Type: Client Alerts
Last week, ICANN (the organization that oversees the domain name system of the Internet) was busy with nothing less than the security and stability of the Internet. At ICANN’s recent meeting in Durban, those of us attending heard a drumbeat of studies, presentations and concerns regarding "name collisions": the conflicts that will arise when new gTLDs go live and conflict with existing top-level extensions in private networks. For years, standard practice has been to use "internal domains" in private networks (e.g., corporate, educational and governmental networks), such as .corp, .mail, .home, etc., etc. Given the small number of existing TLDs (and the fact that they were existing), it was easy for network engineers to work around the existing TLDs. Now, ICANN proposes to release almost 1,400 new TLDs (Top Level Domains – the Internet address to the right of the dot) into this existing ecosystem.
ICANN’s Shaky Mitigation Strategy
ICANN has now reacted to the studies and concerns over name collisions, and posted a "Proposal to Mitigate Name Collision Risks" The Proposal assumes that all new gTLDs can be divided in three parts, like Gaul: High Risk (just .home and .corp), Uncalculated Risk (approximately 280 gTLDs) and Low Risk (the remaining 1100 gTLDs). The flaw in this reasoning is that the division is based solely on the number of observed "empty queries" relating to each new gTLD.
However, "numerosity" – the number of potential name collisions in a given gTLD – is only half the risk analysis. The other half is "severity" – identifying and measuring the consequences of any potential name collision. This can only be done by digging deeper and looking at "use cases": are particular gTLDs likely to clash with internal domains used for phone services (including emergency phone services like 911), industrial controls, medical devices, power grids, etc.? Are particular clashes more likely to create security breaches or total network failures, as opposed to "mere" glitches? Are particular clashes more difficult to mitigate in the real world? The Interisle study, which forms the basis for the Proposal (and which ICANN posted with the Proposal), notes that "severity of consequences" needs to be taken into account, but ICANN has made the "policy decision" to rely on numerosity alone. This is like deciding whether to be concerned about potential traffic accidents based solely on the volume of traffic, without taking into account road conditions, visibility or the type of traffic using that road. If school buses and oil tankers are going around blind curves in the rain with the traffic lights out, it doesn’t matter that traffic seems light.
Voice Your Concerns Now
ICANN has given the world 21 days to comment, starting August 5 and ending August 27, with an additional 21 days for reply comments, ending September 17. This is not much time, given the technical and policy complexities of the matter and the August timeframe. The Association of National Advertisers (ANA), which has been challenging the peccadilloes and mortal sins of ICANN for a long time, has written a letter to ICANN requesting an extension of this time period to November 1, with the reply period ending November 21, to allow participants adequate time for study and analysis.
If your company or institution has a private network, you may be vulnerable to network failures or security breaches caused by name collisions when new gTLDs start becoming operational. We encourage you to consult with your network specialists to identify the internal domains used in your network, whether those domains "collide" with any of the new gTLDs, how the colliding domains are used, what would happen if traffic or security for those domains were to be compromised, and the time and costs for mitigation. We also encourage you to provide comments to ICANN if the results of your analysis raise concerns. Reed Smith’s ICANN authorities are ready to help you with every aspect of this process. Please contact Greg Shatan, Brad Newberg, Judy Harris or Clark Lackert.
Verisign Raises Additional Red Flags
Verisign has been one of the most vocal entities in pointing out serious "security, stability and resiliency" concerns with ICANN’s new gTLD program, including the name collision issue. This raised the ire of the NTIA (National Telecommunications and Information Administration), the U.S. government entity that deals with ICANN matters. NTIA wrote a letter to Verisign on August 2, finding fault with its criticisms and demanding that Verisign confirm that it will stand by its commitments as a "root zone operator" to delegate new gTLDs into the root when authorized to do so.
The timing for this letter could not have been more unfortunate for NTIA. The letter was sent on a Friday and ICANN posted its name collision proposal the following Monday, proving that Verisign was not "Chicken Little" and that even ICANN recognized that Verisign’s concerns were well-founded.
Verisign has now responded with a dense six-page letter of its own, telling the NTIA that it is important to distinguish between the "ability" to deploy new gTLDs and the "advisability" of doing so, given current concerns. Verisign states that a "deliberate and measured deployment" of new gTLDs is necessary. Verisign takes pains to point out that it is also contractually obligated "to serve the public interest in the security and stability of the Internet domain name system." Verisign strongly implies that NTIA was asking it to sacrifice this obligation in favor of its obligation to deploy new gTLDs when told to do so. Verisign also provides NTIA with an additional study by Verisign on name collision data points that Interisle was not able to cover, entitled "New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis." While ICANN did not post the study on its correspondence page, Verisign has posted this study. I have not yet read the entire 27-page, single-spaced, double-column study, but it begins, "Interesting times await those who rely on something, and at once cannot imagine it failing." This seems like a variation on the old (and possibly apocryphal) Chinese curse, "May you live in interesting times."
We certainly do.
Client Alert 2013-222