
Verisign Doesn't Think the Net Is Ready for a Thousand New TLDs

John Levine

Yesterday Verisign sent ICANN a most interesting white paper called New gTLD Security and Stability Considerations. They also filed a copy with the SEC as an 8-K, the form a public company uses for material events that its stockholders should know about.

It's worth reading the whole thing, but in short, their well-supported opinion is that the net isn't ready for all the new TLDs, and even if it were, ICANN's processes, or lack thereof, will cause other huge problems.

The simplest issues are administrative ones for ICANN. In the olden days, every update to the root zone was handled manually: signed email from ICANN to Verisign, which maintains the root zone, with a check by NTIA, which oversees the process under longstanding contracts. As the number of changes grew, more because of added IPv6 and DNSSEC records than because of new TLDs, the volume of email became unwieldy, so a new system was designed in which the change data moves automatically and the people involved review it on secure web sites rather than copying and pasting from their mailboxes. That system is still in testing and isn't in production yet; Verisign would much prefer that it were before ICANN starts adding large numbers of new TLDs.

The new domains all have to use the Trademark Clearinghouse (TMCH), a database of trademark claims that registries must check new registrations against. Due to lengthy dithering at ICANN, the TMCH operator was only recently selected, and the technical details of how registry operators will query it in real time as registrations arrive haven't even been worked out.

There are other ICANN issues as well: the process for transferring a failed registry's data to a backup provider isn't ready; neither is zone file access, the mechanism for obtaining copies of zone data; the pre-delegation testing requirements aren't finished; and the GAC (the committee of representatives from various governments) could still retroactively veto new domains even after they'd been placed in service.

All of these issues are well known, and the technical requirements have been listed in the applicant guidebook for several years, so it does reflect poorly on ICANN that they're so far from being ready to implement the new domains.

Most importantly, Verisign notes that the root servers, which are run by a variety of fiercely independent operators, have no coordinated logging or problem reporting system. If something goes wrong at one root server, there's no way to tell whether the problem is local to that operator or affects everyone, short of making phone calls. Verisign gives some examples of odd and unexpected things that happened as DNSSEC was rolled out in the root, and again their concerns are quite reasonable.
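Verisign's point about uncoordinated root operators also describes the position of anyone outside those operators: there is no shared status feed, so the practical check is to ask every root server the same question and compare the answers. What follows is an added example, not code from the post or from Verisign's paper, that polls each root server for the root zone's SOA serial and reports servers that lag the majority or don't answer. The server addresses are the IPv4 addresses from the IANA root hints file as of this writing and should be checked against the current file; the sample response used for the offline run is constructed, not captured.

```python
"""Poll the root servers for the root zone SOA serial and flag disagreement.
Added example, not from the post or Verisign's paper. Standard library only;
the wire format follows RFC 1035."""
import random
import socket
import struct
from collections import Counter

# IPv4 root server addresses from the IANA root hints file at the time of writing.
# Assumption: verify against the current hints file before relying on them.
ROOT_SERVERS = {
    "a": "198.41.0.4", "b": "199.9.14.201", "c": "192.33.4.12", "d": "199.7.91.13",
    "e": "192.203.230.10", "f": "192.5.5.241", "g": "192.112.36.4", "h": "198.97.190.53",
    "i": "192.36.148.17", "j": "192.58.128.30", "k": "193.0.14.129", "l": "199.7.83.42",
    "m": "202.12.27.33",
}
QTYPE_SOA, QCLASS_IN = 6, 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name; "." encodes as the single empty root label."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_root_soa_query(txid: int) -> bytes:
    """Header (RD set, one question, no answers) followed by the question '. IN SOA'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(".") + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, whether written out or compressed."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, and the name ends here
            return off + 2
        off += 1 + length


def parse_soa_serial(msg: bytes, txid: int) -> int:
    """Extract the SOA serial from a response; ValueError if it isn't a clean, matching answer."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")   # stale, mismatched or spoofed reply
    if flags & 0x000F:
        raise ValueError(f"rcode {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4               # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA and rclass == QCLASS_IN:
            pos = _skip_name(msg, off)               # MNAME
            pos = _skip_name(msg, pos)               # RNAME
            return struct.unpack("!I", msg[pos:pos + 4])[0]   # SERIAL is the first 32-bit field
        off += rdlen
    raise ValueError("no SOA record in answer section")


def probe_root_serials(servers=ROOT_SERVERS, timeout=2.0) -> dict:
    """Ask each root server for the root SOA; None marks a server that gave no clean answer."""
    observed = {}
    for letter, ip in servers.items():
        txid = random.getrandbits(16)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_root_soa_query(txid), (ip, 53))
            data, _ = sock.recvfrom(4096)
            observed[letter] = parse_soa_serial(data, txid)
        except (OSError, ValueError, struct.error, IndexError):
            observed[letter] = None
        finally:
            sock.close()
    return observed


def compare_serials(observed: dict) -> dict:
    """The majority serial is the consensus; anything else is divergent or unreachable."""
    serials = [s for s in observed.values() if s is not None]
    consensus = Counter(serials).most_common(1)[0][0] if serials else None
    return {
        "consensus": consensus,
        "divergent": {k: v for k, v in observed.items() if v is not None and v != consensus},
        "unreachable": sorted(k for k, v in observed.items() if v is None),
    }


def build_sample_soa_response(txid: int, serial: int) -> bytes:
    """Constructed reply for offline runs, NOT a captured packet: QR+AA flags, one SOA answer."""
    rdata = (encode_name("a.root-servers.net") + encode_name("nstld.verisign-grs.com")
             + struct.pack("!IIIII", serial, 1800, 900, 604800, 86400))
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    question = encode_name(".") + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    answer = encode_name(".") + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 86400, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:        # real queries; the default stays offline on constructed data
        print(compare_serials(probe_root_serials()))
    else:                           # constructed observations: m lags by one serial, k is silent
        sample = {letter: 2013032901 for letter in ROOT_SERVERS}
        sample["m"] = parse_soa_serial(build_sample_soa_response(7, 2013032900), 7)
        sample["k"] = None
        print(compare_serials(sample))
```

Run with --live to query the real root servers; otherwise it exercises the parser and comparison on constructed data. A server whose serial lags the majority for longer than the zone's refresh interval is exactly the kind of anomaly that, per the post, is today discovered by phone call. Serial agreement from one vantage point says nothing about DNSSEC validity or about reachability from elsewhere, so this is a sanity check, not a substitute for the coordinated reporting Verisign asks for.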

An obvious question is what Verisign's motivation is in publishing this now. Since they are the registry for .COM and .NET and a few smaller domains, one possibility is FUD: trying to delay all the new domains to keep competitors out of the root. I don't think that's it. Over 200 of the applications say they'll use Verisign to run their registries, so Verisign stands to make a fair amount of money from them. And everyone expects that to the extent the new TLDs are successful at all, it'll be through additional, often defensive, registrations, not people abandoning .COM and .NET.

So my take is that Verisign means what it says: the root isn't ready for all these domains, nor are ICANN's processes, and Verisign, as the root zone maintainer, is justifiably worried that if ICANN goes ahead anyway, the root could break.

Update: Thu April 4, 2013
A follow-up to the post above, which discussed Verisign's white paper, New gTLD Security and Stability Considerations, in which they listed a bunch of reasons that ICANN isn't ready to roll out lots of new TLDs. Among the reasons was that several of the services the new gTLDs are required to use aren't available yet, including the Emergency Back End Registry Operators (EBEROs), who would take over the registry functions for a TLD whose operator failed. They were supposed to have been chosen in mid-2012. By complete coincidence, ICANN has just announced that it has chosen three EBEROs. I can't wait to see what happens next week.

By John Levine, Author, Consultant & Speaker.

Related topics: DNS, DNS Security, ICANN, Security, Top-Level Domains


Comments

TMCH Kevin Murphy  –  Mar 29, 2013 9:30 PM PDT

Probably not accurate to call the TMCH a "a blacklist of names that people aren't allowed to register".

The TMCH gives trademark holders the right to register domains in sunrise periods (but only if they pay and are eligible under the registry's rules) and sends potentially worthless EULA-style warnings to people who attempt to register domains that match trademarks.

It doesn't stop anyone registering anything.

TMCH John Levine  –  Mar 29, 2013 9:38 PM PDT

You're right, but VRSN's point, that registries have to query the TMCH in real time and nobody has a clue how that's going to work, was the main issue.

Kevin Murphy  –  Mar 29, 2013 9:52 PM PDT

And it's a good point. The TMCH is an unknown quantity for new gTLD registries and their potential customers at this point.

The pertinent question, however, is whether it threatens the security and stability of the DNS we all know and love. That's a much harder case to argue.

If the TMCH catastrophically fails, what does that mean to anyone other than companies trying to sell new gTLD domain names, and people trying to buy them, during the first 90 days of GA?

Not much, I'd say.

software is hard John Levine  –  Mar 29, 2013 9:59 PM PDT

The TMCH will need some kind of EPP extension, that then has to be coded into everyone's registry software and debugged. Having written my share of client/server software I'm acutely aware of all of the strange and flaky ways that stuff can fail.

If they're lucky, everything will be just dandy. If they're not, they'll get strange bugs like TMCH lookups randomly changing the strings that people are trying to register.

Do read the report. The TMCH is just one example of the parts of the new gTLD program that are not even within hailing distance of being ready for prime time.

Also remember the incentives John Levine  –  Mar 29, 2013 10:02 PM PDT

There are over 200 new TLD applications with VRSN as the back end, mostly closed dot-brand stuff. That's got to represent several million dollars per year of revenue to VRSN, with little incremental cost since it'll run on the same infrastructure that runs .NAME and .JOBS and so forth. They must be pretty nervous to be willing to forego that kind of revenue.

Kevin Murphy  –  Mar 30, 2013 7:15 AM PDT

Not necessarily. They could just as easily be nervous, some say, about new gTLDs cutting into their $800 million .com business.

"several million dollars per year of revenue" Andrew Allemann  –  Mar 30, 2013 7:27 AM PDT

That's nothing to VRSN. Look at their income statement.

Just checking John Levine  –  Mar 30, 2013 9:19 AM PDT

So are you both saying you've read VRSN's paper and you think the issues are all bogus?  How about the root zone automation issue?

Kevin Murphy  –  Mar 30, 2013 10:02 AM PDT

I'm not saying the issues are bogus. On the contrary, most of them have been discussed for years.

Why now? Avtal Meren  –  Mar 30, 2013 2:41 PM PDT

I'm still trying to understand: Why did Verisign wait until so late to publish these concerns?  Couldn't they have raised the alarm six months or a year ago?

Avtal

John Levine  –  Mar 30, 2013 3:18 PM PDT

ICANN announced a few days ago that they've approved about 30 TLD applications, which means that they may actually have some intention of putting them into the root.

