Latest news of the domain name industry

Recent Posts

Crypto legend Diffie joins ICANN

Kevin Murphy, May 16, 2010, Domain Tech

Whitfield Diffie, one of the fathers of modern cryptography, has been hired by ICANN as its new vice president for information security and cryptography.

ICANN said Diffie, who was Sun Microsystems’ chief security officer until last November, will advise ICANN “in the design, development and implementation of security methods” for its networks.

Diffie, along with his colleague Martin Hellman, basically invented the first method of securely exchanging cryptographic keys over insecure networks, in the 1970s.

The coup comes at an appropriate time for ICANN, which intends to start signing the internet’s DNS root servers with DNSSEC security keys on July 1.

Diffie will no doubt be pushed front-and-center for the photo ops during the first signing ceremony.

Google Translate turns ccTLDs into .com

Kevin Murphy, May 12, 2010, Domain Tech

I’ve found Google Translate an invaluable tool for researching overseas news stories, but it’s a pain in the neck for reading about domain names in foreign languages.

The service seems to have developed the habit of turning all freestanding ccTLDs into “.com”.

For an example, head over to Norid and turn on Norwegian-to-English translation (or, if you don’t have the Google Toolbar, use Google Translate on the web).

Every instance of “.no”, Norway’s country-code domain, is translated into a .com, more specifically “. Com”.

Ditto for German. Translate this story about Denic’s troubles today to see all instances of “.de” translated into “. Com”.

However, the front page of Afnic sees .fr translated to “. Com”, leaving .re, for the Reuinion Islands, untouched.

I should point out that the service leaves domain names alone, so nic.fr is still nic.fr. But you’ve still got to wonder what Google’s designers were thinking.

Hostway wants non-existent domain patent

Kevin Murphy, April 29, 2010, Domain Tech

Hostway, the large web hosting company, has applied for a US patent on a system of intercepting and redirecting requests for non-existent domains names.

The application describes “A system and method for controlling internet traffic controls internet traffic directed to a non-existing domain in a centralized manner.”

It appears to cover a service that could be offered to local ISPs, enabling them to show their users monetized search pages rather than domain-not-found error messages.

Under the system, ISPs would intercept NXDOMAIN responses to their users’ DNS lookups.

Instead of passing the error on to the browser, the ISP would consult a centralized controller for the IP address of a context-appropriate landing page to redirect the user to.

It’s not at all clear to me whether Hostway is using the technology or has plans to do so. The application was filed in October 2008.

ISPs using NXDOMAIN substitution to monetize error traffic is widespread but controversial.

ICANN president Rod Beckstrom strongly complained about the practice, which also has security implications, during a rant at the Nairobi meeting last month.

VeriSign’s Site Finder, and later Cameroon’s .cm, both controversially did similar things when they “wildcarded” non-existent domains at the TLD registry level.

Other interesting US patent applications published today include:

20100106650 – covering Go Daddy’s auction services.

20100106793 and 20100106794 – covering email forwarding under Go Daddy’s private registration services.

20100106731 – assigned to VeriSign, covering a method of offering alternative domain names for registration when a buyer’s first choice is unavailable.

I-Root yanks Beijing node

Kevin Murphy, March 31, 2010, Domain Tech

Autonomica, which runs i-root-servers.net, has stopped advertising its Anycast node in Beijing, after reports last week that its responses were being tampered with.

In the light of recent tensions between China and the US, people got a bit nervous after the Chilean ccTLD manager reported some “odd behaviour” to the dns-ops mailing list last week.

It seemed that DNS lookups for Facebook, Twitter and YouTube were being censored as they returned from I-Root’s node in China, which is hosted by CNNIC.

There was no suggestion that Autonomica was complicit in any censorship, and chief executive Karl Erik Lindqvist has now confirmed as much.

“Netnod/Autonomica is 100% committed to serving the root zone DNS data as published by the IANA. We have made a clear and public declaration of this, and we guarantee that the responses sent out by any i.root-servers.net instance consist of the appropriate data in the IANA root zone,” he wrote.

While Lindqvist is not explicit, the suggestion seems to be that somebody on the Chinese internet not associated with I-Root has been messing with DNS queries as they pass across the network.

This is believed to be common practice in China, whose citizens are subject to strict censorship, but any such activity outside its borders obviously represents a threat to the internet’s reliability.

The CNNIC node is offline until further notice.

NeuStar files for patent on DNSSEC hack

Kevin Murphy, March 25, 2010, Domain Tech

NeuStar has applied for a US patent on a stop-gap technology for authenticating DNS queries without the need for DNSSEC.

The application, published today, describes a system of securing the DNS connection between authoritative name servers and recursive servers belonging to ISPs.

It appears to cover the technology underlying Cache Defender, a service it started offering via its UltraDNS brand last July.

It was created to prevent the kind of man-in-the-middle attacks permitted by the 2008 Kaminsky exploit, which let attackers poison recursive caches, redirecting users to phoney web sites.

The DNSSEC standard calls for DNS traffic to be digitally signed and was designed to significantly mitigate this kind of attack, but it has yet to be widely deployed.

Some ccTLDs are already signed, but gTLD users will have to wait until at least this summer. The .org zone will be signed in June and ICANN will sign the root in July but .com will not be signed until next year.

While Kaminsky’s vulnerability has been broadly patched, brute-force attacks are still possible, according an ISP’s experience cited in the patent filing.

“The patch that experts previously believed would provide enough time to get DNSSEC deployed literally provided the industry just a few extra weeks,” it reads.