ICANN delays 20 percent of gTLDs
A fifth of new generic top-level domain (gTLD) applications have been delayed by a minimum of three months after security concerns about “name collisions”.
Interisle Consulting Group, an IT security company, produced a 197-page report detailing the substantial potential for domain names within private Internet networks to clash with publicly available gTLDs.
Private networks use naming conventions that look and operate like the public domain name system, in which new gTLDs will be delegated. Although the names are properly set within their networks, they are sometimes queried externally – by global Internet users.
A clash of private and public strings sharing the same name would cause security problems, the report said, such as traffic being directed to the wrong place.
The study, commissioned by ICANN and published on August 5, identifies three areas of risk: high, uncalculated and low. Most applications (80 percent) are low risk, a further 20 percent are uncalculated risk – which means their risk is yet to be identified – and two applications, .home and .corp, have been deemed high risk. The level of concern corresponds to how regularly the names are already queried.
To mitigate these problems, ICANN is proposing different measures for each category. The .home and .corp gTLDs will not be delegated until applicants can show the level of risk should be downgraded, an ICANN report in response to the study found.
For the uncalculated risk applications, of which .hsbc is one, ICANN will conduct a review, expected to take between three and six months, to assess what measures are required to ensure the strings are safe.
“While this study is being conducted, ICANN would not allow delegation of the strings in this category... At the same time, an applicant for these strings can work towards resolving the issues that prevented their proposed string from being categorised as low risk,” the report said.
ICANN will delegate the low risk applications but only after implementing measures to mitigate the collision risk. Registries will not be able to activate any names (although they can accept registrations) until at least 120 days after signing a registry agreement. Then, once a TLD is delegated onto the public Internet, no names can be activated for at least 30 days.
Stéphane Van Gelder, former head of ICANN’s decision-making body for gTLDs, the GNSO council, said the study has proved controversial with some portfolio applicants who have strongly denied that there is a problem with name collisions.
“They say name collisions happen all the time, no one makes a fuss, no one suggests domain names should be taken down, so why are we now making a fuss now?” he said.
“It does raise the question: is there an ulterior motive or are we protecting the stability of the Internet? The answer is I don’t know.
“But I would err on the side of caution – that ICANN is being careful about Internet security.”
Van Gelder said, however, that ICANN’s management in the late stages of the process “reeks of amateurism”.
One source speaking off-the-record said he felt sorry for the applicants in the unclassified risk group who have “been left in limbo”, and urged ICANN to “harness resources to get people off this list”.
“There is a huge goodwill to fix the problem,” he said. “There will be frustration, but this can be reduced by effective engagement.”
