Recent Posts
- Com Laude buys Fairwinds
- Unstoppable wants to be a registry back-end
- Sixteen new gTLD bids could face the firing squad
- Registry to release one-letter domains tomorrow
- New ICANN funding rules will cost smaller ccTLDs more
- .ai rival lines up gTLD bid
- Team Internet lays off 200
- Sixteen more orgs vie for cheap gTLDs, but…
- So who’s registering sunrise domains these days?
- Cloud gTLD gets launch dates
- Governments say new gTLD program “credibility” at stake
- NIXI planning doomed new gTLD bids
- AI experts replace Chapman on ICANN board
- RDRS may not be dead
- Single-letter .com lawsuit thrown out of court
- Golding challenges McCarthy for Nominet board seat
- Three applicants qualify for cheapo gTLDs
- Blockchain crisis looming for new gTLD next round
- Two more dot-brands leave Verisign for GoDaddy
- ICANN looking at new bulk reg rules
- Reseller loss hits Tucows’ DUM but not revenue
- GoDaddy counts cost of losing .co deal
- Wine producers worried about new gTLDs
- Goodyear tires of its dot-brand
- Team Internet loses Radix to Tucows
- ICANN’s “review of reviews” kicks off
- Huge registrars flee from RDRS
- Namecheap loses attempt to bring back .org price caps
- Registrar shamed for alleged crypto abuse neglect
- Poblete’s ICANN board seat safe
- .com off to strong start in Q3
- .my is growing like crazy
- ICANN settles $77 million sexual harassment suit
- Chinese domain spikiness ends in first half
- Registrars agree to higher ICANN fees
- ICANN to review reviews after review review request fails
- Got junk? June’s biggest gTLD growers do
- ICANN ditches Oman due to Middle-East conflicts
- ICANN’s mighty overlord flexes on transparency
- ICANN faces first pushback over DEI U-turn
- Loads of firms flunk out of next-round gTLD back-end program
- presidenttrump.xxx among thousands of dead .xxx domains suddenly springing to life
- One of the dumbest gTLDs just switched back-ends
- GoDaddy loses .co to Team Internet
- Governments erect bulk-reg barrier to new gTLD next round
- Little interest in cheapo gTLD program
- US government opposes most new gTLDs
- GoDaddy loses last Amazon business to Identity Digital
- Third Amazon gTLD launch dates revealed
- .TOP promises to play nice on DNS abuse
- Court denies ICANN’s #MeToo “cover up” attempt
- Launch dates for two more Amazon gTLDs revealed
- An end to “Club Med for geeks” ICANN?
- Some people paid premiums for .hot domain hacks
- .io questions in sharp focus as UK signs Chagos treaty
- Big .gdn registrar at risk
- ICANN “reaffirms its commitment to diversity and inclusion”
- ICANN kills off diversity and inclusion
- Kaufmann picked for ICANN board
- Conflicted? STFU under new ICANN rules
- .hot is for hookers? Amazon’s first premium regs revealed
- Gname adds another 200 registrars
- New Pope’s .com domain was registered the day Francis died
- Two deadbeat registrars get their ICANN marching orders
- DotMusic has sold a lot of names, but not many are turned on
- .med is a deeply weird gTLD, but it wants to be more normal
- ICANN cuts off money to UASG
- Web.com getting dumped
- .es and .pt riding out massive power outage
- .com is back as Verisign discounts bear fruit
- Dot-brand actually being used to get deleted
- Verisign gave Trump $100,000
- Private Whois requests hit new low after Tucows quits RDRS
- Zoom says GoDaddy took it down for hours
- The Soviet Union might be safe after all
- Google says its ccTLDs “are no longer necessary”
- Facebook thinks ICANN is a bit rubbish
- ICANN spending $365,000 a year on coffee and booze
- Regulator going after suicide site that even Epik banned
- .ai sees $600,000 auction sales in a month
- Pru trims its dot-brand portfolio
- UK’s Nigel Hickson has died
- .blog registry ordered to change name to Knock Knock RDAP There
- WordPress buys Canadian, swaps CentralNic for CIRA
- Latest ICANN salary porn ruins my terrible pun
- .co deal worth $77 million up for grabs
- I get a wrongful kicking as .su registry denies turn-off plan
- Sales and profits dip at Team Internet
- Four deadbeat registrars get terminated
- “No timeline” to retire Soviet Union from the DNS
- ICANN to kill off 60-day domain transfer lock
- Lancaster bags up its dot-brand
- Google readying its next batch of gTLD launches?
- NomCom confirms Americans rejected from ICANN board
- Nova announces $45 million of new gTLD applications
- Registry makes .ai an option for Koreans
- it.com now bigger than Guatemala
- ICANN turns to AI and crowdsourcing for new gTLD program
- Amazon lawyer DiBiase elected to ICANN board
- Is .io safe now? Identity Digital now running Mauritian ccTLD
- Tucows quits ICANN’s Whois disclosure pilot
- Toshiba goes all-in on its dot-brand
- Google scuppers Team Internet acquisition after profit warning
- .ai channel doubles under new management
- Trump inclined to back deal that threatens .io
- As .com shrinks, China adds another 1.2 million domains
- Second new gTLD contention set revealed
- UK intros global domain takedown law
- No more Americans as Holland wins ICANN board seat
- Registries have started shutting down Whois
- ICANN wins IRP because complainant literally doesn’t exist
- .com could return to growth this quarter
- Could Musk’s DOGE kill off D3’s .doge?
- $2 million Christmas bonus for ICANN
- Another VW car dot-brand crashes out
- Largest back-end switch EVER as GoDaddy loses deal
- Yeah, we got phished, ICANN admits after crypto hack
- ICANN hacked to promote crypto scam
- Super Bowl a bit of a dud for .com?
- More gloom predicted for .com
- These are the .gov domains Trump has deleted so far
- Did Trump just create the world’s next ccTLD?
- $3,000 to do a Whois lookup?
- PIR to join GlobalBlock, but its crown jewel won’t
- LA wildfire victims get domain deletes delay
CentralNic buys .fans for peanuts
CentralNic has acquired the flailing new gTLD .fans for an undisclosed sum.
The value of the deal was low enough that publicly traded CentralNic was not obliged to disclose the purchase to the market, CEO Ben Crawford confirmed.
The ICANN contract seems to have changed hands — transferred to a CentralNic subsidiary call Fans TLD Ltd — back in August.
We revealed back in May that CentralNic was acting as a caretaker for .fans, and sister TLD .fan, after original registry Asiamix Digital failed to make enough money to keep the business going.
.fan, which Asiamix bought from Donuts but never launched, was sold back to Donuts in June.
Donuts took .fan to sunrise last week and plans to take it to general availability in December.
.fans domains, meanwhile, have been in registrar storefronts since 2015, but the current tally of registered domains is barely above 1,600.
Domains are still selling for around the $100 mark, roughly double the expected retail price of .fan.
Here’s what ICANN’s boss is saying about Whois access now
Should ICANN become the sole source for looking up private domain registrant data? That’s one of the options for the post-GDPR world of Whois currently being mulled over on Waterfront Drive.
ICANN CEO Goran Marby laid out some of ICANN’s current thinking on the future of Whois last week at an occasionally combative meeting in Los Angeles.
One idea would see ICANN act as a centralized gatekeeper for all Whois data. Another could risk ICANN becoming much more tightly controlled by governments.
I’ve listened to the recordings, read the transcripts, chatted to participants, and I’m going to attempt to summarize what I believe is the current state of play.
As regular DI readers know, post-GDPR Whois policy is currently being debated to a tight deadline by an Expedited Policy Development Process working group.
The work has been a tough slog, and there seems to be little hope of the EPDP closing all of its outstanding issues before its first conclusions are due under three weeks from now.
One of the outstanding issues not yet addressed in any depth by the group is the potential creation of a “unified access model” — a standardized way cops, trademark owners, cybersecurity professionals and others could look at the same Whois data they could look at just a few months ago.
While the EPDP has carried on deferring discussion of such a model, ICANN Org has in parallel been beavering away trying to figure out whether it’s even going to be legally possible under the new European privacy law to open up Whois data to the people who want to see it, and it’s come up with some potentially game-changing ideas.
After weeks of conference calls, the EPDP working group — made up of 30-odd volunteers from all sections of the ICANN community — met in LA for three days last week to get down to some intensive face-to-face arguments.
I gather the meeting was somewhat productive, but it was jolted by the publication of an ICANN blog post in which Marby attempted to update the community on ICANN’s latest efforts to get clarity on how GDPR legally interacts with Whois.
Marby wrote that ICANN “wants to understand whether there are opportunities for ICANN, beyond its role as one of the ‘controllers’ with respect to WHOIS or its contractual enforcement role, to be acknowledged under the law as the coordinating authority of the WHOIS system.”
What did ICANN mean by this? While “controller” is a term of art defined in mind-numbing detail by the GDPR, “coordinating authority” is not. So ICANN’s blog post was open to interpretation.
It turns out I was not the only person confused by the post, and on Tuesday afternoon last week somebody from the EPDP team collared Marby in the corridor at ICANN HQ and dragged him into the meeting room to explain himself.
He talked with them for about an hour, but some attendees were still nonplussed — some sounded downright angry — after he left the room.
This is what I gleaned from his words.
No End-Runs
First off, Marby was at pains to point out, repeatedly, that ICANN is not trying to bypass the community’s Whois work.
It’s up to the community — currently the EPDP working group, and in a few weeks the rest of you — to decide whether there should be a unified access model for Whois, he explained.
What ICANN Org is doing is trying to figure out is whether a unified access model would even be legal under GDPR and how it could be implemented if it is legal, he said.
“If the community decides we should have a policy about a unified access model, that’s your decision,” he told the group. “We are trying to figure out the legal avenues if it’s actually possible.”
He talked about this to persons unknown at the European Commission in Brussels last month.
Whatever ICANN comes up with would merely be one input to the community’s work, he said. If it discovers that a unified access model would be totally illegal, it will tell the community as much.
Marby said ICANN is looking for “a legal framework for how can we diminish the contracted parties’ legal responsibility” when it comes to GDPR.
So far, it’s come up with three broad ideas about how this could happen.
The Certification Body Idea
GDPR sections 40 to 43 talk about the concepts of “codes of conduct” and “certification bodies”.
It’s possible that ICANN was referring to the possibility of itself becoming a certification body when it blogged about being a “coordinating authority”. Marby, during the EPDP meeting, unhelpfully used the term “accreditation house”.
These hypothetical entities (as far as I know none yet exist) would be approved by either national data protection authorities or the pan-EU European Data Protection Board to administer certification schemes for companies that broadly fall into the same category of data processing businesses.
It seems to be tailor-made for ICANN (though it wasn’t), which already has accreditation of registries and registrars as one of its primary activities.
But this legal avenue does not appear to be a slam-dunk. ICANN would presumably have to persuade a DPA or two, or the EDPB, that giving third parties managed access to citizens’ private data is a good thing.
You’d think that DPAs would be dead against such an idea, but the EU members of ICANN’s Governmental Advisory Committee have put their names to advice stating that Whois should remain accessible under certain circumstances, so it’s not impossible they could see it ICANN’s way.
The C.R.A.P. Idea
Marby’s second idea for taking some of the GDPR burden off the shoulders of contracted parties is to basically make ICANN a proxy, or man-in-the-middle, for Whois queries.
“What would happen if ICANN Org legally is the only place you can ask a question through?” he said. “And the only ones that the contracted parties actually can answer a question to would be ICANN Org? Would that move the legal responsibility away from the contracted parties to ICANN Org?”
In many ways, this is typical domain industry tactics — if there’s a rule you don’t want to follow, pass it off to a proxy.
This model was referred to during the session by EPDP members as the “hub and spoke” or “starfish”. I think the starfish reference might have been a joke.
Marby, in a jocular callback to the “Calzone” and “Cannoli” Whois proposals briefly debated in the community earlier this year, said that this model had a secret ICANN-internal code-name that is “something to do with food”.
Because whenever I’ve tried to coin a phrase in the past it has never stuck, I figure this time I may as well go balls-out and call it the “Cuisine-Related Access Plan” for now, if for no other reason than the acronym will briefly annoy some readers.
Despite the name I’ve given it, I don’t necessarily dislike the idea.
It seems to be inspired by, or at least informed by, side-channel communications between Marby and the Intellectual Property Constituency and Business Constituency, which are both no doubt mightily pissed off that the EPDP has so far proven surprisingly resilient to their attempts to get Whois access into the policy discussions as early as possible.
Two months ago, a few influential IP lawyers proposed to Marby (pdf) a centralized Whois model in which registrars collect data from registrants then pass it off to ICANN, which would be responsible for deciding who gets to see it.
Forget “thin” versus “thick” Whois — this one would be positively, arguably dangerously, obese. Contracted parties would be relegated to “processors” of private data under GDPR, with ICANN the sole “controller”.
Benefits of this would include, these lawyers said, reducing contracted parties’ exposure to GDPR.
It’s pretty obvious why the IP lobby would prefer this — ICANN is generally much more amenable to its demands than your typical registry or registrar, and it would very probably be easier to squeeze data out of ICANN.
While Marby specifically acknowledged that ICANN has taken this suggestion as one of its inputs — and has run it by the DPAs — he stopped well short of fully endorsing it during last week’s meeting in LA.
He seemed to instead describe a system whereby ICANN acts as the gatekeeper to the data, but the data is still stored and controlled at the registry or registrar, saying: “We open a window for access to the data so the data is still at the contracted parties because they use that data for other reasons as well”.
The Insane Idea
The third option, which Marby seemed to characterize as the least “sane” of the three, would be to have Whois access recognized by law as a public interest, enabling the Whois ecosystem to basically ignore GDPR.
Remember, back on on GDPR Day, I told you about how the .dk ccTLD registry is carrying on publishing Whois as normal because a Danish law specifically forces it to?
Marby’s third option seems to be a little along those lines. He specifically referred to Denmark and Finland (which appears to have a similar rule in place) during the LA session.
If I understand correctly, it seems there’d have to be some kind of “legal action” in the EU — either legislation in a member state, or perhaps something a little less weighty — that specifically permitted or mandated the publication of otherwise private Whois data in gTLD domains.
Marby offered trademark databases and telephone directories as examples of data sets that appear to be exempt from GDPR protection due to preexisting legislation.
One problem with this third idea, some say, is that it could bring ICANN policy under the direct jurisdiction of a single nation state, something that it had with the US government for the best part of two decades and fought hard to shake off.
If ICANN was given carte blanche to evade GDPR by a piece of legislation in, say, Lithuania, would not ICANN and its global stakeholders forever be slaves to the whims of the Lithuanian legislature?
And what if that US bill granting IP interests their Whois wet dream passes onto the statute books and ICANN finds itself trapped in a jurisdictional clusterfuck?
Oh, my.
Fatuous Conclusion For The Lovely People Who Generously Bothered To Read To The End
I’m not a lawyer, so I don’t pretend to have a comprehensive understanding of any of this, but to be honest I’m not convinced the lawyers do either.
If you think you do, call me. I want to hear from you. I’m “domainincite” on Skype. Cheers.
Chinese registrars on the decline
Having been on a growth trajectory for some years, the number of ICANN-accredited registrars based in China appears to be on the decline.
According to my records, so far this year 26 registrar contracts have been terminated, voluntarily or otherwise, 11 of which were Chinese. I’m excluding the mass drop of Pheenix accreditations from these numbers.
The country with the next-highest number of terminations was the USA, with three.
ICANN has terminated nine registrars for breaches of the RAA this year, six of which were Chinese.
All the Chinese notices included non-payment of ICANN fees as a reason for termination, though it appears that most of them had a negligible number of gTLD domains under management.
ICANN Compliance tells me there’s no particular focus of China at the moment, this is all a result of regular day-to-day enforcement.
ICANN has sent breach notices to 28 companies this year, seven of which were to Chinese registrars.
Meanwhile, 22.cn has moved 13 of its accredited shell registrars to Hong Kong. Another registrar moved its base from China to Australia.
Seven Chinese registrars have been newly accredited this year,
Net, this has all reduced the number of accredited registrars based in China to 91.
The country still has the second-most registrars ahead of the US, with its almost 2,000 registrars, and a clear 31 registrars ahead of third-place India.
It’s Drazek vs Dammak for GNSO Council chair
The chair of ICANN’s Generic Names Supporting Organization Council is contested this year, with a registry veep facing off against a software engineer.
The nomination from the contracted parties house is US-based Keith Drazek, Verisign’s VP of policy and government relations.
He’ll be opposed by non-contracted parties nominee and current vice-chair Rafik Dammak, a Tunisian working as a software engineer for NTT Communications (which is technically a contracted party due its dot-brand gTLD) in Japan.
Both men are long-time, active members of the ICANN community and GNSO.
The Council will pick its new chair about a month from now at the ICANN 63 meeting in Barcelona.
The winner will replace lawyer Heather Forrest, the non-contracted party who took the seat after an unopposed vote a year ago.
Cloudflare selling all domains at cost: “All we’re doing is pinging an API”
Content delivery network provider Cloudflare has promised to sell domains in all TLDs at the wholesale cost, with no markup, forever.
The company made the commitment yesterday as it announced its intention to get into the registrar business.
Founder Matthew Price used the announcement to launch a blistering attack on the current registrar market, which he said is charging “crazy” prices and endlessly upselling their customers with unwanted, worthless products. He blogged:
why should registrars charge any markup over what the TLDs charge? That seemed as nutty to us as certificate authorities charging to run a bit of math. When we see a broken market on the Internet we like to do something about it.
…
we promise to never charge you anything more than the wholesale price each TLD charges. That’s true the first year and it’s true every subsequent year. If you register your domain with Cloudflare Registrar you’ll always pay the wholesale price with no markup.
For instance, Verisign, which administers the .com TLD, currently charges $7.85 per year to register a .com domain. ICANN imposes a $0.18 per year fee on top of that for every domain registered. Today, if you transfer your .com domain to Cloudflare, that’s what we’ll charge you per year: $8.03/year. No markup. All we’re doing is pinging an API, there’s no incremental cost to us, so why should you have to pay more than wholesale?
There are catches, of course.
For starters, the service is not available yet.
Price wrote that Cloudflare will roll it out gradually — for inbound transfers only — to its “most loyal” customers over an unspecified period. Even customers on its cheapest plans will get access to the queue, he wrote.
Eventually, he said, it will be available “more broadly”.
It will be interesting to see if the no-markup pricing could become available to non-customers too, and whether it sticks to its business model when its support lines start ringing and it becomes apparent the business is actually big ole cash vampire.
Cloudflare has been ICANN-accredited for several years, but it’s only been offering registrations to high-value enterprise customers so far.
My records show that it has not much more than 800 domains under management, all in .com, .net, .org and .info.
The announcement was made, perhaps not coincidentally, a couple days after CRM software provider Zoho made headlines when its 40 million customers were taken offline because its former registrar suspended zoho.com over a trivial level of abuse. In response to the screw-up, Zoho transferred the domain to Cloudflare.
Chutzpah alert! DotKids wants ICANN handout to fight gTLD auction
New gTLD applicant DotKids Foundation has asked ICANN for money to help it fight for .kids in an auction against Amazon and Google.
The not-for-profit was the only new gTLD applicant back in 2012 to meet the criteria for ICANN’s Applicant Support Program, meaning its application fee was reduced by $138,000 to just $47,000.
Now, DotKids reckons ICANN has a duty to carry on financially supporting it through the “later stages of the process” — namely, an auction with two of the world’s top three most-valuable companies.
The organization even suggests that ICANN dip into its original $2 million allocation to support the program to help fund its bids.
Because .kids is slated for a “last resort” auction, an ICANN-funded winning bid would be immediately returned to ICANN, minus auction provider fees.
It’s a ludicrously, hilariously ballsy move by the applicant, which is headed by DotAsia CEO Edmon Chung.
It’s difficult to see it as anything other than a delaying tactic.
DotKids is currently scheduled to go to auction against Google’s .kid and Amazon’s .kids application on October 10.
But after ICANN denied its request for funding last month, DotKids last week filed a Request for Reconsideration (pdf), which may wind up delaying the auction yet again.
According to DotKids, the original intent of the Applicant Support Program was to provide support for worthy applicants not just in terms of application fees, but throughout the application process.
It points to the recommendations of the Joint Applicant Support working group of the GNSO, which came up with the rules for the support program, as evidence of this intent.
It says ICANN needs to address the JAS recommendations it ignored in 2012 — something that could time quite some time — and put the .kids auction on hold until then.
KSK vote was NOT unanimous
ICANN’s board of directors on Sunday voted to approve the forthcoming security key change at the DNS root, but there was some dissent.
Director Avri Doria, a Nominating Committee appointee, said today that she provided the lone vote against the DNSSEC KSK rollover, which is expected to cause temporary internet access problems for potentially a couple million people next month.
I understand there was also a single abstention to Sunday’s vote.
Doria has released a dissenting statement, in which she said the absence of an external, peer-reviewed study of the risks could prove a problem.
The greatest risk is that out of the millions that will fail after the roll over, some that are serious and may even be critical, may occur; if this happens the lack of peer reviewed studies may be a liability for ICANN, perhaps not legal, but in terms of our reputation as protectors of the stability & security of internet system of names.
She added that she was concerned about the extent that the public has been notified of the rollover plan, and questioned whether the current risk mitigation plan is sufficient.
Doria said she found comments filed by Verisign (pdf) particularly informative to her eventual vote, as well as comments from the At-Large Advisory Committee (pdf), Business Constituency (pdf) and Registries Stakeholder Group (pdf).
These groups had called for more study and data, better outreach, more clearly defined success/failure benchmarks, and more delay.
Doria noted in her dissenting statement that the ICANN board did not have a chance to quiz any of the minority of the members of the Security and Stability Advisory Committee who had called for further delay.
The board’s resolution, apparently arrived at after two hours of formal in-person discussions in Brussels at the weekend, is expected to be published shortly.
The rollover, which has already been delayed a year, is now scheduled to go ahead October 11.
Any impact is expected to be felt within a couple of days, as the change ripples out across the DNS.
ICANN says that any network operator impacted by the change has a simple fix: turn off DNSSEC. Then, if they want, they can update their keys and turn it back on again.
ICANN turns 20 today (or maybe not)
ICANN is expected to celebrate its 20th anniversary at its Barcelona meeting next month, but by some measures it has already had its birthday.
If you ask Wikipedia, it asserts that ICANN was “created” on September 18, 1998, 20 years ago today.
But that claim, which has been on Wikipedia since 2003, is unsourced and probably incorrect.
While it’s been repeated elsewhere online for the last 15 years, I’ve been unable to figure out why September 18 has any significance to ICANN’s formation.
I think it’s probably the wrong date.
It seems that September 16, 1998 was the day that IANA’s Jon Postel and Network Solutions jointly published the organization’s original bylaws and articles of incorporation, and first unveiled the name “ICANN”.
That’s according to my former colleague and spiritual predecessor Nick Patience (probably the most obsessive journalist following DNS politics in the pre-ICANN days), writing in now-defunct Computergram International on September 17, 1998.
The Computergram headline, helpfully for the purposes of the post you are reading, is “IANA & NSI PUBLISH PLAN FOR DNS ENTITY: ICANN IS BORN”.
Back then, before the invention of the paragraph and when ALL CAPS HEADLINES were considered acceptable, Computergram was published daily, so Patience undoubtedly wrote the story September 16, the same day the ICANN proposal was published.
A joint Postel/NetSol statement on the proposal was also published September 17.
The organization was not formally incorporated until September 30, which is probably a better candidate date for ICANN’s official birthday, archived records show.
Birthday meriments are expected to commence during ICANN 63, which runs from October 20 to 25. There’s probably free booze in it, for those on-site in Barcelona.
As an aside that amused me, the Computergram article notes that Jones Day lawyer Joe Sims very kindly provided Postel with his services during ICANN’s creation on a “pro bono basis”.
Jones Day has arguably been the biggest beneficiary of ICANN cash over the intervening two decades, billing over $8.7 million in fees in ICANN’s most recently reported tax year alone.
Van der Laan to leave ICANN board
Former Dutch politician Lousewies van der Laan is to leave the ICANN board of directors next month and be replaced with the former CEO of the Serbian ccTLD.
ICANN said yesterday that Danko Jevtovic, who headed RNIDS from 2013 until July last year, has been selected to occupy van der Laan’s seat following the Annual General Meeting in Barcelona.
Van der Laan, who had been selected by the Nominating Committee for a second term, has had to decline the offer “due to unforeseen family obligations”, ICANN said.
Jevtovic will take his seat at the same time as fellow NomCom appointee, Tripti Sinha of the University of Maryland, who oversees management of the DNS D-root server and replaces term-limited George Sadowsky.
El Salvadorean ccTLD founder Rafael “Lito” Ibarra is the third NomCom appointee this year, starting his second term next month.
Set buttocks to clench! ICANN approves risky KSK rollover
ICANN has approved the first rollover of the domain name system’s master security key, setting the clock ticking on a change that could cause internet access issues for millions.
The so-called KSK rollover, when ICANN deletes the key-signing key that has been used as the trust anchor for the DNSSEC ecosystem since 2011 and replaces it with the new one — will now go ahead as planned on October 11.
The decision was made yesterday at the ICANN board of directors’ retreat in Brussels.
ICANN chief technology officer David Conrad posted this to an ICANN mailing list this morning:
The Board voted to approve the resolution for ICANN org to move forward with the revised KSK rollover plan. So barring unforeseen circumstances, the KSK-2017-signed ZSK will be used to sign the root zone on 11 October 2018.
The rollover was due to happen October 11 last year, but ICANN delayed it when it emerged that many DNS resolvers weren’t yet configured to use the new key.
That’s still a problem, and nobody knows for sure how many endpoints will stop functioning properly when the new KSK goes solo.
While most experts weighing in on the rollover, including Conrad, agreed that the risk of more delay outweighed the risk of rolling now, that feeling was not unanimous.
Five members of the 22-member Security and Stability Advisory Committee — including top guys from Google and Verisign — last month dissented from the majority view and said ICANN should delay again.
The question now is not whether internet users will see a disruption in the days following October 11, but how many users will be affected and how serious their disruptions will be.
Based on current information, as many as two million internet users could be affected.
ICANN is likely to take flak for even relatively minor disruptions, but the alternative was to continue with the delays and risk an even bigger impact, and even more flak, in future.
The text of ICANN’s resolution and the rationale behind it will be published in the next day or so.
Recent Comments