Home / Blogs

Perspectives on a DNS-CERT

Last week at the ICANN meeting in Nairobi, a plan was announced by ICANN staff to create a “CERT” for DNS. That’s a Community Emergency Response Team (CERT) for the global Domain Name System (DNS). There are all kinds of CERTs in the world today, both inside and outside the Internet industry. There isn’t one for DNS, and that’s basically my fault, and so I have been following the developments in Nairobi this week very closely.

As the original founder of DNS-OARC (that’s the Operations, Analysis, and Research Center for DNS, on the web at WWW.DNS-OARC.NET / see related CircleID interview), I’ve fielded a lot of questions from folks asking me what I think about all this. The original DNS-OARC plan (written in 2002 or so) called for a 24x7 monitoring and response and coordination function very similar to what’s now being proposed by ICANN. Everybody I talked to in 2002 understood the need for this, based on the excellent track record of US-CERT and JP-CERT and even the IT-ISAC. We knew it had to be done by the DNS industry itself, rather than added to the remit of some existing government-supported CERT or ISAC.

Somewhere along the way we got distracted. Or to more accurately place the blame, I got distracted. DNS-OARC was a huge undertaking, and one that I significantly underestimated.  Internet Systems Consortium (ISC) started DNS-OARC using NSF research money, and I think NSF was happy with our results—but producing those results used up a lot of ISC’s management bandwidth. DNS-OARC has received unprecedented participation and support from members of the DNS industry, who had never done anything quite like this—but the cycle time for bringing in new members was six to 18 months rather than the six to 18 weeks I planned on. Much has been achieved, but building the data and resources needed to develop OARC’s necessary “critical mass” was something that ISC had to rely on partners and members for, and those folks have busy lives and long to-do lists even without this kind of stuff.

Eight years on, ISC has successfully spun DNS-OARC out as a separate non-profit corporation with its own board of directors. DNS-OARC has some fifty (50) members, comprising an unprecedented community of the key technical people from major DNS TLD registries, root operators, vendors and service providers. It has created a set of tools, experience and infrastructure vital for monitoring and analyzing the health of the DNS, and has accumulated an unparalleled set of DNS data captured from the live Internet.

But all this took years longer than I expected, and may have been a more dramatic time investment than DNS-OARC’s elected trustees were expecting.

So the reason there is nothing like a “DNS CERT” in the world today is that I, as the founder of DNS-OARC, said that DNS-OARC would handle it, and then I didn’t follow through. I plead ignorance and ambition—we got a lot of other great stuff done, including the existence and independence of DNS-OARC itself, so I’m not exactly weeping with guilt. But, when Rod Beckstrom (President of ICANN) got up at the microphone in Nairobi and said, the world needs something like this, and if nobody else is going to build it, he would, I thought, he’s absolutely right, it’s still 2002 in here, and it’s time we—the DNS industry—got this done. We need a 24x7 monitoring and response and coordination function, with full time analysts looking at real time DNS events and participating in a global mesh of DNS NOCs.

Beckstrom’s vision that some $4.5M is needed to get DNS-CERT properly off the ground is to be commended, and is one familiar to us at DNS-OARC, where our reach has regularly exceeded our grasp. But we’ve also learned some lessons over the years, not least that the DNS community guards its autonomy fiercely, and will react adversely to anything that smacks to them of unilaterally imposed central control. Something like a DNS-CERT can only be done at the grass roots level, which is both a constraint and a boon. This explains some of what we’ve been hearing in the hallways at how, despite its merits, there is some disquiet about the way the DNS-CERT proposal was presented. It is exactly why we went for an autonomous, neutral, membership governance model for DNS-OARC. We have to work cooperatively to ensure that DNS remains 100% available to serve as the Internet’s map.

I call upon the world’s governments, and upon the gTLD and ccTLD operators, and upon ICANN itself as well as other Internet governance organizations including CENTR, to support DNS-OARC Inc. in finishing what I started; and I call upon DNS-OARC Inc.‘s trustees and members to use ICANN’s excellent “gap analysis” for the “DNS-CERT” as the starting point to make this happen.

So, the next phone call all of those folks get may be from me, making this appeal personally. Let’s make 2010 the year we (all) finally get this done.

By Paul Vixie, VP and Distinguished Engineer, AWS Security

Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC).

Visit Page

Filed Under


Do we need another CERT? Paul Roberts  –  Mar 23, 2010 2:51 PM

Is it really necessary to have a dedicated DNS CERT? The existing cert.org seems to work well from what I can tell, and having another CERT type body to monitor is just going to increase confusion, especially if cert.org/cve.mitre.org etc. continue to issue alerts all with their own vuln id’s. So now when we are trying to track issues, there’s yet another vuln id to track?

If a DNS CERT is created, where will it end? Will we see an SSH CERT, DHCP CERT or [insert protocol here] CERT?

I just don’t really see the point. Maybe I’m missing something? (It does happen) :-)

Paul Roberts
Technical Services Manager

Systems created those other (SSH, DHCP, etc) Paul Vixie  –  Mar 23, 2010 4:36 PM

Systems created those other (SSH, DHCP, etc) protocols are unilateral or bilateral, whereas DNS creates a multilateral interdependent system. the folks at CERT/CC and Mitre are great at what they do but it is not this. To protect a system you also have to study it and monitor it, to help define what "normal" and "healthy" mean. otherwise we fall back to a weak definition like "things are healthy if nobody is complaining" and that's just not true. DNS-OARC was launched to be an expertise center on the global DNS system as an operational entity. membership includes operators, implementors, researchers and protocol people, law enforcement and existing CERTs, and meatspace governments. DNS-OARC's remit is much larger than just "be a CERT for DNS", but we always intended to include "be a CERT for DNS" in our operating plan because that function is important to the health and safety of the global domain name system as an operational entity. the gaps that are showing up through ICANN's analysis really are gaps -- greg rattray and yurie ito have done some very high quality work in identifying these gaps and bringing them to the world's attention.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC