
ICANN Criticized for Rolling Out gTLDs “Too Quickly”

In response to recent criticism that the new system of generic top-level-domains (gTLDs) was being rolled out too quickly, the Internet Corporation for Assigned Names and Numbers (ICANN) selected three emergency back-end registry operators (EBROs).


The organization selected China Internet Network Information Center (CNNIC), Neustar, and Nominet as its EBROs, ICANN said in a statement Tuesday. EBROs are activated when a registry operator’s operations are disrupted. When the registry operator is unable to sustain critical registry functions temporarily, the EBRO ensures the domain names associated with the operator’s top-level-domain continue to resolve to its correct destination.

“Having them in different regions of the world reduces the chance that a natural disaster would affect all three at any one time,” ICANN said.

ICANN last year voted to expand the top-level-domain system to include generic words. Thousands of companies submitted bids to become a registrar and to manage gTLDs with generic words such as .book and .sport. ICANN is in the process of evaluating those applications, and the first 27 have already passed the initial evaluation phase.

Industry groups and major Internet organizations warned recently that ICANN was moving too fast with its gTLD rollout. One of the concerns centered on the fact that the public launch of the new gTLD system is scheduled for April 23, but registries and clearing houses will not be ready by then, Verisign said in a Form 8-K filing sent to the U.S. Securities and Exchange Commission. A copy was sent to ICANN as well. Verisign’s application, a transliteration of “dot.com” in Chinese, has already passed initial evaluation.

“In order to ensure a successful implementation of each new gTLD, it is essential that proper planning be conducted in advance,” Verisign said. There are no project plans available for each gTLD, which could impact current registry operations, Verisign said. There should be “adequate buffers” in the timeline to account for implementation, internal testing, security auditing and vulnerability testing, pilots and early field trials, and deliberate transition to operations, Verisign said.

“It actually appears as though there is little to no time allotted for operators to adequately prepare,” Verisign said. The company manages some of the root servers in the Domain Name System infrastructure.

ICANN is supposed to have performed pre-delegation testing and created a trademark clearing house (TMCH) and EBERO. The latest announcements addressed the concerns about EBROs but not the other issues.

Verisign is not the only one concerned with the rollout. There were “significant security issues related to delegating gTLDs that are currently in wide use as de facto, private TLDs,” Brad Hill and Bill Smith, from the PayPal Information Risk Management group at Internet giant eBay, wrote last month in a public letter to Fadi Chehade and Stephen Crocker, ICANN’s CEO and chairman of the board. There are a number of invalid TLDs in wide use, primarily in internal networks, which would be impacted by the new gTLDs.


The query strings include domain, localhost, local, and intranet, among others, and are widely used as internal network identifiers, the Certificate Authority Security Council said in a statement. Using these identifiers was part of recommended best practices over the past two decades, and they are commonly used for internal network routing. The use of non-public domain extensions extends well beyond digital certificates, CASC told SecurityWeek.

With ICANN planning to release hundreds of new domains, organizations that have used these extensions internally will have to scramble to modify their networks and operations and incur significant costs, which could become a “significant burden,” according to the CASC.

In some cases, such as in some Active Directory configurations, the task may range from very difficult to “operationally impossible,” PayPal’s Smith and Hill wrote.

“While some new gTLDs will have a lesser impact than others, the .corp extension is notably common and should not be released as a resolvable gTLD,” CASC said.

Since internal names create a potential security risk, CASC supports encouraging organizations to first eliminate the internal names. There is an industry-wide initiative aiming for a 2016 deadline for eliminating internal names. The deadline takes into account the need for organizations to budget and plan for this change, something ICANN is not doing, CASC said.

“We strongly urge ICANN to consider the ramifications of its actions and show appropriate discretion in releasing new gTLDs, particularly in reference to the widely used .corp extension,” CASC said.
