ICANN is pleased to announce the publication of the Dotless Domain Name Security and Stability Study Report [PDF, 1.02 MB] by IT Security firm, Carve Systems LLC (Carve Systems).
Dotless domain names are those that consist of a single label (e.g., http://example, or mail@example). Dotless names would require the inclusion of, for example, an A, AAAA, or MX, record in the apex of a TLD zone in the DNS (i.e., the record relates to the TLD-string itself).
On 23 February 2012, the ICANN Security and Stability Advisory Committee (SSAC) published SAC 053: SSAC Report on Dotless Domains [PDF, 182 KB]. In this report, the SSAC stated that dotless domains would not be universally reachable and recommended strongly against their use. As a result, the SSAC recommended that the use of DNS resource records such as A, AAAA, and MX in the apex of a Top-Level Domain (TLD) should be contractually prohibited where appropriate, and strongly discouraged in all cases.
On 23 June 2012, the ICANN Board adopted resolution 2012.06.23.09 tasking ICANN to consult with the relevant communities regarding implementation of the recommendations in SAC053.
On 24 August 2012, ICANN staff published the SAC053 Report for public comment requesting input to consider in relation to implementing the recommendations of the SSAC report. Public Comment period was closed on 5 November 2012.
On 27 November 2012 the staff posted a report of the public comments [PDF, 137 KB] that showed a substantial number of comments both in favor of adopting the SSAC recommendations as well in opposition to the recommendations.
In May of 2013 ICANN commissioned a study [PDF, 85 KB] on the stability and security implications of dotless domain name functionality to help ICANN prepare an Implementation plan for the SAC053 recommendations.
On 10 July 2013 the Internet Architecture Board (IAB) released a statement on dotless domain names, recommending against the use of dotless domain names for TLDs.
On 29 July 2013 Carve Systems delivered their report to ICANN. Consistent with the SSAC report, the Carve Systems report identifies security and stability issues that require mitigation before gTLDs can safely implement dotless domain names. The Carve Systems report identifies several risks, ten (10) of which are considered key risks that dotless domain names pose.
Consistent with SSAC’s SAC 053 recommendation, a contracted gTLD wishing to operate as dotless domain name must submit a proposal to be evaluated as part of the standard Registry Services Evaluation Process (RSEP).
Similarly, section 220.127.116.11 of the Applicant Guidebook (AGB) prohibits the use of dotless domain names prior to approval by ICANN, stating that the only permissible DNS Resource Records for the apex in a TLD zone are: Start of Authority (SOA), Name Server (NS), and related DNSSEC records. The same section also states: "An applicant wishing to place any other record types into its TLD zone should describe in detail its proposal in the registry services section of the application. This will be evaluated and could result in an extended evaluation to determine whether the service would create a risk of a meaningful adverse impact on security or stability of the DNS."
The ICANN Board New gTLD Program Committee (NGPC) will consider dotless domain names and an appropriate risk mitigation approach at its upcoming meeting in August.
ICANN wishes to thank the SSAC for their efforts in identifying and explaining the issues, and the community for their participation in the public comment process.