Home / Blogs

An Open Letter to NTIA, ICANN, and IANA

Karl Auerbach

I am writing this note in order to express my concern about an impending change in the root of the Domain Name System (DNS) and two of the largest Top Level Domains (TLDs). I am concerned that there is a risk of disruption to the net that has not been adequately evaluated and I am concerned that this change is being deployed without adequate monitoring or safeguards.

ICANN, IANA, and NTIA are the bodies that are responsible for the stable, continuous, reliable, and accurate operation of the top tier of the internet Domain Name system. Whether through positive choice or not ICANN, IANA, and NTIA are about to allow a change to occur to the top tier of the DNS system.

This change may endanger the stability of the internet.

Neither ICANN, IANA, nor NTIA has investigated this change. No evaluation has been made to determine whether this change is safe. No contingency plans have been put into place to reverse the change should adverse side effects occur.

The risks of this change may be small or they may be large - the problem is that no one has studied the issue sufficiently to know the risks.

This situation is troubling. But what is even more troubling is that neither ICANN, IANA, nor NTIA have procedures through which this, and future changes to the internet's Domain Name System can be evaluated. Nor are there procedures through which such a change, if felt to be safe, may be deployed in a way that ill effects can be measured and the change be backed-out if those ill-effects are unacceptably large.

On September 20 the following was posted to the NANOG mailing list:

Date: Mon, 20 Sep 2004 16:58:49 -0400
From: Matt Larson
To: nanog@merit.edu
Subject: IPv6 support for com/net zones on October 19, 2004

VeriSign will add support for accessing the com/net zones using IPv6 transport on October 19, 2004. On that day, AAAA records for a.gtld-servers.net and b.gtld-servers.net will be added to the root and gtld-servers.net zones.

We do not anticipate any problems resulting from this change, but because these zones are widely used and closely watched, we want to let the Internet community know about the changes in advance.

Matt — Matt Larson VeriSign Naming and Directory Services

Despite the assurance contained in that announcement this change does contain aspects that could engender increased traffic loads, increased name resolution delays, and even result in loss of Domain Name System (DNS) services to users under some circumstances.

This change was announced by VeriSign, not by ICANN, IANA, or NTIA. Yet the tone of the announcement expresses a sense that there are no contingencies and that this change will occur without any further action on the part of ICANN. IANA, or NTIA.

Neither ICANN, IANA, nor NTIA has presented any analysis that enumerates the risks or benefits of this change.

The only documents that exist are an internet draft and a research paper [PDF]. Both of these papers examine only the effect of this change on root servers and do not deal with the effects on other parts of the internet. The internet draft is a thought-piece that lacks empirical substantiation of its claims and reaches its conclusions without showing the rationale behind those conclusions. That draft reaches the conclusion that the degree of risk is acceptable without ever explaining how it determines what constitutes an acceptable level of risk. The research paper does come to the conclusion that operational changes are required, a conclusion that appears to be ignored by the announced change.

Small scale versions of the October 19 change were deployed in some country-code TLDs. However, because those deployments were performed without any monitoring there is no information available regarding the side effects of that change on internet users, ISPs, or the DNS resolvers they use.

Neither ICANN, IANA, nor NTIA has presented any plan to monitor the deployment of this change to ascertain whether any unexpected or unacceptable side effects occur. Nor has ICANN, IANA, or NTIA presented any plan to roll-back the change should that become necessary.

Since its inception ICANN has adopted the position that any changes to the DNS must be justified by massive need and be proved to contain virtually no element of risk That conservative approach has been the expressed reason why ICANN has spent so much time on the question of new top level domains (TLDs).

The change proposed by the Verisign announcement presents at least as much risk of ill side effects as the addition of new TLDs. In fact, to my mind as an internet technologist, the risk inherent in this proposed change is qualitatively greater than it is for new TLDs.

It is incumbent on ICANN, IANA, and NTIA to justify to the community of internet users that a proposed change to DNS is safe and that its deployment will be carefully monitored and that there are contingency plans should the unexpected happen.

There are those who will argue that the risks associated with the proposed change are small and of a negligible degree. They may be the right. However we do not have the research, experimentation, and analysis to know.

Given the centrality of the DNS to the reliable and continuous operation of the internet and the fact that his change is being made to the largest of all of the top level domains it is not prudent to rely on mere assurances, particularly when those assurances are not backed by solid research and objective experimental validation.

It is reckless to deploy such changes without appropriate monitoring, backed by pre-change baseline measurements, to evaluate whether the change, once deployed, should be allowed to remain in place or the status quo ante be restored.

I call upon ICANN, IANA, and NTIA to suspend the change announced in Verisign's email of September 20 until such time that ICANN, IANA, or NTIA can publish an objective and detailed proof, backed by verifiable and repeatable experimental measurements, that the change is safe not only to root servers but that it will also not cause ill effects to ISPs or internet users. This proof should make explicit the means by which it determines what degree of effects are acceptable and what degrees of risk are not acceptable.

In addition I call upon ICANN, IANA, and NTIA to not deploy any such change without adequate monitoring of the effects and a complete roll-back action plan.

Because DNS and the internet are still evolving, further changes will certainly be proposed. ICANN, IANA, and NTIA ought to establish a clear mechanism to publish notice of such changes, to scientifically inquire into the effects of such changes, and to safely deploy such changes.

The National Telecommunications and Information Administration (NTIA), because it retains ultimate control of the root zone of the domain name system, should require that ICANN and IANA demonstrate the safety of changes to the DNS before such changes are deployed. In the absence of such demonstrations, NTIA must step forward and refuse to allow the changes.

---
Originally published on CaveBear Weblog.

By Karl Auerbach, Chief Technical Officer at InterWorking Labs
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Re: An Open Letter to NTIA, ICANN, and IANA Jeff  –  Oct 13, 2004 8:38 AM PDT

I think that Karl's complaint is even more widely spread than that. I think that any major change to the root servers should first be viewed by asking the question 'Are there any benefits to be gained from this change in the real world?'. Cchange for the sake of change may be applied to ones wallpaper, but I fail to see why the world needs to change very basic mechanisms without taking that look at the whole picture and on 30 day's notice.

Verisign is well known for taking unilateral action and this looks like one more case for the file.

Re: An Open Letter to NTIA, ICANN, and IANA Stephane Bortzmeyer  –  Oct 13, 2004 12:45 PM PDT

> The only documents that exist are an internet
> draft and a research paper [PDF].

Please Karl, search deeper. There are another two studies, both mentioned in ICANN's announce about adding IPv6 glue to the root :

"DNS Response Size and Name Compression" http://w6.nic.fr/dnsv6/resp-size.html

and

http://www.icann.org/committees/security/dns-recommendation-01nov03.htm

The ICANN document is http://www.iana.org/procedures/delegation-data.html

Re: An Open Letter to NTIA, ICANN, and IANA Stephane Bortzmeyer  –  Oct 13, 2004 12:48 PM PDT

> Since its inception ICANN has adopted the
> position that any changes to the DNS must be
> justified by massive need and be proved to
> contain virtually no element of risk That
> conservative approach

It took 17 months for ICANN to add IPv6 glue after the ".fr" first request. Isn't it conservative enough? It took many meetings of the RSSAC and other bodies to override ICANN's caution. It really looks like here that you would do anything to complain about ICANN, which was the brake in that case, not the accelerator.

Re: An Open Letter to NTIA, ICANN, and IANA Stephane Bortzmeyer  –  Oct 26, 2004 11:38 PM PDT

It's done:

A.GTLD-SERVERS.NET. AAAA 2001:503:A83E:0:0:0:2:30
B.GTLD-SERVERS.NET. AAAA 2001:503:231D:0:0:0:2:30

Added this night. The Internet is still running.

To post comments, please login or create an account.

Related

Topics

Cybersecurity

Sponsored byVerisign

Whois

Sponsored byWhoisXML API

Cybercrime

Sponsored byThreat Intelligence Platform

IP Addressing

Sponsored byAvenue4 LLC

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias