|
Recent comments on the name collisions issue in the new gTLD program raise a question about the differences between established and new gTLDs with respect to name collisions, and whether they’re on an even playing field with one another.
Verisign’s latest public comments on ICANN’s “Mitigating the Risk of DNS Namespace Collisions” Phase One Report, in answering the question, suggest that the playing field the industry should be concerned about is actually in a different place. The following points are excerpted from the comments submitted April 21.
In a previous comment, Eric Osterweil summarized key differences between established and new gTLDs as they affect name collision risks. Namespaces associated with established TLDs, he observed, represent “well known and measurable real estate” that system administrators can plan for. In contrast, namespaces associated with applied-for strings including new gTLDs, Osterweil continued, “inherently have no well-known policies and structure”—other than the assumption that they weren’t expected to be delegated in the future foreseeable to system administrators.
Osterweil’s points are important to keep in mind, because they apply just as much to one of the comments in this public review period as they did to comments in the previous period.
A better understanding of the situation starts with clear definitions. A name collision occurs when one system assumes that a name is in one name space, another system assumes that the name is in another name space, and the two systems interact unaware of their difference in assumptions. One of the reasons they may not be aware is that the assumptions of both systems were historically the same, and then the assumptions of one of the systems changed.
ICANN’s Security and Stability Advisory Committee (SSAC) expresses the definition as follows in SAC062:
“The term ‘name collision’ refers to the situation in which a name that is properly defined in one operational domain or naming scope may appear in another domain (in which it is also syntactically valid), where users, software, or other functions in that domain may misinterpret it as if it correctly belonged there.”
With this definition in mind, it’s useful to highlight two situations that are not the same as name collisions.
So it should be clear that periodic changes in registrants as well as evidence of NXDOMAIN activity should not be confused with actual name collision risks, which depend on analysis of the queries themselves. Rather, one must look on the other side of the ecosystem, at the installed systems that interact with the global DNS and the evolution of their assumptions about internal vs. external name spaces. The difference between established gTLDs and new gTLDs becomes obvious in light of the differences in “expectations of their usage and policies,” as illustrated by the three examples below:
As noted in Verisign’s preliminary comments, the combinational complexity of changes in certificate practices, installed system configuration, the public suffix list and other system components to support new gTLDs, dramatically increases the risk to users and system administrators for new gTLDs compared to established TLDs, where each of these controls have been worked out over time.
The potential risks are real, as Osterweil further observed, citing a well-known recipe for mounting a man-in-the-middle attack by exploiting name collisions and internal-name certificates that was offered by an audience member at a TLD Security Forum meeting in August 2013 (see the video transcript at 1:27:20).
If there’s any unevenness in the domain name landscape, then, it’s a result of the tectonic interruptions that are requiring users, system administrators, network operators, infrastructure providers and platform and application developers across the globe to update their installed systems to accommodate 1,400 or more new gTLDs. The parties who rely on the global DNS are the ones whose playing field is out of balance due to the largest operational change to the global DNS in its 30-year history.
Sponsored byRadix
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byCSC
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byWhoisXML API