[Fwd: Re: [ncdnhc-discuss] Proposed amendments to Security resolution] (fwd)
dhc2 at dcrocker.net
Thu Nov 1 20:20:35 CET 2001
At 11:22 AM 11/1/2001 -0600, Alejandro Pisanty - CUAED y FQ, UNAM wrote:
>In the next paragraph I think you get the technology wrong. The root
>servers *are* distributed and diverse, and protecting them is a separate
>(nonetheless important) issue. What we are talking about is the DNS as a
>whole, and that in turn includes operations on it like assigning names,
>about contacts, etc.
You are correct on both counts. The root server complex is highly
distributed. Physical attack on them is probably the least interesting
security question for the DNS. There ARE some issues about the root
servers to attend to, but dangers from physical or administrative
centralization and not among them.
Further, I concur with your sense of scope. We need to worry about
security for the overall DNS. It is easy to focus only on the upper
levels, but the damage from disruption to the lower layers can be quite
damaging. Think of the effect of take out aol.com or ntia.doc.gov.
However there is a difference between the scope of ICANN's "authority" and
the scope of ICANN's purview or interest. Hence my suggestion -- also made
to ICANN staff -- is that discussions about requirements and solutions be
largely independent of the level within the DNS. Define policies and
procedures that attend to security issues throughout the DNS.
ICANN can then enforce those policies and procedures for the entities over
which it has direct responsibility. For the rest, it can pursue promotion
and education, to encourage adoption.
As to the question that Michael raises, concerning such things as technical
development that are outside of ICANN's scope: ICANN can produce
functional requirements and operational guidelines. It can choose to adopt
or reject technical work done elsewhere, such as the IETF. No, it should
not replicate work done elsewhere.
Think of ICANN as being like an IT department. They do not invent
technology or products. However they DO evaluate and adopt them. And that
is very much a technical standards effort, albeit not one of inventing
>*changed "preventative" to "preventive"
showing off, huh?
>Are we converging?
A bit scary, isn't it? Maybe we need to worry that someone is going to
jump out of the bushes and say trick or treat...
Dave Crocker <mailto:dcrocker at brandenburg.com>
Brandenburg InternetWorking <http://www.brandenburg.com>
tel +1.408.246.8253; fax +1.408.273.6464
More information about the Ncuc-discuss