Verisign’s New Letter To NTIA On New gTLD’s: Its Important to Differentiate Between “Ability” and “Advisability.”
In a letter send by Verisign today to the National Telecommunications and Information Administration (NTIA), U.S. Department of Commerce; Verisign made it clear it is ready, willing and able to delegate up to 20 new gTLD’s to the root upon request of the NTIA but it also made clear that it doesn’t advise that the 1,000 new gTLD strings a year get delegated to the root saying:
“The introduction of delegations of new gTLDs into the root zone, it is important to differentiate between “ability” and “advisability.”
The letter signed by Pat Kane as Senior Vice President of Naming Services and Danny McPherson Vice President and Chief Security Officer VeriSign:
“While we have the ability today to add the mutually agreed upon 100 TLDs to the root zone per week, we and others believe that it is prudent to take a more cautious approach to adding records to the root zone at least until appropriate safeguards, particularly those recommended by the Security and Stability Advisory Committee (SSAC), are in place. ”
“Further, as you are aware, Verisign has a duty specified in the Cooperative Agreement between Verisign and the Department of Commerce to serve the public interest in the continued security and stability of the Internet domain name system (DNS).”
“On the question of advisability, it is important to make clear that Verisign is not the first and is not alone in expressing concerns over security issues raised by the introduction of new gTLDs. The National Research Council, in a 2005 report “Signposts in Cyberspace,” warned that introducing new TLDs into the root at a rate exceeding “tens of TLDs per year” would risk instability.
ICANN’s own SSAC, as well as expressly commissioned study teams of experts, issued several advisories, dating back to 2009, advising ICANN to take steps prior to introducing new gTLDs.:
“The lack of implementation of these recommendations was documented in SAC059, issued April 18, 2013, which included clear language on the lack of progress and possible, this can only be achieved with a deliberate and measured deployment.”
“Additionally, both the At-Large Advisory Committee (ALAC)5 and the Governmental Advisory Committee (GAC) have written to ICANN’s board of directors advising them to heed SSAC advice on dotless domains and name collisions, and to make SSAC analysis pUblic.
We believe we are providing precisely the value that both ICANN and the Department of Commerce sought in their agreements with us – security and stability advice from the most experienced operator of the largest and historically the most reliable registry, thus leveraging a broad base of institutional knowledge and subject matter expertise.
For example, on March 28, 2013 we submitted our “New gTLD Security and Stability Considerations Report.”
Subsequently, in May 2013 ICANN commissioned a study on naming collisions.
The findings from the study, led by lnterisle Consulting Group, were released on August 5.
They were accompanied by an ICANN proposal, called New gTLD Collision Risk Mitigations.
Both validate the reality of the risks we highlighted in March.
While we strongly believe the Interisle study did not go deep enough in assessing risk largely due to a late start and limits in time and resources, its conclusions echo those of Verisign’s report on March 28. announced date to recommend strings for delegation on April 23, 2013.
At that time, however, ICANN and many others were dismissive of our report and pressed forward with their announced dates to recommned strings for delegation on April 23, 2013.
Even after ICANN chose to delay the April date, and with our March 28 report in-hand, ICANN continued to claim there was nothing to be concerned about with respect to the security of new gTLDs and that they were moving forward with their April target date.
ICANN then moved its target delegation date to August, and now to September.
Verisign’s efforts very likely helped prevent substantial damage and disruption to users of global Internet infrastructure. It should be clear that ICANN must be more receptive to multi-stakeholder input, which will enable it to be less reactive in planning the rollout of new gTLDs.
Verisign takes all of its contractual obligations very seriously, including the two raised in your letter: to delegate new gTLDs into the root when directed by NTIA, and to serve the public interest regarding security and stability. Nothing we have said or done conflicts with the first, and we have been diligent in the second.
Therefore, if NTlA believes, as stated in your letter, that the authority to order delegations, along with the ability to order the removal of delegations together comprise sufficient controls lo manage instability and security risks, and that the time frame articulated by ICANN’s senior management for the delegation of new gTLDs is appropriate, we can agree to disagree and Verisign will still act in accordance with its contractual obligations.
We believe, as we are sure you do, that any such disagreement on the degree of risk does not restrict our right and obligation as an experienced operator LO publicly voice our concerns. The solid working relationship that we have had over the years should continue even when we disagree on the severity of the risks and paths for risk mitigation.
Regarding the work or the Root Server System Advisory Committee (RSSAC) to which you refer, we are pleased that the RSSAC is developing instrumentation recommendations which include an early warning system.
We continue to advise, however, that delegation of new root zone entries at any rate should not be permitted until these systems (which are not yet developed and ror which the requirements are not yet completed) are thoroughly reviewed and robustly tested, and even then scaled at a rate commensurate with the importance of the root zone. Consistent with good security practices, these proposals, which only recently began to be discussed, should be reviewed and posted for public comment to ensure that haste has not overlooked critical requirements.
A key objective of SSAC’s 201 0 recommendations for early warning and root instrumentation was to provide sufficient data to lCANN to forewarn users and others of the potential impacts of new gTLDs. This pre-delegation responsibility fell squarely on ICANN.
However on August 5, 2013, ICANN unilaterally and abruptly proposed to shift this obligation (to include early warning mechanisms and potentially impacted party notification) and associated liabilities, without notice, to applicants and new gTLD registry operators who are not ideally positioned to discharge these obligations.
In addition, even if registries were able to fully implement ICANN’s new risk notification regime, there would be little or no time left for those impacted parties to take appropriate protective measures. This transfer of risk is new and contrary to all previous recommendations that have been made by ICANN and its Advisory Committees over the last several years.9 We hope you will in some way address this proposed
The deployments of DNSSEC into the root in July 2010, and the automation of the Root Zone Management System in July 2011, are excellent examples of the collaborative success that ICANN, NTIA and Verisign have achieved together. Both of these successes, however, have had deployment paths that were well tested with agreed upon check points with vetted and measured success criteria, over extensive periods post initial deployment, with adoption and implementation of a broad set of recommendations.
We would advise that the deployment of the monitoring, instrumentation and management capabilities for the root zone enjoy similar consideration, and ultimately, success.
Motivated by the presentation of name collision risks and SSR issues in Durban a few weeks ago by ICANN and their contractor. Interisle Consulting Group, our technical team endeavored to provide some additional analysis, which Interisle stated during the presentation’s Q&A it did not have the data or time to conduct. I 1,12 We have submitted the methodology and findings to the SSAC and broader Internet community for review and comment, and we will post it, along with additional analysis, during ICANN’s open comment period on the Interisle Consulting Group study.
We also attach the report here, “New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis,” which we believe, with just a cursory exploration, clearly demonstrates the deep complexity in the interdependencies of the DNS and a number of network services and Web protocols, which have implications well beyond the matter of root zone delegations.
The many resulting non-obvious but very serious risks to businesses and consumers we were able to identify and document with just a few weeks work bear careful study, and provide a new foundation for future work.
The evolution of the new gTLD program demonstrates the importance of the DNS as a critical layer of Internet infrastructure that one-third of the global population relies on hundreds of billions of times every day, and that over $200 billion in e-commerce in the U.S. alone is built upon. For more than 16 years, we are proud to have operated a large part of that infrastructure with unparalleled reliability. Our interests are straightforward: We want that reliability to continue, which we believe is in the public interest.”"