
ICANN 80 Meeting:

The ICANN 80 meeting included the following sessions and key takeaways of the sessions:

Joint meeting between the ALAC and SSAC:

During this session, the Safer Cyber Campaign (SAC074) was discussed. 

  • SSAC presented the SSAC Advisory on Registrant Protection: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle.
  • The At-Large community discussed advancing the campaign's implementation further.

Future Work Planning Session:

SSAC members discussed the charter for the DNS filtering work party and the DNSSEC assessment.

SSAC June Monthly Meeting:

The regular SSAC Monthly meeting was held.

Panel Sessions:

Name Collision Analysis Project (NCAP):

  • This educational outreach session featured SSAC presenting insights and recommendations from the recent NCAP Study 2.

DNS Abuse:

  • Invited individuals shared insights and experiences on using AI and ML to detect DNS abuse.
  • SSAC also led a panel discussion with key ICANN stakeholders to:
    • Identify current DNS Abuse research and potential collaboration points.
    • Uncover areas needing further focus to strengthen the ICANN community's response.
    • Understand how SSAC can support ongoing and future research efforts.

Work Session: DNSSEC DS Automation:

This work session featured the DNSSEC DS Automation work party presenting its progress and next steps.

SSAC Open Mic for the Community:

This open mic session invited members of the ICANN community to ask questions and engage with SSAC.

SSAC Wrap Up Session:

This closed session, exclusive to SSAC members, allowed them to share insights from ICANN80.

Lightning Talks:

This series of Lightning Talks featured presenters sharing insights on various topics:

  • The new RSSAC Caucus Work Party on guidelines for changing root server addresses.
  • An introduction to the Internet Governance Forum Support Association (IGFSA).
  • The role of open-source software.
  • The value of domain names.
  • A postmortem analysis of the DNSSEC keytag collision incident in .RU at the end of January.
  • Methods to unintentionally cause a DoS using DNS.
  • An amusing incident involving PRISONER.IANA.ORG.


Publications:

SSAC 125: Report on Registrar Nameserver Management

Some key aspects:

The report focuses on a specific type of sacrificial nameserver where the parent domains of the renamed host objects are considered unsafe because they are registrable. This introduces a new attack surface for domain resolution hijacking, as malicious actors can exploit these unsafe sacrificial nameservers to gain unauthorized control over dependent domains, leading to manipulation or disruption. As of September 2020, this practice had inadvertently exposed over 500,000 domains within generic top-level domains (gTLDs) to resolution hijacking risk, resulting in over 163,000 domains falling under unauthorized control.

The report explores potential solutions to remediate exposed domains and prevent the creation of new unsafe sacrificial nameservers. Remediating exposed domains involves registrants, registrars, and registries, but coordination efforts face challenges like awareness, technical capability, and liability concerns.

To prevent the risk, two primary categories of solutions are examined:

  1. Granting registrars more flexibility to delete host objects of expired domains, eliminating the need for sacrificial nameservers altogether, or
  2. Standardizing renaming methods for sacrificial nameservers so that their parent domains are not registrable.
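
The distinction between unsafe and safely renamed sacrificial nameservers, as an added example that is not taken from the SSAC report: a Python audit that flags nameserver hostnames whose parent domain is registrable and currently unregistered, and treats names under reserved TLDs as safe. The suffix list, the registration snapshot and every hostname are constructed assumptions; real use would draw on the Public Suffix List and registry or RDAP data.

```python
# Added example: audit delegations for exposed sacrificial nameservers.
# All names and data below are constructed for illustration.

# TLDs reserved by RFC 2606 / RFC 6761; nothing beneath them can be registered.
RESERVED_TLDS = {"invalid", "test", "example", "localhost"}
# Assumption: tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "biz", "co.uk"}


def registrable_domain(host):
    """Return public suffix plus one label (longest suffix wins), else None."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def classify_ns(host, registered):
    """Classify one nameserver hostname by the status of its parent domain."""
    if host.rstrip(".").lower().rsplit(".", 1)[-1] in RESERVED_TLDS:
        return "safe-reserved"          # parent can never be registered
    parent = registrable_domain(host)
    if parent is None:
        return "unknown"                # suffix not in our list
    if parent in registered:
        return "parent-registered"      # holder must be verified separately
    return "exposed"                    # anyone could register the parent


def audit(delegations, registered):
    """Map each domain to its exposed nameserver hostnames (if any)."""
    report = {}
    for domain, ns_hosts in delegations.items():
        exposed = [h for h in ns_hosts if classify_ns(h, registered) == "exposed"]
        if exposed:
            report[domain] = exposed
    return report


# Constructed sample: NS sets as they might appear in a portfolio export.
SAMPLE_DELEGATIONS = {
    "alpha.example": ["ns1.renamed-4f2a.biz", "ns2.dnshost.net"],
    "beta.example": ["ns1.deleted-host.invalid", "ns2.dnshost.net"],
}
SAMPLE_REGISTERED = {"dnshost.net"}  # constructed registration snapshot

if __name__ == "__main__":
    print(audit(SAMPLE_DELEGATIONS, SAMPLE_REGISTERED))
```

A "parent-registered" result is not a clean bill of health: it only means the parent domain has a holder, and whether that holder is the intended DNS operator has to be confirmed separately.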

Recognizing the need for balance between operational efficiency, security, and minimization of unintended consequences, the SSAC recommends a multifaceted approach:

  • Recommendation 1: The registry and registrar communities should collaborate to develop and implement a comprehensive code of conduct to mitigate the risks associated with registrable sacrificial nameservers.
  • Recommendation 2: ICANN org should design, develop, and regularly publish aggregated statistics on the prevalence of unsafe sacrificial nameservers and the effectiveness of mitigation measures.
  • Recommendation 3: ICANN org should directly engage with registries and registrars to assist in mitigation and prevention efforts based on the insights from Recommendation 2.


SSAC 124: Advice on Name Collision Analysis

Some key aspects:

The SSAC provides its advice on name collision analysis based on the NCAP Study Two report. The SSAC fully endorses the findings and recommendations presented in the report and recommends the ICANN Board adopt and implement these recommendations. The SSAC supports the centralized and coordinated approach proposed by Study Two.

This approach is essential for implementing effective measures to mitigate the two data-access-related risks associated with name collisions:

  • Delegation Risk: Privacy and risks to users and end systems from name collisions associated with the delegation of a TLD.
  • Assessment Risk: Privacy risks associated with the execution of data collection methods in the proposed Name Collision Risk Assessment Framework.

While acknowledging ICANN org's privacy concerns around the proposed data collection methods, the SSAC offers three considerations:

  • Privacy risks are inherent in managing name collision risk due to ICANN's role in coordinating gTLD allocation and assignment.
  • Avoiding data collection does not resolve delegation privacy risks, but rather transfers these risks to third parties, potentially amplifying harm.
  • Effective management of security, stability and resiliency risks requires a proactive approach to name collision identification and mitigation.

Based on these, the SSAC recommends prioritizing solutions that allow sufficient data collection and analysis to properly inform name collision mitigation strategies. Failing to mitigate delegation risks due to assessment risk concerns would threaten DNS security/stability and end-user privacy.

The SSAC's recommendations are:

  • Adopt and implement all recommendations in NCAP Study Two.
  • Prioritize finding appropriate solutions within the proposed framework that enable sufficient data collection and analysis for mitigation.
  • The SSAC welcomes engagement from ICANN org and offers its expertise.

The SSAC acknowledges more work is needed on privacy aspects and looks forward to collaborating with ICANN org and privacy experts.
