Commerce chief faces 5 Internet emergencies

DNS security, ICANN relationship top Obama nominee Locke’s Internet policy agenda

If former Washington State Gov. Gary Locke (D) is confirmed as the new U.S. Commerce Secretary, he'll face several Internet policy issues that require immediate attention and decisive action in 2009.

Locke's advocates say he's up to the task. The Business Software Alliance on Wednesday hailed Locke as having knowledge and experience in the most important issues facing U.S. high-tech companies.

"Governor Locke showed a strong understanding of information technology's role in our economy and society," BSA says. "Locke also has a strong record in advancing free and fair trade, with an especially strong knowledge of China and other emerging economies."

One challenge for Locke is appointing a forward-thinking, tech-savvy leader for the National Telecommunications and Information Administration (NTIA), which is the arm of Commerce that handles most Internet infrastructure-related issues.

NTIA oversees issues related to the Domain Name System, which matches domain names with corresponding IP addresses. NTIA also has contractual relationships with the Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit organization that coordinates DNS-related issues, and VeriSign, which operates DNS root servers and the popular .com and .net domains.

"The most important thing for transition is for the new leadership to get a handle of the core functions of NTIA, which include authorizing changes to the DNS authoritative root and overseeing the entire NTIA, ICANN, VeriSign triangle," says John Kneuer, a former NTIA administrator for President George W. Bush who operates a public policy advisory group in Washington D.C.

"Responsibility for the DNS along with spectrum management for critical government functions are the most important things that NTIA does," Kneuer said.

Kneuer says a key challenge for the new Commerce Secretary and NTIA director will be to stay focused on Internet infrastructure issues despite the push to spend $7.2 billion in broadband infrastructure grants included in the Obama Administration's economic stimulus package.

Internet issues "are going to be competing with the more high-profile things that NTIA is being called upon to do. The broadband infrastructure grants and DTV will demand a lot of attention from grant applicants and members of Congress," Kneuer says. "These are all very important, but they aren't as important as making sure the core Internet infrastructure works."

Kneuer says the new Commerce leadership team needs to understand the consensus-based process that NTIA and ICANN use to operate the DNS.

NTIA must "continue the role that the U.S. government has played as a back-stop for ICANN to make sure that ICANN is transparent, fully functional and responsive to all constituent voices," Kneuer says. "It's going to be important for NTIA to keep an appropriate focus on these core functions when there are going to be a lot of competing issues."

Here are five issues related to Internet infrastructure that Locke will need to address as soon as he takes office:

1. Signing the DNS Root Zone

The Internet engineering community is waiting for the U.S. Commerce Department to approve deployment of DNS Security Extensions (DNSSEC) on the root zone.

DNSSEC prevents hackers from hijacking Web traffic and redirecting it to bogus sites. The Internet standard prevents so-called cache poisoning attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption. DNSSEC is viewed as the best way to bolster the DNS against vulnerabilities such as the Kaminsky bug discovered last summer.

Only Commerce has authority to deploy DNSSEC across the 13 server clusters that carry the DNS root zone data, which is at the pinnacle of the DNS hierarchy. These server clusters resolve requests from the top-level domains, which in turn handle DNS queries for names registered in those domains.

In order for DNSSEC to be most effective, the standard needs to be deployed from the top to the bottom of the DNS heirarchy – at the root zone, at top-level domains and at individual Web sites.

Last October, the Commerce Department issued a request for comments about deploying DNSSEC on the root zone. Respondents overwhelmingly urged the Commerce Department to sign the root zone as soon as possible. Nothing has happened since then.

That's why DNSSEC developers have come up with a scheme called a Trusted Anchor Repository that can be used to bypass the Commerce Department and move ahead with DNSSEC deployment without the root zone being signed. However, proponents of these repositories would prefer that Commerce mandate that the DNS root zone be signed.

"Signing the root has two benefits," says Internet pioneer Steve Crocker, who is currently CEO of Shinkuro. "From a technical perspective, it means that layer is signed…But from a political perspective, as soon as the root is signed that sends a very powerful signal that [DNSSEC] is for real, and everyone should do it."

Crocker says he believes Commerce will take action to sign the DNS root zone data.

"The handwriting is on the wall: the root will be signed, but when and how I don't think anybody knows," Crocker said. "How fast do they need to go? It's a question of how soon do you need to shut the barn door."

Experts say there is no technical reason preventing Commerce from mandating DNSSEC deployment across the 13 root zone server clusters in 2009.

"The root zone has 300 TLDs in it," Crocker explained, adding that deploying DNSSEC on the .com domain is a more difficult issue because it has 70 million domain names.

VeriSign, which operates the .com domain, has promised to deploy DNSSEC within 24 months. 

Getting the root signed "is a very important issue, and it's an obvious next step," says Ram Mohan, CTO of Afilias, which operates the .info domain. "The other clear thing that needs to be done is an end-to-end test. Given that a significant top-level domain such as .org will soon be signed and then the root is signed, we need to look at DNSSEC from end-to-end."

2. ICANN Relationship

ICANN oversees the Internet's DNS through a memorandum of understanding (MOU) with the Commerce Department. ICANN's current MOU – also known as the Joint Project Agreement (JPA) -- expires in September.

At issue is whether ICANN should be free of Commerce Department oversight after the agreement expires, or whether another agreement should be put in place by the U.S. government to ensure stable operation of the DNS.

ICANN wants to be independent, arguing that it is accountable and transparent enough to operate on its own through its collaborative processes that involve the global Internet community.

Many Internet engineers agree that it's time for ICANN to be independent of U.S. government control.

"I would like to see ICANN go it alone," says Paul Hoffman, director of the VPN Consortium and an active participant in the DNSSEC community. "There's no question they can…The best way is for Commerce to let it go. Then [the Obama Administration] will look modern and new."

Some conservative think tanks and technology industry executives favor continued Commerce Department oversight of ICANN. The Center for Democracy and Technology and TechNet have argued for an extended agreement between ICANN and the U.S. Commerce Department.

ICANN says that even if the JPA expires, it will continue to have oversight from the Commerce Department because it has a separate contract with the agency to operate the Internet Assigned Numbers Authority (IANA).

"The IANA contract, which is more specific than the JPA, gives ICANN control over root server management until 2011," says Kim Davies, manager of root zone services for ICANN. "The U.S. government is going to be monitoring root zone management for some time."

The new Commerce Secretary and NTIA director will need to move quickly to address the agency's relationship with ICANN, which hosts a constituent and board meeting next week in Mexico City.

"At Afilias, we don't have an opinion about whether there needs to be another agreement," Mohan said. "We think all the parties need to make sure Internet stability isn't affected."

Kneuer says ICANN must demonstrate to the Commerce Department that it has the endorsement of the global Internet community and that it has " the core competency and contingency plans and systems in place to perform this critical function."

3. New Top-Level Domains

One issue that will dominate ICANN's meeting next week is the organization's plan to introduce hundreds of new generic top-level domains in the DNS. ICANN's plan has been widely criticized for costing too much and creating too much chaos on the Internet infrastructure.

ICANN says the new domain name extensions will spur innovation and competition in the domain name industry and provide more choice for consumers. The new domains would be anywhere from three to 63 characters in length and could support Chinese, Arabic and other scripts.

As of December, the Internet had 177 million registered domain names across 200-plus top-level domains, including country codes and generic extensions such as .com and .net, VeriSign said. ICANN's new gTLD plan could increase the number of domains by a factor of five.

ICANN held an open comment period last fall for corporations, government and individuals to comment on its plan to add anywhere from 200 to 800 new domain name extensions to the Internet. Comments were due Dec. 15.

Most corporations urged ICANN to postpone or cancel the new gTLD program because it will be too costly for them to protect their trademarks across so many new extensions. They also worry that so many new domains will lead to a rise in counterfeiting, phishing and other online scams.

Another big concern is cost. ICANN has proposed charging $185,000 for a new gTLD and $75,000 a year to retain it. That will make it too expensive for companies to buy all of the extensions for their trademarks – i.e. .microsoft or .ibm – and it's also too expensive for governments that might want to buy .paris or .nyc.

The Commerce Department sent a letter to ICANN in December stating that ICANN needs to conduct an economic study of the TLD market prior to the introduction of new gTLDs. The agency also said ICANN should review the impact of new gTLDs on the security and stability of the Internet and justify its fee structure.

In response to these criticisms, ICANN in February issued another draft of its new gTLD plan. In this draft, ICANN proposes reducing the annual cost for new gTLDs to $25,000 plus .25 per transaction per year for domains with more than 50,000 registered names.

ICANN says it will solicit more input from the Internet community over the next 60 days on the issues of how new gTLDs will affect stability and security of the Internet, how to protect trademarks and whether there is market demand for new domain extensions.

ICANN also has set up a special study group to look at the impact of many simultaneous changes to DNS root zone operations, including new gTLDs and DNSSEC.

"I'm part of a small group that is helping pull experts together to provide technically oriented advice…about what might exist at the root with all of these things being added contemporaneously," Mohan said.

VeriSign backs the idea of new gTLDs.

"We believe these new domain names will benefit customers," says Jill McNabb, vice president of naming services at VeriSign. "We think they will spur competition and grow the market overall. But it is critical that the new domains are introduced in a manner that protects the security and stability of the Internet. The DNS has been very reliable and very scalable given the amount of traffic going over the DNS."

McNabb admits that ICANN's processes and timeframe for introducing more gTLDs are not final.

"We think it's critical that there be continuing and ubiquitous experience for domain names even though there are some technical issues that are still being worked out," she said.

Kneuer questions ICANN's plan to introduce hundreds of new gTLDs and the process it used to analyze the impact of the plan.

"They are now undergoing the sorts of analysis on the impacts for security and stability on the core routers. They are asking some of the questions that one would have thought would have been asked and answered by this point in the process," Kneuer says. He adds that ICANN's gTLD plan "does not stand out as a sterling example" of ICANN being a competent, functional organization ready to be independent of U.S. government control.

4. Promoting IPv6

An issue that ICANN, the Commerce Department and the entire U.S. government will face in 2009 is the ongoing transition to IPv6, an upgrade to the Internet's main communications protocol.

IPv6 provides virtually unlimited address space, built-in security and simplified network management. Created by the Internet Engineering Task Force in 1998, IPv6 replaces IPv4, which supports 4.3 billion individually addressed devices on the network.

IPv4 address space is running out, and experts agree that the 27-year-old protocol will not support all the Internet-connected devices used by the world's 6.5 billion people in the future. IPv6 provides so many IP addresses — 2 to the 128th power — that it is expected to enable secure, mobile and embedded applications that are inconceivable today.successfully met a requirement to upgrade all backbone networks to be capable of supporting IPv6 traffic.

Federal agencies last June

1 2 Page
Join the discussion
Be the first to comment on this article. Our Commenting Policies