The Domain Name System (DNS) is among the most crucial services in today’s Internet and yet is one of the most misunderstood by its operators. This has made the DNS a target for malicious activity.
Although the DNS and all the security measures that support its operation are based on open standards, getting all DNS operators and others in the DNS ecosystem to implement security features at the same level has been challenging. Smaller operators struggle to follow the continuous evolution of security measures, while large operators may choose and implement only the measures that are most helpful to their business goals. This patchwork of varying security levels leads to vulnerabilities that malicious actors leverage for their attacks.
While there are hundreds of documents available online addressing all or part of DNS operational practices, none really provides streamlined, simple guidance on the most important operational practices that everyone running DNS services should be paying attention to.
The Knowledge-Sharing and Instantiating Norms for Domain Name System (DNS) and Naming Security (KINDNS) is a new ICANN initiative that provides a framework of best practices to help DNS operators improve the security and effectiveness of their services.
Applying best practices requires a good understanding of the DNS protocol itself
KINDNS does not make you an expert in DNS operations. Rather, KINDNS is a framework that can be used by everyone as a reference when trying to implement DNS services the right way, ensuring they are both effective and secure.
As the name suggests, the KINDNS framework has a strong focus on DNS security. To establish a baseline level of security, the KINDNS team worked closely with the DNS technical community to identify and document a small set of mutually agreed norms (best practices) that operators of any size can easily implement. We initially wanted to stick to fewer than 10 best practices that operators can voluntarily adopt with limited impact on their day-to-day operations.
After drafting the guidelines, gathering community feedback on them, refining them, and applying them in test deployments to validate them further, we published the initial version of KINDNS in September 2022 on a dedicated website. The website provides references to other tools and guidelines that can help you improve or validate your operational practices.
Moving forward, the KINDNS team will be focusing on:
- Promoting adoption, which includes actively engaging DNS operators to adopt and support the framework, translating KINDNS content into additional languages, enrolling sponsors and ambassadors as early supporters, and developing and maintaining an active community to support and evolve the initiative.
- Soliciting and gathering feedback on the KINDNS guidelines to refine them and to identify emerging best practices that may be candidates for future additions to KINDNS.
- Evolving the self-assessment tool to include technical measurement and automated reporting.
- Developing an observatory platform around key DNS security indicators that will help measure and assess the impact of KINDNS.
Participation is a voluntary commitment to the global community to provide DNS service under the KINDNS practices framework. It relies on a self-assessment tool launched with this version of the framework. The tool walks you through a series of questions and helps you understand where your operation stands relative to the practices the framework promotes.
Participating operators will be listed on the KINDNS website and can display participant badges on their online profiles. Even if you are not ready to join the KINDNS program today, we encourage you to join the mailing list to stay informed of its evolution and to contribute to discussions on operational best practices in general.
Assess your DNS operational practices today and join our effort to make the global DNS and the Internet a more secure place for everyone.
Adiel Akplogan is Vice President for Technical Engagement, ICANN.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.