[council] Domain Name Security Paper Released

[Glen de Saint Géry <Glen@xxxxxxxxx>]

[To: council[at]gnso.icann.org; liaison6c[at]gnso.icann.org]
[To: ga[at]gnso.icann.org; announce[at]gnso.icann.org]
[To: regional-liaisons[at]icann.org]

http://www.icann.org/en/announcements/announcement-24jul08-en.htm<http://click.icptrack.com/icp/relay.php?r=9826720&msgid=163486&act=9MXL&c=165637&admin=0&destination=http%3A%2F%2Fwww.icann.org%2Fen%2Fannouncements%2Fannouncement-24jul08-en.htm>
________________________________
Domain Name Security Paper Released
24 July 2008
Marina Del Rey, Calif: For many years, the Internet community has been 
developing and enhancing a Domain Name System (DNS) security technology called 
DNSSEC.
ICANN's 
strategic<http://click.icptrack.com/icp/relay.php?r=9826720&msgid=163486&act=9MXL&c=165637&admin=0&destination=http%3A%2F%2Fwww.icann.org%2Fen%2Fstrategic-plan%2F>
 and 
operating<http://click.icptrack.com/icp/relay.php?r=9826720&msgid=163486&act=9MXL&c=165637&admin=0&destination=http%3A%2F%2Fwww.icann.org%2Fen%2Ffinancials%2Fadopted-opplan-budget-v3-fy09-25jun08-en.pdf>
 [PDF, 480K] plans call for ICANN to be operationally ready to deploy DNSSEC at 
the root level and work with relevant stakeholders to determine how this should 
be implemented. With input from many stakeholders, ICANN has prepared a 
document describing this path to operational readiness for signing the root.
The purpose of this 
paper<http://click.icptrack.com/icp/relay.php?r=9826720&msgid=163486&act=9MXL&c=165637&admin=0&destination=http%3A%2F%2Fwww.icann.org%2Fen%2Fannouncements%2Fdnssec-paper-15jul08-en.pdf>
 [PDF, 342K] released today is to:
a) articulate ICANN's initiatives toward operational readiness for DNSSEC 
signing; and
b) help determine the right structures so ICANN is "…prepared to digitally sign 
the root using DNSSEC technology by late 2008", as directed in the July 2008 – 
June 2011 ICANN Strategic Plan after consultation with stakeholders and having 
sought the necessary approvals.
Specifically, this document is not a roadmap for DNSSEC deployment.
Ultimately, this roadmap will be developed by a community consultation process, 
and require relevant approvals through ICANN's IANA functions contract with the 
U.S. Department of Commerce. A public forum has been established at 
http://forum.icann.org/lists/dnssec-roadmap/<http://click.icptrack.com/icp/relay.php?r=9826720&msgid=163486&act=9MXL&c=165637&admin=0&destination=http%3A%2F%2Fforum.icann.org%2Flists%2Fdnssec-roadmap%2F>
 and ICANN actively seeks your input on this important matter. Email comments 
to dnssec-roadmap@xxxxxxxxx<mailto:dnssec-roadmap@xxxxxxxxx>
In addition recently, a prominent security researcher privately reported two 
domain name system (DNS) vulnerabilities to many DNS name server developers.
DNSSEC would be a solution to these vulnerabilities.
The details of the vulnerabilities have not yet been disclosed publicly at this 
stage so that developers can produce patches to reduce the threat these 
vulnerabilities pose. Private disclosures of this kind also give DNS operators 
an opportunity to patch systems before the vulnerabilities can be exploited for 
malicious or criminal purposes. ICANN understands there will be a public 
announcement of these vulnerabilities by the researcher in coming weeks.
This vulnerability does not affect root-level servers or services that provide 
authoritative name service at the top level. But it does represent a threat for 
domain name servers that operate between end users and the root; servers 
operated by Internet Service Providers or large enterprises. Commercial service 
providers in general are aware of this issue, and are working with vendors to 
update their software to the latest versions.
ICANN's Security Stability Advisory Committee will be examining this issue and 
may report more fully later. ICANN urges any entity operating name services to 
update to the current versions to provide greatest protection.
Glen de Saint Géry
GNSO Secretariat
gnso.secretariat@xxxxxxxxxxxxxx
http://gnso.icann.org