Weekly Edition
Return to the Security page
| |||||||||||||
ICANN adds new gTLDsThe Internet Corporation for Assigned Names and Numbers (ICANN) is committed to launching a slew of new generic top level domains (gTLDs; i.e., those that are not country-code TLDs), and the first assortment of proposals has been published. ICANN's process has attracted no shortage of criticism, but there are also concerns over how the availability of hundreds of unrestricted TLDs will impact security. In 2000, ICANN approved the first new gTLDs since the dawn of the DNS system in the 1980's. That set of seven domains (.aero, .biz, .coop, .info, .museum, .name, and .pro) was selected by ICANN's board out of roughly 40 applications, in one of its first official acts. ICANN policy dictates that the "sponsored" gTLDs — .aero, .coop, and .museum — be used only by particular industries or groups, and that the "restricted" gTLDs — .biz, .name, and .pro — be used only for specific purposes. Those requirements sound similar, with the main difference being that sponsored gTLDs are proposed by and subsequently managed by private entities. Eight more gTLDs were approved in 2003: .asia, .cat, .jobs, .mobi, .tel, .travel., .post, and .xxx, all of which are sponsored. The current round of new gTLD selection is supposed to usher in unlimited numbers of new domains. The application period started on January 12 and ended on April 12, during which time ICANN took in 1,930 applications from 1,268 separate applicants. ICANN charged a $185,000 application fee for each domain, with the understanding that a $25,000 annual fee would accompany any domain eventually approved. ICANN published a one-page overview [PDF] of the applications, noting that there were 230 domains that had more than one applicant vying for control. The list reads much like you would expect; there are plenty of companies seeking control of the .app, .secure, and .web gTLDs, many more out to create a brand-specific gTLD (such as .google and .bmw), and a few community- or geographically-oriented applications (such as .africa, .catholic, or .ieee). Up next comes the objection and dispute resolution process, which is tentatively slated to last seven months. Each objection to a gTLD application must meet one of ICANN's four grounds for objection (which are listed on the page), be brought by someone who meets the "standing" criteria, and include the appropriate fee (which varies depending on the objection). Those without deep pockets can also leave a comment at no charge, although comments that do not meet the formal objection grounds will not be forwarded to the evaluation panels. Disputes between multiple organizations after the same domain will be handled by an ICANN review committee. If a consensus cannot be reached, the disputed domain will be auctioned off. The review process divides the entire set of applications into batches, with the first batch scheduled to land on reviewers' desks in July. ICANN has devised a mechanism for sorting applications into batches that is, shall we say, novel. Each applicant logs in to the ICANN site and competes to click on a timestamp-generating button; the applicants that come closest to hitting the target time are in batch one. Applicants (although perhaps "players" is more descriptive) get to select their own target time, and are allowed to practice before generating their timestamp for real. Divide and conquerThe timestamp-generating process (which ICANN itself refers to as "digital archery") has attracted plenty of criticism and even mockery. But there are more substantial objections to the batching process, too. Rohan Pearce at Computerworld quotes one domain registrar as saying that applicants in later batches could find themselves waiting a number of years before their applications reach the examination stage. The size of the fees associated with the process has also generated criticism. There is not much data with which to impartially compare ICANN's fee structure — apart from the fact that $185,000 is a substantial hike from 2000 and 2003's $50,000 sticker price. ICANN contends that running a gTLD is an expensive process not to be undertaken casually, so the fees are meant in part to discourage throngs of cybersquatters or mischief-makers from bogging down the process. NPR says that many see the high stakes as a "land grab" unfairly blocking out non-profit and community groups in favor of well-heeled businesses. It also notes that domain speculators shelled out a lot of capital for gTLDs of common words, including one company that filed 307 separate applications. The National Association of Advertisers even started a public petition to protest the policy, arguing that it forces business to spend money defensively acquiring domain names just to protect their brands. Finally, there have long been critics who contend that ICANN and its processes are too US-centric. SiliconValley.com reports that China, Russia, and Brazil have lobbied to have ICANN's functions transferred to the United Nations or another international body. 911 of the 1,930 gTLD applications came from North America, which is not a majority, but may be enough to bolster such complaints. Security implicationsA radically-expanded set of valid gTLDs may also impact security. For starters, with 2,000 TLDs in the wild, it will be more difficult for legitimate businesses to police all of the possible variations on their name and product brand — or expensive to register them all. That will make it easier for domain phishing attackers to slip a phony site past users' eyes. E.g., in the heat of the moment, are you sure that your bank's actual URL was MyBank.finance and not MyBank.financial, or that you typed zork.games instead of zork.game? ICANN received applications for all four of those gTLDs. It is also possible that the massive influx of new top-level registrars will make it more likely for a nefarious player of some sort to get into the gTLD game. A phisher running a domain registrar is a little far-fetched, but there are other possibilities. Some have suggested that the expansion plan will overload the root DNS zone, and that it would be better to partition the root. China has proposed a plan to the IETF that implements multiple autonomous roots. Under the plan, China would control its own country code TLD (.cn) and other national domain names, but still call out to peer DNS networks to resolve other domain names. Computerworld quotes Patrik Wallström of OpenDNSSEC as saying that the proposal instead amounts to "a way to severely segment the Internet," and notes China's reputation for blocking access to Internet content. Then again, ICANN has had its own in-house security problems plague the gTLD process. It accidentally posted the mailing addresses and other personal information of applicants on the public web site (information which was supposed to remain confidential). That leak followed May's incident, in which the organization had to shut down the gTLD application system because it inadvertently exposed personal information to other applicants. Whatever the long-term impact is on security, one can rest assured that increasing the number of TLDs by a factor of 100 will cause considerable extra work for administrators and developers, on every task from email address verification to traffic analysis. The fifteen new gTLDs ICANN has already introduced still account for only a fraction of the registrations in the original TLDs, and while none of the newly-proposed TLDs are likely to unseat .com either, rewriting the rules of what constitutes a valid domain will have far-reaching impacts. (Log in to post comments)
ICANN adds new gTLDs Posted Jun 21, 2012 2:58 UTC (Thu) by josh (subscriber, #17465) [Link]
This whole ugly process has me wondering yet again: what would the Internet have looked like if top-level domains never existed? What would happen if instead of the original .com, .net, and .org, we had just .?
Personally, I suspect the result would have turned out significantly better.
ICANN adds new gTLDs Posted Jun 21, 2012 5:05 UTC (Thu) by butlerm (subscriber, #13312) [Link]
The problem with that idea is that it pollutes the local namespace, something that could be a problem if registries are allowed to associate A records directly with the new gTLDs as well. It is much more convenient to allow "ibm" to refer to a host named ibm if you have one defined, for example, rather than possibly resolve to a top level A record for an ibm gTLD.
ICANN adds new gTLDs Posted Jun 21, 2012 6:02 UTC (Thu) by cpeterso (guest, #305) [Link]
The separate .com, .org, .etc namespaces create these identify problems.
The IETF can just reserve a pseudo-TLD like .local. It already reserves .example, .invalid, .localhost, and .test. Mac OS X already self-assigns hostnames like "hostname.local" and, according to this report [1], .local is the fourth most queried TLD.
ICANN adds new gTLDs Posted Jun 21, 2012 7:05 UTC (Thu) by steveriley (subscriber, #83540) [Link]
That appears to be a cached report from September 2009. Here's the URL that generates a dynamic report for the period beginning seven days (604,800 seconds) before the moment you request it:
http://stats.l.root-servers.org/cgi-bin/dsc-grapher.pl?wi...
It's interesting to observe the changes over almost three years. The range of the graph is almost three times as large. ".local" bubbles up from #5 to #3 (which makes me think that DNS forwarders ought to just drop ".local"). ".home" came out of nowhere to grab fourth place. The number of requests for ".arpa" has declined -- but why? Brazil has overtaken Russia for the most-requested country TLD. And what is up with that crazy ".belkin" TLD -- zillions of home wireless routers, pinging a thing that doesn't exist?
ICANN adds new gTLDs Posted Jun 21, 2012 9:32 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]
I don't think it would make much difference.
zork.game vs zork.games vs zork.com vs zork.net all have the same basic problem, there are more than one way to think about a site and at any level in the name hierarchy there are only a limited number of names available to use.
eliminating country codes and the ,org/.com/.net top level domains would only promote the second level domain names to be the top level names.
I think we're headed in that direction anyway, eventually, but it's really not clear how to manage the result sanely, and taking smallish steps towards it will help find many of the problems.
ICANN adds new gTLDs Posted Jun 21, 2012 17:23 UTC (Thu) by drag (subscriber, #31333) [Link]
> eliminating country codes and the ,org/.com/.net top level domains would only promote the second level domain names to be the top level names.
Yes it would just mean that all organizations have their own top level domain.
This is a good thing, not a bad thing.
Domain names are hierarchical namespace designed specifically for human recognition and therefore they should reflect how humans run hierarchical organizations.
So instead of
zork.game, zork.games, zork.com ...
you have:
game.zork, games.zork, com.zork. All of which is owned and controlled by a single Zork Corp.
So the difference is instead of forcing Zork to purchase multiple domain names from multiple groups.. name spaces that try to force some organizational methodology dreamed up years ago that doesn't apply to Zork Corp in any meaningful way.. they are in full control of their own name space and can divide up how they see fit. They can easily have new.australia.zork or africa.zork or corp.zork to divide up domains into subdomains for various purposes, internal and external.
Also it prevents confusion and deceptions from people purchasing zork.net or zork.me and such things to deceive users. Or squat on and essentially hold parts of Zork's name space hostage.
This allows a very simple human readable way to drill down a organization:
specific <----- less specific <--- organization tag
Instead of forcing people to guess if zork.eu and zork.net are owned by the same people....
=============================
Even better though would simply to have _only_ TLD and get rid of hostname.tld completely and just go with:
zork/corp/sausage/linux/whatever/file.txt
or
I would like that MUCH better then any other scheme. Just have all hierarchies global in nature. Although this, I suspect, would be far too much.
ICANN adds new gTLDs Posted Jun 21, 2012 17:38 UTC (Thu) by raven667 (subscriber, #5198) [Link]
Maybe we'll get rid of DNS and all switch to X.500/LDAP/AD naming...
ICANN adds new gTLDs Posted Jun 22, 2012 11:55 UTC (Fri) by jengelh (subscriber, #33263) [Link]
Somehow, dc=www,dc=zork,dc=com does not strike me as any win over www.zork.com :)
Or we could just abolish DNS, since many already do a Google search these days just to find the right TLD to add to a company's name to get to the right site in a particular pool of same-named sites/companies. Take http://arpa.net as an example...
ICANN adds new gTLDs Posted Jun 21, 2012 17:59 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]
> game.zork, games.zork, com.zork. All of which is owned and controlled by a single Zork Corp.
except that there can legitimately be more than one Zork Corp (let alone Zork Enterprises, Zork Inc, etc) so this does not eliminate confusion
ICANN adds new gTLDs Posted Jun 21, 2012 19:04 UTC (Thu) by josh (subscriber, #17465) [Link]
And only one of those can own zork.com today, so the issue still applies. The same first-come-first-served rule applies, but without the added confusing of having zork.{com,net,org,biz,bz,co,co.uk,...} all mean different things.
So, one will get zork, one will get zork-enterprises, one will get zorkinc, and so on.
ICANN adds new gTLDs Posted Jun 21, 2012 19:24 UTC (Thu) by nix (subscriber, #2304) [Link] This is an occasion for song, I'd say.
ICANN adds new gTLDs Posted Jun 23, 2012 23:52 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]
but you can have zork.com.uk etc.
it's very easy to end up with conflicting names, and any global naming scheme that you create will have problems dealing with the conflicts. There's nothing inherently wrong with any option, it's just a question of how people end up using it.
ICANN adds new gTLDs Posted Jun 21, 2012 19:45 UTC (Thu) by nybble41 (subscriber, #55106) [Link]
Strictly speaking, to avoid confusion the DNS namespace should probably be divided up according to trademark domains, i.e. zork.games.pto.us, or by corporate registration, i.e. zonk.corp.md.us. Then it would be up to the PTO and/or the state to ensure unique and non-confusing names within their respective domains. The UN or WTO or similar international organization could manage a TLD for the truly international domains. Finally, we would need a place for personal domains, perhaps under each ccTLD based on citizenship.
Besides the ccTLDs and a small number of international domains (.intl or .un, .wto, etc.) there would be no other TLDs.
Time to consider change of ICANN governance Posted Jun 21, 2012 9:50 UTC (Thu) by copsewood (subscriber, #199) [Link]
I don't think anyone seriously wanted to fix something that wasn't broken until it was. I think now that by polluting the global namespace making brand and phishing protection near impossible, ICANN have made decisions which break things. The ITU would never have allowed the equivalent to occur in connection with international telephony dialling codes which they oversee.
Politically the current arrangement was never going to hold indefinitely anyway, because the idea that non US national governments must treat a company under California law as having diplomatic peer status was never going to be considered acceptable international relations. Once enough of those politically sensitive to the state of Internet governance become technically aware of the alternate root option and its potential for fragmentation, we may as well expect the proposal for ICANN to come under ITU governance to be put onto the diplomatic negotiation table. Once the US wants anything else badly enough at the UN which other countries are persuadable over, but upon which we haven't yet made up our minds, we may well see the status of ICANN changing.
As to fragmentation of the root, I think we're likely to see that anyway, because the more technically cautious resolver administrators will be wary of resolving names within allegedly criminally-managed TLDs and the more TLDs exist, the greater the probability that one or more of these will be criminally managed. Email admins already fragment the Net to a certain extent, by greylisting emails from parts of the net based upon assumptions and measurements concerning the probability of abuse coming from various quarters.
Time to consider change of ICANN governance Posted Jun 21, 2012 11:48 UTC (Thu) by epa (subscriber, #39769) [Link]
Yes, I can see that before too long, over-cautious administrators will block DNS lookups of names that aren't in the long-established TLDs like .com, .net and .(ISO country code). That will lead to the establishment of a mirror domain such that X.mirrordns.com resolves to the same as X.
Time to consider change of ICANN governance Posted Jun 21, 2012 12:06 UTC (Thu) by gioele (subscriber, #61675) [Link]
> Yes, I can see that before too long, over-cautious administrators will block DNS lookups of names that aren't in the long-established TLDs like .com, .net and .(ISO country code). That will lead to the establishment of a mirror domain such that X.mirrordns.com resolves to the same as X.
My fear is that these administrators will block the lookup of every non-traditional TLDs *except* .google, .apple, .facebook and .docs. Good luck requesting an exception to another TLD that does not belong to a big brand.
Time to consider change of ICANN governance Posted Jun 22, 2012 16:05 UTC (Fri) by sorpigal (subscriber, #36106) [Link] If fragmentation is going to happen anyway (seems inevitable, now) we might as well stop pretending that ICANN has some kind of actual monopoly on gTLDs. They only have any kind of authority within the confines of the traditional root servers and anyone is free to use a competing set of roots or even a completely different name resolution system.
While the sun still shines Posted Jun 21, 2012 17:15 UTC (Thu) by pboddie (subscriber, #50784) [Link]
ICANN's behaviour is completely explicable: while the organisation still has its authority over the Internet's top-level namespace, it can effectively print money by creating one gold-rush after another as brand after brand and company after company have to buy up domains bearing their names before someone else does.
When stewardship of such matters passes to some other organisation, hopefully one with a more responsible attitude, maybe ICANN can still make a few bucks selling tulip bulbs or titles to plots of land on the Moon.
While the sun still shines Posted Jun 28, 2012 11:13 UTC (Thu) by gvy (guest, #11981) [Link]
Yup, ICANN is rather UCANNT these days. What's the reason for .secure if anyone with a few bucks can get a .pro for example (which wasn't -- and isn't -- the stated intent and policy)? I cann't believe they'll be able to provide any more integrity after having already failed.
ICANN adds new gTLDs Posted Jun 29, 2012 16:57 UTC (Fri) by philomath (guest, #84172) [Link]
One of the "grounds for objection" is "String Confusion", so .games and .game can't both be accepted, right?
ICANN adds new gTLDs Posted Jun 29, 2012 18:23 UTC (Fri) by dark (subscriber, #8483) [Link] That depends on whether someone with 'standing' actually files an objection. The applicants for .game and .games actually have a motive to agree NOT to object; they might be happier to see both domains go in than to risk having their application denied.
|
|||||||||||||