Export Compliance Daily is a service of Warren Communications News.
VeriSign’s Troubling ‘Inconsistencies’

NTIA Demands VeriSign Confirmation It Will Delegate New gTLDs, Despite Security Concerns

VeriSign is convinced “things will break” if new generic top-level domains are delegated, Chief Security Officer Danny McPherson told us. But its certainty has the NTIA worried that the company will fail to uphold its obligation to delegate new gTLDs when necessary. In a Friday letter to VeriSign, NTIA said it “fully expects VeriSign to process change requests when it receives an authorization to delegate a new gTLD” (http://bit.ly/16vfjEu). The letter, which ICANN published Saturday, asked VeriSign for written confirmation in the next two weeks that VeriSign will launch the new gTLDs when asked. VeriSign, which operates the A root server, is under contract with NTIA to process changes to the root NTIA asks it to process. NTIA receives requests for changes from ICANN through its Internet Assigned Numbers Authority.


NTIA was responding to a May 30 letter from VeriSign Senior Vice President Paul Kane, who told NTIA “we strongly believe certain issues have not been addressed and must be addressed before any root zone managers, including VeriSign, are ready to implement the new gTLD Program” (http://bit.ly/1b7fxmj). He said ICANN had yet to fully address remaining “critical issues,” which “left unremediated could jeopardize the security and stability of the DNS,” in the letter, which was also published Saturday. VeriSign brought up its security and stability concerns in a March letter to ICANN, which outlined potential security problems like internal name collisions. At its meeting in Durban last month, ICANN promised the release of a full independent study into the issue, which hasn’t been released (WID July 18 p5). Preliminary results of that study said nearly every applied-for new gTLD could have some potential for an internal name collision. ICANN Chief Security Officer Jeff Moss said at the time ICANN would delay rollout of the new gTLDs if it determined rollout would “affect the global DNS.” Both ICANN and NTIA declined to comment.

McPherson said ICANN’s independent study failed to address the acuteness of the impact of internal name clashes, based on the preliminary results he had seen in Durban. “What if some region is more broadly impacted or there are emergency communications systems on the Internet?” he asked. “If ICANN makes a change and it breaks some network in Uganda that’s a critical network and they rely on the Internet, don’t we have an obligation to forewarn them? Isn’t that the public interest aspect of all this?” VeriSign’s Kane raised similar concerns in his May letter to NTIA.

McPherson said VeriSign is fully capable of delegating the 100 gTLDs per week that ICANN anticipates asking it to delegate. “But just because you can swallow a hundred pills in a minute doesn’t mean it’s a good idea,” McPherson warned. He said VeriSign would perform the delegations, saying it never said it would not. But he said the company had an obligation “from a security and stability standpoint, to make sure NTIA is aware of the issues,” and noted that his company took on a lot of risk and liability in doing so, since it had an interest in making sure the Internet ecosystem remained stable.

“Inconsistencies in VeriSign’s position in recent months are troubling,” said NTIA Senior Telecommunications Policy Specialist Vernita Harris in the Friday letter. She said ICANN’s Root Server Stability Advisory Committee had already developed the parameters for the basis of an early warning system to detect and mitigate any effects that would “challenge the scaling and/or working of the Internet’s root server system as a result of new gTLDs.” The checks in the automated system and the ability to revert to previous root zone data for automation in an emergency “would be sufficient for the delegation of new gTLDs,” she added.

Some critics of VeriSign’s position say its complaints about security and stability have more to do with its stake in .com, the success of which could be threatened by an expansion of the TLD space. VeriSign runs the TLD, and was told by NTIA last year it could not raise prices on the string (WID Dec 4 p4). Donuts Inc. CEO Paul Stahura blasted VeriSign for cloaking its self-interest in “false fears about the future of the Internet,” since it wants to maximize the quantity of .com registrations, in a blog post last month (http://bit.ly/13B0tvI). “It is the step we always expected. But the rest of the ICANN community, staff and Board should have no illusions regarding what is fueling those so-called concerns.” McPherson responded to those concerns, saying the company would be the backend registry provider for more than 200 new gTLDs. VeriSign, like ICANN, is in a tough spot, he said, but “for anyone to think we don’t have an upside” to the delegation of new gTLDs is incorrect. A Donuts spokesman said there’s “no reason to be worried about any problem with the DNS when new TLDs are delegated.” As NTIA said in its letter, “root zone partners have taken significant steps to ensure the stability of the DNS root zone,” he said. “VeriSign’s recent actions seem to be clearly motivated by competitive concerns, which is unfortunate.” He said new gTLDs will be more stable than were existing TLDs, including .com, even several years ago -- “when VeriSign seemed unconcerned about the issues it now raises.”

NetChoice Executive Director Steve DelBianco said the security concerns are real, but “this is more about timing than tension. ... A lot has happened in the two months between VeriSign’s letter and NTIA’s response. And the ICANN community has yet to see the latest outside expert reports on name collisions.” He said both governments and the business community want real-time monitoring of new TLDs, as well as a rapid reversal option if the TLD is causing problems.