Important note: The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor do any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through a further act of the ICANN Board.
2009-06-26 - Redirection and Synthesized DNS Responses
Board prohibited redirection and synthesizing of DNS responses by TLDs, directed staff to implement order, requested the ccNSO to report on this matter, and asked the GAC to consider it.
- Execute prohibition
  - Responsible entity: Several ICANN staff departments
  - Due date: None specified
  - Completion date: Ongoing (Included in Final Implementation Plan for IDN ccTLD Fast Track in October 2009; implemented for gTLD registries, 4 October 2009)
- Communicate and disseminate concerns
  - Responsible entity: Several ICANN staff departments
  - Due date: None specified
  - Completion date: Ongoing
- Provide report on mechanisms that could be employed to ensure effective prohibition
  - Responsible entity: ccNSO
  - Due date: None specified
  - Completion date: TBD
- Consider measures to alleviate harm caused by redirection and synthesis
  - Responsible entity: GAC
  - Due date: None specified
  - Completion date: TBD
Whereas, on 10 June 2009, the Security and Stability Advisory Committee (SSAC) has forwarded an advisory which determines that the redirection and synthesizing of DNS responses by TLDs poses a clear and significant danger to the security and stability of the domain name system.
Whereas, the topic of redirection and synthesizing of DNS responses by TLDs and TLD operators has been studied by members of the community with knowledge and expertise in this area. See:
- SAC032 "Preliminary Report on DNS Response Modification" (20 June 2008) <http://www.icann.org/committees/security/sac032.pdf>;
- RSTEP "Search.Travel RSTEP Report" (2 November 2006) <http://www.icann.org/registries/rsep/tralliance_report.pdf>;
- SAC015 "Why Top Level Domains Should Not Use Wildcard Resource Records" (10 November 2006) <http://www.icann.org/committees/security/sac015.htm>;
- SAC006 "Redirection in the COM and NET domains" (9 July 2004) <http://www.icann.org/committees/security/ssac-report-09jul04.pdf>.
Whereas, the Board recognizes that resolution of these issues would be beneficial to the security and stability of the Domain Name System.
Resolved (2009.06.26.19), that new TLDs, including ASCII and IDN gTLDs and IDN ccTLDs, should not use DNS redirection and synthesized DNS responses. Staff is directed to revise the relevant portions of the draft Applicant Guidebook to prohibit such redirection and synthesis at the top-level for new gTLDs, and to take all available steps with existing gTLDs to prohibit such use.
Resolved (2009.06.26.20), the Board further directs staff to communicate and disseminate in July 2009 the concerns regarding harm caused by the redirection and synthesizing of DNS responses with appropriate parties, including the ccNSO, ccTLD operators and the GAC, who might be able to ensure measures are taken to assure the integrity of error responses as well as name resolution for ccTLDs.
Resolved (2009.06.26.21), the Board requests that the ccNSO provide a report on mechanisms that could be employed to ensure that redirection and synthesis at the top level is effectively prohibited.
Resolved (2009.06.26.22), the Board invites the GAC to consider what measures could be taken to alleviate harm that can be caused by redirection and synthesis of DNS responses at the top level.
- No additional funding provided.
- A prohibition on wildcards has been added to the 4 November 2009 Registry Agreement, Proposed Draft (v.3) (Specification 6 of version 3 of the Registry Agreement).
- A prohibition was also added to the Final Implementation Plan for the IDN ccTLD Fast Track Process, approved 30 October 2009.