NTAG rubbishes new gTLD collision risk report

Kevin Murphy, August 15, 2013, Domain Policy

The New gTLD Applicants Group has slated Interisle Consulting’s report into the risk of new gTLDs causing security problems on the internet, saying the problem is “overstated”.

The group, which represents applicants for hundreds of gTLDs and has a non-voting role in ICANN’s GNSO, called on ICANN to reclassify hundreds of “Uncalculated” risk strings as “Low” risk, meaning they would not face as substantial a delay before, or as much uncertainty about, their eventual delegation.

But NTAG said it “agreed” that the high-risk .corp and .home “should be delayed while further studies are conducted”. The current ICANN proposal is actually to reject both of these strings.

NTAG was responding to ICANN’s proposal earlier this month to delay 523 applications (for 279 strings) by three to six months while further studies are carried out.

The proposal was based on Interisle’s study of DNS root server logs, which showed many millions of daily queries for gTLDs that currently do not exist but have been applied for.

The worry is that delegating those strings would cause problems such as downtime or data leakage, where sensitive information intended for a recipient on the same local network would be sent instead to a new gTLD registry or one of its (possibly malicious) registrants.

NTAG reckons the risk presented by Interisle has been overblown, and it presented a point-by-point analysis of its own. It called for everything except .corp and .home to be categorized “Low” risk, saying:

We recognize that a small number of applied for names may possibly pose a risk to current operations, but we believe very strongly that there is no quantitative basis for holding back strings that pose less measurable threat than almost all existing TLDs today. This is why we urge the board to proceed with the applications classified as “Unknown Risk” using the mitigations recommended by staff for “Low Risk” strings. We believe the 80% of strings classified as “Low Risk” should proceed immediately with no additional mitigations.

The group pointed to a recent analysis by Verisign (which, contrarily, was trying to show that new gTLDs should be delayed) which included data about previous new gTLD delegations.

That report said that .xxx was seeing 4,018 look-ups per million queries (PPM) at the DNS root before it was delegated. The number for .asia was 2,708.

If you exclude .corp and .home, both of those PPM numbers are multiples larger than the equivalent measures of query volume for every applied-for gTLD today, also according to Verisign’s data.

NTAG said:

None of these strings pose any more risk than .xxx, .asia and other currently operating TLDs.

The least “dangerous” current gTLD on the chart, .sx, had 331 queries per million in 2006. This is a higher density of NXDOMAIN queries than all but five proposed new TLDs. Again, .sx was launched successfully in 2012 with none of the problems predicted in these reports.

Verisign’s report, which sought to provide a more qualitative risk analysis based on some data-supported guesses about where the error traffic is coming from and why, anticipated this interpretation.

Verisign said:

This could indicate that there is nothing to worry about when adding new TLDs, because there was no global failure of DNS when this was done before. Alternately, one might conclude that traffic volumes are not the only indicator of risk, and the semantic meaning of strings might also play a role. We posit that in some cases, those strings with semantic meanings, and which are in common use (such as in speech, writing, etc.) pose a greater risk for naming collision.

The company spent most of its report making somewhat tenuous correlations between its data (such as a relatively large number of requests for .medical from Japanese IP addresses) and speculative impacts (such as “undiagnosed system failures” at “a healthcare provider in Japan”).

NTAG, by contrast, is playing down the potential for negative outcomes, saying that in many cases the risks introduced by new gTLDs are no different from collision risks at the second level in existing TLDs.

Just as the NTAG would not ask ICANN to halt .com registrations while a twelve month study is performed on these problems, we believe there is no reason to introduce a delay in diversifying the Internet’s namespace due to these concerns.

While it stopped short of alleging shenanigans this time around, NTAG also suggested that future studies of root server error traffic could be gamed if botnets were engaged to crapflood the roots.

Its own mitigation plan, which addresses Interisle’s specific concerns, says that most of the reasons that non-existent TLDs are being looked up are either not a problem or can be easily mitigated.

For example, it says that queries for .youtube that arrived in the form of a request for “www.youtube” are probably browser typos and that there’s no risk for users if they’re taken to the YouTube dot-brand instead of youtube.com.

In another example, it points out that requests for “.cisco” or “.toshiba” without any second-level domains won’t resolve anyway, if dotless domains are banned in those TLDs. (NTAG, which has influential members in favor of dotless domains, stopped short of asking for a blanket ban.)
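To make the per-million metric and the dotless distinction concrete, here is an added example (not code from NTAG, Verisign or Interisle) that computes queries per million for undelegated TLDs from a list of query names and counts dotless look-ups separately. The DELEGATED set, the SAMPLE data and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed stand-in for the set of TLDs already in the root zone.
DELEGATED = {"com", "net", "org", "asia", "xxx"}

def labels_of(qname):
    """Split a query name into lower-cased labels, ignoring the trailing root dot."""
    return [l for l in qname.strip().rstrip(".").lower().split(".") if l]

def collision_profile(qnames, delegated=DELEGATED):
    """For each undelegated TLD seen, return its query count, its density in
    queries per million of all queries (PPM), and how many were dotless."""
    total = 0
    hits, dotless = Counter(), Counter()
    for qname in qnames:
        labels = labels_of(qname)
        if not labels:          # a query for the root itself: no TLD to attribute
            continue
        total += 1
        tld = labels[-1]
        if tld in delegated:    # would resolve today, so not a collision candidate
            continue
        hits[tld] += 1
        if len(labels) == 1:    # bare "cisco" style query, no second-level label
            dotless[tld] += 1
    return {
        tld: {"queries": n,
              "ppm": round(n * 1_000_000 / total),
              "dotless": dotless[tld]}
        for tld, n in hits.items()
    }

# Constructed sample: 1,000 query names as a resolver or root log might record them.
SAMPLE = (["www.example.com."] * 990
          + ["fileserver.corp"] * 4
          + ["printer.home."] * 2
          + ["www.youtube"] * 3
          + ["CISCO."])

if __name__ == "__main__":
    ranked = sorted(collision_profile(SAMPLE).items(), key=lambda kv: -kv[1]["ppm"])
    for tld, row in ranked:
        print(f".{tld:<8} {row['ppm']:>6} PPM  dotless={row['dotless']}")
```

Run against an organization's own recursive resolver logs, the same tally shows which internal names would start leaving the network if a matching TLD were delegated.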

The Interisle report, and ICANN’s proposal to deal with it, are open for public comment until September 17. NTAG’s response is remarkably quick off the mark, for guessable reasons.

First new gTLD objection scalps claimed

Employ Media has killed off the Chinese-language gTLD .招聘 in the latest batch of new gTLD objection results.

Amazon and DotKids Foundation’s respective applications for .kids also appear to be heading into a contention set with Google’s bid for .kid, following the first String Confusion Objections.

All three objections were marked as “Closed, Default” by objection handler the International Center For Dispute Resolution a few days ago. No full decisions were published.

This suggests that the objectors have won all three cases on technicalities (such as the applicant failing to file a response).

Employ Media vice president for policy Ray Fassett confirmed to DI that the company has prevailed in its objection against .招聘, which means “recruitment” in Chinese and would have competed with .jobs.

The String Confusion Objection can be filed based on similarity of meaning, not just visual similarity.

What’s more, if the objector is an existing TLD registry like Employ Media, the only remedy is for the losing applicant to have their application rejected by ICANN.

So Hu Yi Global Information Resources, the .招聘 applicant, appears to be finished as far as this round of the new gTLD program is concerned.

But because there’s no actual ICDR decision on the merits of the case, it seems possible that it, or another company, could try for the same string in a future round.

In Google’s case, it had objected to both the Amazon and DotKids applications for .kids on string confusion grounds. The company is applying for .kid, which is obviously very similar.

The String Similarity Panel, which created the original pre-objection contention sets, decided that singulars and plurals could co-exist without confusion. Not everyone agreed.

Because .kid is merely an application, not an existing TLD, none of the bids are rejected. Instead, they all join the same contention set and will have to work out their differences some other way.

Applicants are under no obligation to fight objections; they may even want to be placed in a contention set.

97 new gTLD applicants get pass from ICANN

ICANN has just released this week’s batch of Initial Evaluation results, with 97 passing applications to report.

The results were published a couple of days early due to the Independence Day holiday in the US.

There were no failures this week. The following applications received passing scores and proceed to the next phase of the program.

.cloud .app .marketing .corp .llp .blog .dnb .radio .mtr .gay .gmbh .accountant .site .yodobashi .norton .rmit .host .auto .ltd .play .cafe .bosch .jaguar .realestate .cashbackbonus .plus .mobile .cityeats .uol .amica .hair .yahoo .philips .corp .beauty .schmidt .tiaa .yellowpages .alsace .gent .lds .home .auction .chat .travelersinsurance .delta .corsica .dvag .bugatti .online .living .golf .flowers .hot .sharp .guitars .store .video .discount .realestate .mozaic .club .builders .build .whoswho .vote .limited .international .hdfc .yun .sakura .ifm .group .ceb .gifts .box .hbo .dev .asda .sport .allfinanzberater .radio .sale .taobao .training .dtv .mail .sncf .rent .marriott .jpmorganchase .audio .guide .statefarm .now .gucci .work

The results bring the total number of passing bids to 1,006. Only 823 applications remain in Initial Evaluation.

The official (unrealistic) go-live date for new gTLDs is September 28

Kevin Murphy, June 6, 2013, Domain Policy

September 28 could be (won’t be) the launch date of the first new gTLD sunrise period, according to an (unrealistic) timetable released by ICANN yesterday.

During a webinar for new gTLD applicants, program head Christine Willett presented the following slide:

[Slide image: Timetable]

As you can see, using this timetable the first registry contract would be signed one month from now and the TLD itself would hit the root around August 28. Sunrise would follow a month later.

Willett was very clear that the timetable represents the absolute shortest path an application could take, and that it’s unlikely that any application will actually make it.

What the timetable deliberately fails to include is any delay caused by Governmental Advisory Committee advice.

The GAC’s Beijing communique had advice for all applicants, remember, but the response is currently being handled by the ICANN board and not new gTLD program staff, so the outcome is unknown.

The communique contains six “Safeguards Applicable to all New gTLDs” which are controversial because they appear to duplicate or preempt existing policy work, for example on Whois rules.

If ICANN adopts the advice wholesale, it’s difficult to see how these safeguards could be enforced if not by contract, which could delay the contract approval or contracting phases of the timeline.

If ICANN does not adopt the advice wholesale, it will have to consult with the GAC to find a “mutually acceptable solution”.

Last time it deviated from GAC advice, which covered considerably less complex ground, there was a great deal of to-and-fro over the space of months along with four days of face-to-face meetings.

The only hint so far that ICANN may be creating a fast-track for applicants came in notes from its May 18 New gTLD Program Committee meeting, which said:

The Committee agreed that it would adopt a strategy that permits full consideration of the ongoing community comment forum while resolving GAC advice in a manner that permits as many applications as possible to keep making forward progress.

Speculatively, could we be looking at some kind of hack? A way for new gTLD applicants to blindly sign up to whatever future agreement the GAC and ICANN come to, in exchange for a speedy delegation?

Or is it an indication that ICANN is leaning towards approving the “safeguards” that apply to all new gTLDs?

The GAC advice is open for public comment until June 11, so we won’t find out until the second half of the month at the earliest.

Now we’re getting serious: 92 new gTLD bids pass

ICANN has stepped up the pace of its Initial Evaluation results schedule, this evening publishing the results of 92 new gTLD applications.

Applications for the following strings have passed IE this week:

.fishing, .casa, .gop, .home, .love, .budapest, .book, .kiwi, .llc, .iselect, .audible, .wedding, .cpa, .earth, .delivery, .tickets, .msd, .neustar, .ski, .lease, .salon, .monster, .immo, .oldnavy, .pin, .design, .pets, .berlin, .eco, .movistar, .rocher, .graphics, .art, .cam, .health, .wien, .technology, .pioneer, .lancia, .reviews, .grainger, .news, .deals, .mov, .solutions, .genting, .pizza, .smile, .hotmail, .pramerica, .memorial, .music, .icbc, .media, .law, .travelchannel, .akdn, .spot, .game, .wedding, .ltd, .merck, .llc, .tickets, .nyc, .lawyer, .aws, .mrmuscle, .poker, .ltd, .realestate, .fujixerox, .microsoft, .realty, .kim, .chesapeake, .gifts, .flowers, .caravan, .mini, .band, .autos, .afamilycompany, .review, .fashion, .shop, .city, .gallery, .toray, .youtube, .kindle and .now.

There were no failures, nor have there been any withdrawals this week.

This week’s batch is notable for including over a dozen applications with Minds + Machines back-ends, which had been delayed in some cases for over a month.

It also contains the first “corporate identifier” strings to pass.

ICANN’s evaluators have now passed 433 applications and failed three. We’re up to priority number 500 in the publication running order.