
Verisign Doesn't Think the Net Is Ready for a Thousand New TLDs

John Levine

Yesterday Verisign sent ICANN a most interesting white paper called New gTLD Security and Stability Considerations. They also filed a copy with the SEC as an 8-K, a document that their stockholders should know about.

It's worth reading the whole thing, but in short, their well-supported opinion is that the net isn't ready for all the new TLDs, and even if it were, ICANN's processes or lack thereof will cause other huge problems.

The simplest issues are administrative ones for ICANN. In the olden days updates to the root zone were all handled manually: signed email from ICANN to Verisign, who manages the root zone, with a check at NTIA, who oversees it under longstanding contracts. As the number of changes increased, more due to added IPv6 and DNSSEC records than increased numbers of TLDs, the amount of email got unwieldy, so they came up with a new system where the change data is handled automatically, with people looking at secure web sites rather than copying and pasting from their mailboxes. This system is still in testing and isn't in production yet; Verisign would really prefer that it was before ICANN starts adding large numbers of new TLDs.

The new domains all have to use the Trademark Clearinghouse (TMCH), a blacklist of names that people aren't allowed to register. Due to lengthy dithering at ICANN, the TMCH operator was just recently selected, and they haven't even started working out the technical details of how registry operators will query it in real time as registrations arrive.

There are other ICANN issues as well: the process for transferring a failed registry's data to a backup provider isn't ready, nor is zone file access for getting copies of zone data, nor are the pre-delegation testing requirements done, and the GAC (the representatives from various governments) could still retroactively veto new domains even after they'd been placed in service.

All of these issues are well known, and the technical requirements have been listed in the applicant guidebook for several years, so it does reflect poorly on ICANN that they're so far from being ready to implement the new domains.

Most importantly, Verisign notes that the root servers, who are run by a variety of fiercely independent operators, have no coordinated logging or problem reporting system. If something does go wrong at one root server, there's no way to tell whether it's just them or everyone other than making phone calls. Verisign gives some examples of odd and unexpected things that happened as DNSSEC was rolled out, and again their concerns are quite reasonable.

An obvious question is what is Verisign's motivation in publishing this now. Since they are the registry for .COM and .NET and a few smaller domains, one possibility is FUD, trying to delay all the new domains to keep competitors out of the root. I don't think that's it. Over 200 of the applications say that they'll use Verisign to run their registries, so Verisign stands to make a fair amount of money from them. And everyone expects that to the extent the new TLDs are successful at all, it'll be additional, often defensive registrations, not people abandoning .COM and .NET.

So my take on this is that Verisign means what they say, the root isn't ready for all these domains, nor are ICANN's processes ready, and Verisign as the root zone manager is justifiably worried that if they go ahead anyway, the root could break.

Update: Thu April 4, 2013
This is a follow-up to the Verisign white paper discussed above, New gTLD Security and Stability Considerations, in which they listed a bunch of reasons that ICANN isn't ready to roll out lots of new TLDs. Among the reasons were that several of the services the new gTLDs are required to use aren't available yet, including the Emergency Back End Registry Operators (EBEROs), who would take over the registry functions for a TLD whose operator failed. They were supposed to have been chosen in mid-2012. By complete coincidence, ICANN has announced that they had chosen the three Emergency Back End Registry Operators. I can't wait to see what happens next week.

By John Levine, Author, Consultant & Speaker.

Related topics: DNS, DNS Security, ICANN, Security, Top-Level Domains

Comments

TMCH Kevin Murphy  –  Mar 29, 2013 9:30 PM PDT

Probably not accurate to call the TMCH a "a blacklist of names that people aren't allowed to register".

The TMCH gives trademark holders the right to register domains in sunrise periods (but only if they pay and are eligible under the registry's rules) and sends potentially worthless EULA-style warnings to people who attempt to register domains that match trademarks.

It doesn't stop anyone registering anything.

TMCH John Levine  –  Mar 29, 2013 9:38 PM PDT

You're right, but VRSN's point, that registries have to query the TMCH in real time and nobody has a clue how that's going to work, was the main issue.

And it's a good point. The TMCH Kevin Murphy  –  Mar 29, 2013 9:52 PM PDT

And it's a good point. The TMCH is an unknown quantity for new gTLD registries and their potential customers at this point.

The pertinent question, however, is whether it threatens the security and stability of the DNS we all know and love. That's a much harder case to argue.

If the TMCH catastrophically fails, what does that mean to anyone other than companies trying to sell new gTLD domain names, and people trying to buy them, during the first 90 days of GA?

Not much, I'd say.

software is hard John Levine  –  Mar 29, 2013 9:59 PM PDT

The TMCH will need some kind of EPP extension, that then has to be coded into everyone's registry software and debugged. Having written my share of client/server software I'm acutely aware of all of the strange and flaky ways that stuff can fail.

If they're lucky, everything will be just dandy. If they're not, they'll get strange bugs like TMCH lookups randomly changing the strings that people are trying to register.

Do read the report. The TMCH is just one example of the parts of the new gTLD program that are not even within hailing distance of being ready for prime time.

Also remember the incentives John Levine  –  Mar 29, 2013 10:02 PM PDT

There are over 200 new TLD applications with VRSN as the back end, mostly closed dot-brand stuff. That's got to represent several million dollars per year of revenue to VRSN, with little incremental cost since it'll run on the same infrastructure that runs .NAME and .JOBS and so forth. They must be pretty nervous to be willing to forego that kind of revenue.

Not necessarily. They could just as easily Kevin Murphy  –  Mar 30, 2013 7:15 AM PDT

Not necessarily. They could just as easily be nervous, some say, about new gTLDs cutting into their $800 million .com business.

"several million dollars per year of revenue" Andrew Allemann  –  Mar 30, 2013 7:27 AM PDT

That's nothing to VRSN. Look at their income statement.

Just checking John Levine  –  Mar 30, 2013 9:19 AM PDT

So are you both saying you've read VRSN's paper and you think the issues are all bogus?  How about the root zone automation issue?

I'm not saying the issues are bogus. Kevin Murphy  –  Mar 30, 2013 10:02 AM PDT

I'm not saying the issues are bogus. On the contrary, most of them have been discussed for years.

Why now? Avtal Meren  –  Mar 30, 2013 2:41 PM PDT

I'm still trying to understand: Why did Verisign wait until so late to publish these concerns?  Couldn't they have raised the alarm six months or a year ago?

Avtal

ICANN announced a few days ago that John Levine  –  Mar 30, 2013 3:18 PM PDT

ICANN announced a few days ago that they've approved about 30 TLD applications, which means that they may actually have some intention of putting them into the root.
