Have some security aspects been overlooked in the rush to conclude the new gTLD program and "give birth to the baby before it starts to get really sick" as ICANN CEO Fadi Chehadé put it at a briefing jointly organised by ICANN and the European Commission a few days ago?
Ever since 2008 when the ICANN Board approved the GNSO-evolved policy that became the new gTLD program, it has been reworked so much that it's difficult to imagine any stone has been left unturned. Yet a recent letter threatens to open up a new can of worms.
The letter was sent by ALAC. In the ICANN universe, any acronym that ends with the letters A and C denotes an Advisory Committee. As the name suggests, these exist to provide advice on their specific area of expertise. One such committee, the Governmental Advisory Committee or GAC, has been getting a lot of press since April, when it gave the ICANN Board advice so far-reaching that some see it as taking parts of the new gTLD program back to the drawing board.
Whilst the GAC speaks for governments, other ACs represent the Internet's users (ALAC) or its technical community (SSAC). Even if the GAC is often perceived as carrying more weight, the truth is it would be difficult and politically dangerous for the ICANN Board to ignore any of its ACs as they weigh in on the new gTLD debate.
Yet ALAC's June 7, 2013 letter suggests that's exactly what the Board has been tempted to do with advice from the SSAC, shorthand for the Security and Stability Advisory Committee. SSAC's function is to advise "the ICANN community and Board on matters relating to the security and integrity of the Internet's naming and address allocation systems".
As a committee of technical experts, SSAC has naturally looked at the possible impact on the stability of the Internet of a hundred-fold increase in the size of the root zone. It has published several reports since 2008 and proponents of new gTLDs reading some of them are likely to come away feeling a little depressed.
Contrary to popular delusions, adding new Top Level Domains to a system as complex and unpredictable as the Internet is not just about giving new strings the green light at ICANN level. The possible technical side effects SSAC has looked at actually make one weak at the knees.
Did you know, for example, that there are constant requests on the Internet for strings that don't exist? So much so in fact, that the top 10 such requests make up 10% of the total query load sent to the root servers! SSAC's SAC045 report calls this "DNS pollution" and tells us that right now, with the limited number of Top Level Domains, it's easy for the system as a whole to deal with the issue. The root responds that the requested string doesn't exist and that's that. But what if tomorrow, the string does exist?
"It is likely that many of the same conditions that cause the current set of invalid TLD queries to appear at the root level of the DNS will persist," says SSAC in its report. So those wrongly configured systems could start behaving differently when they are told that they are, in fact, asking for valid strings. Because the fact that the strings themselves have now become valid through someone else's desire to operate them as new gTLDs won't make the original request any less of a mistake. "Studies illustrate that the amount of inherited query traffic could be considerable, i.e., on the order of millions of queries per day, should the applicant's chosen string be one that appears frequently at the root," warns SSAC. Scary.
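An added example (not from the article or from SSAC's reports) of how an operator could measure this exposure on their own resolver: it classifies logged queries by rightmost label and counts those that get a "does not exist" answer today but would be answered if the string were delegated. The log format, the delegated-TLD subset and the applied-for list are constructed for illustration; only `search` is a string named in the article.

```python
from collections import Counter, defaultdict

# Constructed inputs (assumptions, not real root-zone or application data).
DELEGATED = {"com", "net", "org", "uk"}       # tiny subset of today's root zone
APPLIED_FOR = {"corp", "home", "search"}      # illustrative applied-for strings

# Constructed resolver query log, one query per line: "<client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com. A
10.0.0.7 fileserver.corp. A
10.0.0.7 fileserver.corp. AAAA
10.0.0.9 printer.home A
10.0.0.9 nas.home. A
10.0.0.12 intranet A
10.0.0.12 MAIL.CORP. MX
10.0.0.5 example.org. NS
10.0.0.3 host.localdomain. A
malformed line
"""

def tld_of(qname):
    """Rightmost label of a query name, lowercased; None for the root itself."""
    labels = [l for l in qname.rstrip(".").lower().split(".") if l]
    return labels[-1] if labels else None

def classify(log_text, delegated, applied_for):
    """Count queries for non-delegated TLDs and those that would collide."""
    out = {"total": 0, "invalid": Counter(), "collision": Counter(),
           "clients": defaultdict(set)}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed log lines
        client, qname, _qtype = parts
        tld = tld_of(qname)
        if tld is None:
            continue
        out["total"] += 1
        if tld in delegated:
            continue                      # resolves normally today
        out["invalid"][tld] += 1          # root answers "no such name" today
        if tld in applied_for:
            out["collision"][tld] += 1    # answer changes once delegated
            out["clients"][tld].add(client)
    return out

if __name__ == "__main__":
    r = classify(SAMPLE_LOG, DELEGATED, APPLIED_FOR)
    print("invalid-TLD share:", sum(r["invalid"].values()), "of", r["total"])
    for tld, n in r["collision"].most_common():
        print(f".{tld}: {n} queries from {sorted(r['clients'][tld])}")
```

The per-string client sets identify which internal systems to reconfigure before the string goes live.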
Ignoring the writing on the wall?
Through several studies, SSAC not only outlines a potential problem, but also recommends action to mitigate the risks. ALAC's June 7 letter can be read as an accusation that the ICANN Board is ignoring this advice and blindly pushing on with launching new gTLDs.
"An ICANN Announcement on 28 May 2013 advised that ICANN, following the direction of its Board, is commissioning two Security Studies on the Use of Non-Delegated TLDs, and Dotless Names," writes ALAC Chair Olivier Crépin-Leblond. "While the commitment to investigate these potential conflicts is most welcome, the timing of this very necessary undertaking is regrettably late in the process of new gTLD introduction."
ALAC references SSAC study SAC046 which recommended further studies be undertaken. "This recommendation has been repeated by the SSAC on a number of occasions since," adds Crépin-Leblond, before turning to another technical issue.
On February 23, 2012, SAC053 recommended that dotless domains not be allowed. Simply put, dotless domains are a TLD used as a key word, without any suffix or prefix. "It has been a year since the release of that Advice and the Advice was very clear," Crépin-Leblond says, before castigating ICANN for concluding that public comments to SAC053 suggest no clear conclusions can be drawn from the advice and that a new study is required to determine what to do with dotless domains. "The above constitutes a flagrant flaw in the public comment system and I urge you to find the reason for this flaw. I shall also ask the Accountability and Transparency Review Team to investigate this matter since this is an example of very clear cut advice from an ICANN Advisory Committee that is put into question by the ICANN Board and Staff."
So is ICANN guilty of pushing on regardless? For applicants who are already having to contend with some unexpectedly heavy GAC advice, no doubt the answer is a resounding "no!". But they now face mounting pressure from those who are not prepared to risk the Internet starting to go all weird because new gTLDs are launched without due respect for the potential technical collateral damage they might cause.
ALAC is not the only voice suggesting caution. In March, Dot COM registry operator Verisign sent Chehadé a study on "new gTLD security and stability considerations" in which it mentions a number of possible technical hiccups.
And just days ago, on June 26, US Senate Committee on Commerce, Science and Transportation Chairman John D. Rockefeller IV grew so worried he wrote to ICANN Board Chair Steve Crocker asking him to consider doing "a limited first round of new gTLDs to allow for an effective one-year review."
Sen. Rockefeller makes the point that those entrusted with the public interest are worried. No doubt the spate of correspondence ICANN has received lately has helped increase this anxiety level.
Some of the alarm bells include FairSearch.org's assertion that Google is planning to operate the Dot Search TLD to its own advantage. "As the dominant online search provider, Google has a unique economic interest in stifling existing and emerging competitive threats to its position," says FairSearch.org, an organisation formed in 2010 to promote an open search ecosystem.
The central theme in all this remains a technical one. Is ICANN moving ahead too fast for the technical good of the Internet? At this stage, the truth may actually matter less than the perception of the truth.
It seems pretty clear, especially considering the ICANN Board has already accepted some of it, that the GAC's advice has scuppered some gTLD applicants' hope of a quick launch. On the other hand, the new gTLD program should not be allowed to drag on indefinitely. Opening up the Internet's top level has taken up so much of ICANN's life force that it's become crucial for the program to see some sort of conclusion soon.
And if part of the ICANN community or US Senators are thinking otherwise, Chehadé is behaving like the top-level manager he is: by sticking to his timeline but also by preparing a contingency plan, just in case.
"Our target date is the fall of 2013," he said in Brussels, a couple of weeks after the creation of a new "generic domains" division, to be headed by former ICANN COO Akram Atallah, was announced. "This program has consumed huge quantities of ICANN's resources. This is what this new division is about. It's there to give some oxygen back to ICANN because we have a lot of other important things to do."
Like making sure the Internet remains technically stable and functional, which is written in ICANN's Bylaws as one of its core values and which Chehadé has repeatedly said would take precedence over the drive to launch new gTLDs.
Atallah's already celebrated one major win as ICANN and its accredited registrars finally closed on almost two years of negotiations and agreed on a new registrar contract this week. A few days later, the registry contract was also wrapped up. But taking the concerns of ICANN's technical community on board whilst keeping the new gTLD program on schedule may end up being an even bigger challenge.
By Stéphane Van Gelder, StartingDot, MILATHAN