Home / Blogs

DNS Gets A Formal Coordination System

CircleID recently interview Paul Vixie, Founder & Chairman of Internet Software Consortium (ISC), to discuss ISC’s newly formed Operations, Analysis, and Research Center (OARC).

OARC is launched in response to DDoS attacks at the Internet’s core infrastructure and the vital requirement for a formal coordination system. OARC is also a part of US homeland security initiatives, such as the formation of Information Sharing and Analysis Centers (ISACs).


CircleID: Can you give us an overview of what OARC is?

Paul Vixie: OARC is ISC’s new Operations, Analysis, and Research Center, a crisis coordination system for the global DNS. We’re trying to help our members better understand how the DNS operates and respond to incidents and threats.

CircleID: We have also heard the term DNS-OARC, any difference?

Paul Vixie: You heard about it pre-launch when the working title was “ISC DNS-OARC”. The official title as of launch is “ISC OARC for DNS”.

CircleID: OARC has mentioned, “The Domain Name System (DNS), born 20+ years ago, has become the primary governor of traffic flows on the Internet. When the DNS stops working, so do all applications: no email, no web browsing, no instant messaging, no FTP, no e-commerce.” Can you give us an overview of the state of DNS, and consequentially the Internet, as it stands today? What kind of critical point, if any, have we reached that has necessitated the formation of OARC?

Paul Vixie: The DNS has, quite simply, outgrown the informal coordination system we’ve always used. Root operators, TLDs, and other operators of critical pieces of infrastructure have always worked closely together. But, as the DNS has grown up, and as the threats have also grown up, there has arisen a crying need for better mechanisms for working together.

The OARC allows our members to coordinate closely in a secure, trusted environment. We have taken great pains to set up an on-line system that allows competitors to share critical information in a way that allows them to cooperate together to solve problems.

CircleID: OARC has pointed out that “Despite the critical nature of the DNS, responses to attacks have been handled informally, testing of software is not coordinated, and long-term analysis to better performance, stability, and security is sorely lacking.” Considering that DNS is now 20+ years old, one can’t help question why an essential collaborative organization, such as OARC, has taken so long to be created?

Paul Vixie: Twenty years ago, we didn’t need these kinds of mechanisms. Ten years ago, we still didn’t need them. And, you could argue that even five years ago, we still didn’t need them.

It always takes time to build the consensus it takes to make an organization like OARC work. We’ve spent a year talking to key players, listening to what they wanted to see, and iterating towards a framework that works for everybody.

CircleID: Can you share with us a little about the type of members and countries that have joined OARC. Who is encouraged to join?

Paul Vixie: We’ve had a great reception to the system. Most of the root operators have signed up (or have indicated that they will shortly sign up), as have all four regional registries (RIPE, APNIC, ARIN, and LACNIC). The research community has also been well represented with organizations such as ISTS at Dartmouth College, CAIDA, and InternetPerils. We’re also getting good representation from big registry operators such as Afilias. And, the big industrial players have also been signing up: companies such as Cisco, MCI, XO Communications, and Telehouse USA.

As to who should sign up, I think that is anybody who feels they have a mission-critical need to know what is happening with the global DNS. Registries and registrars, ccTLD operators, large corporate NOCs, ISPs and ecommerce companies that host many domain names are all likely candidates. This is also a natural for law enforcement groups that are worried about attacks on the Internet.

CircleID: Can you tell us a little more about “Root Servers Advisory Group” and “OARC Policy Council”—the two “governance mechanisms” within OARC? Who elects them and what are their roles?

Paul Vixie: The Root Servers Advisory Group (RSAG) is open to the root operators. They play a critical role in the global DNS and we wanted to have a formal mechanism to make sure we hear any concerns they have.

The OARC Policy Council determines policy for the OARC. It consists of one person elected by the membership of OARC, one elected by the RSAG, and one representative from ISC, the OARC secretariat.

CircleID: What about the involvement of other Internet bodies and organizations? Would ICANN, IANA, IETF, or ITU, for instance, have any roles within OARC?

Paul Vixie: Of course. ICANN and ITU members are natural candidates for membership and we’ve spent considerable time briefing officials from those organizations. The IETF doesn’t have an operational role, so it doesn’t make sense for it, though we’re really pleased the Internet Society is a founding member.

CircleID: OARC describes its role as “a neutral forum that allows competitors to share potentially confidential information and thus coordinate their response to incidents that affect the entire industry.” Can you explain how a “neutral forum” and co-operation is established, given the fact that some members of OARC will potentially be direct competitors of each other?

Paul Vixie: We’ve got a variety of mechanisms. First, there is legal: everybody signs a membership agreement that has stringent confidentiality requirements. Second is technical: we’ve built a system that allows our members to securely upload confidential data and then choose with whom it is shared. Third is the most important: social. We’re taking great pains to foster an environment of cooperation and consensus so people feel comfortable with working together to solve common problems.

CircleID: OARC has specified five key functions at its core. Can you tell us about these functions?

Paul Vixie: The most visible function is our Incident Response System. That’s the crisis coordination part of the OARC. But, we want this center to be more than just a knee-jerk response to attacks, so we’re taking a long-term perspective. That’s where the other four areas come in.

OARC’s Operational Characterization program is collecting data about the performance and functionality of key nameservers during both normal and abnormal periods of operation. This let’s us understands how these servers operate and what the stress points are. We’re working with other data collection efforts around the Internet, such as the RIPE NCC’s DNSMON program.

The OARC Analysis program attempts to understand the data we collect. In this program, we’re partnering with key researchers around the Internet who have been conducting long-term studies of DNS operation in the real-world. Some of those groups are CAIDA, which is well-known for pioneering studies about many different aspects of Internet operation, and ISTS at Dartmouth College, well-known for their DNS work.

The fourth program is our OARC Testing Laboratory. Here, we’re establishing a real-world test environment, with a sophisticated network infrastructure and representative systems on different hardware and software platforms and all of the key DNS software. This allows us to test, for example, patches that are developed in response to an attack.

Finally, OARC has an Outreach & Education Program, a vital program that allows us to reach out to non-members and communicate whatever is learned as a result of OARC’s activities.

CircleID: Several types of participants have been named as being part of OARC including top-level domain (TLD) operators. What type of role, if any, would OARC play in issues such as VeriSign’s recent controversial introduction of “Site Finder” made possible by placing a wildcard name in the root of COM and NET top-level domains. As you are very well aware, this action, now under review by ICANN, has raised a varying range of concerns over the stability of DNS and the Internet.

Paul Vixie: VeriSign’s SiteFinder was a political and business decision. That’s ICANN’s ballpark. OARC is an operations center. We’re worried about threats to security and things that impact performance and functionality. I think OARC would have had a minimal role to play during the recent SiteFinder controversy.

CircleID: Given OARC’s potentially significant role in enhancing performance, stability, and security of the DNS, what factors will play a key role in ensuring OARC’s long-term success?

Paul Vixie: Our long-term success will be determined by how effective we are in solving real problems for people who are operating DNS servers in the real world.

CircleID: And now that OARC has been officially launched, what is its first priority task?

Paul Vixie: Our first priority task is the same priority we’ve had for the year it has taken to make OARC a reality: making the ISC OARC for DNS a useful, vital operations center that helps improve the security, stability, and performance of the global DNS.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Paul Vixie, VP and Distinguished Engineer, AWS Security

Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC).

Visit Page

Filed Under

Comments

ShadowEyez  –  Oct 22, 2003 5:28 PM

Sounds like a good operations center for long term changes and stability to DNS, and something that is needed.  However, if this organization existed when VeriSign launched SiteFinder by implementing wild masks, if ORAC had only taken a “minimal role” in this, it might be viewed as “toothless” or irrelavant, given that the main jist seems to be “solving real problems for people who are operating DNS servers in the real world”.

I realize that a long term stability goal is noble and needed, but the “real world” in IT and Internet operations sometimes needs quick reaction to potentially service halting problems, especially given the creative attacks hackers and miscreants employ today.

Sounds like a good move for the technical community.  Just be sure to be practical as well.  I look forward to seeing the implemtation and evolution of ORAC.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API