Expedited Registry Security Request Process Posted

(Updated on 8 October to extend public comment period to 16 November)

Introduction

The Expedited Registry Security Request (ERSR) is the result of a collaborative effort between ICANN and gTLD registries to develop a process for quick action in cases where gTLD registries:

  • inform ICANN of a present or imminent security incident to their TLD and/or the DNS and
  • request a contractual waiver for actions they might take or have taken to mitigate or eliminate the incident.

A contractual waiver is an exemption from compliance with a specific provision of the Registry Agreement for the time period necessary to respond to the Incident.

The ERSR web-based submission procedure is now available and can be accessed at http://www.icann.org/en/registries/ersr/. This new process is to be employed by gTLD registries exclusively for incidents that require immediate action by the registry in order to avoid deleterious effects to DNS stability or security. This process is not intended to replace requests that should be made through the Registry Services Evaluation Process (RSEP).

For the sake of DNS stability, this process is going into effect immediately. ICANN welcomes comments on it in order to improve its effectiveness and to ensure sufficient safeguards are in place. Comments should be made to ersr@icann.org and can be seen at http://forum.icann.org/lists/ersr/. The comment period will close on 1 November 2009 (extended to 16 November 2009).

Background

In late 2008, Internet security researchers and operating system and antivirus software vendors discovered the Conficker worm. It was further understood that the worm could infect millions of computers by using tens of thousands of domain names that the Conficker infection would auto-generate over a period of several months. The operational response to contain Conficker was for registries to preemptively block or register the domains that had been identified as targets of the worm.

The response to Conficker, however, posed a unique contractual issue for ICANN and gTLD registries, as registries are restricted in their ability to register names to themselves other than through an ICANN-accredited registrar. Additionally, a waiver of ICANN fees was appropriate. Given the severity of the Conficker threat, ICANN provided verbal approval to registries to facilitate the registrations of targeted domains and agreed to waive all fees associated with these transactions.

As a result of Conficker, ICANN and the gTLD registries worked to develop a process that would enable registries to share information and take action in urgent security situations – actions that might not be covered by their Registry Agreements. ICANN then developed a draft ERSR and conducted consultations on the process with gTLD registries, the gTLD Registry Constituency and ICANN-accredited registrars that had been involved in the early stages of the community response to Conficker. The product of this community effort is the Expedited Registry Security Request.
