ICANN boss creates a stir with DNS security warning
Rod Beckstrom, head of the Internet Corporation for Assigned Names and Numbers (ICANN), the body which administers the internet, has warned of attacks on the domain name system (DNS), attracting criticism from domain owners in the process. Beckstrom warned government representatives at the 37th ICANN meeting in Nairobi that the DNS is currently experiencing a never-before seen level of attacks and that blackouts are a possibility. The ICANN CEO was underlining the necessity of ICANN-led initiatives for improving security, including a global intervention force (CERT) for the DNS. However, the warnings met with a frosty reception from operators of country address zones. Speaking on behalf of the group of country domain operators (ccTLDs), Chris Disspain from Australian registry auDA, judged Beckstrom's warnings to be alarmist and even incitement.
Country registries (ccNSO) also see no particular danger at present. In response to a commentary from US company NeuStar, ICANN director Steve Crocker stated that there had even been a slight fall in distributed denial of service attacks (dDoS). Kurtis Lindkvist from the Swedish root operator netnod reported no particular incidents. What has particularly angered the country address registries which make up ICANN and which include Denic, is that Beckstrom presented his alleged horror scenario directly to governments.
According to Disspain, ccTLD managers fear that Beckstrom's warning could cause governments to get the wrong end of the stick. Disspain reckons that In the worst case, this could affect the operation of country domains. ccTLD managers are worried that regulation may be imposed from above. Disspain also warns that Beckstrom's talk will be grist to the mill of those who disagree with the concept of self-regulation embodied by ICANN. Beckstrom has justified his approach by citing informed sources as indicating that some governments wanted to block the DNS-CERT idea right from the start.
The global Computer Emergency Response Team for DNS operators (DNS CERT) will, according to ICANN's proposal, provide a universally accessible contact point and take responsibility for a range of monitoring and warning services. In the event of attacks on the DNS, the CERT will coordinate and where necessary offer direct support to affected providers. The role is more or less that of a standard CERT. Lindkvist has therefore suggested that the oversight of threats on the web offered by existing CERTs might be seen as rendering a specific DNS-CERT unnecessary.
Crocker, head of ICANN security committee (SSAC) also warned his CEO to concentrate on working together to fix various weaknesses in the DNS, rather than blabbing out security warnings. Crocker had earlier announced a meeting to discuss concrete progress in DNSSEC at the forthcoming ICANN meeting in Brussels. According to Crocker's statistics, by the end of the year, at least 19 country registries will have fully implemented the protocol, which is used to authenticate DNS responses.
Jim Galvin announced that .org will officially start using DNSSEC in June, but that initially only two providers will offer signing of their domains. It is still not clear how secure transfer of signed domains can be implemented. A bug in Bind which causes serious problems with obsolete key material also remains unfixed.
(Monika Ermert / djwm)