Uncontrolled Interruption? Dozens of “Blocked” Domains in New gTLDs Actually Delegated

Burt Kaliski | Feb 26, 2014

The Mitigating the Risk of DNS Namespace Collisions report, just published by JAS Global Advisors, under contract to ICANN, centers on the technique of “controlled interruption,” initially described in a public preview shared by Jeff Schmidt last month.

With that technique, domain names that are currently on one of ICANN’s second-level domain (SLD) block lists can be registered and delegated for regular use, provided that they first go through a trial period where they’re mapped to a designated “test” address.  The staged introduction of new SLDs is intended to provide operators of installed systems the opportunity to assess the potential impact of an impending name collision on their own, before any external operators have an opportunity to exploit it.

The new technique is subject to a public comment period before being adopted (including discussion at the upcoming Name Collisions Workshop).  However, if this technique (or any other) were adopted, it would stand to reason the staged introduction would need to be monitored carefully.  Someone would need to check that SLDs on the block lists actually did go through the trial period, and were not put into regular use without the appropriate opportunity for assessment by operators of installed systems.

(Note that Verisign isn’t endorsing the technique; we are reviewing the just-published Mitigating the Risk of DNS Namespace Collisions report, and we’ve already expressed reservations about the statistical invalidity of SLD block lists as an indicator of name collision risk.  That being said, the point still remains that if such a technique were adopted, it would need to be monitored to ensure correct implementation.)
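One way to run the monitoring check described above, as an added example that is not part of the original post and not ICANN or Verisign tooling. The zone excerpt, block list, function names and the test address 127.0.53.53 are assumptions; the post does not name the test address.

```python
"""Added example: audit a TLD zone excerpt against an SLD block list."""

TEST_ADDR = "127.0.53.53"  # assumed trial-period test address (not given in the post)

# Constructed sample data for the reserved TLD "example".
SAMPLE_ZONE = """\
; one record per line, fully qualified owner names (simplifying assumption)
mail.example.      3600 IN NS ns1.registrar.test.
CORP.example.      3600 IN A  127.0.53.53
intranet.example.  3600 IN A  127.0.53.53
intranet.example.  3600 IN NS ns1.registrar.test.
shop.example.      3600 IN NS ns1.registrar.test.
ns1.mail.example.  3600 IN A  192.0.2.10
"""
BLOCKED = ["mail", "corp", "intranet", "wpad"]


def sld_label(owner, tld):
    """Return the label if owner is exactly <label>.<tld>, else None."""
    name = owner.lower().rstrip(".")
    suffix = "." + tld.lower().strip(".")
    if not name.endswith(suffix):
        return None
    label = name[: -len(suffix)]
    return label if label and "." not in label else None


def audit_zone(zone_text, tld, blocked, test_addr=TEST_ADDR):
    """Map each blocked label found in the zone to 'trial' or 'delegated'."""
    blocked = {b.lower() for b in blocked}
    status = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        label = sld_label(fields[0], tld) if fields else None
        if label not in blocked:
            continue
        i = 1  # skip the optional TTL and class tokens
        while i < len(fields) and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1
        if i + 1 >= len(fields):
            continue
        rtype, rdata = fields[i].upper(), fields[i + 1]
        if rtype == "NS":
            status[label] = "delegated"  # delegated for regular use
        elif rtype == "A" and rdata == test_addr:
            status.setdefault(label, "trial")  # mapped to the test address
    return status


if __name__ == "__main__":
    for label, state in sorted(audit_zone(SAMPLE_ZONE, "example", BLOCKED).items()):
        print(f"{label}.example: {state}")
```

Run daily against successive zone snapshots, a blocked name that shows up as delegated without an earlier snapshot showing it in trial is the case the post warns about.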

Given the anticipation of “controlled” interruption, it’s ironic that while ICANN specifically precludes the delegation of domain names on the SLD block lists, dozens of them were actually registered and delegated!

That fact was recently noted by one of Verisign’s researchers, who has been analyzing the daily progress of new gTLDs.  As it turns out, nearly all of the delegated SLDs that should have been blocked were cancelled over the past weekend, after independent reports citing the existence of inappropriate delegations began to circulate.

That the delegations of SLDs on the block lists could have caused name collisions with installed systems is not our primary concern.  (And, as noted above, we don’t consider the block lists – which are based solely on query frequency at specific points in time – to be the final word on which delegations might or might not cause name collisions.  As our chief security officer Danny McPherson has well explained in one of his blog posts, “Query frequency data without query context isn’t enough.”)

Our concern, rather, is that domain names on the SLD block lists were delegated at all, given ICANN’s clear direction to the contrary.  As Pat Kane and I have noted in a broader-ranging letter to NTIA on operational miscues in the new gTLD delegation process, a policy that’s unenforced is worse than no policy at all.

If this is the state of affairs when the answer is “no” – effectively, a state of “uncontrolled interruption” – what happens when the answer changes to “wait 120 days”?