Survey on the impact of software regulation on DNS systems
Victoria Risk
vicky at isc.org
Wed Jan 29 13:49:45 UTC 2025
Robert,
We will update the link for the EO to the stable link in the Federal Register.
The SSAC report is hoping to help shape the technical implementation details of some regulations that are already in flight, including the CRA. It appears very likely that BIND, for example, will have to undergo third party process audits under the CRA, required for products with a critical role in network management. What is unknown is how often these will have to be done, and what the audits will consist of. I am not aware of any proposed regulations that include third party validation of the software.
The question is whether users think that this type of audit, or the requirements around vulnerability reporting, or encouraging updating, will improve their cybersecurity in practice. We can tell that the CRA, for example, will certainly mean more work for ISC’s software development teams, but we cannot tell whether that is welcomed by our users. It is a serious question - industry places some value on ISO quality certifications, and the CRA is in the same vein. The US Executive Orders, by contrast, seem to mostly use the “carrot” approach, as they are intended to impact US Federal procurement guidelines.
Vicky
> On Jan 29, 2025, at 6:57 AM, Robert Wagner <rwagner at tesla.net> wrote:
>
> This is not a good survey...
> The 2025 US Executive Orders point to dead links. Use the Federal Register link as it should be there long-term:
> <https://public-inspection.federalregister.gov/2025-01470.pdf>
> <https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity>
>
> How can one determine the impact of unknown regulations?
> FYI - If the EU took it upon themselves to analyze every bit of software and provide a free rating, that may have one outcome. However, if everyone producing open-source software was required to pay some large sum to get their software tested (and face fines if they didn't), that would have a different outcome.
>
> Regulations can be a carrot or stick approach.
>
> Software can be buggy but still be very useful/helpful. Malicious software can be well written (no obvious bugs).
>
> RW
>
> From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Marc <Marc at f1-outsourcing.eu>
> Sent: Tuesday, January 28, 2025 3:27 PM
> To: Victoria Risk <vicky at isc.org>; BIND Users <bind-users at lists.isc.org>; 'CNECT-F3 at ec.europa.eu' <CNECT-F3 at ec.europa.eu>
> Subject: RE: Survey on the impact of software regulation on DNS systems
>
> >
> > Did you know that there is significant momentum building to regulate
> > software, including open source, in at least Europe and the US (and
> > possibly elsewhere as well), in order to improve cybersecurity? Do you
> > think this regulation will improve cybersecurity for your operations?
> > What are the opportunities and pitfalls you can envision?
> >
> >
>
> What about regulating standards? What is the point of regulating open source, when companies like Apple and Microsoft sabotage third-party software/connectivity by not implementing software according to standards? Their upgrades miraculously only break third parties' implementations and not their own.
> Think e.g. of auto-provisioning.
>