Latest news of the domain name industry

Recent Posts

Root hits 1,500 live TLDs as US oversight ends

Kevin Murphy, October 4, 2016, Domain Registries

The DNS root saw its 1,500th concurrent live TLD come into existence on Friday, just hours before the US relinquished its oversight powers.

Amazon received its delegation for .通販 (.xn--gk3at1e, Japanese for “online shopping”) and satellite TV company Hughes got .dvr, meaning “digital video recorder”.

That took the number of TLDs in the root to exactly 1,500, which is where it still stands today.

Both went live September 30, which was the final day of ICANN’s IANA contract with the US National Telecommunications and Information Administration, which expired that night.

An ICANN spokesperson confirmed that the two new gTLDs “were the last ones requiring NTIA’s approval.”

From now on, the small clerical role NTIA had when ICANN wanted to make changes to the root is no more.

The fact that it hit a nice round number the same day as ICANN oversight switched to a community-led approach is probably just a coincidence.

Amazon’s .通販 was almost banned for being too confusingly similar to “.shop”, but that ludicrous decision was later overturned.

Hughes’ .dvr was originally intended as a single-registrant “closed generic”, but is now expected to operate as a restricted but multi-registrant space.

ICANN to flip the secret key to the internet

Kevin Murphy, July 20, 2016, Domain Tech

ICANN is about to embark on a year-long effort to warn the internet that it plans to replace the top-level cryptographic keys used in DNSSEC for the first time.

CTO David Conrad told DI today that ICANN will rotate the so-called Key Signing Key that is used as the “trust anchor” for all DNSSEC queries that happen on the internet.

Due to the complexity of the process, and the risk that something might go wrong, the move is to be announced in the coming days even though the new public key will not replace the existing one until October 2017.

The KSK is a cryptographic key pair used to sign the Zone Signing Keys that in turn sign the DNS root zone. It’s basically at the top of the DNSSEC hierarchy — all trust in DNSSEC flows from it.

It’s considered good practice in DNSSEC to rotate keys every so often, largely to reduce the window would-be attackers have to compromise them.

The Zone Signing Key used by ICANN and Verisign to sign the DNS root is rotated quarterly, and individual domain owners can rotate their own keys as and when they choose, but the same KSK has been in place since the root was first signed in 2010.

Conrad said that ICANN is doing the first rollover partly to ensure that the procedures in has in place for changing keys are effective and could be deployed in case of emergency.

That said, this first rotation is going to happen at a snail’s pace.

Key generation is a complex matter, requiring the physical presence of at least three of seven trusted key holders.

These seven individuals possess physical keys to bank-style strong boxes which contain secure smart cards. Three of the seven cards are needed to generate a new key.

Each of the quarterly ZSK signing ceremonies — which are recorded and broadcast live over the internet — takes about five hours.

The first step in the rollover, Conrad said, is to generate the keys at ICANN’s US east coast facility in October this year. A copy will be moved to a facility on the west coast in February.

The first time the public key will appear in DNS will be July 11, 2017, when it will appear alongside the current key.

It will finally replace the current key completely on October 11, 2017, by which time the DNS should be well aware of the new key, Conrad said.

There is some risk of things going wrong, which could affect domains that are DNSSEC-signed, which is another reason for the slowness of the rollover.

If ISPs that support DNSSEC do not start supporting the new KSK before the final switch-over, they’ll fail to correctly resolve DNSSEC-signed domains, which could lead to some sites going dark for some users.

There’s also a risk that the increased DNS packet sizes during the period when both KSKs are in use could cause queries to be dropped by firewalls, Conrad said.

“Folks who have things configured the right way won’t actually need to do anything but because DNSSEC is relatively new and this software hasn’t really been tested, we need to get the word out to everyone that this change is going to be occurring,” said Conrad.

ICANN will conduct outreach over the coming 15 months via the media, social media and technology conferences, he said.

It is estimated that about 20% of the internet’s DNS resolvers support DNSSEC, but most of those belong to just two companies — Google and Comcast — he said.

The number of signed domains is tiny as a percentage of the 326 million domains in existence today, but still amounts to millions of names.

1,000th new gTLD goes live

The 1,000th new gTLD from the 2012 application round was delegated yesterday.

It was either .shop or .realestate, appropriately enough, which both appear to have been added to the DNS root zone at about the same time.

Right now, there are actually only 999 new gTLDs live in the DNS. That’s because the unwanted .doosan was retired in February.

During its pre-launch planning for the new gTLD program, ICANN based its root zone stability planning on the assumption that fewer than 1,000 TLDs would be added to the root per year.

In reality, it’s taken much longer to reach that threshold. The first few new gTLDs were added in late October 2013, 945 days ago.

On average, in other words, a new gTLD has been added to the root slightly more than once per day.

Over that same period, nine ccTLDs — internationalized domain names applied for via a separate ICANN program — have also gone live.

The 1,000th new gTLD to be added to the IANA database was .blog.

There are 1,314 TLDs in the root all told.

US gives ICANN an extra year to complete transition

Kevin Murphy, August 18, 2015, Domain Policy

US government oversight of ICANN and the domain name system will end a year later than originally expected.

The National Telecommunications and Information Administration said last night that it has extended ICANN’s IANA contract until September 30, 2016, giving the community and others more time to complete and review the transition proposals.

NTIA assistant secretary Larry Strickling wrote that “it has become increasingly apparent over the last few months that the community needs time to complete its work, have the plan reviewed by the U.S. Government and then implement it if it is approved.”

Simultaneously, NTIA has finally published a proposal — written by ICANN and Verisign — for how management of the DNS root will move away from hands-on US involvement.

The extension of the IANA contract from its September 30, 2015 end date was not unexpected. The current contract allows for such extensions.

As we recently reported, outgoing ICANN CEO Fadi Chehade had guessed a mid-2016 finalization of the transition.

Regardless, expect op-eds in the coming days to claim this as some kind of political victory against the Obama administration.

Part of the reason for the extension, beyond the fact that the ICANN community hasn’t finished its work yet, is legislation proposed in the US.

The inappropriately named DOTCOM Act, passed by the House but frozen for political reasons in the Senate by Tea Party presidential hopeful Sen Ted Cruz, would give Congress 30 legislative days (which could equal months of real time) to review the IANA transition proposals.

There are basically three prongs to the transition, each with very long names.

The “Proposal to Transition the Stewardship of the Internet Assigned Numbers Authority (IANA) Functions from the U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) to the Global Multistakeholder Community” is the first.

That was created by the multistakeholder IANA Stewardship Transition Coordination Group (ICG) and deals with how the IANA contract will be managed after the US government goes away.

The second prong comes from the Cross Community Working Group on Enhancing ICANN Accountability, which deals with how ICANN itself can improve its accountability to the internet community without the Damoclean sword of US intervention hanging over it.

The CCWG’s latest draft report would strengthen the ICANN board against capture by, for example, making certain bylaws harder to amend and giving the community the right to fire directors.

Both of these proposals are currently open for public comment here.

The third prong, which only appears to have been published this week, deals with the nuts and bolts of how changes to the DNS root zone are made.

The current system is a tripartite arrangement between IANA, NTIA and Verisign.

When a TLD operator needs a change to the DNS root — for example adding a name server for its TLD — the request is submitted to and processed by IANA, sent to NTIA for authorization, then actually implemented on the primary root server by Verisign.

Under the new proposal (pdf) to phase the NTIA out of this arrangement, the NTIA’s “authorization” role would be temporarily complemented by a parallel “authentication” role.

The proposal is not written in the clearest English, even by ICANN standards, but it seems that the current Root Zone Management System would be duplicated in its entirety and every change request would have to be processed by both systems.

The output of both would be compared for discrepancies before Verisign actually made the changes to the root.

It seems that this model is only being proposed as a temporary measure, almost like a proof of concept to demonstrate that the NTIA’s current authorization role isn’t actually required and won’t be replaced in this brave new world.

TLD to be removed from the DNS next week

The DNS has been growing by, on average 1.1 top-level domains per day for the last 18 months or so, but that trajectory is set to change briefly next week when a TLD is removed.

The ccTLD .an, which represented the former Netherlands Antilles territories, is expected to be retired on July 31, according to published correspondence between ICANN and the Dutch government.

Three territories making up the former Dutch colony — Sint Maarten, Curaçao, and Bonaire, Sint Eustatius and Saba — gained autonomy in 2010, qualifying them for their own ccTLDs.

They were granted .sx, .cw and .bq respectively. While the first two are live, .bq has not yet been delegated, though the Dutch government says it is close to a deal with a registry.

The Dutch had asked ICANN/IANA for a second extension to the removal deadline, to October 31, but this request was either turned down or retracted after talks at the ICANN Buenos Aires meeting.

Only about 20 registrants are still using .an, according to ICANN.

The large majority of .an names still showing up in Google redirect to other sites in .nl, .com, .sx or .cw.

.an is the second ccTLD to face removal this year after .tp, which represented Portuguese Timor, the nation now known as East Timor or Timor Leste (.tl).