SSAC Advisory on Internal Name Certificates

Why the Board is addressing the issue now? The internal certificate issue identified by SSAC in SAC 057 is a symptom that enterprises have local environments that include strong assumptions about the static number of top-level domains and/or have introduced local top-level domains that may conflict with names yet to be allocated. Regardless of whether these assumptions are valid or not, to be proactive in its stewardship role, ICANN wishes to determine what security and stability implications these potential conflicts have, especially since applications for new gTLDs are in the process of being evaluated by ICANN for delegation into the root. This study also sets a precedent for potential future TLD rounds, where similar studies might need to be conducted as a matter of due diligence. What are the proposals being considered? The Board requests the ICANN President and CEO to commission a study on the use of TLDs not currently delegated at the root level of the public DNS in enterprises. The study would also consider the potential security impacts of applied-for new-gTLD strings in relation to this usage. In fulfilling the study, the Board is also considering requesting RSSAC to assist root operators in providing some statistics and observations. Finally the Board is considering requesting the SSAC to consider whether it has additional advice for the Board based on its analysis of the study. What Stakeholders or others were consulted? The SSAC presented the “SAC 057: SSAC Advisory on Internal Name Certificates” to the ICANN community in Beijing. As a result, the SSAC received feedback from the community on this issue and their input informed the SSAC’s request. What concerns or issues were raised by the community? Some community members have raised concerns about the use of TLDs that are not currently delegated at the root level of the public DNS and its impact to enterprises when ICANN delegates these TLDs into the public DNS. Some have asked for an evaluation of such risks so that the ICANN community can make informed decisions. Some have said that their studies show no significant risk to the security and stability of the DNS and have exhorted ICANN to continue on the course of evaluation and eventual delegation of all successful gTLD applications, regardless of conflict due to internal name certificates. What significant materials did Board review? The SSAC Report on Internal Name Certificates , The SSAC Report on invalid Top Level Domain Queries at the Root Level of the Domain Name System (15 November 2010 with corrections) , Report of the Security and Stability Advisory Committee on Root Scaling (6 December 2010) What factors the Board found to be significant? In taking its action, the Board considered the recommendations of the SSAC in SAC 045, 046 and 057. Are there Positive or Negative Community Impacts? The Board’s action to direct staff, through the President and CEO, to commission a detailed study on the risks related to the use of TLDs that are not currently delegated at the root level of the public DNS in enterprises will provide a positive impact on the community as it will enhance the understanding of this issue by providing additional information on security impacts of applied-for new-gTLD strings in relation to this usage. This will permit the community and the Board to understand in more detail the potential security and stability concerns if TLDs that are in conflict are delegated, and the impact on the overall functionality of the Internet. Are there fiscal impacts/ramifications on ICANN (Strategic Plan, Operating Plan, Budget); the community; and/or the public? This action is not expected to have an impact on ICANN's resources, and directing this work to be done may result in changes to the implementation plans for new gTLDs. While the study itself will not have a fiscal impact on ICANN, the community or the public, it is possible that study might uncover risks that result in the requirement to place special safeguards for gTLDs that have conflicts. It is also possible that some new gTLDs may not be eligible for delegation. Are there any Security, Stability or Resiliency issues relating to the DNS? SAC057 has identified several security risks to the DNS. This study intends to provide a more quantitative view of the problem, and to provide information that would inform future decisions. This is an Organizational Administrative Function for which public comment is not required. However, any recommendations arising out of the work directed through this resolution are likely to require community input prior to Board consideration.