Latest news of the domain name industry

Recent Posts

US government requests root DNSSEC go-ahead

Kevin Murphy, June 7, 2010, Domain Tech

The National Telecommunications and Information Administration, part of the US Department of Commerce, has formally announced its intent to allow the domain name system’s root servers to be digitally signed with DNSSEC.

Largely, I expect, a formality, a public comment period has been opened (pdf) that will run for two weeks, concluding on the first day of ICANN’s Brussels meeting.

NTIA said:

NTIA and NIST have reviewed the testing and evaluation report and conclude that DNSSEC is ready for the final stages of deployment at the authoritative root zone.

DNSSEC is a standard for signing DNS traffic using cryptographic keys, making it much more difficult to spoof domain names.

ICANN is expected to get the next stage of DNSSEC deployment underway next week, when it generates the first set of keys during a six-hour “ceremony” at a secure facility in Culpeper, Virginia.

The signed, validatable root zone is expected to go live July 15.

ICANN’s Draft Applicant Guidebook v4 – first reactions

Kevin Murphy, June 1, 2010, Domain Policy

As you probably already know, ICANN late yesterday released version 4 of its Draft Applicant Guidebook, the bible for new top-level domain registry wannabes.

Having spent some time today skimming through the novel-length tome, I can’t say I’ve spotted anything especially surprising in there.

IP interests and governments get more of the protections they asked for, a placeholder banning registries and registrars from owning each other makes its first appearance, and ICANN beefs up the text detailing the influence of public comment periods.

There are also clarifications on the kinds of background checks ICANN will run on applicants, and a modified fee structure that gets prospective registries into the system for $5,000.

DNSSEC, security extensions for the DNS protocol, also gets a firmer mandate, with ICANN now making it clearer that new TLDs will be expected to implement DNSSEC from launch.

It’s still early days, but a number of commentators have already given their early reactions.

Perennial first-off-the-block ICANN watcher George Kirikos quickly took issue with the fact that DAG v4 still does not include “hard price caps” for registrations

[The DAG] demonstrates once again that ICANN has no interests in protecting consumers, but is merely in cahoots with registrars and registries, acting against the interests of the public… registry operators would be open to charge $1000/yr per domain or $1 million/yr per domain, for example, to maximize their profits.

Andrew Allemann of Domain Name Wire reckons ICANN should impose a filter on its newly emphasised comment periods in order to reduce the number of form letters, such as those seen during the recent .xxx consultation.

I can’t say I agree. ICANN could save itself a few headaches but it would immediately open itself up to accusations of avoiding its openness and transparency commitments.

The Internet Governance Project’s Milton Mueller noted that the “Draconian” text banning the cross-ownership of registries and registrars is basically a way to force the GNSO to hammer out a consensus policy on the matter.

Everyone knows this is a silly policy. The reason this is being put forward is that the VI Working Group has not succeeded in coming up with a policy toward cross-ownership and vertical integration that most of the parties can agree on.

I basically agree. It’s been clear since Nairobi that this was the case, but I doubt anybody expected the working group to come to any consensus before the new DAG was drafted, so I wouldn’t really count its work as a failure just yet.

That said, the way it’s looking at the moment, with participants still squabbling about basic definitions and terms of reference, I doubt that a fully comprehensive consensus on vertical integration will emerge before Brussels.

Mueller lays the blame squarely with Afilias and Go Daddy for stalling these talks, so I’m guessing he’s basing his views on more information than is available on the public record.

Antony Van Couvering of prospective registry Minds + Machines has the most comprehensive commentary so far, touching on several issues raised by the new DAG.

He’s not happy about the VI issue either, but his review concludes with a generally ambivalent comment:

Overall, this version of the Draft Applicant Guidebook differs from the previous version by adding some incremental changes and extra back doors for fidgety governments and the IP interests who lobby them. None of the changes are unexpected or especially egregious.

DAG v4 is 312 pages long, 367 pages if you’re reading the redlined version. I expect it will take a few days before we see any more substantial critiques.

One thing is certain: Brussels is going to be fun.

Root DNSSEC push delayed two weeks

Kevin Murphy, May 18, 2010, Domain Tech

The final rollout of DNSSEC to the internet’s root servers, a major security upgrade for the domain name system, has been pushed back two weeks to July 15.

ICANN’s DNS director Joe Abley said in an update on root-dnssec.org and in email to the dns-ops mailing list:

The schedule change is intended to allow ICANN and VeriSign an additional two weeks for further analysis of the DURZ rollout, to finalise testing and best ensure the secure, stable and resilient implementation of the root DNSSEC production processes and systems.

The Deliberately-Unvalidatable Root Zone is a way for the root operators to test how normal DNS resolution copes with fatter DNSSEC responses coming from the root, before worrying about issues concerning DNSSEC validation itself.

The DURZ has been cautiously rolled out over the last few months and has been operational across all 13 root servers since May 5.

The original plan called for the roots to become validatable following a key signing ceremony on July 1

The schedule change from ICANN also comes with a notice that the US government will be asking for public comment before the decision is made to properly sign the root.

Prior to 2010-07-15 the U.S. Department of Commerce (DoC) will issue a public notice announcing the publication of the joint ICANN-VeriSign testing and evaluation report as well as the intent to proceed with the final stage of DNSSEC deployment. As part of this notice the DoC will include a public review and comment period prior to taking any action.

I may be just a little forgetful, but I can’t remember hearing about this Commerce involvement before.

Still, DNSSEC is a big change, so there’s nothing wrong with more of the softly-softly approach.

Crypto legend Diffie joins ICANN

Kevin Murphy, May 16, 2010, Domain Tech

Whitfield Diffie, one of the fathers of modern cryptography, has been hired by ICANN as its new vice president for information security and cryptography.

ICANN said Diffie, who was Sun Microsystems’ chief security officer until last November, will advise ICANN “in the design, development and implementation of security methods” for its networks.

Diffie, along with his colleague Martin Hellman, basically invented the first method of securely exchanging cryptographic keys over insecure networks, in the 1970s.

The coup comes at an appropriate time for ICANN, which intends to start signing the internet’s DNS root servers with DNSSEC security keys on July 1.

Diffie will no doubt be pushed front-and-center for the photo ops during the first signing ceremony.

NeuStar files for patent on DNSSEC hack

Kevin Murphy, March 25, 2010, Domain Tech

NeuStar has applied for a US patent on a stop-gap technology for authenticating DNS queries without the need for DNSSEC.

The application, published today, describes a system of securing the DNS connection between authoritative name servers and recursive servers belonging to ISPs.

It appears to cover the technology underlying Cache Defender, a service it started offering via its UltraDNS brand last July.

It was created to prevent the kind of man-in-the-middle attacks permitted by the 2008 Kaminsky exploit, which let attackers poison recursive caches, redirecting users to phoney web sites.

The DNSSEC standard calls for DNS traffic to be digitally signed and was designed to significantly mitigate this kind of attack, but it has yet to be widely deployed.

Some ccTLDs are already signed, but gTLD users will have to wait until at least this summer. The .org zone will be signed in June and ICANN will sign the root in July but .com will not be signed until next year.

While Kaminsky’s vulnerability has been broadly patched, brute-force attacks are still possible, according an ISP’s experience cited in the patent filing.

“The patch that experts previously believed would provide enough time to get DNSSEC deployed literally provided the industry just a few extra weeks,” it reads.