[AfrICANN-discuss] A Report on ICANN 43: New gTLDs and DNSSEC

Anne-Rachel Inné annerachel at gmail.com
Thu Apr 5 11:56:48 SAST 2012

 A Report on ICANN 43: New gTLDs and DNSSEC

Ram Mohan, executive vice president, chief technology officer of Afilias

*April 3, 2012* (Network World) <http://www.nwfusion.com/>

The ubiquity of mobile devices, the shift to "choose it yourself" top-level
domains and the availability of internationalized domain names will
profoundly impact the relationship between your network and your network
users. In this biweekly Network World column, Ram Mohan, a non-voting ICANN
board member and "Security and Stability Advisory Committee Liaison,"
chronicles these and other developments.

The Internet's governing body, The Internet Corporation for Assigned Names
and Numbers, holds three public meetings per year to discuss how ICANN can
help make the network more secure and to encourage end-to-end
interoperability. The most recent meeting in Costa Rica in March featured
two rich information sharing sessions, one on the new generic top-level
domains <http://www.networkworld.com/news/2012/011112-icann-254796.html> (gTLDs)
program and the other on Domain
Name System Security

The new gTLD program <http://newgtlds.icann.org/en/> was a major focus for
many attendees. With ICANN ready to start delegating new gTLDs --
right-of-the-dot domain names representing brands, cities and other
keywords augmenting existing TLDs like .com and .net -- Costa Rica was the
first meeting in a while to have a
session <http://costarica43.icann.org/node/29651> devoted to addressing
the issue of universal top-level domain acceptance.

As many new gTLD registries have discovered over the last decade, even when
ICANN approves new top-level domains, they're not always immediately
accepted by every application and website. As I pointed out during the
ICANN session, as recently as 2007, it was impossible to forward a link
from The New York Times site to an email address that used one of the newer
gTLDs like .mobi or .aero.

Although The New York Times' problem has been long since resolved, it was
one that was shared by many other sites. The issue was form validation.
Some poorly thought-out scripts or hastily coded
sometimes reject user-submitted domain names where the TLD is longer
than three characters, for example, or when it does not match a hard-coded
list of TLDs that may be out of date. While developers implement these
measures with the best of intentions, the result is often a poor user

A new batch of approved TLDs that use "non-Latin" scripts is now causing
additional problems with domain validation and that may become a more
serious concern when ICANN delegates more of these Internationalized Domain
Names (IDNs) next year. One of the greatest benefits of the new gTLD
program will be the ability of users of Arabic, Chinese or Cyrillic, for
example, to navigate the Web using their native languages and local
keyboards. But if popular software and browsers do not also support these
scripts, the user experience will be degraded.

Fortunately, domain validation is not a difficult problem. The technology
already exists, is freely available and is simple to implement. The
simplest way to check whether a TLD exists is to do a live DNS query --
usually just a single line of code. For cases where this might not be
possible, ICANN has also made code available under an open
source <http://www.networkworld.com/subnets/opensource/> license at
GitHub <https://github.com/icann>, where the developer community is already
engaging in improvements. For translating IDNs, implementations of the
relevant IETF standard (IDNA 2008) are available as free, open-source
libraries from, among other sources,

However, awareness needs to be increased if Internet users are to have a
uniform, friendly online experience. The ICANN session discussed measures
such as direct outreach to major application makers, for example, as well
as the idea of a search engine optimization campaign to help ensure that
accurate advice ranks highly when programmers search Google for code
samples in a hurry.

*Adding security to the Domain Name System*

Every ICANN meeting for the last few years has held a half-day session
during which participants can share their views about and experiences
with Domain
Name System Security Extensions
the next-generation secure DNS protocol. DNSSEC, which uses cryptographic
signatures to help prevent a whole class of man-in-the-middle attacks
against websites, is still in the early-adopter stage. This makes these
sessions a gold mine of information for organizations planning their own

In Costa Rica, attendees heard from Comcast and PayPal, which are leading
the ISP and e-commerce sectors when it comes to rolling out DNSSEC in the
United States. PayPal's Bill Smith said that the company has signed
thousands of its domain names, in a carefully planned process that took
eight months but was "not as hard as we might have thought." PayPal
customers, whose ISPs also support DNSSEC, now have a reduced risk of
succumbing to phishing and fraud as a result.

One such ISP is Comcast, which has not only signed all of its domains but
has also migrated all of its millions of subscribers to DNSSEC-friendly
domain name servers. The company has found that 1.75% of the top 2,000
sites accessed by its customers are already publishing DNSSEC information.
That small but encouraging number will increase as more financial and
e-commerce companies begin to adopt the new standard.

Implementing DNSSEC is becoming easier. Companies can already sign up for
one-click service solutions and the new BIND 9.9 DNS
software <http://www.isc.org/software/bind> offers DNSSEC signing as a
"bump in the wire" but there are still
challenges persuading some parties to implement. DNSSEC is complex, and
there's little end-user demand today, due to the lack of native browser
support. Some domain registries have offered their registrars financial
incentives to sign. The Swedish .se registry, for example, offered 5%
discounts on domain name registrations when the domain was signed and saw
the number of DNSSEC-compatible .se domains increase from about 4,000 to
about 170,000 literally overnight.

ICANN is first and foremost a technical coordination body. These sessions
diving into DNSSEC adoption and the universal acceptance of TLDs are just
two recent, excellent examples of what the ICANN community was set up to do
almost 15 years ago.

Mohan is active in the ICANN community. He joined the ICANN Board of
Directors in November 2008 as a non-voting liaison from the Security and
Stability Advisory Committee. He is the author (with others) of the
Redemption Grace Period (RGP) and the IDN implementation guidelines, now
global industry standards. He led the GNSO IDN Working Group and is a
co-founder (along with the UN and the Public Interest Registry) of the
Arabic Script IDN Working Group. He is a founding member of the ICANN
Security and Stability Advisory Committee (SSAC), a Board advisory
committee comprised of Internet pioneers and technical experts including
operators of Internet root servers, registrars, and TLD registries.

Afilias is a global provider of Internet infrastructure services that
connect people to their data. Afilias' reliable, secure, scalable, and
globally available technology supports a wide range of applications
including Internet domain registry services and Managed DNS. (For more
information, visit http://www.afilias.info.)
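
The form-validation failure and the fix the column describes, as an added example (not code from the column or from ICANN's GitHub repository): a brittle pattern that caps the TLD at three ASCII letters, next to a validator that converts IDNs to ASCII and then asks whether the TLD exists. Assumptions: Python's built-in `idna` codec implements the older IDNA 2003 rules rather than IDNA 2008, and `sample_tld_exists` with `SAMPLE_TLDS` is a constructed stand-in for the live DNS query.

```python
import re

# Brittle check of the kind the column describes: ASCII only, TLD of 2-3 letters.
LEGACY_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,3}$")

# One DNS label in ASCII form: letters, digits, hyphen; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample standing in for a live DNS answer; not an authoritative list.
SAMPLE_TLDS = {"com", "net", "mobi", "aero", "xn--p1ai"}


def legacy_accepts(domain):
    """The outdated validator: rejects long TLDs and every IDN."""
    return LEGACY_RE.match(domain.lower()) is not None


def to_ascii(domain):
    """Return the lower-case ASCII (A-label) form, or None if malformed."""
    try:
        # Built-in codec: IDNA 2003 (assumption noted in the lead-in).
        name = domain.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None  # empty label, over-long label, or unencodable input
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    if not all(LABEL_RE.match(label) for label in labels):
        return None
    return name


def sample_tld_exists(tld):
    """Hypothetical offline replacement for the DNS lookup of the TLD."""
    return tld in SAMPLE_TLDS


def accepts(domain, tld_exists=sample_tld_exists):
    """Syntax check on the ASCII form, then defer TLD validity to tld_exists.

    No length rule and no hard-coded pattern for the TLD: whether it is
    delegated is answered by the callable (in production, a DNS query).
    """
    name = to_ascii(domain)
    if name is None:
        return False
    return tld_exists(name.rsplit(".", 1)[1])
```

In a deployment, `tld_exists` would be backed by a resolver lookup or a regularly refreshed TLD list, so newly delegated TLDs are accepted without a code change.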
