[discuss] ICANN & "security of the DNS" Re: cgi.br release regarding Brazil Global MSM on Internet Governance

Mon Jan 20 17:03:03 UTC 2014

On Jan 20, 2014, at 7:10 AM, David Cake <dave at difference.com.au> wrote:

> 
> On 13 Jan 2014, at 9:38 pm, Louis Pouzin (well) <pouzin at well.com> wrote:
>> ICANN is an essential cog in the US gov mass surveillance operation. It is supposedly responsible of internet security. It never informed users of NSA's spying instrumentation of internet. Thus, it is untrustworthy by design, and will remain so, whatever gimmicks it resorts to for revamping its face.
> 
> 	This seems to be simply uninformed conspiracy theory.
> 	I know the ICANN security functions well (I was part of the Security, Stability and Resiliency review team, chaired by Alejandro Pisanty, that comprehensively reviewed ICANNs performance of those functions). ICANN absolutely is NOT responsible for all Internet security, it is responsible for security of the DNS, but the DNS is not the internet  (and it is absolutely not ICANNs responsibility to secure content carried by other protocols, except in so far as the DNS is part of the security infrastructure). While there are legitimate concerns about privacy and surveillance that are within ICANNs remit, such as increasing demands by law enforcement regarding registrant contact data, ICANNs role being restricted to the DNS means it is simply of very limited relevance to NSA surveillance scandals. 
> 	There are number of us very concerned about privacy and security issues within the ICANN community (and not just from civil society), but there really are a limited number of ways in which ICANNs role directly relates to NSA surveillance issues. 

It might be helpful to clarify terms here, since different people mean different things when they speak of "the DNS" and in discussions like this, the differences in perspective can be quite important. From an operational perspective-- in terms of what ICANN is actually in a position to view or change in the functioning of the DNS infrastructure of the internet-- ICANN's role is quite limited.

ICANN is not responsible for "security of the DNS", if you mean the protocol, or what most operators of DNS servers do to provide the service, or really anything very far outside the particulars of the root. It is responsible for certain specific activities regarding the contents of the root zone and certain activities and practices of some DNS TLD registries and registrars (those who operate under contract to ICANN). 

ICANN has a lot of influence over other TLD registry operators, and root and TLD authoritative name server operators.

ICANN has some influence, in collaboration with others (ccTLD operators, network operator groups, security groups, other participants in the IETF, etc.) over DNS protocol and operations on a slightly wider scale.

ICANN has no influence at all over the operations and decisions of the vast majority of enterprise DNS operators, ISP DNS operators, vendors of DNS software and services, or authorities those operators answer to day-to-day, in regards to security or anything else. It's important to note that this includes the overwhelming majority of network transactions, names that appear or don't in any zones besides the root and TLDs, servers that see DNS queries, the software they run, or the decisions operators make about what names to provide or what practices they use for whatever services they're providing or using….including who sees their network traffic or on what terms.

ICANN is involved in some pretty important pieces of the DNS infrastructure, but they're just that: pieces, of the infrastructure for one protocol, touching a very small fraction of many billions of transactions daily. There are many players and many activities involved in assessing or improving "security of the DNS", and holding ICANN responsible for all of them would be a serious miscalculation of what can actually be done or by whom. 

Asserting that ICANN is responsible for "internet security" is even further from reality.

Suzanne

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://1net-mail.1net.org/pipermail/discuss/attachments/20140120/b871b768/attachment.html>