Verisign Rolls Out 4 Part Series On Why Second Level Domain Blocking For New gTLDs Isn’t Good Enough
Verisign has just published the first of a new four-part series on the potential name collision issue arising from new gTLDs; this one is authored by Burt Kaliski.
Verisign’s message is that “the introduction of a new generic top-level domain (gTLD) at the global DNS root could result in name collisions with previously installed systems,” and that ICANN’s “alternate path” for launching new gTLDs, which blocks any SLDs associated with the new gTLD in the “Day-in-the-Life of the Internet” (DITL) and other relevant data sets, is not good enough to fix the problem.
“The problem, as is often the case for new proposals, is in the details.”
“In the next three blog posts, I will outline three main concerns with ICANN’s alternative path to new gTLD delegation:
- Part 2 of 4 – DITL Isn’t Statistically Valid for This Purpose
- Part 3 of 4 – Name Collision Mitigation Requires Qualitative Analysis
- Part 4 of 4 – Conclusion: SLD Blocking Is Too Risky without TLD Rollback”
“Verisign Labs conducted two research studies earlier this year on the evidence for and risks of potential name collisions between installed systems and applied-for gTLDs. The studies confirmed that a large number of queries currently processed by the DNS root servers do indeed include domain name suffixes that match applied-for gTLDs and therefore could be at risk if the behavior of the global DNS were to change.”
“Without appropriate countermeasures, changing the global DNS by delegating a new gTLD could introduce significant cybersecurity and operational risks, as explored further in two recent Verisign Labs Technical Reports: New gTLD Security and Stability Considerations and New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis. For example:
- When a colliding gTLD is delegated, the name server for the gTLD might direct installed systems to resources in the global name space in response to a DNS query, rather than indicating that a domain does not exist. If this were to happen, resources within the installed system would be connected unexpectedly with resources outside, possibly leading to operational instability and potentially opening the door to attacks.
- Name collisions resulting from new gTLDs could also result in vulnerabilities based on internal-name certificates, which sometimes employ domain names with suffixes that were intended only to be assigned internally. If colliding gTLDs were delegated in the global DNS, a certificate obtained externally could potentially be misused to impersonate a user or a server within the internal network. ICANN’s Security and Stability Advisory Committee (SSAC) has recommended that certificate authorities transition away from issuing such certificates if potentially colliding gTLDs are involved.”
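As an added illustration, not part of this post or of Verisign’s reports, the Python below shows how an SLD block list of the kind ICANN’s alternate path proposes would be derived from a query-log sample, and why colliding names that never appeared in the sample remain exposed once the gTLD is delegated. The log lines, the log format and the applied-for gTLD strings are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed, simplified resolver query log ("<time> <client> <qname> <qtype>").
# Names and clients are invented for this example; this is not real DITL data.
DITL_SAMPLE = """\
2013-08-20T10:00:01 10.0.0.5 fileserver.corp. A
2013-08-20T10:00:02 10.0.0.5 mail.corp. A
2013-08-20T10:00:03 10.0.0.9 wpad.home. A
2013-08-20T10:00:04 10.0.0.7 www.example.com. A
"""
# Constructed traffic from outside the sampling window.
LATER_TRAFFIC = """\
2013-09-01T08:00:00 10.0.0.5 mail.corp. A
2013-09-01T08:00:01 10.0.0.3 backup.corp. A
2013-09-01T08:00:02 10.0.0.9 printer.home. AAAA
"""
# Hypothetical applied-for gTLD strings (illustrative, not ICANN's list).
APPLIED_FOR = {"corp", "home"}

LINE_RE = re.compile(r"^\S+\s+\S+\s+(?P<qname>\S+)\s+\S+$")

def parse_queries(log_text):
    """Yield (qname, tld, sld) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qname = m.group("qname")
        labels = [l for l in qname.lower().rstrip(".").split(".") if l]
        tld = labels[-1] if labels else ""
        sld = labels[-2] if len(labels) >= 2 else ""
        yield qname, tld, sld

def build_sld_block_list(log_text, applied_for):
    """Colliding TLD -> SLDs seen under it in the sample (the alternate path's block list)."""
    blocked = defaultdict(set)
    for _, tld, sld in parse_queries(log_text):
        if tld in applied_for and sld:
            blocked[tld].add(sld)
    return dict(blocked)

def unblocked_collisions(log_text, applied_for, block_list):
    """Colliding names the block list does not cover: after delegation these get real answers, not NXDOMAIN."""
    return sorted({qname for qname, tld, sld in parse_queries(log_text)
                   if tld in applied_for and sld not in block_list.get(tld, set())})
```

Run `build_sld_block_list(DITL_SAMPLE, APPLIED_FOR)` to get the sample-derived block list, then `unblocked_collisions(LATER_TRAFFIC, APPLIED_FOR, ...)` to see the names (here backup.corp and printer.home) that the block list misses.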
We will publish the second in the series once it’s released.