Why Registry Service Providers Should be Accredited by ICANN

Kurt Pritz

The merits of a Registry Service Provider accreditation program have been debated across the Domain Industry since the most recent round of Domain Name Registries was introduced starting in 2012. This post discusses the early reasoning in support of an accreditation program; changes in the policy considerations between 2012 and now; the effects of competition on the landscape; a suggestion for how such a program might be implemented; and why such a program should be introduced now.

Abstract

A small number of Registry Service Providers provide registry technical services for nearly all the 1000+ new Domain Name Registry Operators.

A program to accredit registry service providers was considered as part of the 2012 round to establish new domain name registries. This was not adopted at the time because it was thought such a program would discourage diversity, i.e., it would create a barrier to expansion of the domain name industry into underserved areas.

Since that time, downward pressure on prices due to competition among Registry Service Providers has drained capital from the marketplace that might otherwise be used to fund stable, resilient infrastructures.

A registry service accreditation program, properly designed, created now and adopted ahead of the next round of domain name registry introductions:

  • would serve to increase the stability and resiliency of the DNS by focusing qualifying criteria on resilience to attacks and the latest threat matrices (in addition to Service Level Agreements and operational criteria), and
  • could increase diversity and introduce the domain name industry into under-served areas.

An accreditation program, designed with substantial implementation advice from the domain name industry and community, could be implemented without a formal policy development process. Even a voluntary program would be attractive, as it would include the cost benefit of a streamlined pre-delegation testing protocol and the marketing benefit associated with being a leader in stability and resiliency. If voluntary, other Registry Service Providers (in-house or contracted) can meet the agreed upon contractual requirements and pass pre-delegation testing in the usual way.

2012 Round Environment

Currently, 42 Registry Service Providers (RSPs) provide technical services for all of the 1000+ newly minted generic top-level domain name registries (gTLDs). Fewer than a quarter of those 42 cover the vast majority of the new TLD domain name registries and the domain name registrations in those new TLDs. Very basically, Registry Service Providers perform the technical operations of the registry, connecting the registry to the DNS and to registrars.

Each of the 1000+ new Domain Name Registry Operators passed a "pre-delegation test," intended to ensure that the Registry Operator (the entity entering into the registry agreement with ICANN) had put into operation adequate infrastructure to operate the registry (see New gTLD Program: Draft Applicant Guidebook). Because Registry Operators engaged with the existing, limited number of Registry Service Providers, the pre-delegation tests were performed many, many times on the same RSP. Because there were several "portfolio" applicants, applicants that applied for many TLD registries, the exact same pre-delegation tests were performed on the same hardware using the same criteria many times over.

Recognizing that performing multiple, similar tests on the same Registry Service Provider would unnecessarily lengthen the applicant evaluation process, some Registry Service Providers and Domain Name Registry applicants urged that there be an accreditation program for Registry Service Providers to eliminate unnecessary repetition (and associated time and cost) in the testing program. The accreditation program would be administered by ICANN. The vetting associated with obtaining the Registry Service Provider accreditation would supplant the need for pre-delegation testing of each new Domain Name Registry as it came down the evaluation path, so long as the Domain Name Registry had contracted with an accredited Registry Service Provider to provide its technical registry services.

Such an accreditation program was not implemented in the 2012 round of new TLDs.

Consideration of whether to implement Registry Service Provider accreditation is part of the Domain Name Industry policy discussion planning the next round of Domain Name Registries. Now that the market has developed, some policy discussion participants are motivated by preservation and enhancement of market share of each of the individual Registry Service Providers as well as saving time and cost during the pre-delegation testing process.

Policy Considerations

2012 Round

Registry Service Provider accreditation was not implemented for the 2012 round of Domain Name Registry introductions. The policy reason for this was that an accreditation requirement was seen to be a bar to potential Registry Service Providers in developing regions or even those seeking to start up in any region in order to offer competition.

In other words, an accreditation program was seen as a discouragement to those that might offer geographical diversity or increased competition because of the capital investment that might be required. Even if the accreditation program was merely made available and not made to be a requirement to provide registry technical services, the existence of the accreditation program would discourage would-be start-up Registry Service Providers. To them, the accreditation program would be seen as an additional substantial cost.

While well-intentioned, the policy objective was unmet. The absence of a Registry Service Provider accreditation program did not result in increased diversity, the introduction of new RSPs or even gTLD applicants who provided for their own "in-house" registry services.

Next round

The above-described policy reasons for not establishing a Registry Service Provider accreditation program no longer exist. Instead, the current set of circumstances serves to encourage the establishment of an accreditation program for the following reasons:

  • Practically (or literally) no firms from developing or underserved regions took advantage of the opportunity presented by the 2012 gTLD round to build a registry service provider or provide technical services to new registry operators in developing or underserved regions. In other words, the policy to refrain from establishing a Registry Service Provider accreditation program in order to encourage more participation in underserved regions did not work.
  • There is time to competently design and implement such a program ahead of the current policy discussion. If undertaken now, the remaining two-year gap between now and the next round provides ICANN and the community with the opportunity and time to:
    • establish an accreditation program including appropriate technical requirements without further delaying the next round,
    • market the program in underserved regions,
    • provide education & training, and
    • encourage partnerships & investment to roll out an effective program with a strong likelihood of adoption.
  • Most importantly, there is time to carefully craft and test accreditation criteria that will not only promote competition, but will also serve to enhance Domain Name System (DNS) stability and resiliency.

Therefore, the accreditation program can serve the twin ICANN primary missions to build diversity and ensure DNS stability at the same time.

Race to the Bottom

A dozen or more years ago, former ICANN CEO Paul Twomey and I used to chat about the market structure and where it might be headed. Along with almost everyone else, we thought the $6 per annual domain name registration commanded by Verisign for .COM domains was excessive when compared to the fiscal needs to provide a reliable, resilient infrastructure and market (to the extent it was necessary) the .COM Domain Name Registry.

However, we also thought that maintaining a sizable capital flow through the entire marketplace provided its own form of resiliency and robustness. If domain name registrations were marketed at $1 a year as some recommended, the entire market might be strangled by the mere absence of cash flow and, in case of emergency (attack, infrastructure failure or other fiscal or physical disaster) there would not be the back-up reserves upon which the entire industry could draw.

That situation is close to being realized. The market has divided into Domain Name Registry Operators and Registry Service Providers. Registry Operators (not Registry Service Providers) are in a position to collect most of the margin derived from the sale of domain names. Registry Service Providers are in competition to provide technical services that have essentially become a commodity. Prices for registry services have dropped from $6 per registration-year to $3 and beyond. The price is now routinely $1 per registration-year with prices headed toward or below $0.50.

Arguably, Registry Service Providers operate the key Internet infrastructure, resolving over two million queries per second. The well-established providers have always invested heavily in infrastructure to ensure their ongoing security, stability and resiliency.

When registry operations and registry services were integrated into one organization, much of the ~$6 derived from each domain name sale could be allocated for registry services infrastructure. Now Registry Operators (the party contracted with ICANN) might be only a marketing organization, relying on a Registry Service Provider for all of its technical services and expertise.

As prices for registry services are driven downward, there is less capital available for infrastructure maintenance and improvement. The inevitable outcome is a failure, either due to an attack or just from being under the weight of neglect and underinvestment. If you have a population of X players in the market, all for-profit entities and all in a highly competitive environment, one (and then more) will inevitably reduce prices too much, reduce investment too much or mismanage the operation in some other way that will lead to a failure.

It has been pointed out that registry service providers are subject to strictly monitored Service Level Agreements.  In other words, operating Registry Service Providers already are being "re-tested" constantly.  That is true. But in this type of regime, Registry Service Providers will only pass until they fail, and that will be too late. (Airplanes are tested constantly that they meet operational criteria as they fly but we don't want to find their failures through crashes.)

How can we create incentives to invest in infrastructure and prevention?

One answer is an accreditation program where the criteria target stability and resiliency rather than SLAs.

For example, to obtain / retain accreditation, Registry Service Providers could demonstrate that all recently identified threats were addressed, certain expanded diversity requirements were met, and there was capacity to handle 10xxxxx times expected load.

An independent firm could be retained to identify and compile a threat matrix along with acceptable measures to address them. The IETF could play a role as they see fit.

The current pre-delegation tests target operations and ensure that Registry Service Providers, at the moment of testing, meet all required operational criteria. It is well demonstrated that all the current Registry Service Providers meet those criteria, as they have passed the tests multiple times. The accreditation program would not abandon that testing; it would add the resiliency testing and requirements.

Anyone who knows me also knows that I am not one of the Domain Name System technical cognoscenti. However, it is equally apparent that the downward spiral of Registry Service Provider pricing will lead to cut corners. The result will be a failure.

This might be prevented if we institute standards targeted at preventing corner-cutting and encouraging robust, resilient infrastructures that anticipate sophisticated attacks and growth. Let the Registry Service Providers compete equally but from a higher plateau.

The pre-delegation testing scheme is a snapshot. A renewable accreditation program can take a long-term view to promote the health and reliability of this newly developed marketplace.

Implementation

While a straightforward exercise, Registry Service Provider accreditation requires that a number of policy and implementation decisions be made. The recommendations below are made to demonstrate the program is workable and with the understanding that there are alternative adequate implementation schemes.

  • Criteria creation: Eventually, we might point to an RFC. In the near-term, ICANN can retain and compensate an independent team comprised of SSAC / IETF members to develop the initial criteria. As with any standards setting, this might be a contentious step where those with significant infrastructure attempt to exclude others from the market. (ISO standards often take years to create in a rancorous environment where each participating firm seeks to gain an edge.)

    Therefore, it is imperative that the criteria-creating team is chaired by a strong, independent entity and that the work is informed by an independent study. Examples of firms that could perform in both those roles are JAS Advisors, ISC and CHIP S.A.

  • Oversight: Oversight of the program should be performed by a technically and operationally cognizant, independent entity retained by ICANN. (A Domain Name Industry-comprised body should not be formed for such a role, as it would be open to criticism for lack of independence.) The oversight body would consider inputs from the SSAC, IETF and IAB. Its primary duties would include:
    • Standards and criteria maintenance until such time that RFCs replace the need for independently developed standards.
    • Accreditation
    • Annual renewal
    • Periodic updates: in the event new threats are identified that require immediate attention, all accredited Registry Service Providers would be required to update their capability within a specified period of time.
  • Privity of contract; duties and obligations of the parties: Existing agreements would remain essentially the same except with an added set of agreements between ICANN and the accredited Registry Service Providers. Each accredited Registry Services Provider would have an accreditation agreement with ICANN and a services agreement with each of the Registry Operators retaining it.

    Registry Operators would be responsible for complying with their Registry Agreement with ICANN, including Service Level Agreements. Failure of a Registry Service Provider (either to maintain the SLAs or maintain its accreditation) does not relieve a Registry Operator of its contractual obligations. This is similar to the agreement scheme among Registry Operators, ICANN-accredited registrars and ICANN. Whether Registry Operators would be required to use only accredited Registry Services Providers is probably a policy discussion (see below).

    Registry Service Providers would be obligated to ICANN to maintain their accreditation in accordance with their agreement with ICANN and obligated to Registry Operators in accordance with their agreement with them.

  • Fees: This effort could be fee-neutral, meaning that ICANN receives the same amount of fees as before the implementation of an accreditation program. If Registry Service Providers are charged a fee, there should be a corresponding decrease in fees to Registry Operators. One rationale for such a fee structure is that ICANN is charged with maintaining DNS stability and resiliency. This accreditation program ensures that Registry Service Providers build capacity to meet those stability and resiliency goals, i.e., this is not a change in ICANN responsibilities or obligations.

    A program that is fee-free to Registry Service Providers will provide an incentive to join (and adopt resiliency measures).

  • Policy implications: ICANN has the authority to launch an accreditation program under the New gTLD Program Consensus Policy Principles that, "a set of technical criteria must be used ... to minimise the risk of harming the operational stability, security and global interoperability of the Internet," and a "set of capability criteria ... must be used to provide an assurance that an applicant has the capability to meets its obligations." (If it is decided that a formal Policy Development is required, we can put off discussion of an accreditation program until the 2028 round.)

    To me, ICANN could make accreditation mandatory absent any bottom-up policy advice to the contrary. If there is no policy on a topic, ICANN should be able to address stability and security issues as they arise. The primary ICANN Core Value is: "Preserving and enhancing the operational stability, reliability, security, and global interoperability of the Internet."

    To avoid a controversy raised by a mandatory accreditation, ICANN can make the accreditation program voluntary. The benefits to accredited providers include a streamlined pre-delegation testing protocol and the marketing benefit associated with being a leader in stability and resiliency. Other Registry Service Providers can meet the agreed upon contractual requirements and pass pre-delegation testing in the usual way.

By Kurt Pritz, Strategic Planning Board, UKCI - operator of the .ART registry
Share your comments

Good points Mason Cole  –  Aug 04, 2016 9:24 PM PDT

Kurt makes some very good points here.  Accreditation of service providers would bring additional stability, reliability and predictability to the DNS infrastructure.  Such a requirement would assist in perpetuating the competitive environment, prevent handcuffing to back-end providers, and make any necessary change friction-free.  While this would make applications in a new round more efficient, this is a good concept to implement now to foster a more competitive environment, rather than waiting for a new round.
