
JPRS Submits Comments in Response to ICANN's Call for Public Comment

2010/04/07

JPRS has submitted comments in response to the call for public comment on the draft business case for a global DNS-CERT, which ICANN announced on February 12, 2010.

Invitation for Public Comment: Proposed Strategic Initiatives for Improved DNS SSR and Global DNS-CERT Business Case (ICANN)
http://www.icann.org/en/announcements/announcement-2-12feb10-en.htm

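From its standpoint as an organization that operates DNS on a daily basis, JPRS discussed with multiple domain name registries what form this DNS-CERT should take and, as a result, submitted its views to ICANN as a public comment on March 25, 2010.

In the comment, after expressing agreement on the need to improve the security, stability, and resiliency of DNS, JPRS stated views to the following effect.

  1. Rather than creating a new organization specialized in DNS, integration and coordination with CERTs and other bodies that are already functioning should be considered first.

  2. The $4 million presented as the operating cost of DNS-CERT is too high.

  3. Furthermore, the views of those on the DNS resolver side, such as ISPs and enterprises, and of people involved in DNS operation, such as JANOG, should also be widely sought.

The submitted comment is as follows.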

Please find comments to "Global DNS-CERT Business Case" below.
Thank you for giving us this opportunity.

Hiro Hotta, JPRS (.JP ccTLD)


===== comments =====

We appreciate and welcome the opportunity for the community to consider closely about upgrading DNS-related SSR (security, stability, and resiliency). We agree to the view in the proposed document that no highly-established framework excel at DNS SSR exists, especially response to incidents involving DNS. We agree that DNS SSR should be enhanced continuously as threat grows. To that end, we generally agree on the concept of DNS-CERT, if it refers to a "concept" not to an "organization or functions within an organization."

Let us comment on some points regarding the implementation of DNS-CERT concept.

  1. organizational framework

    Currently there exist organizations/teams for security maintenance such as DNS-OARC and national CERTs. Their activities are trusted by the community in general, at least to some extent. So, we think enhancing capabilities of existing organizations should be considered first, rather than creating yet another organization. Generally, it's not a good idea to make information channel structure complex from the viewpoint of avoiding confusion and cost. In addition, organization too specialized in DNS cannot play an appropriate role, since incidents usually result from not a single cause but from combination of multiple causes. Therefore, cooperated analysis, discussion, and drafting of organizational framework among existing organizations including ICANN are highly expected to come up with a good framework.

  2. operational cost

    Efficiency of the structure to maintain DNS SSR should be pursued, since we believe $4M is a huge amount. Again, this leads us to the image that DNS-CERT function should be overlaid onto the existing organizational framework such as current CERTs. Using domain name registrants' money means taking responsibility for the security of registrants at the level of registrants' satisfaction in compensation for their money.

  3. outreach effort

    CERT-like frameworks are different country by country, and organization by organization. In addition, there are various kinds of players in network operation including DNS operation. Therefore, outreach is essential for all these players to trust the framework and implementation of the DNS-CERT concept. Current proposal document seems to give less focus on resolver DNS side than authoritative DNS side. There are quite a few organizations/groups such as *NOGs and local DNS operators groups that are closely-related to DNS operation. More outreach effort is expected in the current consulting phase and in the implementation phase of DNS-CERT concept.

=====
