A Report on ICANN 43: New gTLDs and DNSSEC

The ubiquity of mobile devices, the shift to "choose it yourself" top-level domains and the availability of internationalized domain names will profoundly impact the relationship between your network and your network users. In this biweekly column, Ram Mohan, a non-voting ICANN board member and "Security and Stability Advisory Committee Liaison," chronicles these and other developments in this biweekly Network World column.

The Internet's governing body, The Internet Corporation for Assigned Names and Numbers, holds three public meetings per year to discuss how ICANN can help make the network more secure and to encourage end-to-end interoperability. The most recent meeting in Costa Rica in March featured two rich information sharing sessions, one on the new generic top-level domains (gTLDs) program and the other on Domain Name System Security Extensions (DNSSEC).

The new gTLD program was a major focus for many attendees. With ICANN ready to start delegating new gTLDs -- right-of-the-dot domain names representing brands, cities and other keywords augmenting existing TLDs like .com and .net -- Costa Rica was the first meeting in a while to have a session devoted to addressing the issue of universal top-level domain acceptance.

IN DEPTH: How to profit from new domain name rules

As many new gTLD registries have discovered over the last decade, even when ICANN approves new top-level domains, they're not always immediately accepted by every application and website. As I pointed out during the ICANN session, as recently as 2007, it was impossible to forward a link from The New York Times site to an email address that used one of the newer gTLDs like .mobi or .aero.

Although The New York Times' problem has been long since resolved, it was one that was shared by many other sites. The issue was form validation. Some poorly thought-out scripts or hastily coded applications will sometimes reject user-submitted domain names where the TLD is larger than three characters, for example, or when it does not match a hard-coded list of TLDs that may be out of date. While developers implement these measures with the best of intentions, the result is often a poor user experience.

A new batch of approved TLDs that use "non-Latin" scripts is now causing additional problems with domain validation and that may become a more serious concern when ICANN delegates more of these Internationalized Domain Names (IDNs) next year. One of the greatest benefits of the new gTLD program will be the ability of users of Arabic, Chinese or Cyrillic, for example, to navigate the Web using their native languages and local keyboards. But if popular software and browsers do not also support these scripts, the user experience will be degraded.

Fortunately, domain validation is not a difficult problem. The technology already exists, is freely available and is simple to implement. The simplest way to check whether a TLD exists is to do a live DNS query -- usually just a single line of code. For cases where this might not be possible, ICANN has also made code available under an open source license at GitHub, where the developer community is already engaging in improvements. For translating IDNs, implementations of the relevant IETF standard (IDNA 2008) are available as free, open-source libraries from, among other sources, GNU.org.

However, awareness needs to be increased if Internet users are to have a uniform, friendly online experience. The ICANN session discussed measures such as direct outreach to major application makers, for example, as well as the idea of a search engine optimization campaign to help ensure that accurate advice ranks highly when programmers search Google for code samples in a hurry.

Adding security to the Domain Name System

Every ICANN meeting for the last few years has held a half-day session during which participants can share their views about and experiences with Domain Name System Security Extensions (DNSSEC), the next-generation secure DNS protocol. DNSSEC, which uses cryptographic signatures to help prevent a whole class of man-in-the-middle attacks against websites, is still in the early-adopter stage. This makes these sessions a gold mine of information for organizations planning their own implementation.

In Costa Rica, attendees heard from Comcast and PayPal, which are leading the ISP and e-commerce sectors when it comes to rolling out DNSSEC in the United States. PayPal's Bill Smith said that the company has signed thousands of its domain names, in a carefully planned process that took eight months but was "not as hard as we might have thought." PayPal customers, whose ISPs also support DNSSEC, now have a reduced risk of succumbing to phishing and fraud as a result.

One such ISP is Comcast, which has not only signed all of its domains but has also migrated all of its millions of subscribers to DNSSEC-friendly domain name servers. The company has found that 1.75% of the top 2,000 sites accessed by its customers are already publishing DNSSEC information. That small but encouraging number will increase as more financial and e-commerce companies begin to adopt the new standard.

Implementing DNSSEC is becoming easier. Companies can already sign up for one-click service solutions and the new BIND 9.9 DNS software offers DNSSEC signing as a "bump in the wire" but there are still challenges persuading some parties to implement. DNSSEC is complex, and there's little end-user demand today, due to the lack of native browser support. Some domain registries have offered their registrars financial incentives to sign. The Swedish .se registry, for example, offered 5% discounts on domain name registrations when the domain was signed and saw the number of DNSSEC-compatible .se domains increase from about 4,000 to about 170,000 literally overnight.

ICANN is first and foremost a technical coordination body. These sessions diving into DNSSEC adoption and the universal acceptance of TLDs are just two recent, excellent examples of what the ICANN community was set up to do almost 15 years ago.

Mohan is active in the ICANN community. He joined the ICANN Board of Directors in November 2008 as a non-voting liaison from the Security and Stability Advisory Committee. He is the author (with others) of the Redemption Grace Period (RGP) and the IDN implementation guidelines, now global industry standards. He led the GNSO IDN Working Group, is a co-founder (along with the UN and the Public Interest Registry) of the Arabic Script IDN Working Group. He is a founding member of the ICANN Security and Stability Advisory Committee (SSAC), a Board advisory committee comprised of Internet pioneers and technical experts including operators of Internet root servers, registrars, and TLD registries.

Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias' reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services and Managed DNS. (For more information, visit http://www.afilias.info.)

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies