Part 1 of 5: Introduction: New gTLD Security and Stability Considerations

By Security

Verisign recently published a technical report on new generic top-level domain (gTLD) security and stability considerations. The initial objective of the report was to assess for Verisign’s senior management our own operational preparedness for new gTLDs, as both a Registry Service Provider for approximately 200 strings, as well as a direct applicant for 14 new gTLDs (including 12 internationalized domain name (IDN) transliterations of .com and .net). The goal was to help ensure our teams, infrastructure and processes are prepared for the pilot and general pre-delegation testing (PDT) exercises, various bits of which are underway, and the subsequent production delegations and launch of new gTLDs shortly thereafter.

However, in cataloging internal and external risks related to the new gTLD program, we found several far-reaching and long-standing issues that need to be further explored and/or resolved with varying levels of urgency. We felt it necessary to shine a more public light on these issues in order to raise awareness of the effects that could be felt throughout the internet if proper caution is not exercised in the implementation of new gTLDs.

A Little Background

In addition to being a direct applicant stakeholder and Registry Service Provider in the new gTLD program, Verisign has long been deeply engaged in various aspects of the Domain Name System (DNS) and broader internet infrastructure ecosystem.  For example, Verisign:

  • Operates two of the internet’s 13 root name servers (letters A & J),
  • Runs the TLD registry services for .com, .net, .gov, and several other TLDs (accounting for more than120 million registered domain names),
  • Works with ICANN and the U.S. Department of Commerce’s NTIA to perform the root zone management function itself,
  • Has provided more than 15 years of uninterrupted network availability for .com and .net,
  • Is a public company and maintains hundreds of controls across 8 regulatory compliance frameworks that are periodically audited or continuously monitored by third parties,
  • Has a worldwide network footprint and backbone with approximately 70 data center or regional services locations globally, and
  • Provides Managed DNS, DDoS Protection Services and Cyber threat intelligence services (e.g., iDefense) to a global customer base that includes a number of Fortune 500 companies.

Verisign’s expertise and distinct view into the Internet ecosystem enables us to highlight issues that could prove to have significant consequences. In developing the New gTLD Security and Stability Considerations report, we sought to not only understand our own preparedness, but also that of the broader DNS ecosystem, and of the billions of Internet users ultimately dependent on that system. Somewhat ironically in hindsight, it was comments from ICANN leadership in late January 2013, and collaborative work within ICANN’s Registry Stakeholders (RySG) Group in February and March to examine concerns about operational preparedness that led Verisign to publicly issue a report in part to help draw due attention and foster more rapid consideration and resolution of these issues, given that ICANN was purportedly months and hours away from launch.

While the New gTLD Security and Stability Considerations report is by no means comprehensive, it provides a clear illustration of the many existing issues and known risks that have been highlighted in various documents, and public, for several years – many of which came from ICANN’s very own Security and Stability Advisory Committee (SSAC) – that still need to be addressed or explored further (e.g., namespace collisions issues and administrative boundaries in the DNS), and should be completed before new gTLDs are delegated.

In an effort to make the information within the report more digestible to a broad audience, I will publish several blog posts over the next few weeks that will explore some of these outstanding (or resolved) issues. The general objective is to share, in as simple a manner as possible, my perspective on often complex and nuanced Internet infrastructure security and stability issues related to the DNS and new gTLDs in particular. My aim is to simply increase awareness of the issues, risks, and resolutions that face applicants, registry operators and registrars, application developers and OS vendors, security folk, enterprises, and consumers alike.

New gTLD Security and Stability Considerations Blog Series

  1. Introduction: New gTLD Security & Stability Considerations
  2. Stability at the Core, Innovation at the Edges
  3. Internal Names Certificates, SAC057, CA/B Forum and revocation in X.509
  4. NXDOMAINs, SAC045, PayPal letter
  5. New gTLD SSR-2: Exploratory Consumer Impact Analysis

(Information available on, or accessible through, websites mentioned in this blog [above] are not incorporated herein by reference.)

Share:

Danny McPherson

Danny McPherson leads Verisign’s technology and security organizations. He is responsible for Verisign's corporate and production infrastructure, platforms, services, engineering and operations, as well as information and corporate security. He has actively participated in internet operations, research and standardization since the early 1990s, including serving on the Internet Architecture Board and chairing an array of Internet Engineering Task Force and... Read More →