex, from the viewpoint of avoiding confusion and cost. In addition, an organization too far specialized in DNS cannot play an appropriate role, since incidents usually result not from a single cause but from a combination of multiple causes. Therefore, cooperative analysis, discussion, and drafting of an organizational framework among existing organizations including ICANN are highly expected, to come up with a good framework.

(2) organizational cost

Efficiency of the structure to maintain DNS SSR should be pursued, since we believe $4M is a huge amount. Again, this leads us to the image that the DNS-CERT function should be overlaid onto the existing organizational framework such as current CERTs. Using domain name registrants' money means taking responsibility for the security of registrants at the level of registrants' satisfaction in compensation for their money.

(3) outreach effort

CERT-like frameworks are different country by country, and organization by organization. In addition, there are various kinds of players in network operation, including DNS operation. Therefore, outreach is essential for all these players to trust the framework and implementation of the DNS-CERT concept. The current proposal document seems to give less focus to the resolver DNS side than to the authoritative DNS side. There are quite a few organizations/groups such as *NOGs and local DNS operators groups that are tightly related to DNS operation. More outreach effort is expected in the consulting phase and in the development phase of the DNS-CERT concept.

===

Hiro

On Tue, 23 Mar 2010 12:44:08 +1100 (EST) "Chris Disspain" <ceo@auda.org.au> wrote:
All,
We are currently collating and drafting cc public comments re DNSCERT etc.
Meanwhile, the Chairs of the gNSO, ALAC and I would like to send the attached letter to Peter and Rod. Are there any objections?
Cheers,
Chris Disspain
CEO - auDA
au Domain Administration Ltd
ceo@auda.org.au
www.auda.org.au