<div class="article clearfix">
<h1>A Report on ICANN 43: New gTLDs and DNSSEC</h1>
<div class="storyby"><a href="http://www.computerworld.com/s/article/9225794/A_Report_on_ICANN_43_New_gTLDs_and_DNSSEC?taxonomyId=18&pageNumber=2">http://www.computerworld.com/s/article/9225794/A_Report_on_ICANN_43_New_gTLDs_and_DNSSEC?taxonomyId=18&pageNumber=2</a><br>
<br>Ram Mohan, executive vice president, chief technology officer of Afilias Limited</div>
<p><b>April 3, 2012</b>
<a href="http://www.nwfusion.com/" target="_blank">(Network World)</a></p>
<p id="first_paragraph">The ubiquity of
mobile devices, the shift to "choose it yourself" top-level domains and
the availability of internationalized domain names will profoundly
impact the relationship between your network and your network users. In
this biweekly Network World column, Ram Mohan, a non-voting ICANN board
member and "Security and Stability Advisory Committee Liaison,"
chronicles these and other developments.</p>
<p>The Internet's governing body, the Internet Corporation for Assigned
Names and Numbers (ICANN), holds three public meetings per year to discuss how
ICANN can help make the network more secure and to encourage end-to-end
interoperability. The most recent meeting in Costa Rica in March
featured two rich information sharing sessions, one on the new <a href="http://www.networkworld.com/news/2012/011112-icann-254796.html">generic top-level domains</a> (gTLDs) program and the other on <a href="http://www.networkworld.com/news/2012/011812-dnssec-outlook-255033.html">Domain Name System Security Extensions</a> (DNSSEC).</p>
<p>The <a href="http://newgtlds.icann.org/en/">new gTLD program</a> was a
major focus for many attendees. With ICANN ready to start delegating
new gTLDs -- right-of-the-dot domain names representing brands, cities
and other keywords augmenting existing TLDs like .com and .net -- Costa
Rica was the first meeting in a while to have a <a href="http://costarica43.icann.org/node/29651">session</a> devoted to addressing the issue of universal top-level domain acceptance.</p>
<p>As many new gTLD registries have discovered over the last decade,
even when ICANN approves new top-level domains, they're not always
immediately accepted by every application and website. As I pointed out
during the ICANN session, as recently as 2007, it was impossible to
forward a link from The New York Times site to an email address that
used one of the newer gTLDs like .mobi or .aero.</p>
<p>Although The New York Times' problem has been long since resolved, it
was one that was shared by many other sites. The issue was form
validation. Poorly thought-out scripts or hastily coded <a href="http://www.networkworld.com/topics/applications.html">applications</a>
sometimes reject user-submitted domain names where the TLD is
longer than three characters, for example, or when it does not match a
hard-coded list of TLDs that may be out of date. While developers
implement these measures with the best of intentions, the result is
often a poor user experience.</p>
<p>A new batch of approved TLDs that use "non-Latin" scripts is now
causing additional problems with domain validation, and that may become a
more serious concern when ICANN delegates more of these
Internationalized Domain Names (IDNs) next year. One of the greatest
benefits of the new gTLD program will be the ability of users of Arabic,
Chinese or Cyrillic, for example, to navigate the Web using their
native languages and local keyboards. But if popular software and
browsers do not also support these scripts, the user experience will be
degraded.</p>
<p>Fortunately, domain validation is not a difficult problem. The
technology already exists, is freely available and is simple to
implement. The simplest way to check whether a TLD exists is to do a
live DNS query -- usually just a single line of code. For cases where
this might not be possible, ICANN has also made code available under an <a href="http://www.networkworld.com/subnets/opensource/">open source</a> license at <a href="https://github.com/icann">GitHub</a>,
where the developer community is already engaging in improvements. For
translating IDNs, implementations of the relevant IETF standard (IDNA
2008) are available as free, open-source libraries from, among other
sources, <a href="http://www.gnu.org/software/libidn/">GNU.org</a>.</p>
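<p>An added example, not code from the column or from ICANN's repository: the flawed form check described above next to a check that converts the TLD to its ASCII form, applies only DNS label syntax rules, and then asks a resolver whether the TLD exists. The function names, the <code>LEGACY_TLDS</code> list and the <code>resolver_ip</code> parameter are assumptions; Python's built-in <code>idna</code> codec implements IDNA 2003, so an IDNA 2008 library would replace it in production.</p>

```python
import secrets
import socket
import struct

LEGACY_TLDS = {"com", "net", "org", "edu", "gov"}  # constructed, stale list

def legacy_accepts(domain):
    """The flawed check: three-character cap plus a hard-coded TLD list."""
    tld = domain.rsplit(".", 1)[-1].lower()
    return len(tld) <= 3 and tld in LEGACY_TLDS

def tld_to_alabel(domain):
    """Return the TLD as an ASCII A-label, or None if it is not a valid DNS label."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1]
    try:
        # Assumption: stdlib codec (IDNA 2003) stands in for an IDNA 2008 library.
        alabel = tld.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None
    ok = (1 <= len(alabel) <= 63 and alabel[0] != "-" and alabel[-1] != "-"
          and all(c.isalnum() or c == "-" for c in alabel))
    return alabel if ok else None

def build_query(alabel, qid):
    """Wire-format DNS query for the TLD's SOA record, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = bytes([len(alabel)]) + alabel.encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def response_says_exists(response, qid):
    """True when the reply matches our query id and its RCODE is NOERROR (0)."""
    if len(response) < 12:
        return False
    rid, flags = struct.unpack("!HH", response[:4])
    return rid == qid and bool(flags & 0x8000) and (flags & 0x000F) == 0

def tld_exists(domain, resolver_ip, timeout=3.0):
    """Live check against a recursive resolver: True, False, or None if unknown."""
    alabel = tld_to_alabel(domain)
    if alabel is None:
        return False
    qid = secrets.randbelow(65536)  # unpredictable id, checked on the reply
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(alabel, qid), (resolver_ip, 53))
            return response_says_exists(s.recv(512), qid)
    except OSError:
        return None  # resolver unreachable: do not reject the user's input
```

<p>A <code>None</code> result means the lookup could not be completed; treating it as "invalid" would reintroduce the false rejections the check is meant to remove.</p>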
<p>However, awareness needs to be increased if Internet users are to
have a uniform, friendly online experience. The ICANN session discussed
measures such as direct outreach to major application makers, for
example, as well as the idea of a search engine optimization campaign to
help ensure that accurate advice ranks highly when programmers search
Google for code samples in a hurry.</p>
<p><strong>Adding security to the Domain Name System</strong></p>
<p>Every ICANN meeting for the last few years has held a half-day
session during which participants can share their views about and
experiences with <a href="http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions">Domain Name System Security Extensions (DNSSEC)</a>,
the next-generation secure DNS protocol. DNSSEC, which uses
cryptographic signatures to help prevent a whole class of
man-in-the-middle attacks against websites, is still in the
early-adopter stage. This makes these sessions a gold mine of
information for organizations planning their own implementation.</p>
<p>In Costa Rica, attendees heard from Comcast and PayPal, which are
leading the ISP and e-commerce sectors when it comes to rolling out
DNSSEC in the United States. PayPal's Bill Smith said that the company
has signed thousands of its domain names, in a carefully planned process
that took eight months but was "not as hard as we might have thought."
PayPal customers whose ISPs also support DNSSEC now have a reduced
risk of succumbing to phishing and fraud as a result.</p>
<p>One such ISP is Comcast, which has not only signed all of its domains
but has also migrated all of its millions of subscribers to
DNSSEC-friendly domain name servers. The company has found that 1.75% of
the top 2,000 sites accessed by its customers are already publishing
DNSSEC information. That small but encouraging number will increase as
more financial and e-commerce companies begin to adopt the new standard.</p>
<p>Implementing DNSSEC is becoming easier. Companies can already sign up for one-click service solutions, and the new <a href="http://www.isc.org/software/bind">BIND 9.9 DNS software</a>
offers DNSSEC signing as a "bump in the wire," but there are still
challenges persuading some parties to implement it. DNSSEC is complex, and
there's little end-user demand today, due to the lack of native browser
support. Some domain registries have offered their registrars financial
incentives to sign. The Swedish .se registry, for example, offered 5%
discounts on domain name registrations when the domain was signed and
saw the number of DNSSEC-compatible .se domains increase from about
4,000 to about 170,000 literally overnight.</p>
<p>ICANN is first and foremost a technical coordination body. These
sessions diving into DNSSEC adoption and the universal acceptance of
TLDs are just two recent, excellent examples of what the ICANN community
was set up to do almost 15 years ago.</p>
<p>Mohan is active in the ICANN community. He joined the ICANN Board of
Directors in November 2008 as a non-voting liaison from the Security and
Stability Advisory Committee. He is the author (with others) of the
Redemption Grace Period (RGP) and the IDN implementation guidelines, now
global industry standards. He led the GNSO IDN Working Group and is a
co-founder (along with the UN and the Public Interest Registry) of the
Arabic Script IDN Working Group. He is a founding member of the ICANN
Security and Stability Advisory Committee (SSAC), a Board advisory
committee comprised of Internet pioneers and technical experts including
operators of Internet root servers, registrars, and TLD registries.</p>
<p>Afilias is a global provider of Internet infrastructure services that
connect people to their data. Afilias' reliable, secure, scalable, and
globally available technology supports a wide range of applications
including Internet domain registry services and Managed DNS. (For more
information, visit <a href="http://www.afilias.info">http://www.afilias.info</a>.)</p>
</div>