Latest news of the domain name industry

Recent Posts

ICANN staff need to get their pee tested

Kevin Murphy, June 8, 2010, Domain Tech

I imagine it’s a pretty hard job, largely thankless, working at ICANN. No matter what you do, there’s always somebody on the internet bitching at you for one reason or another.

The job may be about to get even more irksome for some staffers, if ICANN decides to implement new security recommendations made by risk management firm JAS Communications.

In a report published yesterday, JAS suggests that senior IANA staff – basically anyone with critical responsibilities over the DNS root zone – should be made to agree to personal credit checks, drug screening and even psych evaluations.

To anyone now trying to shake mental images of Rod Beckstrom peeing into a cup for the sake of the internet, I can only apologise.

This is what the report says:

JAS recommends a formal program to vet potential new hires, and to periodically re‐vet employees over time. Such a vetting program would include screening for illegal drugs, evaluation of consumer credit, and psychiatric evaluation, which are all established risk factors for unreliable and/or malicious insider activity and are routinely a part of employee screening in government and critical infrastructure providers.

I’ve gone for the cheap headline here, obviously, but there’s plenty in this report to take seriously, if you can penetrate the management consultant yadda yadda.

There are eight other recommendations not related to stoners running the root, covering contingencies such as IANA accidentally unplugging the internet and Los Angeles sinking into the Pacific.

Probably most interesting of all is the bit explaining how ICANN’s custom Root Zone Management System software, intended to reduce the possibility of errors creeping into the root after hundreds of new TLDs are added, apparently isn’t being built with security in mind.

“No formal requirements exist regarding the security and resiliency of these systems, making it impossible to know whether the system has been built to specification,” the report says.

It also notes that ICANN lacks a proper risk management strategy, and suggests that it improve communications both internally and with VeriSign.

It discloses that “nearly all critical resources are physically located in the greater Los Angeles area”, which puts the IANA function at risk of earthquake damage, if nothing else.

JAS recommends spreading the risk geographically, which should give those opposed to ICANN bloat something new to moan about.

There’s a public comment forum over here.

UPDATE (2010-06-13): As Michael Palage points out over at CircleID, ICANN has pulled the PDF from its web site for reasons unknown.

On the off-chance that there’s a good security reason for this, I shall resist the temptation to cause mischief by uploading it here. This post, however, remains unedited.

US government requests root DNSSEC go-ahead

Kevin Murphy, June 7, 2010, Domain Tech

The National Telecommunications and Information Administration, part of the US Department of Commerce, has formally announced its intent to allow the domain name system’s root servers to be digitally signed with DNSSEC.

Largely, I expect, a formality, a public comment period has been opened (pdf) that will run for two weeks, concluding on the first day of ICANN’s Brussels meeting.

NTIA said:

NTIA and NIST have reviewed the testing and evaluation report and conclude that DNSSEC is ready for the final stages of deployment at the authoritative root zone.

DNSSEC is a standard for signing DNS traffic using cryptographic keys, making it much more difficult to spoof domain names.

ICANN is expected to get the next stage of DNSSEC deployment underway next week, when it generates the first set of keys during a six-hour “ceremony” at a secure facility in Culpeper, Virginia.

The signed, validatable root zone is expected to go live July 15.

Council of Europe wants ICANN role

Kevin Murphy, June 7, 2010, Domain Policy

The Council of Europe has decided it wants to play a more hands-on role in ICANN, voting recently to try to get itself an observer’s seat on the Governmental Advisory Committee.

The Council, which comprises ministers from 47 member states, said it “could encourage due consideration of fundamental rights and freedoms in ICANN policy-making processes”.

ICANN’s ostensibly technical mission may at first seem a bit narrow for considerations as lofty as human rights, until you consider areas where it has arguably failed in the past, such as freedom of expression (its clumsy rejection of .xxx) and privacy (currently one-sided Whois policies).

The Council voted to encourage its members to take a more active role in the GAC, and to “make arrangements” for itself to sit as an observer on its meetings.

It also voted to explore ways to help with the creation of a permanent GAC secretariat to replace the current ad hoc provisions.

The resolution was passed in late May and first reported today by IP Watch.

The Council of Europe is a separate entity to the European Union, comprising more countries. Its biggest achievement was the creation of the European Court of Human Rights.

ICANN’s Draft Applicant Guidebook v4 – first reactions

Kevin Murphy, June 1, 2010, Domain Policy

As you probably already know, ICANN late yesterday released version 4 of its Draft Applicant Guidebook, the bible for new top-level domain registry wannabes.

Having spent some time today skimming through the novel-length tome, I can’t say I’ve spotted anything especially surprising in there.

IP interests and governments get more of the protections they asked for, a placeholder banning registries and registrars from owning each other makes its first appearance, and ICANN beefs up the text detailing the influence of public comment periods.

There are also clarifications on the kinds of background checks ICANN will run on applicants, and a modified fee structure that gets prospective registries into the system for $5,000.

DNSSEC, security extensions for the DNS protocol, also gets a firmer mandate, with ICANN now making it clearer that new TLDs will be expected to implement DNSSEC from launch.

It’s still early days, but a number of commentators have already given their early reactions.

Perennial first-off-the-block ICANN watcher George Kirikos quickly took issue with the fact that DAG v4 still does not include “hard price caps” for registrations

[The DAG] demonstrates once again that ICANN has no interests in protecting consumers, but is merely in cahoots with registrars and registries, acting against the interests of the public… registry operators would be open to charge $1000/yr per domain or $1 million/yr per domain, for example, to maximize their profits.

Andrew Allemann of Domain Name Wire reckons ICANN should impose a filter on its newly emphasised comment periods in order to reduce the number of form letters, such as those seen during the recent .xxx consultation.

I can’t say I agree. ICANN could save itself a few headaches but it would immediately open itself up to accusations of avoiding its openness and transparency commitments.

The Internet Governance Project’s Milton Mueller noted that the “Draconian” text banning the cross-ownership of registries and registrars is basically a way to force the GNSO to hammer out a consensus policy on the matter.

Everyone knows this is a silly policy. The reason this is being put forward is that the VI Working Group has not succeeded in coming up with a policy toward cross-ownership and vertical integration that most of the parties can agree on.

I basically agree. It’s been clear since Nairobi that this was the case, but I doubt anybody expected the working group to come to any consensus before the new DAG was drafted, so I wouldn’t really count its work as a failure just yet.

That said, the way it’s looking at the moment, with participants still squabbling about basic definitions and terms of reference, I doubt that a fully comprehensive consensus on vertical integration will emerge before Brussels.

Mueller lays the blame squarely with Afilias and Go Daddy for stalling these talks, so I’m guessing he’s basing his views on more information than is available on the public record.

Antony Van Couvering of prospective registry Minds + Machines has the most comprehensive commentary so far, touching on several issues raised by the new DAG.

He’s not happy about the VI issue either, but his review concludes with a generally ambivalent comment:

Overall, this version of the Draft Applicant Guidebook differs from the previous version by adding some incremental changes and extra back doors for fidgety governments and the IP interests who lobby them. None of the changes are unexpected or especially egregious.

DAG v4 is 312 pages long, 367 pages if you’re reading the redlined version. I expect it will take a few days before we see any more substantial critiques.

One thing is certain: Brussels is going to be fun.

ICANN’s Sword algorithm fails Bulgarian IDN test

ICANN has released version 4 of its new TLD Draft Applicant Guidebook (more on that later) and it still contains references to the controversial “Sword” algorithm.

As I’ve previously reported, this algorithm is designed to compare two strings for visual similarity to help prevent potentially confusing new TLDs being added to the root.

The DAG v4 contains the new text:

The algorithm supports the common characters in Arabic, Chinese, Cyrillic, Devanagari, Greek, Japanese, Korean, and Latin scripts. It can also compare strings in different scripts to each other.

So I thought I’d check how highly the internationalized domain name .бг, the Cyrillic version of Bulgaria’s .bg ccTLD, scores.

As you may recall, .бг was rejected by ICANN two weeks ago due to its visual similarity to .br, Brazil’s ccTLD. As far as I know, it’s the only TLD to date that has been rejected on these grounds.

Plugging “бг” into Sword returns 24 strings that score over 30 out of 100 for similarity. Some, such as “bf” and “bt”, score over 70.

Brazil’s .br is not one of them.

Using the tool to compare “бг” directly to “br” returns a score of 26. That’s a lower score than strings such as “biz” and “org”.

I should note that the Sword web page is ambiguous about whether it is capable of comparing Cyrillic strings to Latin strings, but the new language in the DAG certainly suggests that it is.