DNS-Community Emergency Response Team, or CERT


In my blog last week, I gave you some of my initial impressions of the 37th ICANN meeting held in Nairobi, Kenya. More to the point, I wrote about how ICANN’s CEO, Rod Beckstrom, managed to raise quite a few eyebrows with some of the comments he made at the meeting.

This week, I’d like to talk about some specific comments he made around the security of the DNS. As I stated last week, DNS security, stability and resiliency (SSR) is a core part of my business – it’s what CIRA and the other ccTLDs do and is one of our top priorities. At a meeting of the Governmental Advisory Committee,  Beckstrom stated that the DNS is fragile and vulnerable and subject to more attacks than ever before. He also said the DNS “can stop any time”, therefore we have to make a greater effort to protect it.  This effort, he argued, should be concentrated on supporting ICANN’s business case to create a DNS-Community Emergency Response Team (CERT), open for comment until April 14, 2010.

Most folks in the room who actually manage DNS on a day-to-day basis were quite surprised by the tone and the way this was brought to the community’s attention.  Many people in the room felt that Beckstrom was speaking out of turn and disregarding the work the community is already undertaking to ensure the stability and the security of the DNS. His comments sparked a swift response from the Country Code Names Supporting Organization (ccNSO), an organization within the ICANN structure of which CIRA is a member. The ccNSO pointed out that Beckstrom is straying from ICANN’s bottom-up, consensus-based multi-stakeholder model. Some have even expressed the opinion that Beckstrom might be fear mongering, perhaps hoping to gain support for the DNS-CERT Business case.

A CERT is not a unique idea; many exist around the world and fulfill a number of different functions.   There are lots of bodies in many countries that currently handle CERT functions for the Internet, each in a very localized manner.

Basically, those of us in the DNS business are all for whatever maintains, or improves, the security and stability of the DNS. But before we all run off and develop a whole new structure/bureaucracy, let's make sure we clearly understand what the gaps are, if any, in the numerous CERTs and security structures that already exist, before ICANN adds another ~$5M of (unfunded) expenses to its already large budget.

In a recent blog post, Paul Vixie called upon all of the stakeholders in Internet governance to support DNS-OARC Inc. in furthering the development of a global DNS-CERT. I tend to agree with Vixie, and I believe DNS-OARC is better positioned than ICANN to provide CERT functions, as outlined in Vixie's blog post.

The fact is the Internet itself was built from many localized networks coming together to create one international network. The overlap and redundancy inherent in this type of organic growth is what enabled the Internet to be the robust entity it is today. I’ve said it before: the Internet is, by its very nature, generative, creative, and organic.  This is one of the reasons I believe a more effective approach to the development of a DNS-CERT would involve spending time and effort looking at what already exists. If gaps exist they can be identified and plugged.

What the Internet does not need, in my opinion, is a top-down bureaucratic approach to anything. These approaches simply do not work for the Internet; they do not respect the very ‘spirit’ of the Internet.  And I do not think ICANN should be imposing a solution on its stakeholders that we will all end up having to pay for, without adequately examining existing and possibly better suited DNS-CERT options.

Do you agree?

While at the meeting in Nairobi, Kathryn Reynolds, Legal and Policy Council at CIRA, took some pictures. We’ve posted them to our Picasa page. Enjoy!

ICANN Nairobi – It’s not what you say, it’s how you say it.


More than one person has said to me that attending an ICANN meeting is like watching paint dry, grass grow, etc.  Basically, pick your metaphor, but the point is not much happens and what does happen, happens slowly.  While there is some truth to this, I would argue that the better metaphor might be a duck, not much happening above the waterline, paddling like mad below.  You just need to know what to look for to see the activity.  But that’s a blog for another day.

The ICANN meeting last week was anything but dull, with a lot of activity happening around the latest round of gTLD introduction updates and the whole Expression of Interest (EOI) issue.

The other element that added a spark to this meeting was the new CEO himself, Rod Beckstrom.  Rod pressed a number of hot button issues, some on purpose, and some I am sure, came as a surprise even to him.

It all started at the opening ceremonies for the conference when Rod opened with an interfaith prayer…yes, a prayer.  This caught the very international gathering quite off guard.  This is after all an Internet technology and policy conference.  And it did not go well; from the Imam not showing up to the power going off during the prayer, it was an awkward few minutes.  From there Rod lambasted African telcos for their high prices (a little insensitive given most of them are state sanctioned, and we were the guests of Kenya), indicated that Kenya was no longer in the Commonwealth (it is), and invited six Presidents of the east African region, who were meeting nearby, to drop by and join with ICANN.  The one small wrinkle is that group includes the President of Sudan, an indicted war criminal – not a politically sensitive choice of guests.  And all this within about the first 15 minutes!

Two other more substantive areas that concern country code TLD operators like .CA that Rod stepped into are around financial contributions to ICANN as well as the requirement for a global DNS CERT.

ICANN is a not-for-profit corporation, which has a number of constituency groups within it.  Some of these groups are contracted parties, like the gTLDs (such as the commercial entities that run .com).  Others, like the various government participants and the country code operators (like CIRA) participate to be involved in the policy process and the coordination and governance of the Internet, but are not contracted parties with ICANN.  Many of the ccTLDs make a voluntary contribution of funds to support ICANN, but some don’t.   Rod has made a point that the ccTLDs need to start paying more, in fact he made this point clearly when the first ccTLD CEO stood up to speak.  Before he could get a word out, Rod demanded to know if that ccTLD made contributions, the implication feeling like if they had not, that the forthcoming question would not be as “valuable”.

While the question of ccTLD contributions is one that needs to be addressed, the way it was delivered and the innuendo did not win Rod any friends.    My sense of the room was that Rod left with fewer supporters than he arrived with.  You know the old saying, it’s not what you say; it’s how you say it.

The other issue, that I will blog on more expansively at a later date, is the notion of a global DNS CERT. DNS security, stability, and resiliency (SSR) is a core part of my business, of any ccTLD's business. There are a number of organizations that also do this and work in the security space. Also, some form of cyber CERT exists at the national level in many countries. Many in the community would consider CERTs to be in their wheelhouse. If there are any gaps, let's plug them rather than create a whole new ICANN bureaucracy, with a $5M US price tag, to administer it. Again, SSR is near and dear to the operators' hearts and anything that can make it better will be welcomed in the community. But the tone of the message could be considered somewhat inflammatory.

Again, like your mother told you, it’s often not what you say; it’s how you say it.



The deadline for the ShowUsYour.CA contest is fast approaching. So far, we’ve received videos from a musician, graphic designers and artists, and even a class of grade five students who produce their own podcast. If you haven’t watched the video submissions yet, I encourage you to go to our YouTube Channel to do so.

More importantly, if you haven’t created a video and entered the contest yet, why not? You can win a great prize, and possibly be rewarded with everlasting fame! After all, the grand prize winner will receive a 15 inch MacBook Pro and be featured in a future .CA marketing campaign.

Go ahead, get your video camera and tell us your .CA story. Make it quick, though. The deadline to enter is March 15!

DNS Redirection


When you type an address into a web browser, many things happen ‘behind the scenes’. Most of the time you get the website you were looking for. But what happens if you make a mistake typing in the address, or the address you are looking for doesn’t exist? Ideally (at least from a technical point of view), you get this:


Sometimes, however, you don't. Instead, when there is no exact match for the query name and/or the query type, DNS synthesis, or redirection, may take place. In short, if your request can't be resolved, your request gets redirected to another webpage by someone in the middle – often your Internet Service Provider (ISP) or the Top Level Domain (TLD). This is a hotly contested issue in some circles, and it's making a lot of people quite upset.
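A practical way to see whether the resolver you are using synthesizes answers is to ask it for a name that cannot exist and check whether it answers NXDOMAIN (the honest "no such name" response) or hands back an A record pointing at some page of its own choosing. The script below is an added example, not code from the original post or from CIRA: it builds a minimal DNS query, parses the response header and answer section, and classifies the result. The sample responses it checks are constructed in the script itself (the name "example.ca" and the address 192.0.2.10 are placeholders), so it runs offline; the optional `query_resolver` helper sends the same probe to a real resolver if you give it one.

```python
import os
import random
import socket
import struct

NOERROR = 0
NXDOMAIN = 3   # RCODE 3: the queried name does not exist
TYPE_A = 1


def build_query(qname, qtype=TYPE_A, txid=None):
    """Build a minimal DNS query (header + one question) for qname/qtype."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack(">HH", qtype, 1)     # QCLASS IN


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(buf):
    """Return (rcode, [(rrtype, rdata), ...]) for the answer section of a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", buf[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4          # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        answers.append((rtype, buf[off:off + rdlen]))
        off += rdlen
    return rcode, answers


def classify(response):
    """Classify the response to a probe for a name that must not exist."""
    rcode, answers = parse_response(response)
    if rcode == NXDOMAIN:
        return "honest-nxdomain"
    if rcode == NOERROR and any(t == TYPE_A for t, _ in answers):
        return "synthesized"        # someone in the middle invented an address
    return "other"


def random_probe_name(zone):
    """A random label under zone, so the name is almost certainly unregistered."""
    return "probe-" + os.urandom(6).hex() + "." + zone


def make_response(query, rcode, addresses=()):
    """Constructed sample response: echo the question, set rcode, append A records."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1
    header = struct.pack(">HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    rrs = b""
    for ip in addresses:
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, 1, 60, 4) + rdata
    return header + query[12:] + rrs


def query_resolver(resolver_ip, zone, timeout=3.0):
    """Send the probe to a live resolver over UDP and classify its answer (not run here)."""
    q = build_query(random_probe_name(zone))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return classify(data)


if __name__ == "__main__":
    q = build_query("probe-deadbeef.example.ca", txid=0x1234)   # constructed placeholder name
    print("honest resolver :", classify(make_response(q, NXDOMAIN)))
    print("redirecting ISP :", classify(make_response(q, NOERROR, ["192.0.2.10"])))
```

The same probe also catches TLD-level wildcarding: if the zone itself synthesizes answers for unregistered names, even an honest resolver will return an A record for the random label, so a "synthesized" verdict tells you something in the path is rewriting NXDOMAIN but not by itself which party is doing it.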

Some organizations try to legitimize this activity by citing the need to redirect traffic away from websites that exist for the sole purpose of illegal activity, such as child pornography or sites that are known to be pushing out malware. I’m not so sure this argument is accurate.  DNS redirection does not remove harmful or illegal content from websites; it just makes it more difficult to access using a particular network.  In all likelihood, law enforcement organizations would contact the hosting provider (or authority) for a domain used for illegal activity to have it shut down or redirected. They would not likely resort to asking potentially thousands of ISPs around the world to individually take steps to block or otherwise redirect the ill-intentioned sites.

There are many reasonable and more effective methods for filtering such content, including web browser plug-ins, anti-virus software, child protection software, proxy servers, and firewalls that do not require breaking the fundamental protocols on which the Internet relies.  Further, these continue to enable personal choice.

There is another reason, however, that ISPs engage in DNS synthesis: it can be quite profitable. ISPs are increasingly redirecting requests to pages that they have created themselves, and serve to market their products and services. Ads can be sold on these pages, and the ISP can control the traffic that goes to the website.

I take issue with ISPs engaging in this practice for several reasons.  The following are just a few examples of the problems that can be encountered with DNS redirection:

- There are many undesirable problems that may result from interfering with the way DNS protocol was intended to work, including difficulty troubleshooting, spam filters not working, embedded tools being confused, and more.

- The user may or may not end up connecting to the page he or she was attempting to visit. As a user, if your intent is to visit www.widgetxyz.ca, should your ISP be able to decide what you meant to put into your web browser? As well, this may mean existing domains and their owners may lose out on traffic because of the interference of the ISP.

- ISPs charge you for bandwidth – when you type in an address correctly, you are using bandwidth to go to a page that you intended to go to. If you type it in incorrectly, you should expect to not use bandwidth. However, if an ISP redirects your request to a page of their choosing, you're using bandwidth to get to a page you didn't choose to go to.

CIRA was recently given the opportunity to comment on proposed “best practices” for the use of DNS redirection by ISPs by the Internet Engineering Task Force, or IETF. I’ve submitted my comments and will continue to keep an eye on any further developments and future opportunities to comment.

ISPs are not the only ones in on this action however.  This is also a concern at the Registry level (the business that CIRA is in).  The Security and Stability Advisory Committee (SSAC – including many of the “high priests” of the DNS) of ICANN has reported over the past few years that redirection and synthesizing of DNS responses by TLDs (or “wildcarding”) poses a clear and significant danger to the security and stability of the domain name system.   They have advised ICANN to prohibit the use of redirection and synthesized responses by new TLDs, including gTLDs and ccTLDs, stating that:

“The redirection and synthesizing of DNS responses by TLDs poses a clear and significant danger to the security and stability of the domain name system. The consequences of synthesized DNS responses range from erosion of trust relationships to the creation of new opportunities for malicious attacks, without the ability of the affected party(ies) to mitigate these problems.”

In June 2009, the ICANN Board of Directors called on the Country Code Names Supporting Organisation (ccNSO) to provide the TLD community with a report that summarises the issues associated with wildcarding.  The ccNSO established an Ad-hoc Wildcard Study Working Group to study the issue and prepare this report.

Incidentally, CIRA is a member of this Working Group, so, we’ll have an opportunity to stay on top of this issue (definitely a topic for a future blog post).

What do you think about ISPs synthesizing DNS responses?