ICANN 80 Meeting:

Joint meeting between the ALAC and SSAC:

Safer Cyber Campaign, discussed SAC074:

  • SSAC Advisory on Registrant Protection: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle.

Future Work Planning Session:

SSAC members work on and discuss the charter for:

  • DNS filtering work party.
  • DNSSEC assessment, etc.

SSAC June Monthly Meeting:

Regular SSAC Monthly meeting.

Panel Sessions:

NCAP:

  • This will be an educational outreach session where the SSAC will present its insights and recommendations on the recent NCAP Study 2.

DNS Abuse:

  • Invited folks who have meaningful things to share about use of AI and ML in detecting DNS abuse.
    • SSAC leads a panel discussion with key ICANN stakeholders to:
      • Identify current DNS Abuse research and potential collaboration points.
      • Uncover areas needing further focus to strengthen the ICANN community's response.
      • Understand how the SSAC can support ongoing and future research efforts.

Work Session: DNSSEC DS Automation:

Work session for the DNSSEC DS Automation work party.

SSAC Open Mic for the Community:

Open mic session for anyone in the ICANN community to ask the SSAC questions.

SSAC Wrap Up Session:

Feedback from SSAC members and improvements.

Lightning Talks:

  • New RSSAC Caucus Work Party on Guidelines for Changing Root Server Addresses.
  • E-introduce the Internet Governance Forum Support Association (IGFSA).
  • Role of open-source software.
  • Value of domain names.
  • Postmortem of what happened in .RU at the end of January with DNSSEC keytags colliding?
  • Ways to DoS yourself with DNS.
  • A funny thing happened on the way to PRISONER.IANA.ORG.


Publications:

SSAC 125: Report on Registrar Nameserver Management

Some key aspects:

The report focuses on a specific type of sacrificial nameserver where the parent domains of the renamed host objects are considered unsafe because they are registrable. This introduces a new attack surface for domain resolution hijacking, as malicious actors can exploit these unsafe sacrificial nameservers to gain unauthorized control over dependent domains, leading to manipulation or disruption. As of September 2020, this practice had inadvertently exposed over 500,000 domains within generic top-level domains (gTLDs) to resolution hijacking risk, resulting in over 163,000 domains falling under unauthorized control.

The report explores potential solutions to remediate exposed domains and prevent the creation of new unsafe sacrificial nameservers. Remediating exposed domains involves registrants, registrars, and registries, but coordination efforts face challenges like awareness, technical capability, and liability concerns.

To prevent the risk, two primary categories of solutions are examined:

  1. granting registrars more flexibility to delete host objects of expired domains, eliminating the need for sacrificial nameservers altogether, or
  2. standardized renaming methods for sacrificial nameservers so their parent domains are not registrable.
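
An added example, not taken from SAC125 or from ICANN: a minimal audit that flags renamed host objects whose parent domain is registrable and lists the domains that still depend on them. The suffix set, registration set, sink domain and every hostname are constructed stand-ins for the Public Suffix List and a real registry lookup.

```python
# Added example: all names and data below are constructed, not from SAC125.
RESERVED_TLDS = {"invalid", "test", "example", "localhost"}  # RFC 2606 / RFC 6761
SUFFIXES = {"com", "net", "biz", "co.uk"}    # stand-in for the Public Suffix List
SINK_DOMAINS = {"registrar-sink.net"}        # assumed to be held by the registrar
REGISTERED = {"active-dns.net", "registrar-sink.net"}  # stand-in for a registry lookup

DELEGATIONS = {  # domain -> nameserver host objects it still references
    "alpha-constructed.com": ["ns1.expired-host.com.renamed-7f3a.biz",
                              "ns2.active-dns.net"],
    "beta-constructed.net": ["ns1.expired-host.com.renamed-7f3a.biz"],
    "gamma-constructed.com": ["ns1.old-host.com.registrar-sink.net"],
    "delta-constructed.com": ["ns1.old-host.com.sacrificial.invalid"],
}

def registrable_parent(host):
    """Return the registrable domain (public suffix plus one label), or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest matching suffix is found first
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None

def classify(host):
    """Label one nameserver hostname by who could control its parent domain."""
    tld = host.lower().rstrip(".").rsplit(".", 1)[-1]
    if tld in RESERVED_TLDS:
        return "safe: reserved TLD"       # nobody can register under it
    parent = registrable_parent(host)
    if parent is None:
        return "unknown suffix"
    if parent in SINK_DOMAINS:
        return "safe: registrar sink"
    if parent in REGISTERED:
        return "registered: verify owner"
    return "UNSAFE: parent registrable"

def audit(delegations):
    """Map each registrable parent domain to the domains exposed through it."""
    exposed = {}
    for domain, nameservers in delegations.items():
        for ns in nameservers:
            if classify(ns).startswith("UNSAFE"):
                exposed.setdefault(registrable_parent(ns), set()).add(domain)
    return {parent: sorted(domains) for parent, domains in exposed.items()}

if __name__ == "__main__":
    for parent, domains in audit(DELEGATIONS).items():
        print(f"{parent} is registrable; exposed: {', '.join(domains)}")
```

A nameserver in the "registered: verify owner" class still needs an ownership check, since the parent may already be held by a third party.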

Recognizing the need for balance between operational efficiency, security, and minimization of unintended consequences, the SSAC recommends a multifaceted approach:

  • Recommendation 1: The registry and registrar communities should collaborate to develop and implement a comprehensive code of conduct to mitigate the risks associated with registrable sacrificial nameservers.
  • Recommendation 2: ICANN org should design, develop, and regularly publish aggregated statistics on the prevalence of unsafe sacrificial nameservers and the effectiveness of mitigation measures.
  • Recommendation 3: ICANN org should directly engage with registries and registrars to assist in mitigation and prevention efforts based on the insights from Recommendation 2.


SSAC 124: Advice on Name Collision Analysis

Some key aspects:

The SSAC provides its advice on name collision analysis based on the NCAP Study Two report. The SSAC fully endorses the findings and recommendations presented in the report and recommends the ICANN Board adopt and implement these recommendations. The SSAC supports the centralized and coordinated approach proposed by Study Two.

This approach is essential for implementing effective measures to mitigate the two data-access-related risks associated with name collisions:

  • Delegation Risk: Privacy and risks to users and end systems from name collisions associated with the delegation of a TLD.
  • Assessment Risk: Privacy risks associated with the execution of data collection methods in the proposed Name Collision Risk Assessment Framework.

While acknowledging ICANN org's privacy concerns around the proposed data collection methods, the SSAC offers three considerations:

  • Privacy risks are inherent in managing name collision risk due to ICANN's role in coordinating gTLD allocation and assignment.
  • Avoiding data collection does not resolve delegation privacy risks, but rather transfers these risks to third parties, potentially amplifying harm.
  • Effective management of security, stability and resiliency risks requires a proactive approach to name collision identification and mitigation.

Based on these, the SSAC recommends prioritizing solutions that allow sufficient data collection and analysis to properly inform name collision mitigation strategies. Failing to mitigate delegation risks due to assessment risk concerns would threaten DNS security/stability and end-user privacy.

The SSAC's recommendations are:

  • Adopt and implement all recommendations in NCAP Study Two.
  • Prioritize finding appropriate solutions within the proposed framework that enable sufficient data collection and analysis for mitigation.
  • The SSAC welcomes engagement from ICANN org and offers its expertise.

The SSAC acknowledges more work is needed on privacy aspects and looks forward to collaborating with ICANN org and privacy experts.
