Latest news of the domain name industry

Recent Posts

Up to 20 million people could get broken internet in domain security rollover

Kevin Murphy, November 9, 2017, Domain Tech

Twenty million people losing access to parts of the internet is considered an acceptable level of collateral damage for ICANN’s forthcoming DNS root security update.

That’s one of a number of facts and figures to emerge from recent updates from the organization, explaining its decision to delay the so-called “KSK rollover” from October 11 to some time in the first quarter next year.

The rollover will see a new Key Signing Key, used as the trust anchor for all DNSSEC-signed domains, replace the seven-year-old original.

DNSSEC protects internet users and registrants from domain-based man-in-the-middle attacks. It’s considered good practice to roll keys at each level of the DNS hierarchy periodically, to reduce the risk of successful brute-force attacks.

The root KSK update will affect hundreds of millions of people who currently use DNSSEC-compatible resolvers, such as Google DNS.

ICANN delayed the rollover after it, rather fortuitously, spotted that not all of these resolvers are configured to correctly handle the change.

The number of known incompatible servers is quite small — only about 500 of the 11,982 DNSSEC-using recursive servers initially surveyed (pdf). That represents only a very small minority of the world’s internet users, as most are not currently using DNSSEC.

Subsequent ICANN research, presented by principal researcher Roy Arends at ICANN 60 last week, showed that:

  • There are currently about 4.2 million DNS resolvers in the world.
  • Of those, 27,084 are configured to tell the root servers which KSKs they support (currently either the KSK-2011 or KSK-2017).
  • Of those, 1,631 or 6.02% do not support KSK-2017

It was only possible to survey servers that have turned on a recent update to DNS software such as BIND and Unbound, so the true number of misconfigured servers could be much higher.

Matt Larson, ICANN’s VP of research, told DI that ICANN has identified 176 organizations in 41 countries that are currently not prepared to handle the new KSK. These organizations are fairly evenly spread geographically, he said.

Since making the decision to delay the rollover, ICANN has hired a contractor to reach out to these network operators to alert them to potential problems.

ICANN’s CEO Goran Marby has also been writing to telecommunications regulators in all countries to ask for assistance.

After the rollover, people using an incompatible resolver would be unable to access DNSSEC-signed domains. Again, that’s still quite a small minority of domains — there are only about 750,000 in .com by some accounts and apparently none of the top 25 site support it.

ICANN could roll back the change if it detects that a sufficiently large number of people are negatively affected, but that number turns out to be around 20 million.

According to its published rollover plan:

Rollback of any step in the key roll process should be initiated if the measurement program indicated that a minimum of 0.5% of the estimated Internet end-user population has been negatively impacted by the change 72 hours after each change has been deployed into the root zone.

According to InternetWorldStats, there were around 3,885,567,619 internet users in the world this June. It’s very likely more people now.

So a 0.5% threshold works out to about 19 million to 20 million people worldwide.

Larson agreed that in absolute terms, it’s a big number.

“The overall message to take away from that number, I suggest, is that a problem would have to be pretty serious for us to consider rolling back,” Larson, who was not on the team that came up with the threshold, said.

“I think that’s a reasonable position considering that, in the immediate aftermath of the rollover, there are two near-immediate fixes available to any operator experiencing problems: update their systems’ trust anchors with the new key or (less desirable from my perspective but still effective) simply disable DNSSEC validation,” he said.

He added that the 0.5% level is not a hard and fast rule, and that ICANN could be flexible in the moment.

“For example, if when we roll the key, we find out there’s some critical system with a literal life or death impact that is negatively affected by the KSK roll, I think I can pretty confidently state that we wouldn’t require the 0.5% of Internet user threshold to be met before rolling back if it looked like there would be a significant health and safety risk not easily mitigated,” he said.

The chances of such an impact are very slim, but not impossible, he suggested.

It’s not ICANN’s intention to put anyone’s internet access at risk, of course, which is why there’s a delay.

ICANN’s plan calls for any rollover to happen on the eleventh day of a given calendar quarter, so the soonest it could happen would be January 11.

Given the complexity of the outreach task in hand, the relative lack of data, and the holiday periods approaching in many countries, and ICANN’s generally cautious nature, I’d hazard a guess we might be looking at April 11 at the earliest instead.

Corwin joins Verisign

Kevin Murphy, November 6, 2017, Domain Policy

Phil Corwin, the face of the Internet Commerce Association for over a decade, today quit to join Verisign’s legal team.

He’s now “policy counsel” at the .com giant, he said in a statement emailed to industry bloggers.

He’s also closed down the consulting company Virtualaw, resigned from ICANN’s Business Constituency and from his BC seat on the GNSO Council.

But he said he would continue as co-chair of two ICANN working groups — one looking at rights protection for intergovernmental organizations (which is kinda winding down anyway) and the other on general rights protection measures.

“I have no further statement at this time and shall not respond to questions,” Corwin concluded his email.

He’s been with ICA, which represents the interests of big domain investors, for 11 years.

As well as being an ICANN working group volunteer, he’s produced innumerable public comments and op-eds fighting for the interests of ICA members.

One of his major focuses over the years has been UDRP, which ICA believes should be more balanced towards registrant rights.

He’s also fought a losing battle against ICANN “imposing” the Uniform Rapid Suspension process on pre-2012 gTLDs, due to the fear that it one day may be forced upon Verisign’s .com and .net, where most domain investment is tied up.

ICANN terminates 450 drop-catch registrars

Kevin Murphy, November 6, 2017, Domain Registrars

Almost 450 registrars have lost their ICANN accreditations in recent days, fulfilling predictions of a downturn in the domain name drop-catch market.

By my reckoning, 448 registrars have been terminated in the last week, all of them apparently shells operated by Pheenix, one of the big three drop-catching firms.

Basically, Pheenix has dumped about 90% of its portfolio of accreditations, about 300 of which are less than a year old.

It also means ICANN has lost about 15% of its fee-paying registrars.

Pheenix has saved itself at least $1.2 million in ICANN’s fixed accreditation fees, not including the variable and transaction-based fees.

It has about 50 registrars left in its stable.

The terminated registrars are all either numbered LLCs — “Everest [1-100] LLC” for example — or named after random historical or fictional characters or magic swords.

The move is not unexpected. ICANN predicted it would lose 750 registrars when it compiled its fiscal 2018 budget.

VP Cyrus Namazi said back in July that the drop-catching market is not big enough to support the many hundreds of shell registrars that Pheenix, along with rivals SnapNames/Namejet and DropCatch.com, have created over the last few years.

The downturn, Namazi said back then, is material to ICANN’s budget. I estimated at the time that roughly two thirds of ICANN’s accredited registrar base belonged to the three main drop-catch firms.

Another theory doing the rounds, after Domain Name Wire spotted a Verisign patent filing covering a system for detecting and mitigating “registrar collusion” in the space, is that Verisign is due to shake up the .com drop-catch market with some kind of centralized service.

ICANN reckoned it would start losing registrars in October at a rate of about 250 per quarter, which seems to be playing out as predicted, so the purge has likely only just begun.

ICANN heading back to Morocco in 2019

Kevin Murphy, November 6, 2017, Domain Policy

ICANN has picked Morocco for its mid-year meeting in 2019.

The June 24-27 meeting, ICANN 65, will be hosted by the Mediterranean Federation of Internet Associations at the Palmeraie Resort in Marrakech. That’s the same venue as ICANN 55 in March 2016.

It’s a Policy Forum meeting, meaning it has an abridged agenda, an expected lower attendance, and a tighter focus on policy work than the other two annual meetings.

It will be sandwiched between the March meeting in Kobe, Japan and the November meeting in Montreal, Canada.

More pressingly, it now seems all but certain that ICANN is heading to Puerto Rico in March 2018 for ICANN 61, despite the extensive damage caused by Hurricane Maria in September.

During the public forum at ICANN 60 in Abu Dhabi last week, the customary spot where the next meeting’s hosts get five minutes to plug their city or nation was notably different.

Shots of landscapes, sunsets and cultural attractions were instead replaced by a series of government and local tourism officials encouraging ICANNers to visit. The message was basically: everything’s okay, it’s safe for you to come.

The convention center venue for ICANN 61 was so lightly damaged by Maria that it was actually used as the headquarters of the recovery effort immediately after the storm. You may have seen news footage of it when President Trump showed up.

ICANN said October 7 that it was monitoring the situation but that it still intended to have the March meeting in San Juan as planned.

The city would no doubt welcome the modest economic boost that a few thousand tech professionals and lawyers showing up for a week will provide.

I’m planning on attending.

Refund “options” for in-limbo gTLD applicants?

Kevin Murphy, November 6, 2017, Domain Policy

ICANN may just be a matter of weeks away from giving applicants for the .mail, .corp and .home gTLDs an exit strategy from their four years in limbo.

Its board of directors on Thursday passed a resolution calling for staff to “provide options for the Board to consider to address the New gTLD Program applications for .CORP, .HOME, and .MAIL by the first available meeting of the Board following the ICANN60 meeting in Abu Dhabi”.

It’s possible this means the board could consider the matter before the end of the year.

Twenty remaining applications for the three strings have been on hold since they were identified as particularly risky in August 2013.

A study showed that all three — .home and .corp in particular — already experience vast amounts of erroneous DNS traffic on a daily basis.

This is due to so-called “name collisions”, which come about when a newly delegated TLD is actually already in use on corporate or public networks.

Many companies use .corp and .mail already behind their firewalls, a practice sometimes historically encouraged by commercial technical documentation, and .home is known to be used by some ISPs in residential and business routers.

Both of these scenarios and others can lead to DNS queries spilling out onto the public internet, which could cause breakage or data leakage.

The solution for all new gTLDs delegated to date has been to wildcard the entire zone with the message “Your DNS needs immediate attention” for a period before registrations are accepted.

This has led to some new gTLDs with far less collision traffic seeing small but notable pockets of outrage when delegated — Google’s .prod (used by some as an internal shorthand for “production”) in 2014.

Studies to date have concentrated on the volume of error traffic to applied-for gTLDs, but last Thursday the ICANN board kicked off a study that will look at what the real-world impact of name collisions in .mail, .corp and .home could be.

It’s tasked the Security and Stability Advisory Committee with carrying out the study in conjunction with related groups such as the IETF.

But this is likely to take quite a long time, so the board also resolved to think up “options” for the 20 affected applications.

Could the applicants be offered a full refund, as opposed to the partial one they currently qualify for? Could there be some kind of deferment option, such as that offered to unsuccessful 2000-round applicants? Either seems possible.