MAY 2013 – SSAC Liaison Report
(as at 27May13)
1. SSAC MEETINGS. There have been no SSAC Meetings since the last report.
2. SSAC WORK PARTIES. I am currently participating in two SSAC Work Parties:
- Identifier Abuse Metrics Work Party – attended meeting on 1May13, chaired three teleconferences with survey participants on 23May13 and 24May13.
- DNS Abuse Work Party – has not met since the ICANN Meeting in Beijing.
3. BOARD CONSIDERATION OF SAC057 - SSAC ADVISORY ON INTERNAL NAME CERTIFICATES. SAC057 was publicly released on 15Mar13 and considered by the ICANN Board in its meeting of 18May13. Minutes of the Board Meeting are included in full below. In summary, the Board has:
- Commissioned a study on the use of TLDs that are not currently delegated at the root level of the public DNS in enterprises.
- Requested RSSAC to assist ICANN in the collection of data and observations related to root server operations relevant to the study.
- Reached out to the Certificate Authority/Browser forum to collect statistics on the distribution of internal name certificates by top-level domain.
- Requested SSAC to consider offering additional advice based on its assessment of the issues identified in the ICANN study.
4. DSSA WORKING GROUP. In hibernation until the ICANN Meeting in Durban, awaiting outcomes of the next stage of work by the contractors engaged by ICANN to develop a DNS Risk Management Framework, Westlake Governance.
SAC057 – SSAC ADVISORY ON INTERNAL NAME CERTIFICATES
Whereas, the delegation of TLDs in a way that promotes security and a good user experience is a longstanding topic of importance to ICANN's Board and the global Internet community.
Whereas, on 15 March 2013, the ICANN Security and Stability Advisory Committee (SSAC) published SAC 057: SSAC Advisory on Internal Name Certificates.
Whereas, enterprises have local environments that may include strong assumptions about which top-level domains exist at the root level of the public DNS, and/or have introduced local top-level domains that may conflict with names yet to be delegated at the root level of the public DNS.
Whereas, in its stewardship role, ICANN wishes to determine what these potential clashes are.
Resolved (2013.05.18.08), the Board directs the President and CEO, in consultation with the SSAC, to commission a study on the use of TLDs that are not currently delegated at the root level of the public DNS in enterprises. The study should consider the potential security impacts of applied-for new-gTLD strings in relation to this usage.
Resolved (2013.05.18.09), the Board requests RSSAC to assist ICANN in the collection of data and observations related to root server operations that are relevant for the study, and to work with root server operators to enable sharing of such data and observations as appropriate, in the most expedient way possible.
Resolved (2013.05.18.10), The Board directs the President and CEO to reach out to the Certificate Authority/Browser forum to collect statistics on the distribution of internal name certificates by top-level domain, in the most expedient way possible.
Resolved (2013.05.18.11), the Board requests the SSAC to consider offering additional advice based on its assessment of the issues identified in the ICANN study, in the most expedient way possible.
Rationale for Resolutions 2013.05.18.08 – 2013.05.18.11
Why the Board is addressing the issue now?
The internal certificate issue identified by SSAC in SAC 057 is a symptom that enterprises have local environments that include strong assumptions about the static number of top-level domains and/or have introduced local top-level domains that may conflict with names yet to be allocated. Regardless of whether these assumptions are valid or not, to be proactive in its stewardship role, ICANN wishes to determine what security and stability implications these potential conflicts have, especially since applications for new gTLDs are in the process of being evaluated by ICANN for delegation into the root. This study also sets a precedent for potential future TLD rounds, where similar studies might need to be conducted as a matter of due diligence.
What are the proposals being considered?
The Board requests the ICANN President and CEO to commission a study on the use of TLDs not currently delegated at the root level of the public DNS in enterprises. The study would also consider the potential security impacts of applied-for new-gTLD strings in relation to this usage. In fulfilling the study, the Board is also considering requesting RSSAC to assist root operators in providing some statistics and observations. Finally the Board is considering requesting the SSAC to consider whether it has additional advice for the Board based on its analysis of the study.
What Stakeholders or others were consulted?
The SSAC presented the "SAC 057: SSAC Advisory on Internal Name Certificates" to the ICANN community in Beijing. As a result, the SSAC received feedback from the community on this issue and their input informed the SSAC's request.
What concerns or issues were raised by the community?
Some community members have raised concerns about the use of TLDs that are not currently delegated at the root level of the public DNS and its impact to enterprises when ICANN delegates these TLDs into the public DNS. Some have asked for an evaluation of such risks so that the ICANN community can make informed decisions. Some have said that their studies show no significant risk to the security and stability of the DNS and have exhorted ICANN to continue on the course of evaluation and eventual delegation of all successful gTLD applications, regardless of conflict due to internal name certificates.
What significant materials did Board review?
The SSAC Report on Internal Name Certificates1 [PDF, 1.14 MB], The SSAC Report on invalid Top Level Domain Queries at the Root Level of the Domain Name System (15 November 2010 with corrections)2 [PDF, 507 KB], Report of the Security and Stability Advisory Committee on Root Scaling (6 December 2010)3 [PDF, 175 KB]
What factors the Board found to be significant?
In taking its action, the Board considered the recommendations of the SSAC in SAC 045, 046 and 057.
Are there Positive or Negative Community Impacts?
The Board's action to direct staff, through the President and CEO, to commission a detailed study on the risks related to the use of TLDs that are not currently delegated at the root level of the public DNS in enterprises will provide a positive impact on the community as it will enhance the understanding of this issue by providing additional information on security impacts of applied-for new-gTLD strings in relation to this usage. This will permit the community and the Board to understand in more detail the potential security and stability concerns if TLDs that are in conflict are delegated, and the impact on the overall functionality of the Internet.
Are there fiscal impacts/ramifications on ICANN (Strategic Plan, Operating Plan, Budget); the community; and/or the public?
This action is not expected to have an impact on ICANN's resources, and directing this work to be done may result in changes to the implementation plans for new gTLDs. While the study itself will not have a fiscal impact on ICANN, the community or the public, it is possible that study might uncover risks that result in the requirement to place special safeguards for gTLDs that have conflicts. It is also possible that some new gTLDs may not be eligible for delegation.
Are there any Security, Stability or Resiliency issues relating to the DNS?
SAC057 has identified several security risks to the DNS. This study intends to provide a more quantitative view of the problem, and to provide information that would inform future decisions.