ICANN Resolutions » SSAC Advisory on Internal Name Certificates

Important note: The Board Resolutions are as reported in the Board Meeting Transcripts, Minutes & Resolutions portion of ICANN's website. Only the words contained in the Resolutions themselves represent the official acts of the Board. The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor does any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.

SSAC Advisory on Internal Name Certificates


Resolution of the ICANN Board
Topic: 
Name Collision Study
Summary: 

Board directs the commission of a study on the use of TLDs that are not currently delegated at the root level of the public DNS (subsequently named, the "Name Collision Study").

Category: 
Internet Protocols
Meeting Date: 
Sat, 18 May 2013
Resolution Number: 
2013.05.18.08 – 2013.05.18.11
Resolution Text: 
Whereas, the delegation of TLDs in a way that promotes security and a good user experience is a longstanding topic of importance to ICANN's Board and the global Internet community. Whereas, on 15 March 2013, the ICANN Security and Stability Advisory Committee (SSAC) published SAC 057: SSAC Advisory on Internal Name Certificates. Whereas, enterprises have local environments that may include strong assumptions about which top-level domains exist at the root level of the public DNS, and/or have introduced local top-level domains that may conflict with names yet to be delegated at the root level of the public DNS. Whereas, in its stewardship role, ICANN wishes to determine what these potential clashes are. Resolved (2013.05.18.08), the Board directs the President and CEO, in consultation with the SSAC, to commission a study on the use of TLDs that are not currently delegated at the root level of the public DNS in enterprises. The study should consider the potential security impacts of applied-for new-gTLD strings in relation to this usage. Resolved (2013.05.18.09), the Board requests RSSAC to assist ICANN in the collection of data and observations related to root server operations that are relevant for the study, and to work with root server operators to enable sharing of such data and observations as appropriate, in the most expedient way possible. Resolved (2013.05.18.10), The Board directs the President and CEO to reach out to the Certificate Authority/Browser forum to collect statistics on the distribution of internal name certificates by top-level domain, in the most expedient way possible. Resolved (2013.05.18.11), the Board requests the SSAC to consider offering additional advice based on its assessment of the issues identified in the ICANN study, in the most expedient way possible.
Rationale for Resolution: 
Why the Board is addressing the issue now? The internal certificate issue identified by SSAC in SAC 057 is a symptom that enterprises have local environments that include strong assumptions about the static number of top-level domains and/or have introduced local top-level domains that may conflict with names yet to be allocated. Regardless of whether these assumptions are valid or not, to be proactive in its stewardship role, ICANN wishes to determine what security and stability implications these potential conflicts have, especially since applications for new gTLDs are in the process of being evaluated by ICANN for delegation into the root. This study also sets a precedent for potential future TLD rounds, where similar studies might need to be conducted as a matter of due diligence. What are the proposals being considered? The Board requests the ICANN President and CEO to commission a study on the use of TLDs not currently delegated at the root level of the public DNS in enterprises. The study would also consider the potential security impacts of applied-for new-gTLD strings in relation to this usage. In fulfilling the study, the Board is also considering requesting RSSAC to assist root operators in providing some statistics and observations. Finally the Board is considering requesting the SSAC to consider whether it has additional advice for the Board based on its analysis of the study. What Stakeholders or others were consulted? The SSAC presented the “SAC 057: SSAC Advisory on Internal Name Certificates” to the ICANN community in Beijing. As a result, the SSAC received feedback from the community on this issue and their input informed the SSAC’s request. What concerns or issues were raised by the community? Some community members have raised concerns about the use of TLDs that are not currently delegated at the root level of the public DNS and its impact to enterprises when ICANN delegates these TLDs into the public DNS. Some have asked for an evaluation of such risks so that the ICANN community can make informed decisions. Some have said that their studies show no significant risk to the security and stability of the DNS and have exhorted ICANN to continue on the course of evaluation and eventual delegation of all successful gTLD applications, regardless of conflict due to internal name certificates. What significant materials did Board review? The SSAC Report on Internal Name Certificates , The SSAC Report on invalid Top Level Domain Queries at the Root Level of the Domain Name System (15 November 2010 with corrections) , Report of the Security and Stability Advisory Committee on Root Scaling (6 December 2010) What factors the Board found to be significant? In taking its action, the Board considered the recommendations of the SSAC in SAC 045, 046 and 057. Are there Positive or Negative Community Impacts? The Board’s action to direct staff, through the President and CEO, to commission a detailed study on the risks related to the use of TLDs that are not currently delegated at the root level of the public DNS in enterprises will provide a positive impact on the community as it will enhance the understanding of this issue by providing additional information on security impacts of applied-for new-gTLD strings in relation to this usage. This will permit the community and the Board to understand in more detail the potential security and stability concerns if TLDs that are in conflict are delegated, and the impact on the overall functionality of the Internet. Are there fiscal impacts/ramifications on ICANN (Strategic Plan, Operating Plan, Budget); the community; and/or the public? This action is not expected to have an impact on ICANN's resources, and directing this work to be done may result in changes to the implementation plans for new gTLDs. While the study itself will not have a fiscal impact on ICANN, the community or the public, it is possible that study might uncover risks that result in the requirement to place special safeguards for gTLDs that have conflicts. It is also possible that some new gTLDs may not be eligible for delegation. Are there any Security, Stability or Resiliency issues relating to the DNS? SAC057 has identified several security risks to the DNS. This study intends to provide a more quantitative view of the problem, and to provide information that would inform future decisions. This is an Organizational Administrative Function for which public comment is not required. However, any recommendations arising out of the work directed through this resolution are likely to require community input prior to Board consideration.