
Towards a DNSCERT Definition

To mix metaphors, my e-mail has been ringing off the hook since my previous article (“Perspectives on a DNS-CERT”), and I’ve had to think deep and difficult thoughts about what we really mean by DNSCERT, and whether DNS-OARC really has the capability, or can grow the capability, to operate such a thing. I’ve had some discussions with ICANN and with members of the DNS-OARC board and staff, and it’s time I checkpointed the current state of my thinking about all this.

First, DNS-OARC was convened as an operational and technical body, and they’ve stuck to that vision, and they’re likely to continue to stick to it. This means that the technical and operational functions associated with a DNSCERT seem natural and necessary to the DNS-OARC folks, and, subject to clearing it with their membership and having a viable funding model, they’re ready to march forward.

Second, ICANN has heard the community’s reaction loud and clear: the world wants them to remain a technical coordinating body, and not to become an infrastructure operator over and above what they already do for their “L Root”. They’ve also heard my arguments about how easy it is to find seed funding for possibly unsustainable activities, and that the proof of a proposal’s viability comes in its fourth year, not its first. ICANN can be of great help to a DNSCERT both in doing the “gap analysis” [PDF], as they’ve already done, and in socializing and publicizing the idea to the gTLD and ccTLD operators who would have to join and sponsor a DNSCERT activity if it’s ever going to amount to anything.

Third, DNSCERT as envisaged by the ICANN SSR “gap analysis” [PDF] is a different goal set than DNS-OARC’s. Some things DNSCERT would do are outside the scope of DNS-OARC, and some things DNS-OARC is doing and/or will someday do are beyond the scope of DNSCERT. There’s substantial overlap, but I was wrong earlier when I said that DNS-OARC should do it all.

I think what’s needed is a new nonprofit corporation (“The DNSCERT Foundation” or similar; let’s call it TDF here) whose members are other international nonprofit corporations representing DNS stakeholders—such as ICANN, DNS-OARC, various CERTs, CENTR, MAAWG, APWG, and a few dozen others. Current and future members of DNS-OARC will join and sponsor the DNSCERT activity through their DNS-OARC membership and additional restricted grants of money and of “like kind” resources including personnel and equipment.

DNSCERT should be a joint venture across the entire DNS industry, and the 24x7 “watch floor” should be distributed across the globe. Much of the technical and operations work should be outsourced to the participants, who by running a tool set in common and doing training in common including sending personnel to DNSCERT HQ on a quarterly or annual rotation, will form an extremely robust and redundant asset base for the DNSCERT function.

TDF’s main purpose would be to define a DNSCERT Functions Contract and then enter into a joint venture with DNS-OARC Inc. to execute that contract. TDF’s role in the JV would be governance and oversight. DNS-OARC’s role would be execution. TDF’s governance activities would include research above the raw technology level, such as system level risk assessment and contingency planning. For example, perhaps ICANN’s ill-fated “DNS Root System Scalability Study” [PDF] could be retried in this broader framework since ICANN’s track record for hiring consultants to write reports and recommendations isn’t working.

Getting There

I’ve socialized and refined the above proposal by talking to a lot of people, most of whom did not give me permission to thank them publicly. I do have permission to mention that Ondrej Filip (.CZ), Leslie Cowley (.UK), Frederico Neves (.BR), Jay Daley (.NZ), and Jeff Moss (DefCon) think that something like this is worth investigating further. My first order of business is to expand that list—if you and/or your company would like to weigh in positively on this proposal, please send me e-mail and I’ll add you to the list, or you can add a comment to this article.

Importantly, neither ICANN nor DNS-OARC wants to take the next step of making a formal public statement of support of this approach unless the community has first given the nod. Therefore I’m asking ICANN to schedule a BOF session in Brussels, and I hope it’s early in the week like Monday or Tuesday, where we can get a whole bunch of DNS stakeholders (including many DNS-OARC members) in a room and find out whether the community has a will and if so what it is.

By Paul Vixie, VP and Distinguished Engineer, AWS Security

Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC).

BOF time and place Yurie Ito  –  Jun 20, 2010 8:59 AM

The BOF room is reserved for Tuesday the 22nd at 18:00.

At: Room 313/315 on the 3rd floor at Square Brussels Meeting Centre (ICANN meeting venue)

BOF attendance and participation Eric Brunner-Williams  –  Jun 22, 2010 6:21 PM

The room was filled with cc and g operators, non-dns security people, some ICANN staff, and the discussion was lively, interesting, but not yet conclusive of any particular thesis concerning next steps.
