The Domain Name System Runs on Open Source Software

Last week, ICANN published a report on the importance of open source in the DNS. I contributed to this report, along with people from the other open source DNS systems, DNS operators, and academic researchers with DNS expertise.

The Domain Name System Runs on Free and Open Source Software (FOSS)

As governments become focused on the impact of cybersecurity on national security and business productivity, they naturally want to implement regulations to ensure some baseline security practices. In the past several years, we have seen, in the US, Executive Order 14028, NIST SSDF 1.1 - Recommendations for Mitigating the Risk of Software Vulnerabilities, the CISA Zero Trust Maturity Model, CISA's Secure Software Development Attestation program, and Executive Order 14144, "Strengthening and Promoting Innovation in the Nation's Cybersecurity." In the European Union, we had the NIS2 Directive, which extended reporting requirements to DNS resolver operators, followed by the Cyber Resilience Act (CRA), which aims to secure products traded in the EU that incorporate software, and the updated Product Liability Directive, which extended product liability to software products. The trend is continuing, with the 2025 publication in the UK of a voluntary "Software Security Code of Practice" and the work to develop regulations in countries across the EU to implement the CRA.

These regulatory efforts span a wide range of issues in software security, including:

  • Maintenance and updating across a reasonable software lifecycle
  • Vulnerability handling: patching, and reporting vulnerabilities, exploits, and system breaches
  • Adherence to software development best practices
  • Supply chain security, ensuring the integrity of software builds

ISC already adheres to most of the best practices that these regulations seek to enforce, although in a few areas (e.g. SBOMs) standardized solutions are just beginning to emerge. However, in general, we are skeptical that regulations are the most effective way to improve open source software security, and we are concerned about the disproportionate impact the cost of regulatory compliance could have on non-profits producing open source.

This report addresses the (understandable) lack of background among government regulators on both the DNS as a core Internet system and open source as a culture, development process, and business system. The report cites some examples of recent regulatory efforts to point out where they are consistent with supporting open source.

The report concludes that it is important to:

  • Recognize the critical role of FOSS in the DNS
  • Consult the open source community early in the process of designing new regulations or programs
  • Recognize the unique sustainability challenges of open source
  • Build solutions that leverage the collaborative strength of open source
  • Assign the burdens of compliance to those most able to bear them

Please feel free to recommend this report to anyone who could benefit from a primer on the importance of open source in the DNS.
