More like this


ICANN's technical competence queried by Verisign report

Upcoming dossier highlights dozens of problems with domain name overseer

EXCLUSIVE A review of the globe's DNS security, stability and resiliency by dot-com registry and root server operator Verisign has called into question the technical competence of domain name overseer ICANN.

The 33-page document, seen by The Register and due to be published soon, comes just days after the news emerged that ICANN's staff IT accounts were hacked in late November with attackers gaining access to the internet's zone files and user accounts as well as the organization's blog, and the governmental advisory committee's wiki site.

The report highlights the database that was hacked – the Central Zone Data System (CZDS) – alongside a raft of other systems that ICANN runs, as a "growing list of examples where ICANN's operational track record leaves much to be desired."

That list includes the system used to run applications for new internet extensions (which failed spectacularly and was taken offline for six weeks a while ago), the Trademark Clearinghouse and the Registrar Contact Information Database (RADAR).

But it is on the internet's technical functions that the report – the third in a series, this one titled "Operational Foreshocks" – pays most attention. On those it paints a picture of an under-resourced, poorly communicating and freewheeling organization that fails to address known problems and lacks the capacity to look forward to upcoming ones.

Questions over the organization's technical abilities may give pause for thought since ICANN is pushing to be given greater control over the internet's critical IANA functions next year. IANA does a lot of behind-the-scenes work to keep the internet as we know it glued together, such as by running the world's DNS and allocating IP addresses.

Name collisions

The report goes into some depth on the issue of "name collisions" following the introduction of generic top-level domains, such as .book and .ninja. Verisign, and others to a degree, have been banging on about it so much that ICANN introduced a system to tackle a potentially huge number of conflicts caused by new dot-word domain names.

The concern is that a lot of companies, orgs and home sysadmins will have machines on their networks named msexchange.mail, and so on, assuming those top-level domain names will never resolve to anything on the public internet.

Thanks to the introduction of gTLDs, things like .network that have been used for years to name things on LANs will start to exist on the public DNS and cause unexpected results, potentially spilling confidential information, if you're not careful with your DNS resolver settings, of course.

As a result of the system ICANN eventually introduced, nearly ten million new domains were put on hold and two gTLDs – .corp and .home – were "deferred indefinitely."

Verisign feels that the approach taken was insufficiently thorough, however, arguing that a "lack of systematic measurement… falls short of a proper way to evaluate the success of failure of the mitigation framework."

It notes that historical DNS data was used to make determinations over potential conflicts rather than the real-time system it had advocated, and accuses ICANN of making only "minor provisions" to deal with potential security problems as well as "superficial assumptions" over likely impacts.

It also criticizes ICANN for allowing new gTLDs to be added to the internet before proper studies on the potential impacts were carried out. And it notes there is no obligation for operators to report or analyze the data they receive on collisions.

In response, ICANN's CTO David Conrad told The Register his organization had struck a balance between fostering innovation and competition and maintaining the stability and security of the network.

"The ICANN community itself disagreed over how to deal with name collisions," he told us. "And the approach we agreed upon was a reasonable compromise. There is always a risk any time you change things, but no one is arguing that we shouldn't be making those changes."

Sponsored: IBM FlashSystem V9000 product guide

Next page: Root servers