Security Experts: ICANN Criticized for Rolling Out gTLDs "Too Quickly"

In response to recent criticism that the new system of generic top-level-domains (gTLDs) was being rolled out too quickly, the Internet Corporation for Assigned Names and Numbers (ICANN) selected three emergency back-end registry operators (EBROs).

The organization selected China Internet Network Information Center (CNNIC), Neustar, and Nominet as its EBROs, ICANN said in a statement Tuesday. EBROs are activated when a registry operator's operations are disrupted. When the registry operator is unable to sustain critical registry functions temporarily, the EBRO ensures the domain names associated with the operator's top-level-domain continue to resolve to its correct destination.

"Having them in different regions of the world reduces the chance that a natural disaster would affect all three at any one time," ICANN said.

ICANN last year voted to expand the top-level-domain system to include generic words. Thousands of companies submitted bids to become a registrar and to manage gTLDs with generic words such as .book and .sport. ICANN is in the process of evaluating those applications, and the first 27 have already passed the initial evaluation phase.

Industry groups and major Internet organizations warned recently that ICANN was moving too fast with its gTLD rollout. One of the concerns centered on the fact that the public launch of the new gTLD system is scheduled for April 23, but registries and clearing houses will not be ready by then, Verisign said in a Form 8-K filing sent to the U.S. Securities and Exchange Commission. A copy was sent to ICANN as well. Verisign's application, a transliteration of "dot.com" in Chinese, has already passed initial evaluation.

"In order to ensure a successful implementation of each new gTLD, it is essential that proper planning be conducted in advance," Verisign said. There are no project plans available for each gTLD, which could impact current registry operations, Verisign said. There should be "adequate buffers" in the timeline to account for implementation, internal testing, security auditing and vulnerability testing, pilots and early field trials, and deliberate transition to operations, Verisign said.

"It actually appears as though there is little to no time allotted for operators to adequately prepare," Verisign said. The company manages some of the root servers in the Domain Name System infrastructure.

ICANN is supposed to have performed pre-delegation testing and to have created a trademark clearing house (TMCH) and the EBROs. The latest announcement addressed the concerns about EBROs but not the other issues.

Verisign is not the only one concerned with the rollout. There were "significant security issues related to delegating gTLDs that are currently in wide use as de facto, private TLDs," Brad Hill and Bill Smith, from the PayPal Information Risk Management group at Internet giant eBay, wrote last month in a public letter to Fadi Chehade and Stephen Crocker, ICANN's CEO and chairman of the board, respectively. There are a number of invalid TLDs in wide use, primarily in internal networks, which would be impacted by the new gTLDs.

The query strings include domain, localhost, local, and intranet, among others, and are widely used as internal network identifiers, the Certificate Authority Security Council (CASC) said in a statement. Using these identifiers was part of recommended best practices over the past two decades, and they are commonly used for internal network routing. The use of non-public domain extensions extends well beyond digital certificates, CASC told SecurityWeek.

With ICANN planning to release hundreds of new domains, organizations that have used these extensions internally will have to scramble to modify their networks and operations and incur significant costs, which could become a "significant burden," according to the CASC.

In some cases, such as in some Active Directory configurations, the task may range from very difficult to "operationally impossible," PayPal's Smith and Hill wrote.

"While some new gTLDs will have a lesser impact than others, the .corp extension is notably common and should not be released as a resolvable gTLD," CASC said.

Since internal names create a potential security risk, CASC supports encouraging organizations to first eliminate the internal names. There is an industry-wide initiative aiming for a 2016 deadline for eliminating internal names. The deadline takes into account the need for organizations to budget and plan for this change, something ICANN is not doing, CASC said.

"We strongly urge ICANN to consider the ramifications of its actions and show appropriate discretion in releasing new gTLDs, particularly in reference to the widely used .corp extension," CASC said.
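As an added example (not from the article, CASC or PayPal), the following Python audit flags hostnames in configuration or log text whose rightmost label is one of the internal-use TLDs the article names, so an organization can inventory what it would have to change before those names become publicly resolvable. The sample configuration fragment and the hostnames in it are constructed; the TLD set is taken from the article and can be extended.

```python
import re
from typing import Dict, List

# Internal-use TLDs named in the article (CASC list plus .corp); extend as needed.
INTERNAL_TLDS = {"corp", "local", "localhost", "intranet", "domain"}

# Loose hostname matcher: two or more labels of letters/digits/hyphens joined by dots.
# IPv4 addresses also match, but their last label is numeric and never in the set.
_HOST_RE = re.compile(r"\b[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)+")

# Constructed sample: fragments of an internal environment's configuration.
SAMPLE_CONFIG = """\
ldap_uri = ldaps://dc01.corp:636
smtp_host = mail.corp.
share = \\\\fileserver.local\\public
portal = https://app.intranet/login
monitor = 10.0.0.1 https://www.example.com/health
"""


def tld_of(hostname: str) -> str:
    """Return the lower-cased rightmost label, ignoring a trailing root dot."""
    return hostname.rstrip(".").lower().rsplit(".", 1)[-1]


def find_internal_names(text: str) -> Dict[str, str]:
    """Map each hostname in text whose TLD is an internal-use TLD to that TLD."""
    hits: Dict[str, str] = {}
    for match in _HOST_RE.finditer(text):
        name = match.group(0).lower()
        tld = tld_of(name)
        if tld in INTERNAL_TLDS:
            hits[name] = tld
    return hits


def names_by_tld(hits: Dict[str, str]) -> Dict[str, List[str]]:
    """Group flagged hostnames by TLD so the most-used extension stands out."""
    grouped: Dict[str, List[str]] = {}
    for name, tld in hits.items():
        grouped.setdefault(tld, []).append(name)
    return {tld: sorted(names) for tld, names in grouped.items()}


if __name__ == "__main__":
    for tld, names in names_by_tld(find_internal_names(SAMPLE_CONFIG)).items():
        print(f".{tld}: {', '.join(names)}")
```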

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.