ICANN’s name collision plan “creates risk of abuse”

Kevin Murphy, August 27, 2013, Domain Services

One of ICANN’s proposed methods of reducing the risk of name collisions in new gTLDs actually may create its own “significant risk for abuse”, according to RIPE NCC.

Asking registry operators to notify the owners of IP address blocks that have done look-ups of their TLD before it is delegated risks creating a “backlash” against ICANN and registry operators, RIPE said.

Earlier this month, ICANN said that for the 80% of applied-for strings that are categorized as low risk, “the registry operator will notify the point of contacts of the IP addresses that issue DNS requests for an un-delegated TLD or names under it.”

The proposal is intended to reduce the risk of harms caused by the collision of new gTLDs and matching names that are already in use on internal networks.

For example, if the company given .web discovers that .web already receives queries from 100 different IP blocks, it will have to look up the owners of those blocks with the Regional Internet Registries and send them each an email telling them that .web is about to hit the internet.

RIPE is the RIR for Europe, responsible for allocating IP addresses in the region, so its view on how effective a mitigation plan this is cannot be easily shrugged off.

Chief scientist Daniel Karrenberg told ICANN today that the complexity of the DNS, with its layers of recursive name servers and such, makes the approach pointless:

The notifications will not be effective because they will typically not reach the party that is potentially at risk.

In addition, it will be trivial for mischief-makers to create floods of useless notifications by conducting deliberately erroneous DNS queries for target TLDs, he said:

anyone can cause the registry operator to send an arbitrary amount of mandatory notifications to any holder of IP address space. It will be highly impractical to detect such attacks or find their source by technical means. On the other hand there are quite a number of motivations for such an attack directed at the recipient or the sender of the notifications. The backlash towards the registry operator, ICANN and other parties in the chain will be even more severe once the volume increases and when it turns out that the notifications are for “non-existing” queries.

With a suitably large botnet, it’s easy to see how an attacker could generate the need for many thousands of mandatory notifications.

If the registry has a manual notification process, such a flood would effectively DDoS the registry’s ability to send the notices, potentially delaying the gTLD.

Even if the process were to be automated, you can imagine how IP address block owners (network admins at ISPs and hosting companies, for example) would respond to receiving notifications, each of which creates work, from hundreds of affected gTLD operators.

It’s an interesting view, and one that affected new gTLD applicants (which is most of them) will no doubt point to in their own comments on the name collisions mitigation plan.
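
An added illustration, not taken from the article, ICANN's proposal or RIPE's comment: the look-up-and-notify step described above for .web, written in Python against a constructed allocation table (standing in for RIR whois data) and a constructed query log. It shows that the contact reached is whoever holds the querying resolver's address block, and that a single observed query is enough to oblige a notice.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for RIR whois data (RFC 5737 documentation ranges).
ALLOCATIONS = {
    ipaddress.ip_network("192.0.2.0/24"): "noc@isp-a.example",
    ipaddress.ip_network("198.51.100.0/24"): "hostmaster@hosting-b.example",
    ipaddress.ip_network("203.0.113.0/24"): "abuse@isp-c.example",
}

# Constructed pre-delegation log: (source IP seen by the name server, queried name).
# The source is normally a recursive resolver, not the machine that uses the name.
QUERY_LOG = [
    ("192.0.2.53", "intranet.web"),
    ("192.0.2.53", "mail.corp.web"),
    ("192.0.2.53", "intranet.web"),
    ("198.51.100.7", "x9f3k.web"),
    ("203.0.113.99", "q7zz1.web"),
    ("203.0.113.14", "intranet.example"),
]

def block_for(ip):
    """Return the (network, contact) allocation covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, contact in ALLOCATIONS.items():
        if addr in net:
            return net, contact
    return None

def notification_plan(log, tld):
    """Group queries for tld by source block: one mandatory notice per block."""
    plan = defaultdict(lambda: {"contact": None, "queries": 0, "names": set()})
    suffix = "." + tld.lower().strip(".")
    for src, qname in log:
        name = qname.lower().rstrip(".")
        if not (name.endswith(suffix) or name == suffix[1:]):
            continue  # query is for some other TLD
        hit = block_for(src)
        if hit is None:
            continue  # no allocation record: nobody to notify
        net, contact = hit
        entry = plan[str(net)]
        entry["contact"] = contact
        entry["queries"] += 1
        entry["names"].add(name)
    return dict(plan)

def single_query_blocks(plan):
    """Blocks whose notice was triggered by exactly one observed query."""
    return sorted(b for b, e in plan.items() if e["queries"] == 1)
```

In the constructed log, three blocks each earn a notice, two of them on the strength of one query for a name nobody appears to use, while the host that actually depends on intranet.web sits unseen behind the resolver at 192.0.2.53.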

Nuclear Iran campaign group sends ICANN list of demands (and they’re really, really stupid)

Kevin Murphy, September 19, 2012, Domain Policy

The campaign group United Against Nuclear Iran has called on ICANN to switch off internet access to Iran, due to an apparent misunderstanding of what it is ICANN does.

In a letter sent earlier this month and published yesterday, UANI told ICANN to “immediately cease and desist” from providing “ICANN/IANA access” to Iranian entities covered by US and EU sanctions.

The group is worried that these organizations are using the internet to help Iran with its goal of creating nuclear weapons.

The letter states:

Absent access to ICANN/IANA, the dictatorial regime of Iran would be severely impeded in pursuing its illegal and amoral activities. For each day that you knowingly continue to provide Iran sanction-designated persons and entities access to the worldwide web, ICANN/IANA will be increasingly complicit in the IRGC and Iranian regime’s nefarious behavior. ICANN/IANA must stop transacting with such Iranian entities and persons and deny them access to Unique Web Identifiers, and therefore, the worldwide web.

The letter is stupid on so many levels it’s difficult to know where to begin.

It appears to assume that ICANN has the power and ability to shut down certain individual .ir and .com domain names, which are registered to and used by sanctioned entities.

The letter (pdf) states:

Prominent sanction-designated Iranian entities have acquired .ir Unique Internet Identifiers from ICANN/IANA through the RIPE NCC. For example, Iran’s nuclear brain trust, Malek Ashtar University holds the http://www.mut.ac.ir/ address. Major Iranian banks, including the country’s central bank, maintain active websites (e.g. http://www.cbi.ir, http://www.bank-maskan.ir, http://www.bmi.ir and http://www.banksepah.ir). Further, Khatam al-Anbia, which serves as the IRGC’s engineering arm with over 812 subsidiaries and is heavily involved in the construction of the Qom/Fordow nuclear weapons facilities, holds the web address of http://www.khatam.com. These sanction-designated entities could not gain such web access without ICANN/IANA.

You’ll immediately notice that UANI seems to think that RIPE NCC hands out .ir addresses, which it does not. RIPE is a Regional Internet Registry that deals exclusively with IP address blocks.

ICANN doesn’t have the power to shut down individual domains either. It has powers over the root zone — top-level domains — not second-level domains in individual TLDs.

Nor does ICANN appear to work with any of the organizations on the US list of sanctioned entities.

The .ir ccTLD is delegated to the Tehran-based Institute for Research in Fundamental Sciences, which is not sanctioned.

ICANN could, feasibly, shut down the whole of .ir, as long as Verisign and the US Department of Commerce — which have ultimate control over the root — played along, but that seems like overkill.

Is UANI asking ICANN to shut down the whole of the .ir space?

Apparently not. In fact, the group condemns censorship and appears to support the ability of regular Iranian citizens to access a free, unfettered internet. The letter states:

Unfortunately, ICANN/IANA and the Unique Internet Identifiers that it provides are misused by the sanction-designated Iranian entities and persons to facilitate their illicit operations, activities and communications including support for Iran’s rogue nuclear weapons program, Iran’s sponsorship of terrorism around the world, and the Iranian regime’s brutal crackdown against its own people. Disturbingly, that crackdown includes the ruthless censorship of the Internet and other communication access, and the use of tracking technology to monitor, torture and kill freedom seeking dissidents.

Simply put, ICANN/IANA should not provide the internet communications means that the Iranian regime and the IRGC misuses to censor and deny Internet freedoms to its people, much less to support Iran’s illicit nuclear program or its sponsorship of terrorism.

A second, more or less identical letter (pdf) sent to RIPE NCC accused the organization of being the country-code manager for .ir, apparently based on a misunderstanding of this web page.

Netherlands-based RIPE has already responded, saying:

The RIPE NCC is in contact with the Dutch Ministry of Foreign Affairs to ensure that we operate in accordance with Dutch law and all applicable international sanctions. Our advice from the Ministry has been that the RIPE NCC is not in violation of these sanctions. However, we will investigate in cases where new information is provided to us and we will ensure that changing circumstances do not place the RIPE NCC in violation of sanctions.

UANI could have avoided embarrassing itself with a couple of phone calls, and I have to wonder why it did not.

Possibly because it can get New York Times column inches simply by throwing around accusations.