
Security Studies on the Use of Non-Delegated TLDs, and Dotless Names

ICANN's mission and core values call for preserving and enhancing the operational stability, reliability, security, and global interoperability of the Internet. In pursuing these goals and following the direction of its Board of Directors as well as the advice of the Security and Stability Advisory Committee, ICANN is announcing two studies regarding: 1) the use of non-delegated TLDs and 2) potential risks related to dotless domain names.

On 31 January 2013, the ICANN security team received SAC 057: SSAC Advisory on Internal Name Certificates. On 18 May, the ICANN Board directed staff to commission a study on the use in enterprises of TLDs that are not currently delegated at the root level of the public DNS.

Today, ICANN is announcing that a study has been commissioned on the potential security impacts of the applied-for new-gTLD strings in relation to namespace collisions with non-delegated TLDs that may be in use in private namespaces, including their use in X.509 digital certificates. As part of this study, the expert study team will develop a framework for assessing the risk level and will classify the risk level for the strings identified in the study. The report will also provide options for ICANN as to how to mitigate the various risks and will describe the pros and cons of the options.

On 23 February 2012, the SSAC published the SAC 053: SSAC Report on Dotless Domains. A domain name that consists of a single label is referred to as a "dotless domain name". Use of dotless names could provide potential innovations to the domain name industry and new gTLD applicants, but their use also raises usability, functionality, security and stability concerns as described in the SSAC report. On 23 June 2012, the ICANN Board directed staff to consult with the relevant communities regarding implementation of the recommendations in SAC 053 and to provide a briefing paper for the Board, detailing the issues and options available to mitigate such issues. During the period of August to September 2012, a public comment period was held regarding the SAC 053 report. The public comment period made clear that dotless domain names are a subject of active discussion in the ICANN community, that no clear conclusion could be drawn, and that a greater effort to identify and explore solutions to the concerns raised before implementing SAC 053 recommendations could be useful.

Today, ICANN is announcing that it has commissioned a study on the potential risks related to dotless domain names, based on the SAC 053 report. The study report will identify and describe the potential risks that dotless names raise, with a particular focus on those related to security and stability. The report will also provide options for ICANN as to how to mitigate the various risks and will describe the pros and cons of the options.

In both cases, ICANN intends to deliver the study teams' findings before the ICANN 47th meeting in Durban, South Africa.
