[Fwd: Re: [ncdnhc-discuss] Proposed amendments to Security resolution] (fwd)

Dave Crocker dhc2 at dcrocker.net
Thu Nov 1 20:20:35 CET 2001

At 11:22 AM 11/1/2001 -0600, Alejandro Pisanty - CUAED y FQ, UNAM wrote:
>In the next paragraph I think you get the technology wrong. The root
>servers *are* distributed and diverse, and protecting them is a separate 
>(nonetheless important) issue. What we are talking about is the DNS as a 
>whole, and that in turn includes operations on it like assigning names, 
>finding out about contacts, etc.

You are correct on both counts.  The root server complex is highly 
distributed.  Physical attack on them is probably the least interesting 
security question for the DNS.  There ARE some issues about the root 
servers to attend to, but dangers from physical or administrative 
centralization are not among them.

Further, I concur with your sense of scope.  We need to worry about 
security for the overall DNS.  It is easy to focus only on the upper 
levels, but the damage from disruption to the lower layers can be quite 
damaging.  Think of the effect of taking out aol.com or ntia.doc.gov.

However there is a difference between the scope of ICANN's "authority" and 
the scope of ICANN's purview or interest.  Hence my suggestion -- also made 
to ICANN staff -- is that discussions about requirements and solutions be 
largely independent of the level within the DNS.  Define policies and 
procedures that attend to security issues throughout the DNS.

ICANN can then enforce those policies and procedures for the entities over 
which it has direct responsibility.  For the rest, it can pursue promotion 
and education, to encourage adoption.

As to the question that Michael raises, concerning such things as technical 
development that are outside of ICANN's scope:  ICANN can produce 
functional requirements and operational guidelines.  It can choose to adopt 
or reject technical work done elsewhere, such as the IETF.  No, it should 
not replicate work done elsewhere.

Think of ICANN as being like an IT department.  They do not invent 
technology or products.  However they DO evaluate and adopt them.  And that 
is very much a technical standards effort, albeit not one of inventing 
technical standards.

>*changed "preventative" to "preventive"

showing off, huh?

>Are we converging?

A bit scary, isn't it?  Maybe we need to worry that someone is going to 
jump out of the bushes and say trick or treat...


Dave Crocker  <mailto:dcrocker at brandenburg.com>
Brandenburg InternetWorking  <http://www.brandenburg.com>
tel +1.408.246.8253;  fax +1.408.273.6464
