Wednesday, September 30, 2009

ICANN’s New US Contract And New Top Level Domains - It’s Not Over

"With a day to go before the joint project agreement between the Internet Corporation for Assigned Names and Numbers (ICANN) and the United States Department of Commerce (DoC) is set to expire, calls for continuous US oversight role have been reiterated by US politicians and private-sector representatives who reason that this oversight is especially needed in the face of the planned introduction of new internet top-level domains like .shop.

ICANN is a “captured regulator,” the Coalition Against Domain Name Abuse (CADNA) warned last Wednesday and asked for additional oversight by the Department of Homeland Security (DHS), as ICANN is “risking cybersecurity, national security and global security.” Yet The Economist magazine ran an opinionated story only a day later asserting that ICANN would be “independent,” under the new contract conceding that the core infrastructure managed by ICANN - the domain-name system (DNS) root zone - will still be controlled by US authorities.
So it’s not over, neither the disputes about new top-level domains (TLDs) nor those about further internationalising internet domain name system oversight.

ICANN was founded in 1998 to organise private-sector, bottom-up and multi-stakeholder management for the coordination of the DNS and also IP addresses and so-called protocol parameters. It has since been at the centre of a heated debate about the roles of the US, but also global governments, industry and civil society groups in internet governance.
Broadsides at ICANN

While it had been quiet about the deadline of its joint project agreement (JPA) over the last month, last week ICANN saw some broadsides fired at its TLD expansion plans and its work record in general that would have been suitable for lobbying by US companies and trademark owners seeking to preserve US control. ICANN is “not independent,” “not transparent” nor “accessible,” is only after its own profits and is risking the stability and security of the internet it is tasked to protect, wrote CADNA, which lists companies like Verizon, HP, Dell, but also non-telecommunications, non-information technology members like Goldman Sachs or Wells Fargo, Nike or Hilton Hotels. CADNA called for a “full-scale audit of ICANN.”

The group requested that a special federal commission take up to twelve months “to fully audit ICANN and develop recommendations for a revised and updated JPA.” The introduction of new TLDs also came under fire from CADNA who dismissed the roll-out as “poorly conceived.”
Steve DelBianco, chairman of the Net Choice Coalition, representing companies like VeriSign and eBay, complained at a 23 September hearing of the House Judiciary Subcommittee on Courts and Competition Policy that ICANN had “got sidetracked” in the process of introducing new TLDs.

“ICANN should refocus on international labels [domains],” DelBianco said. Countries like China have long asked for internationalised, non-Latin domain names at the highest level. By opening up the TLD expansion to every new Latin-script string and complicating and slowing the process instead ICANN has risked the “splintering of the single root system,” he said, because “China has got tired of label makers and made a mini-ICANN of their own sitting on top of ours.” DelBianco neglected to mention that his parallel proposal to allocate the Chinese versions of .com, .net to the registries managing the English versions like VeriSign likely would not amuse the respective countries.

DelBianco, joined by Richard Heath, president of the International Trademark Association, argued that new generic TLDs in English would not bring innovation. Heath said it would instead “decrease competition if we (the trademark owners) have to fund a lot more defensive registration” and this would also divert resources from innovation and from investment in corporate social sponsorship projects.

Congressional Members: New TLDs Require Oversight of ICANN
Several members of Congress seemed to agree with the two trademark rights representatives. Chairman Hank Johnson (Democrat, Georgia) for example said: “I do not understand [why] they want an unlimited expansion of the name space.” Johnson acknowledged non-Latin TLDs and initiatives like .nyc and .eco have merit. Given the planned expansion, US oversight over ICANN’s process continued to be necessary to provide stability and security for domain name owners, he said.

Republican Congressman Howard Coble (North Carolina) warned that ICANN by proceeding with the expansion of the name space had “not for the first time ignored what one might think is a mandatory instruction.” Governments in ICANN’s own Governmental Advisory Committee (GAC) had raised concerns about the new TLD process, and the DoC had asked for economic proof of the necessity of new TLDs, he said.

A week earlier a study from Interisle commissioned by ICANN also had recommended first introducing a new security feature to the DNS, the DNS Security Extensions protocol (DNSSEC), before moving on with the introduction of new TLDs, said Coble. The study on “Scaling the Root” in fact concluded ICANN could for stability reasons either introduce new gTLDs, new international (IDN) TLDs and next generation internet (IPv6) or DNSSEC. It recommended starting with the latter, which will authorise answers to name requests in the DNS and therefore make forgery more difficult. The DoC already has announced that DNSSEC should be introduced by the end of this year. To amalgamate the complicated technology into the DNS system, root operators and the community should be given 12 to 15 months before another addition to the system is started, the study found.

ICANN: No Link between JPA and new TLDs

ICANN officials rejected the link between the dispute over TLDs and the JPA contract discussions. ICANN’s new CEO, Rod Beckstrom, in a letter dated 22 September wrote to several congressmen who had asked for legislation to make US oversight permanent, that consultations on the IP issues were still underway. “There is no link to the conclusion of the JPA,” he said.

ICANN Chief Operating Officer Doug Brent at the hearing outlined the process on the future application procedure for new TLDs as an ongoing discussion: a third version of the extensive applicant’s guidebook would come out beginning of October, Brent said. Several protective measures that were proposed by the “Implementation Recommendation Group“ (IRT) were called upon by ICANN’s board chairman. The IRT work was seen by other ICANN stakeholder groups including registries, registrars, and non-commercial domain name holders as yet another round for the IP community of undermining and bypassing the multi-stakeholder process that had worked for months for a consensus.

“We will not allow an expansion that will not adequately protect trademark owners,” reiterated Brent, and “it will not be an unbridled expansion.” Delaying the process begun as part of ICANN’s overall mandate to bring competition to the originally monopolistic domain name system according to Beckstrom and Brent would only serve “to perpetuate existing market conditions: concentration within some existing registries, with most short generic strings unavailable and those that trade on the value of the current marketplace, holding portfolios based upon the value of current .com.”

Support for ICANN’s process to now finally push through with new generic TLDs and non-English TLDs came from a coalition of domain name registries like Core, registrars like ENOM, declared applicants for new TLDs including the competitors for the .eco TLD of which one is supported by former Vice President Al Gore and a Commissioner of the Canadian Regulatory Authority (CRTC). In their letter to the ICANN Board, the pro-TLD coalition urged ICANN to initiate the new TLD application period without further delay as it would bring more competition and consumer choice and avoid chaos stemming from an alternative addressing scheme that would pop up if ICANN gave in to what they see as fearmongering and “narrow arguments advanced so vociferously by those who seek to preserve their advantages.”
End of the JPA, No End to US Control

So what will happen with a new agreement in place this week? ICANN officials so far have not responded to requests for detailed information. Beckstrom in his letter to the congressmen dated 21 September wrote: “I am in discussions with the NTIA (DoC National Telecommunications and Information Administration) to establish a long-standing relationship to accommodate principles including the beliefs that ICANN should remain a nonprofit corporation based in the United States, and should retain an ongoing focus on accountability and transparency.” ICANN should be made a permanent institution, said Beckstrom, adding, “Accordingly, ICANN seeks to have a long-term relationship with the United States government and also seeks to build long-term relationships with other countries and contractual partners as well.”

By the end of last week The Economist came out with leaked information about an “independent” ICANN, quoting a four-page paper about “affirmations and commitments” that envisaged four oversight panels over ICANN, checking on “competition among generic domains (such as .com and .net), the handling of data on registrants, the security of the network and transparency, accountability and the public interest.” The US would only retain a permanent seat in the latter one, and representatives of “foreign governments” would be included in the oversight panels. The agreement sets up oversight panels that include representatives of foreign governments to “conduct regular reviews of ICANN’s work in four areas.”

The potential new oversight model would partly answer long-standing requests for internationalisation, not the least from non-US governments, according to Wolfgang Kleinwächter, an internet governance expert and head of ICANN’s Nominating Committee. The member states of Europe have passed another version of their “Guidelines on International Management of the Domain Name System” demanding further development of the private-sector-led bottom-up multi-stakeholder model for the technical coordination and the day-to-day management of the DNS, continued efforts towards full transparency and accountability and, notably, a “strengthened” GAC “that has increased active membership (in particular from developing countries), greater involvement in ICANN’s policy development processes [..] and effective secretariat support.”

GAC members might be the ones who could fill the oversight panels, one can speculate, and this might have come up during talks the NTIA held with the EU Troika (Sweden, Spain and the European Commission) at a meeting on the first of September, one of several meetings NTIA had with governments around the world in the run-up to the JPA deadline.

The EU guidelines also state a need to stipulate and support “dialogue and cooperation on public policy issues pertaining to the internet” in general, a possible hint of the need for continued discussions at the upcoming UN-led Internet Governance Forum in Egypt. The guidelines do not touch on the new TLD process, yet recommend “the establishment of an arbitration and dispute resolution mechanism based on international law in case of disputes.” The burden to go to a California court to appeal against a California-based ICANN decision has been mentioned at many new TLD events in Europe recently.

In the end, a change in the JPA might bring some changes and pacify some concerns over an overly US-centric ICANN. “From what I read, it looks like a smart move,” said Kleinwächter. What it will not bring is “independence” as ICANN will continue to be a government contractor for what is the core “critical resource” - the root zone and internet protocol address allocation management which are delegated via a separation contract, the Internet Assigned Numbers Authority (IANA) contract. US authorities have always declared that they will hold on to that one.

So after the JPA, it’s not over and discussions about the new TLDs can be expected to continue, too, for a long time.
Monika Ermert may be reached at"

Source: ICANN’s New US Contract And New Top Level Domains - It’s Not Over, Monika Ermert, Retrieved on September 30, 2009 from

Friday, September 25, 2009

Nominum shoots for the cloud

The firm is using the cloud model to accelerate take-up of its Intelligent DNS systems, which feature enhanced security capabilities compared to legacy DNS systems, such as preventing users from being directed to unwanted, illegal or malicious content.

“We believe intelligent DNS needs to be ubiquitous to reach all parts of the internet, especially those enterprises and mid-tier ISPs for whom a full software solution may have until now been out of reach in terms of budget and expertise,” said Skye’s general manager, Jon Shalowitz.

“This is like adding fluoride to the water security safeguards built into the network because the threats are getting worse and legacy DNS systems don’t have the intelligence built in to understand what’s bad and what’s good.”

Skye will be offered in four separate but complementary services. The most basic is Skye Secure, an authoritative service with full DNSSEC support for enterprises and ISPs who want to protect their online apps and sites from threats.

Skye Core is intended for the same customers who want to shore up their internal DNS and cache servers, and this can be extended with Skye Trust, a real-time threat management service which could act in lieu of third-party web filtering technology, said Shalowitz.

Skye Search, finally, is a turnkey search destination solution for ISPs, providing their customers with navigation assistance and search recommendations for a wide range of user-based DNS errors.

Source: Nominum shoots for the cloud, Loulith Galenzoga, Zikkir Information Technology News, Retrieved on 23 September 2009 from

Tuesday, September 22, 2009

DNSSEC: Bolstering Internet Security - .ORG

Alexa Raad, CEO of .ORG, The Public Interest Registry and Ram Mohan, CTO and EVP of Afilias provide a brief video statement on the need for Domain Name System Security Extensions (DNSSEC) in the community and their dedication to widespread adoption and deployment within the Domain Name industry.

Nominum introduces cloud-based version of Intelligent DNS with SKYE

Nominum has taken the next step with its intelligent DNS format and offered a cloud based version of it.

Named SKYE, the service will offer ‘pay to use’ cloud-based infrastructure services to a broader range of ISPs. It will allow large and small enterprises to provide their end-users with increasing protection and improving relevance when navigating the internet.

The intelligent DNS is currently used by 170 million households and 100 service providers globally. The company claimed that by extending access to its carrier grade DNS software through a service-based model, internet navigation, safety and security will be vastly and swiftly improved for all broadband users.

SKYE vice president and general manager Jon Shalowitz claimed that the idea was to take the intelligent DNS and make it available through the cloud. Shalowitz said: “This is a hosted model, the goal is to allow some level of security and policy based control and allow it to be accessible to all networks. This is very attractive to business models that want to leverage the best software but control cost.

“It carries a wealth of information, not only the DNS input from a technology standpoint but it will tell you when things go wrong.” He also claimed that this will present a solution to people who use freeware ‘or something in Microsoft’. He said: “We are seeing a groundswell of integration from ISPs but they need to know how to bring intelligent DNS to the rest of the internet. SKYE is about taking the intelligent DNS to 100 per cent of users.”

SKYE has been established as a separate business unit from Nominum's existing software business, with considerable investment made to establish a global data centre presence and recruit staff to grow and market the business and manage service delivery.

It comprises four service offerings providing an end-to-end DNS solution: SKYE Core is a caching DNS service for Tier 2 & 3 ISPs and enterprises; SKYE Secure is an authoritative (external) DNS service supporting DNSSEC aimed at both ISPs and enterprises; SKYE Search is a turnkey search destination solution for ISPs to help redirect users responsibly to the right website; while SKYE Trust is a threat management service for ISPs which blocks malicious activity on the internet such as malware, botnets, spam and abhorrent content in real-time.
Shalowitz said: “DNSSEC creates a secure layer that is almost an SSL connection, this will ensure that there is no man-in-the-middle attack and confirms who you are. SKYE supports it and it is DNSSEC ready.”

Friday, September 18, 2009

Iran testing DNSSEC domain security

From the 'No UN Inspectors Required' files:

The Islamic Republic of Iran is now testing out DNSSEC (DNS Security) for its dot ir (.ir) country code domain.

That's right, Iran is now improving the security of its domain. Politics of what is going on in Iran (elections, nuclear aspirations) aside, the move towards DNSSEC is a good thing. According to Iran's nic @ir domain registration authority, a DNSSEC testbed began operations on Aug 30, 2009 and will continue until Feb 26, 2010.

Iran will be joining .se, .org and .edu (among others) as DNSSEC secured domain space. This means that at some point in 2010, the authenticity and security of domain holders in Iran will be better than it is today.

No one should really be surprised by this move, as the move to DNSSEC is at this point a global movement that is now really starting to pick up momentum. In the summer of 2008, the Internet was rocked by the revelation that the Domain Name System (DNS), one of the core infrastructures of the Internet, was vulnerable to attack. The ultimate solution to the DNS vulnerability according to many security experts is DNSSEC (DNS Security Extensions). While the total number of actual domains secured by DNSSEC today is relatively small by my count, it's a number that I expect to grow exponentially in 2010.

Tuesday, September 15, 2009

BIND 9.7.0a3 is now available
This is a technology preview of new functionality to be
included in BIND 9.7.0. Not all new functionality is in
place. APIs and configuration syntax are not yet frozen.

BIND 9.7 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration
and operation.

New features include:

- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
- New named option "attach-cache" that allows multiple views to
share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
(see README.rfc5011 for additional details).
- Smart signing: simplified tools for zone signing and key
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
(see README.libdns for details).
- On some platforms, named and other binaries can now print out
a stack backtrace on an assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support (see
README.pkcs11 for additional details).
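The following named.conf fragment is an added example, not part of the ISC announcement above, showing how several of the listed features fit together in one configuration: the "auto" form of DLV, a managed-keys entry for RFC 5011 trust anchor maintenance, the "local" update-policy, and attach-cache for two views. The zone name, file names, client range, cache name and the DNSKEY material are placeholders chosen for illustration.

```conf
// Added example, not from the BIND 9.7.0a3 announcement. It exercises the
// simplified DNSSEC-related options the release notes list; zone names,
// file names, addresses and the trust-anchor key data are placeholders.

options {
    directory "/var/named";              // assumed working directory
    dnssec-enable yes;
    dnssec-validation yes;
    // Simplified DLV: "auto" uses the dlv.isc.org trust anchor built into
    // named instead of a hand-copied trusted-keys entry.
    dnssec-lookaside auto;
};

// RFC 5011: named tracks key rollovers for this anchor on its own.
// The key material below is a PLACEHOLDER, not a real DNSKEY.
managed-keys {
    "example." initial-key 257 3 8 "PLACEHOLDER-BASE64-DNSKEY";
};

// "attach-cache": views naming the same cache share one cache instead
// of each maintaining its own.
view "internal" {
    match-clients { 10.0.0.0/8; };       // constructed client range
    attach-cache "shared-cache";
    recursion yes;

    zone "example.com" {
        type master;
        file "example.com.db";
        // "local" update policy: accept dynamic updates from localhost
        // signed with the session key named generates at startup,
        // in place of a hand-written allow-update/update-policy block.
        update-policy local;
    };
};

view "external" {
    match-clients { any; };
    attach-cache "shared-cache";
    recursion no;
};
```

With update-policy local in place, updates are submitted from the same host with nsupdate -l, which reads the session key named wrote at startup; before 9.7 the equivalent setup needed an explicit key statement plus a matching update-policy grant, and DLV needed the dlv.isc.org key pasted into a trusted-keys block. The managed-keys name and key are placeholders because, at the time of this release, the root zone was not yet signed.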

Additional features planned but not included in this alpha release:

- Fully automatic signing of zones by "named"
- Additional PKCS#11 support, including multiple OpenSSL engines

BIND 9.7.0a3 can be downloaded from:

Friday, September 11, 2009

.edu getting secured with DNSSEC

DNSSEC is the smart, educated way to secure DNS right?

Ever since security researcher Dan Kaminsky's big DNS security disclosure in 2008, the need for DNSSEC, which provides integrity protection for DNS information, has been obvious. Yet relatively few top level domains (TLDs) have actually signed their zones for DNSSEC.

The .edu (for education) TLD, operated by Educause, is now set to join the ranks of DNSSEC secured TLDs by March of 2010. A testbed is set to be in place this month to begin the preliminary work. Educause manages the .edu TLD under an agreement with the U.S. Department of Commerce.

"The Internet plays a vital role in higher education by facilitating online learning, collaboration, and research," said Lawrence E. Strickling, Assistant Secretary for Communications and Information at the Department of Commerce in a statement. "We are pleased that DNSSEC will be implemented in the .edu domain, which complements work already underway to better secure the Domain Name System overall."

This is clearly good news and further adds to the momentum that DNSSEC is now enjoying.

From my vantage point, I see 2010 as the year of DNSSEC with the beginning of wide adoption. I still think it will take a year (or more) until the whole Internet is secured (if ever) but there is light at the end of the tunnel.