
Verisign Doesn't Think the Net Is Ready for a Thousand New TLDs

John Levine

Yesterday Verisign sent ICANN a most interesting white paper called New gTLD Security and Stability Considerations. They also filed a copy with the SEC as an 8-K, a document that their stockholders should know about.

It's worth reading the whole thing, but in short, their well-supported opinion is that the net isn't ready for all the new TLDs, and even if it were, ICANN's processes, or lack thereof, will cause other huge problems.

The simplest issues are administrative ones for ICANN. In the olden days, updates to the root zone were all handled manually: signed email from ICANN to Verisign, who manages the root zone, with a check at NTIA, who oversees it under longstanding contracts. As the number of changes increased, more due to added IPv6 and DNSSEC records than to the growing number of TLDs, the volume of email got unwieldy, so they came up with a new system in which the change data is handled automatically, with people reviewing it on secure web sites rather than copying and pasting from their mailboxes. This system is still in testing and isn't in production yet; Verisign would really prefer that it were before ICANN starts adding large numbers of new TLDs.

The new domains all have to use the Trademark Clearinghouse (TMCH), a blacklist of names that people aren't allowed to register. Due to lengthy dithering at ICANN, the TMCH operator was only recently selected, and they haven't even started working out the technical details of how registry operators will query it in real time as registrations arrive.

There are other ICANN issues as well: the process for transferring a failed registry's data to a backup provider isn't ready, nor is zone file access for getting copies of zone data, nor are the pre-delegation testing requirements done, and the GAC (the representatives from various governments) could still retroactively veto new domains even after they'd been placed in service.

All of these issues are well known, and the technical requirements have been listed in the applicant guidebook for several years, so it does reflect poorly on ICANN that they're so far from being ready to implement the new domains.

Most importantly, Verisign notes that the root servers, which are run by a variety of fiercely independent operators, have no coordinated logging or problem reporting system. If something does go wrong at one root server, there's no way to tell whether it's just them or everyone, other than making phone calls. Verisign gives some examples of odd and unexpected things that happened as DNSSEC was rolled out, and again their concerns are quite reasonable.

An obvious question is what Verisign's motivation is in publishing this now. Since they are the registry for .COM and .NET and a few smaller domains, one possibility is FUD, trying to delay all the new domains to keep competitors out of the root. I don't think that's it. Over 200 of the applications say that they'll use Verisign to run their registries, so Verisign stands to make a fair amount of money from them. And everyone expects that, to the extent the new TLDs are successful at all, it'll be additional, often defensive, registrations, not people abandoning .COM and .NET.

So my take on this is that Verisign means what they say: the root isn't ready for all these domains, nor are ICANN's processes ready, and Verisign, as the root zone manager, is justifiably worried that if they go ahead anyway, the root could break.

Update: Thu April 4, 2013
A follow-up to the Verisign white paper discussed above, New gTLD Security and Stability Considerations, in which they listed a bunch of reasons that ICANN isn't ready to roll out lots of new TLDs. Among the reasons were that several of the services the new gTLDs are required to use aren't available yet, including the Emergency Back End Registry Operators (EBEROs), who would take over the registry functions for a TLD whose operator failed. They were supposed to have been chosen in mid-2012. By complete coincidence, ICANN has now announced that they have chosen the three Emergency Back End Registry Operators. I can't wait to see what happens next week.

By John Levine, Author, Consultant & Speaker.

Related topics: Cybersecurity, DNS, DNS Security, ICANN, Top-Level Domains



TMCH – Kevin Murphy – Mar 29, 2013 9:30 PM PDT

Probably not accurate to call the TMCH a "a blacklist of names that people aren't allowed to register".

The TMCH gives trademark holders the right to register domains in sunrise periods (but only if they pay and are eligible under the registry's rules) and sends potentially worthless EULA-style warnings to people who attempt to register domains that match trademarks.

It doesn't stop anyone registering anything.

TMCH – John Levine – Mar 29, 2013 9:38 PM PDT

You're right, but VRSN's point, that registries have to query the TMCH in real time and nobody has a clue how that's going to work, was the main issue.

Kevin Murphy – Mar 29, 2013 9:52 PM PDT

And it's a good point. The TMCH is an unknown quantity for new gTLD registries and their potential customers at this point.

The pertinent question, however, is whether it threatens the security and stability of the DNS we all know and love. That's a much harder case to argue.

If the TMCH catastrophically fails, what does that mean to anyone other than companies trying to sell new gTLD domain names, and people trying to buy them, during the first 90 days of GA?

Not much, I'd say.

software is hard – John Levine – Mar 29, 2013 9:59 PM PDT

The TMCH will need some kind of EPP extension, that then has to be coded into everyone's registry software and debugged. Having written my share of client/server software I'm acutely aware of all of the strange and flaky ways that stuff can fail.

If they're lucky, everything will be just dandy. If they're not, they'll get strange bugs like TMCH lookups randomly changing the strings that people are trying to register.

Do read the report. The TMCH is just one example of the parts of the new gTLD program that are not even within hailing distance of being ready for prime time.

Also remember the incentives – John Levine – Mar 29, 2013 10:02 PM PDT

There are over 200 new TLD applications with VRSN as the back end, mostly closed dot-brand stuff. That's got to represent several million dollars per year of revenue to VRSN, with little incremental cost since it'll run on the same infrastructure that runs .NAME and .JOBS and so forth. They must be pretty nervous to be willing to forego that kind of revenue.

Kevin Murphy – Mar 30, 2013 7:15 AM PDT

Not necessarily. They could just as easily be nervous, some say, about new gTLDs cutting into their $800 million .com business.

"several million dollars per year of revenue" – Andrew Allemann – Mar 30, 2013 7:27 AM PDT

That's nothing to VRSN. Look at their income statement.

Just checking – John Levine – Mar 30, 2013 9:19 AM PDT

So are you both saying you've read VRSN's paper and you think the issues are all bogus? How about the root zone automation issue?

Kevin Murphy – Mar 30, 2013 10:02 AM PDT

I'm not saying the issues are bogus. On the contrary, most of them have been discussed for years.

Why now? – Avtal Meren – Mar 30, 2013 2:41 PM PDT

I'm still trying to understand: Why did Verisign wait until so late to publish these concerns? Couldn't they have raised the alarm six months or a year ago?


John Levine – Mar 30, 2013 3:18 PM PDT

ICANN announced a few days ago that they've approved about 30 TLD applications, which means that they may actually have some intention of putting them into the root.
