Domain Name Security Paper Released

Marina Del Rey, Calif: For many years, the Internet community has been developing and enhancing a Domain Name System (DNS) security technology called DNSSEC.

ICANN's strategic and operating [PDF, 480K] plans call for ICANN to be operationally ready to deploy DNSSEC at the root level and work with relevant stakeholders to determine how this should be implemented. With input from many stakeholders, ICANN has prepared a document describing this path to operational readiness for signing the root.

The purpose of this paper [PDF, 342K] released today is to:

a) articulate ICANN's initiatives toward operational readiness for DNSSEC signing; and

b) help determine the right structures so ICANN is "…prepared to digitally sign the root using DNSSEC technology by late 2008", as directed in the July 2008 – June 2011 ICANN Strategic Plan after consultation with stakeholders and having sought the necessary approvals.

Specifically, this document is not a roadmap for DNSSEC deployment.

Ultimately, this roadmap will be developed by a community consultation process, and require relevant approvals through ICANN's IANA functions contract with the U.S. Department of Commerce. A public forum has been established at http://forum.icann.org/lists/dnssec-consultation/ and ICANN actively seeks your input on this important matter. Email comments to dnssec-consultation@icann.org

In addition, a prominent security researcher recently reported two domain name system (DNS) vulnerabilities privately to many DNS name server developers.

DNSSEC would be a solution to these vulnerabilities.

The details of the vulnerabilities have not yet been disclosed publicly, so that developers can produce patches to reduce the threat these vulnerabilities pose. Private disclosures of this kind also give DNS operators an opportunity to patch systems before the vulnerabilities can be exploited for malicious or criminal purposes. ICANN understands there will be a public announcement of these vulnerabilities by the researcher in coming weeks.

This vulnerability does not affect root-level servers or services that provide authoritative name service at the top level. But it does represent a threat for domain name servers that operate between end users and the root: servers operated by Internet Service Providers or large enterprises. Commercial service providers in general are aware of this issue, and are working with vendors to update their software to the latest versions.

ICANN's Security Stability Advisory Committee will be examining this issue and may report more fully later. ICANN urges any entity operating name services to update to the current versions to provide the greatest protection.

About ICANN:

ICANN is responsible for the global coordination of the Internet's system of unique identifiers like domain names (like .org, .museum and country codes like .uk) and the addresses used in a variety of Internet protocols that help computers reach each other over the Internet. Careful management of these resources is vital to the Internet's operation, so ICANN's global stakeholders meet regularly to develop policies that ensure the Internet's ongoing security and stability. ICANN is an internationally organized, public benefit non-profit company. For more information please visit: www.icann.org.

Media Contacts:

Jason Keenan
Media Adviser, ICANN
Ph: +1 310 382 4004
E: jason.keenan@icann.org

International:

Andrew Robertson
Edelman (London)
Ph: +44 7921 588 770
E: andrew.robertson@edelman.com

