KINDNS stands for Knowledge-Sharing and Instantiating Norms for DNS and Naming Security. It is a program to develop a framework that focuses on the most important operational best practices, or concrete instances of DNS security best practices. Working with the DNS technical community, we will identify and document (in the form of guidelines) a set of mutually agreed norms that support a secure DNS ecosystem that both small and big operators can easily complement. Then we will actively promote their adoption by the operator community.
Background and Objectives:
ICANN’s strategic goals for the coming five years put an emphasis on more active promotion of DNS ecosystem security and relevant best practices, particularly Goals 1.1.c and 1.3.a, b, and c, which highlight the need to improve the security of the DNS and the adoption of global open standards and best practices. In line with these strategic goals, and with ICANN's mission to foster a more robust DNS ecosystem, we are developing a new formal framework to actively promote DNS operational best practices and to encourage operators to adopt and help promote them.
The DNS itself and all the security measures that support its operation are based on open standards. As is typically the case with security in general, getting all DNS operators and others in the DNS ecosystem to implement security features at the same level has been challenging. Small operators struggle to follow the continuous evolution of security measures, while major operators choose and implement only the measures that make more sense for their business goals. Through the KINDNS initiative, we will develop a simple but effective framework to which operators can voluntarily and easily commit. In particular, it will be something simple to refer to, which will help small operators that may be typically unable to dedicate many resources to following both the evolution of the DNS protocol and the best practices larger operators identify for security and DNS operations.
The goal of KINDNS is not to lecture operators or overwhelm them with a complex list of things to do, but rather to build a framework that focuses on the most important operational best practices or concrete instances of best practices. Working with the DNS technical community, we will first identify and document a set of mutually agreed norms that support a secure DNS ecosystem. Then we will develop an active outreach and communication program to promote their adoption.
The first target of the project will be DNS operators (of authoritative and resolver services) and DNS software vendors in their respective roles. Participants in the initiative will voluntarily commit to adhere to the mutually agreed norms and act as “goodwill ambassadors” within the community. The more operators that join the initiative, the larger the footprint of a robust and secure DNS ecosystem will be.
Key Components and Milestones
- Identify key DNS operational security best practices
- Document the best practices and their implementation guidelines
- Develop a dedicated website for the initiative (multilingual)
- Enroll sponsors and operators as early supporters
- Develop tools for self-assessment
- Develop an observatory platform around key DNS security indicators
- Develop and maintain a live community to support and evolve the initiative
To join the conversation, you can subscribe to the kindns-discuss [at] icann.org mailing list at:
For more information about the initiative please email: