Have some security aspects been overlooked in the rush to conclude the new gTLD program and “give birth to the baby before it starts to get really sick” as ICANN CEO Fadi Chehadé put it at a briefing jointly organised by ICANN and the European Commission a few days ago?
Ever since 2008 when the ICANN Board approved the GNSO-evolved policy that became the new gTLD program, it has been reworked so much that it’s difficult to imagine any stone has been left unturned. Yet a recent letter threatens to open up a new can of worms.
The letter was sent by ALAC. In the ICANN universe, any acronym that ends with the letters A and C denotes an Advisory Committee. As the name suggests, these exist to provide advice on their specific area of expertise. One such committee, the Governmental Advisory Committee or GAC, has been getting a lot of press since April, when it gave the ICANN Board advice so far-reaching that some see it as taking parts of the new gTLD program back to the drawing board.
Whilst the GAC speaks for governments, other ACs represent the Internet’s users (ALAC) or its technical community (SSAC). Even if the GAC is often perceived as carrying more weight, the truth is it would be difficult and politically dangerous for the ICANN Board to ignore any of its ACs as they weigh in on the new gTLD debate.
Weak-kneed
Yet ALAC’s June 7, 2013 letter suggests that’s exactly what the Board has been tempted to do with advice from the SSAC, shorthand for the Security and Stability Advisory Committee. SSAC’s function is to advise “the ICANN community and Board on matters relating to the security and integrity of the Internet’s naming and address allocation systems”.
As a committee of technical experts, SSAC has naturally looked at the possible impact on the stability of the Internet of a hundred-fold increase in the size of the root zone. It has published several reports since 2008 and proponents of new gTLDs reading some of them are likely to come away feeling a little depressed.
Contrary to popular delusions, adding new Top Level Domains to a system as complex and unpredictable as the Internet is not just about giving new strings the green light at ICANN level. The possible technical side effects SSAC has looked at actually make one weak at the knees.
Did you know, for example, that there are constant requests on the Internet for strings that don’t exist? So much so in fact, that the top 10 such requests make up 10% of the total query load sent to the root servers! SSAC’s SAC045 report calls this “DNS pollution” and tells us that right now, with the limited number of Top Level Domains, it’s easy for the system as a whole to deal with the issue. The root responds that the requested string doesn’t exist and that’s that. But what if tomorrow, the string does exist?
“It is likely that many of the same conditions that cause the current set of invalid TLD queries to appear at the root level of the DNS will persist,” says SSAC in its report. So those wrongly configured systems could start behaving differently when they are told that they are, in fact, asking for valid strings. Because the fact that the strings themselves have now become valid through someone else’s desire to operate them as new gTLDs won’t make the original request any less of a mistake. “Studies illustrate that the amount of inherited query traffic could be considerable, i.e., on the order of millions of queries per day, should the applicant’s chosen string be one that appears frequently at the root,” warns SSAC. Scary.
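An added example, not part of the original article: one way for an operator to measure, from their own resolver's query log, which lookups end in a string that is not delegated today and would therefore become "inherited" traffic if that string were delegated. The log layout, the sample lines, the `DELEGATED` subset and the function name are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed subset for the demo; in practice load the current list of delegated TLDs.
DELEGATED = {"com", "net", "org", "arpa"}

# Constructed sample lines in a simplified BIND-style query-log layout.
SAMPLE_LOG = """\
client 192.0.2.10#53211: query: wpad.corp IN A +
client 192.0.2.10#53212: query: mail.xyzzy.corp. IN A +
client 192.0.2.11#40100: query: printer.home IN AAAA +
client 192.0.2.12#40101: query: router IN A +
client 192.0.2.12#40102: query: www.example.com IN A +
client 192.0.2.13#40103: query: HOME. IN A +
client 192.0.2.13#40104: query: . IN NS +
garbage line that does not parse
"""

QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN (\S+)")

def undelegated_report(log_text, delegated=DELEGATED):
    """Count queries whose rightmost label is not a delegated TLD.

    Returns {tld: {"total": n, "dotless": n, "clients": set, "names": Counter}}.
    """
    report = defaultdict(lambda: {"total": 0, "dotless": 0,
                                  "clients": set(), "names": Counter()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue                      # skip unparseable lines
        client, qname, _qtype = m.groups()
        name = qname.rstrip(".").lower()  # DNS names are case-insensitive
        if not name:
            continue                      # query for the root itself
        labels = name.split(".")
        tld = labels[-1]
        if tld in delegated:
            continue                      # resolves normally today
        entry = report[tld]
        entry["total"] += 1
        entry["dotless"] += len(labels) == 1   # single-label ("dotless") query
        entry["clients"].add(client)
        entry["names"][name] += 1
    return dict(report)

if __name__ == "__main__":
    for tld, e in sorted(undelegated_report(SAMPLE_LOG).items()):
        print(tld, e["total"], "dotless:", e["dotless"], sorted(e["clients"]))
```

The per-string client sets point to the misconfigured hosts to fix, and the `names` counter shows whether the traffic is for one name or many.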
Ignoring the writing on the wall?
Through several studies, SSAC not only outlines a potential problem, but also recommends action to mitigate the risks. ALAC’s June 7 letter can be read as an accusation the ICANN Board is ignoring this advice and blindly pushing on with launching new gTLDs.
“An ICANN Announcement on 28 May 2013 advised that ICANN, following the direction of its Board, is commissioning two Security Studies on the Use of Non-Delegated TLDs, and Dotless Names,” writes ALAC Chair Olivier Crépin-Leblond. “While the commitment to investigate these potential conflicts is most welcome, the timing of this very necessary undertaking is regrettably late in the process of new gTLD introduction.”
ALAC references SSAC study SAC046 which recommended further studies be undertaken. “This recommendation has been repeated by the SSAC on a number of occasions since,” adds Crépin-Leblond, before turning to another technical issue.
On February 23, 2012, SAC053 recommended that dotless domains not be allowed. Simply put, dotless domains are a TLD used as a key word, without any suffix or prefix. “It has been a year since the release of that Advice and the Advice was very clear,” Crépin-Leblond says, before castigating ICANN for concluding that public comments to SAC053 suggest no clear conclusions can be drawn from the advice and that a new study is required to determine what to do with dotless domains. “The above constitutes a flagrant flaw in the public comment system and I urge you to find the reason for this flaw. I shall also ask the Accountability and Transparency Review Team to investigate this matter since this is an example of very clear cut advice from an ICANN Advisory Committee that is put into question by the ICANN Board and Staff.”
Limited launch?
So is ICANN guilty of pushing on regardless? For applicants who are already having to contend with some unexpectedly heavy GAC advice, no doubt the answer is a resounding “no!”. But they now face mounting pressure from those who are not prepared to risk the Internet starting to go all weird because new gTLDs are launched without due respect for the potential technical collateral damage they might cause.
ALAC is not the only voice suggesting caution. In March, Dot COM registry operator Verisign sent Chehadé a study on “new gTLD security and stability considerations” in which it mentions a number of possible technical hiccups.
And just days ago, on June 26, US Senate Committee on Commerce, Science and Transportation Chairman John D. Rockefeller IV grew so worried he wrote to ICANN Board Chair Steve Crocker asking him to consider doing “a limited first round of new gTLDs to allow for an effective one-year review.”
Sen. Rockefeller makes the point that those entrusted with the public interest are worried. No doubt the spate of correspondence ICANN has received lately has helped increase this anxiety level.
Some of the alarm bells include FairSearch.org’s assertion that Google is planning to operate the Dot Search TLD to its own advantage. “As the dominant online search provider, Google has a unique economic interest in stifling existing and emerging competitive threats to its position,” says FairSearch.org, an organisation formed in 2010 to promote an open search ecosystem.
FairSearch.org’s June 13 letter was actually preceded by a letter from Microsoft which used Google’s proposed Dot Search to express wider concerns about ICANN. Yahoo followed suit on June 13.
Contingency plan
The central theme in all this remains a technical one. Is ICANN moving ahead too fast for the technical good of the Internet? At this stage, the truth may actually matter less than the perception of the truth.
It seems pretty clear, especially considering the ICANN Board has already accepted some of it, that the GAC’s advice has scuppered some gTLD applicants’ hope of a quick launch. On the other hand, the new gTLD program should not be allowed to drag on indefinitely. Opening up the Internet’s top level has taken up so much of ICANN’s life force that it’s become crucial for the program to see some sort of conclusion soon.
And if part of the ICANN community or US Senators are thinking otherwise, Chehadé is behaving like the top-level manager he is: by sticking to his timeline but also by preparing a contingency plan, just in case.
“Our target date is the fall of 2013,” he said in Brussels, a couple of weeks after the creation of a new “generic domains” division, to be headed by former ICANN COO Akram Atallah, was announced. “This program has consumed huge quantities of ICANN’s resources. This is what this new division is about. It’s there to give some oxygen back to ICANN because we have a lot of other important things to do.”
Like making sure the Internet remains technically stable and functional, which is written in ICANN’s Bylaws as one of its core values and which Chehadé has repeatedly said would take precedence over the drive to launch new gTLDs.
Atallah’s already celebrated one major win as ICANN and its accredited registrars finally closed on almost two years of negotiations and agreed on a new registrar contract this week. A few days later, the registry contract was also wrapped up. But taking the concerns of ICANN’s technical community on board whilst keeping the new gTLD program on schedule may end up being an even bigger challenge.
Stephane,
Most of your reasoning is based on the fact that the root gets queries for strings that currently do not exist as names in TLDs.
But you do not describe such strings.
1) What if these queries were for “mshome”, for example? This is a TLD that has not been applied for. So the introduction of other new TLDs is not a problem.
2) What if they were for unregistered .com names, for example? They will be unaffected by the introduction of new TLDs.
3) What if all of them were for the name “xyzzy.corp”, for example? .Corp (and all other new TLDs) could still be introduced without a problem, if “xyzzy.corp” remained unregistered (just one of the many solutions to this). So again, not a problem.
You mention various letters written by Senators and large corporations (Verisign and Microsoft are two) to ICANN, and the economic interest of Google. You are right. This trumped-up so-called technical issue is all about economic interest. These letters demonstrate (to me at least), the very large incumbent interest to the status quo. It's not a surprise that by far the largest registry does not want new registry entrants to the market and has gotten their friends in DC to send letters to ICANN. Competition and innovation (what Google is doing with “.search”, IMO) need to trump incumbent interests.
The technical impact of new TLDs has been studied by numerous experts for many years. The internet will not “go all weird because new gTLDs are launched” no matter how much these incumbents wish the ICANN board to think it will (in the incumbents’ attempt to delay or stop the process). If they do not already, the ICANN board (the GAC, and ALAC) needs to see them for what they really are - incumbents trying to keep the status quo by using a trumped-up last-minute technical “issue” and political pressure to restrict competition and innovation.
Paul
Paul and other readers,
Reading the source always helps. Here it is - SSAC report 053: http://www.icann.org/en/news/public-comment/sac053-dotless-domains-24aug12-en.htm
The SSAC document is about stability - not economic issues. Disallowing hostnames of the form "domain" (or links like http://tldname/) is not going to make registry operators, or registrars, less profitable.
And here is a list of top queried domain names, taken from the ICANN-operated DNS server called L-root: http://dns.icann.org/cgi-bin/dsc-grapher.pl?window=86400&plot=qtype_vs_all_tld&server=L-root
In particular, the strings home, belkin, corp, dlink, domain, router, med are not currently delegated in the root.
Dmitry,
You are correct, the SSAC report is not about economic issues, but the motivation for dotless domains is economic.
As that SSAC053 report states, there are already dotless domains - and the report does not state that those dotless domains cause any instability or security issues at all.
And as we are all aware, the internet did not crash with the presence of those dotless TLDs.
I do not agree with you that disallowing dotless domains will not make registries/registrars less profitable.
And certain competing registries do not want their competitors stronger, hence (IMO) some oppose it.
Obviously Google wants to have a dotless domain for some reason - it's either economic or they believe it has other benefits (such as, for example, a public benefit).
Microsoft (and their partner Yahoo) do not want what Google wants, probably by default, as they too, are competitors.
As for your L-root TLDs list:
1) Most of those names you list have not been applied as TLDs (belkin, drink, domain, router, as examples) so they cannot possibly be “dotless” at this time, or likely in the near future, in any case.
2) This issue (queries to the root) had been discussed many years ago (“Reserved Names Working Group” - where this, to my recollection, first came up - final report came out in May 2007, and also see SSAC045 “Invalid TLD queries at the Root Level of the DNS system” which was in 2010 - at least a 3-year warning for folks to fix their local-network errors in querying the root). Both of those reports came out before the SSAC053 report, which even the SSAC053 report, I’d also like to point out, came out before the window opened and the AG was finalized, and relied upon. The result of all these reports and studies, “.local”, “.localhost” (which are on the L-root list), and other TLDs were added to the list of TLDs for which ICANN would not accept applications. That list is in section 2.2.1.2.1 “Reserved Names” in the AG.
3) The L-root list does not list the subdomains that are being queried (says “no data to display at this time”). As I said above, for all we know, *ALL* the .corp queries (as an example) could be for one subdomain - for example, xyzzy.corp - or for a number of subdomains, and none of them are for the dotless “corp”, in which case problem solved for that TLD because the TLD operator can reply with NxD (even at 1,000 q/s rate or higher) just as well as the root can for those “error” subdomains.
Finally, all the other applied-for new TLDs not receiving root traffic, such as “.yandex” or “.lanxess”, you would agree then, since they are not on the list of dotless names that currently get queries to the root, they would pose no problem as dotless TLDs. Which is why this needs to be looked at on a case-by-case (RSEP) basis, if not an outright whitelist of applied-for TLDs that can be dotless.
Happy to discuss this (and looking forward to it) with yourself, Stephane, and anyone else in Durban next week,
Paul
Paul, I think the real missing link in your article is this statement from the IAB:
http://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/