One of the consistent chants we've always heard from ICANN is that there has to be a single DNS root, so everyone sees the same set of names on the net, a sentiment with which I agree. Unfortunately, I discovered at this week's ICANN meeting that due to ICANN's inaction, it's already too late.
Among the topics that ICANN has been grinding away at is Internationalized Domain Names (IDNs), which contain characters outside the traditional English ASCII character set. The technical issues were settled a while ago in the IETF, with a scheme called punycode that encodes Unicode characters as ASCII strings that start with xn--. ICANN has tied itself in knots over the issue of homographs, different characters that look the same or mean the same thing. Once people noticed that IDNs let you register different names that look the same, the intellectual property crowd that has always had a mysteriously great influence on ICANN went into a tizzy and they went into lengthy discussions on what to do about them. Unfortunately, there is no technical way to make homographs go away, because there is no agreement on what "the same" means. ICANN came up with a draft recommendation on IDN policy which nobody implemented, and is now about to come up with a second draft which nobody seems likely to implement, either.
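To make the xn-- encoding and the homograph problem concrete, here is an added example (not from the original post) that converts labels to and from their punycode form and flags labels that mix scripts. The function names, the script heuristic and the sample domains are assumptions made for illustration, and the normalization step that real IDNA processing applies before encoding is left out.

```python
import unicodedata

ACE_PREFIX = "xn--"

def to_ace(label):
    """Encode one DNS label to its ASCII-compatible (punycode) form."""
    label = label.lower()
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")

def from_ace(label):
    """Decode an xn-- label back to Unicode; other labels pass through."""
    label = label.lower()
    if label.startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Heuristic: take each letter's script from the first word of its Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def review(domain):
    """Return (ace_form, findings) for a domain given in Unicode or ACE form."""
    ace_labels, findings = [], []
    for raw in domain.split("."):
        uni = from_ace(raw)
        ace_labels.append(to_ace(uni))
        found = scripts(uni)
        if len(found) > 1:
            findings.append(f"{ace_labels[-1]}: mixed scripts {sorted(found)}")
    return ".".join(ace_labels), findings

# Constructed samples: the second name starts with CYRILLIC SMALL LETTER A (U+0430),
# the third is an all-Arabic label.
SAMPLES = ["apple.example", "\u0430pple.example", "\u0645\u062b\u0627\u0644.example"]

if __name__ == "__main__":
    for name in SAMPLES:
        ace, findings = review(name)
        print(ace, findings or "ok")
```

A label written entirely in one script passes this check even when it looks identical to a name in another script, which is the part that has no technical fix.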
While ICANN dithered, groups in China and in Arabic speaking countries went ahead with experiments in IDNs for Chinese and Arabic, and set up experimental parallel root zones with names in the local character sets. These experiments worked (no surprise, Unicode and punycode are technically sound) and now those roots are the roots that everyone in those countries uses.
A friend who traveled to Arabic countries reported that ISPs simply reroute traffic for the public roots to their own root servers, and most people are none the wiser except that Arabic domain names work. He only realized what was going on when he tried to reach the Red Cross web site and kept getting the local Red Crescent instead, and tracked it down to the DNS returning different answers from what he'd expected to get from the usual DNS.
Furthermore, at least one large ISP in Europe is doing the same thing, redirecting root server traffic to their own servers. In their case the goal more likely is to deal with users with misconfigured DNS clients by catching traffic to any name server, not just the roots, but it also offers the opportunity to make additions and deletions without the knowledge or consent of either the real domains or the users.
Now that the split root genie is out of the bottle, is there any way to get it back in? Not that I can see. Let's hope that users in China and other countries with their own private roots figure out that there's more to the net than their DNS shows them.