Latest news of the domain name industry

Recent Posts

ICANN dumps the “Whois” in new Whois tool

Kevin Murphy, July 31, 2019, Domain Tech

Of all the jargon regularly deployed in the domain name industry and ICANN community, “Whois” is probably the one requiring the least explanation.

It’s self-explanatory, historically doing exactly what it says on the tin. But it’s on its way out, to be replaced by the far less user-friendly “RDAP”.

The latest piece of evidence of this transition: ICANN has pushed its old Whois query tool aside in favor of a new, primarily RDAP-based service that no longer uses the word “Whois”.

RDAP is the Registration Data Access Protocol, the IETF’s standardized Whois replacement to which gTLD registries and registrars are contractually obliged to migrate their registrant data.

Thankfully, ICANN isn’t branding the service on this rather opaque acronym. Rather, it’s using the word “Lookup” instead.

The longstanding whois.icann.org web site has been deprecated, replaced with lookup.icann.org. Visitors to the old page will be bounced to the new one.

The old site looked like this:

Whois

The new site looks like this:

Whois

It’s pretty much useless for most domains, if you want to find out who actually owns them.

If you query a .com or .net domain, you’ll only receive Verisign’s “thin” output. This does not included any registrant information.

That’s unlike most commercial Whois services, which also ping the relevant registrar for the full thick record.

For non-Verisign gTLDs, ICANN will return the registry’s thick record, but it will be very likely be mostly redacted, as required under ICANN’s post-GDPR privacy policy.

While contracted parties are still transitioning away from Whois to RDAP, the ICANN tool will fail over to the old Whois output if it receives no RDAP data.

Under current ICANN Whois policy, registries and registrars have until August 26 to deploy RDAP services to run alongside their existing Whois services.

ICANN’s new conferencing software has a webcam security bug

Kevin Murphy, July 10, 2019, Domain Tech

ICANN can’t catch a break when it comes to remote participation security, it seems.

Having just recently made the community-wide switch away from Adobe Connect to Zoom, partly for security reasons, now Zoom has been hit by what many consider to be a critical zero-day vulnerability.

Zoom (which, irrelevantly, uses a .us domain) pushed out an emergency patch for the vulnerability yesterday, which would have allowed malicious web sites to automatically turn on visitors’ webcams without their consent.

Only users of the installable Mac client were affected.

According to security researcher Jonathan Leitschuh, who discovered the problem, Zoom’s Mac client was installing a web server on users’ machines in order to bypass an Apple security feature that requires a confirmatory click before the webcam turns on.

This meant a web site owner could trick a user into a Zoom session, with their camera turned on by default, without their knowledge or consent.

If you’re in the habit of keeping your webcam lens uncovered, that’s potentially a big privacy problem, especially if you do most of your remote coverage of ICANN meetings from the toilet.

It appears that Leitschuh, who reported the problem to Zoom three months ago, took issue with what he saw as the company’s ambivalent attitude to fixing it in a timely fashion.

When he finally blogged about it on Monday, after giving Zoom a 90-day “responsible disclosure” period to issue a patch, the problem still hadn’t been fully resolved, he wrote.

But, following media coverage, Zoom’s new patch apparently removes the covert web server completely. This removes the vulnerability but means Apple users will have to click a confirmation button before joining Zoom meetings in future.

Zoom is used now for all of ICANN’s remote participation, from sessions of its public meetings to discussions of its policy-making working groups.

I really like it. It feels a lot less clunky than Adobe, and it’s got some nifty extra features such as the ability to skip around in recordings based on an often-hilarious machine-transcription sidebar, which makes my life much easier.

One of the reasons ICANN made the switch was due to a bug found in Adobe Connect last year that could have been used to steal confidential information from closed meetings.

ICANN actually turned off Adobe Rooms for remote participants halfway through its public meeting in Puerto Rico due to the bug.

The switch to Zoom was hoped to save ICANN $100,000 a year.

What time is it? For ICANN, even that can be a controversial question

Kevin Murphy, June 21, 2019, Domain Tech

ICANN has found itself involved in a debate about whether Russia’s 2014 annexation of Crimea should be recognized.

It’s not unusual for ICANN to find itself in geopolitical controversies — see .amazon for the most recent example — but this time, it’s not about domain names.

It’s about time zones.

One of the little-known functions ICANN provides via its IANA division is the hosting of the so-called TZ Database, which keeps track of all international time zones, daylight savings time practices, and so on.

The database is referenced by scores of operating systems, web sites, libraries and software development kits. It’s used by MacOS, many major Unix/Linux distributions, Java and PHP.

IANA took over the database in 2011, after the original administrator, David Olson, was hit with a bogus lawsuit from an astrology company.

It’s currently managed by University of California computer scientist Paul Eggert. He’s not an ICANN employee. He’s responsible for making changes to the database, which IANA hosts.

There are no complex layers of policy-making and bureaucracy, just an ICANN-hosted mailing list. it very much harks back to the pre-ICANN/Jon Postel/Just A Guy model of international database administration.

But because time zones are set by the governments of territories, and the ownership of territories is sometimes in dispute, the TZ Database often finds itself involved in political debates.

The latest of these relates to Crimea.

As you will recall, back in 2014 the Russian Federation annexed Crimea — part of Ukraine and formerly part of the Soviet Union.

The United Nations condemned the move as illegal and still refuses to recognize the region as part of Russia. The de facto capital city of Crimea is now Simferopol.

As part of the takeover, Russia switched its new territories over to Moscow Time (MSK), a time zone three hours ahead of UTC that does not observe daylight savings.

The rest of Ukraine continues to use Eastern European Time, which is UTC+2, and Eastern European Summer Time (UTC+3).

This means that in the winter months, Crimea is an hour out of whack with the rest of Ukraine.

Currently, the TZ Database’s entry for Simferpol contains the country code “RU”, instead of “UA”.

This means that if you go to Crimea and try to configure your Unix-based system to the local time, you’ll see an indication in the interface that you’re in Russia, which understandably pisses off Ukrainians and is not in line with what most governments think.

You can check this out on some time zone web sites. The services at time.is and timeanddate.com both refer to Europe/Simferopol as being in Ukraine, while WorldTimeServer says it’s in Russia.

The TZ Database mailing list has recently received a couple of complaints from Ukrainians, including the head of the local cyber police, about this issue.

Serhii Demediuk, head of the Cyberpolice Department of the National Police of Ukraine, wrote in December:

by referring Crimea with the country code “RU”, your organization actually accepts and supports the aggressive actions of the Russian Federation who’s armed forces annexed this part of Ukraine. Such recognition may be considered as a criminal offense by the Ukrainian criminal law and we will be obliged to start formal criminal proceedings

It’s the longstanding principle of the TZ Database administrators that they’re not taking political positions when they assign country-codes to time zones, they’re just trying to be practical.

If somebody shows up for a business meeting in Crimea in December, they don’t want their clock to be an hour behind their local host’s for the sake of political correctness.

But Eggert nevertheless has proposed a patch that he believes may address Ukrainian concerns. It appears to have Simferopol listed as both RU and UA.

ICANN got hacked by crypto bots

Kevin Murphy, April 16, 2019, Domain Tech

ICANN had to take down its community wiki for several hours last week after it got hacked by crypto-currency miners.

The bad guys got in via one of two “critical” vulnerabilities in Confluence, the wiki software that ICANN licences from Atlassian Systems, which ICANN had not yet patched.

ICANN’s techies noticed the wiki, which is used by many of its policy-making bodies to coordinate their work, was running slowly April 11.

They quickly discovered that Atlassian had issued a vulnerability warning on March 20, but ICANN was not on its mailing list (doh!) so hadn’t been directly notified.

They also determined that a malicious “Crypto-Miner” — software that uses spare CPU cycles to attempt to create new cryptocurrency coins — had been installed and was responsible for the poor performance.

ICANN said it took the wiki down, restored it to a recent backup, patched Confluence, and brought the system back online. It seems to have taken a matter of hours from discovery to resolution.

The organization said it has now subscribed to Atlassian’s mailing list, so it will be notified of future vulnerabilities directly.

Root servers whacked after crypto change

Kevin Murphy, March 27, 2019, Domain Tech

The DNS root servers came under accidental attack from name servers across the internet following ICANN’s recent changes to their cryptographic master keys, according to Verisign.

The company, which runs the A and J root servers, said it saw requests for DNSSEC data at the root increase from 15 million a day in October to 1.15 billion a day a week ago.

The cause was the October 11 root Key Signing Key rollover, the first change ICANN had made to the “trust anchor” of DNSSEC since it came online at the root in 2010.

The KSK rollover saw ICANN change the cryptographic keys that rest at the very top of the DNSSEC hierarchy.

The move was controversial. ICANN delayed it for a year after learning about possible disruption at internet endpoints. Its Security and Stability Advisory Committee and even its own board were not unanimous that the roll should go ahead.

But the warnings were largely about the impact on internet users, rather than on the root servers themselves, and the impact was minimal.

Verisign is now saying that requests to its roots for DNSSEC key data increased from 15 million per day to 75 million per day, a five-fold increase, almost overnight.

It was not until January, when the old KSK was marked as “revoked”, did the seriously mahooosive traffic growth begin, however. Verisign’s distinguished engineer Duane Wessels wrote:

Everyone involved expected this to be a non-event. However, we instead saw an even bigger increase in DNSKEY queries coming from a population of root server clients. As of March 21, 2019, Verisign’s root name servers receive about 1.15 billion DNSKEY queries per day, which is 75 times higher than pre-rollover levels and nearly 7 percent of our total steady state query traffic.

Worryingly, the traffic only seemed to be increasing, until March 22, when the revoked key was removed from the root entirely.

Wessels wrote that while the root operators are still investigating, “it would seem that the presence of the revoked key in the zone triggered some unexpected behavior in a population of validating resolvers.”

The root operators hope to have answers in the coming weeks, he wrote.

The next KSK rollover is not expected for years, and the root traffic is now returning to normal levels, so there’s no urgency.