POSTS TAGGED: icann

Verisign’s Preliminary Comments on ICANN’s Name Collisions Phase One Report

Burt Kaliski | Apr 16, 2014

Verisign posted preliminary public comments on the "Mitigating the Risk of DNS Namespace Collisions" Phase One Report released by ICANN earlier this month. JAS Global Advisors, authors of the report contracted by ICANN, have done solid work putting together a set of recommendations to address the name collisions problem, which is not an easy one, given the uncertainty about how installed systems actually interact with the global DNS. However, there is still much work to be done.

Below, I have outlined the four main observations from ICANN’s "Mitigating the Risk of DNS Namespace Collisions" Phase One Report discussed in Verisign’s public comment along with recommendations:


Proceedings of Name Collisions Workshop Available

Burt Kaliski | Mar 26, 2014

Presentations, papers and video recordings from the name collisions workshop held earlier this month in London are now available at the workshop web site, namecollisions.net.

The goal for the workshop, described in my “colloquium on collisions” post, was that researchers and practitioners would “speak together” to keep name spaces from “striking together.”  The program committee put together an excellent set of talks toward this purpose, providing a strong, objective technical foundation for dialogue.  I’m grateful to the committee, speakers, attendees and organizers for their contributions to a successful two-day event, which I am hopeful will have benefit toward the security and stability of Internet naming for many days to come.

Keynote speaker, and noted security industry commentator, Bruce Schneier (Co3 Systems) set the tone for the two days with a discussion on how humans name things and the shortcomings of computers in doing the same.  Names require context, he observed, and “computers are really bad at this” because “everything defaults to global.”  Referring to the potential that new gTLDs could conflict with internal names in installed systems, he commented, “It would be great if we could go back 20 years and say ‘Don’t do that’,” but concluded that policymakers have to work with DNS the way it is today.

Bruce said he remains optimistic about long-term prospects as name collisions and other naming challenges are resolved:  “I truly expect computers to adapt to us as humans,” to provide the same kind of trustworthy interactions that humans have developed in their communications with one another.


Uncontrolled Interruption? Dozens of “Blocked” Domains in New gTLDs Actually Delegated

Burt Kaliski | Feb 26, 2014

The Mitigating the Risk of DNS Namespace Collisions report, just published by JAS Global Advisors, under contract to ICANN, centers on the technique of “controlled interruption,” initially described in a public preview shared by Jeff Schmidt last month.

With that technique, domain names that are currently on one of ICANN’s second-level domain (SLD) block lists can be registered and delegated for regular use, provided that they first go through a trial period where they’re mapped to a designated “test” address.  The staged introduction of new SLDs is intended to provide operators of installed systems the opportunity to assess the potential impact of an impending name collision on their own, before any external operators have an opportunity to exploit it.

The new technique is subject to a public comment period before being adopted (including discussion at the upcoming Name Collisions Workshop).  However, if this technique (or any other) were adopted, it would stand to reason the staged introduction would need to be monitored carefully.  Someone would need to check that SLDs on the block lists actually did go through the trial period, and were not put into regular use without the appropriate opportunity for assessment by operators of installed systems.

(Note that Verisign isn’t endorsing the technique; we are reviewing the just-published Mitigating the Risk of DNS Namespace Collisions report, and we’ve already expressed reservations about the statistical invalidity of SLD block lists as an indicator of name collision risk.  That being said, the point still remains that if such a technique were adopted, it would need to be monitored to ensure correct implementation.)

Given the anticipation of “controlled” interruption, it’s ironic that while ICANN specifically precludes the delegation of domain names on the SLD block lists, dozens of them were actually registered and delegated!

That fact was recently duly noted by one of Verisign’s researchers who has been analyzing the daily progress of new gTLDs.  As it turns out, nearly all delegated SLDs that should have been blocked were cancelled over the past weekend after independent reports citing the existence of inappropriate delegations began to circulate.

That the delegations of SLDs on the block lists could have caused name collisions with installed systems is not our primary concern.  (And, as noted above, we don’t consider the block lists – which are based solely on query frequency at specific points in time – to be the final word on which delegations might or might not cause name collisions.  As our chief security officer Danny McPherson has well explained in one of his blog posts, “Query frequency data without query context isn’t enough.”)

Our concern, rather, is that domain names on the SLD block lists were delegated at all, given ICANN’s clear direction to the contrary.  As Pat Kane and I have noted in a broader-ranging letter to NTIA on operational miscues in the new gTLD delegation process, a policy that’s unenforced is worse than no policy at all.

If this is the state of affairs when the answer is “no” – effectively, a state of “uncontrolled interruption” – what happens when the answer changes to “wait 120 days”?
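The monitoring check this post calls for can be sketched as follows. This is an added example, not Verisign's or ICANN's tooling: the observation format, the `.example` names and the block list are constructed, the test address `127.0.53.53` is the one proposed in the JAS report (it is not given in this post), and the 120-day trial length is taken from the post's closing question.

```python
from datetime import date

TEST_ADDRESS = "127.0.53.53"  # assumption: address proposed in the JAS report
TRIAL_DAYS = 120              # the "wait 120 days" period mentioned in the post

# Constructed daily zone observations: "date owner type rdata"
OBSERVATIONS = """\
2014-01-01 mail.example. A 127.0.53.53
2014-05-05 mail.example. NS ns1.registrar.test.
2014-02-01 intranet.example. A 127.0.53.53
2014-02-20 intranet.example. NS ns1.registrar.test.
2014-02-22 www.example. NS ns1.registrar.test.
2014-02-10 corp.example. A 127.0.53.53
2014-02-22 shop.example. NS ns1.registrar.test.
"""
BLOCK_LIST = {"mail.example", "intranet.example", "www.example",
              "corp.example", "vpn.example"}  # constructed block list

def parse(text):
    """Yield (date, name, rrtype, rdata) from whitespace-separated lines."""
    for line in filter(str.strip, text.splitlines()):
        day, owner, rrtype, rdata = line.split(None, 3)
        yield (date.fromisoformat(day), owner.rstrip(".").lower(),
               rrtype.upper(), rdata.strip())

def audit(block_list, observations, trial_days=TRIAL_DAYS):
    """Classify each blocked SLD by whether delegation followed a full trial."""
    trial, delegated = {}, {}
    for day, name, rrtype, rdata in observations:
        if name not in block_list:
            continue  # names off the block list are out of scope
        if rrtype == "A" and rdata == TEST_ADDRESS:
            trial[name] = min(day, trial.get(name, day))
        elif rrtype == "NS":
            delegated[name] = min(day, delegated.get(name, day))
    report = {}
    for name in sorted(block_list):
        first_ns, first_trial = delegated.get(name), trial.get(name)
        if first_ns is None:
            report[name] = "in_trial" if first_trial else "blocked"
        elif first_trial is None or first_trial >= first_ns:
            report[name] = "delegated_without_trial"
        elif (first_ns - first_trial).days < trial_days:
            report[name] = "trial_too_short"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    print(audit(BLOCK_LIST, parse(OBSERVATIONS)))
```

The two violation states separate a blocked name that was delegated outright from one whose trial was cut short, which are different enforcement failures.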


Collisions Ahead: Look Both Ways before Crossing

Burt Kaliski | Jan 23, 2014

Many years ago on my first trip to London, I encountered for the first time signs that warned pedestrians that vehicles might be approaching from a different direction than they were accustomed to in their home countries, given the left-versus-right-side driving patterns around the world.  (I wrote a while back about one notable change from left-to-right, the Swedish "H Day," as a comment on the IPv6 transition.)

If you're not sure on which side to expect the vehicles, it's better to look both ways -- and look again -- if you want to reduce the risk of a collision.

It's quite fitting therefore (at least to the extent I can stretch the metaphor) that the first Workshop and Prize on Root Causes and Mitigations of Name Collisions (WPNC 14) will be held in London on March 8-10.  The workshop -- to be held at the Hilton London Metropole following the 89th meeting of the Internet Engineering Task Force (IETF) in the same location -- will bring together researchers and practitioners to review the latest developments in understanding and preventing the impact of the unintended overlap of two name spaces.

The overlap of primary interest today, of course, is between the global Domain Name System (DNS) name space and local name spaces within installed systems, as I've further detailed in a recent blog series.

Much of the current concern centers around the "alternate path" introduced by ICANN in its Oct. 7, 2013 plan document, whereby a new top-level domain (TLD) can be added to the global DNS provided that the operator of the TLD agrees to avoid any second-level domain (SLD) that had a query in one of several past "Day in the Life" (DITL) data sets.  It's sort of like the warning sign telling me what traffic looked like the last eight times I arrived at Heathrow.  Because it's still not clear on what technical basis ICANN thinks this approach will work, Pat Kane and I just sent another letter to ICANN requesting an explanation.

The research community may well have better guidance -- that's what I'm most looking forward to about this workshop.

A workshop poster is now available as a further reminder of the call for papers, due Feb. 10.

Rewarding Research: A Better Connected World, Name Collisions and Beyond

Burt Kaliski | Dec 13, 2013

It's a privilege for Verisign to welcome this week the recipients of our 2012 Internet Infrastructure Grant program, who will be presenting the results of research their teams have conducted over the past year and a half.  The results will be the focus of our fourth and final Verisign Labs Distinguished Speaker Series event for the year.

The event will open with a keynote talk by Prof. Ellen Zegura of Georgia Tech (United States), who will give an overview of the field these two projects explore, "Intermittent and Low-Resource Networks: Theory and Practice."  It's an honor to have Prof. Zegura with us to describe both the academic and hands-on work she's conducted in this important area.

Prof. Philippe Cudre-Mauroux of University of Fribourg (Switzerland) will then share the findings of his joint project with Dr. Christophe Guéret of Vrije Universiteit Amsterdam (The Netherlands) -- "Registry Systems without the Web" -- a new, open-source, general-purpose data repository and resolution system intended for environments with little or no regular access to the web.

Prof. Z. Morley Mao of University of Michigan (United States) will conclude the event by summarizing discoveries on "Supporting Mobile Network Communication in Adverse Environments," a joint project with grant co-recipient Prof. Cui Yong of Tsinghua University (China).  Their project proposes several new infrastructure network services optimized for mobile users, again in environments that are at best partially connected.

Verisign sponsors projects like these to encourage progress in understanding better ways to connect online with reliability and confidence -- especially as more of the world becomes connected, and environments continue to change.  Our 2011 grant program followed the general theme of "improving the Internet infrastructure for the next 25 years." The 2012 program, featured at this week's event, focused on "Internet infrastructure and access challenges faced by users in the developing world and elsewhere."

In 2014, rather than selecting among proposals for research to be pursued in the coming year, we will recognize and reward work that's already being done.  This time, our targeted research area will be name collisions in the global Domain Name System (DNS).  As described in my recent blog series, name collisions can occur when a system employs a domain name suffix such as .corp to identify internal resources and the same suffix is also employed as a top-level domain (TLD) in the global Internet.

Until recently, name collisions have not been a significant concern to researchers or operators because the set of TLDs has remained close to the same for a long time.  However, the environment around DNS is now changing rapidly with as many as 1,400 proposed TLDs moving through a formal evaluation process, some of which have just recently been added to the global DNS.

There have been a few preliminary studies so far on name collisions, mostly originating from within the DNS community.  To expand the base of publicly available results and draw from the broader Internet research community, Verisign Labs is organizing a new Workshop and Prize on Root Causes and Mitigations of Name Collisions (WPNC), or namecollisions.net for short, which will be held in March 2014.  We invite researchers to share their best analyses and techniques for understanding causes and effects of name collisions.  Similar to the scope of Prof. Zegura's talk, we are interested in both "theory and practice."

And similar to our past two grant programs, we are awarding funds for the top projects.  As described in more detail in the workshop announcement, we will award a prize of $50,000 to the most valuable research contribution presented at the workshop as determined by an independent judging panel, as well as several smaller prizes.  If the results of the previous grant programs are any indication, we can expect high quality contributions from top researchers in the field.

We're grateful for the researchers whom we've been able to support through the Verisign Infrastructure Grant Program and look forward to the ongoing impact of their work.