SSAC 125: Report on Registrar Nameserver Management

Some key aspects:

The report focuses on a specific type of sacrificial nameserver where the parent domains of the renamed host objects are considered unsafe because they are registrable. This introduces a new attack surface for domain resolution hijacking, as malicious actors can exploit these unsafe sacrificial nameservers to gain unauthorized control over dependent domains, leading to manipulation or disruption. As of September 2020, this practice had inadvertently exposed over 500,000 domains within generic top-level domains (gTLDs) to resolution hijacking risk, resulting in over 163,000 domains falling under unauthorized control.

The report explores potential solutions to remediate exposed domains and prevent the creation of new unsafe sacrificial nameservers. Remediating exposed domains involves registrants, registrars, and registries, but coordination efforts face challenges like awareness, technical capability, and liability concerns. To prevent the risk, two primary categories of solutions are examined:

  1. granting registrars more flexibility to delete host objects of expired domains, eliminating the need for sacrificial nameservers altogether, or
  2. standardizing renaming methods for sacrificial nameservers so that their parent domains are not registrable.

Recognizing the need for balance between operational efficiency, security, and minimization of unintended consequences, the SSAC recommends a multifaceted approach:

  • Recommendation 1: The registry and registrar communities should collaborate to develop and implement a comprehensive code of conduct to mitigate the risks associated with registrable sacrificial nameservers.
  • Recommendation 2: ICANN org should design, develop, and regularly publish aggregated statistics on the prevalence of unsafe sacrificial nameservers and the effectiveness of mitigation measures.
  • Recommendation 3: ICANN org should directly engage with registries and registrars to assist in mitigation and prevention efforts based on the insights from Recommendation 2.


SSAC 124: Advice on Name Collision Analysis

Some key aspects:

The SSAC provides its advice on name collision analysis based on the NCAP Study Two report. The SSAC fully endorses the findings and recommendations presented in the report and recommends the ICANN Board adopt and implement these recommendations. The SSAC supports the centralized and coordinated approach proposed by Study Two. This approach is essential for implementing effective measures to mitigate the two data-access-related risks associated with name collisions:

  • Delegation Risk: Privacy and risks to users and end systems from name collisions associated with the delegation of a TLD.
  • Assessment Risk: Privacy risks associated with the execution of data collection methods in the proposed Name Collision Risk Assessment Framework.

While acknowledging ICANN org's privacy concerns around the proposed data collection methods, the SSAC offers three considerations:

  • Privacy risks are inherent in managing name collision risk due to ICANN's role in coordinating gTLD allocation and assignment.
  • Avoiding data collection does not resolve delegation privacy risks, but rather transfers these risks to third parties, potentially amplifying harm.
  • Effective management of security, stability and resiliency risks requires a proactive approach to name collision identification and mitigation.

Based on these, the SSAC recommends prioritizing solutions that allow sufficient data collection and analysis to properly inform name collision mitigation strategies. Failing to mitigate delegation risks due to assessment risk concerns would threaten DNS security/stability and end-user privacy.

The SSAC's recommendations are:

  • Adopt and implement all recommendations in NCAP Study Two.
  • Prioritize finding appropriate solutions within the proposed framework that enable sufficient data collection and analysis for mitigation.
  • The SSAC welcomes engagement from ICANN org and offers its expertise.

The SSAC acknowledges more work is needed on privacy aspects and looks forward to collaborating with ICANN org and privacy experts.