
Office of the CTO Activities Brief: January to June 2018

The first half of 2018 has been busy for the ICANN organization's Office of the Chief Technology Officer (OCTO) team. We have been involved in endeavors around the globe to increase engagement with our peers and partners and improve knowledge of the Internet's system of unique identifiers per ICANN's mission. Some of our efforts include:

  • Providing capabilities and support to key actors to maintain the security, stability, and resiliency of the Internet's system of unique identifiers.
  • Providing technical analyses to support ICANN's positions.
  • Collecting and analyzing data to prepare stakeholders for the upcoming root zone Key Signing Key (KSK) rollover.
  • Studying and measuring components of the Domain Name System (DNS).

In this brief, we'd like to highlight a few of our recent activities.

Root Zone Key Signing Key (KSK) Rollover

OCTO continues its work on the plan to update the root zone Key Signing Key (KSK) as part of the Internet Assigned Numbers Authority (IANA) Names function as operated by ICANN's affiliate, Public Technical Identifiers (PTI). Following the suspension of the rollover last year, and leveraging data generated by the processes described in Request for Comments (RFC) 8145, Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC), we have been collecting telemetry to help us better understand the potential impact of rolling the KSK of the root of the DNS and to help the community to self-assess its readiness. The analysis of this data, including automated graphs on RFC 8145 announcements available at http://root-trust-anchor-reports.research.icann.org, is helping to improve the understanding of the situation around the KSK rollover and has given us better information to share with the network operator community, including Internet service providers and Internet Exchange Point operators, to help track down root zone trust anchor misconfiguration.

The updated plan to roll the root KSK remains on track with an intent to use the new KSK on 11 October 2018. Prior to this, we anticipate advice from the Security and Stability Advisory Committee (SSAC) and the Root Server System Advisory Committee (RSSAC) on the KSK rollover to be provided to the Board, and that the Board will make a decision to go ahead with the roll in September 2018. More information is at http://icann.org/kskroll.

Domain Abuse Activity Reporting (DAAR)

The Security, Stability, and Resiliency (SSR) team within OCTO has continued refining the DAAR project. DAAR is a system for studying and reporting on domain name registration and security threat (i.e., domain abuse) behavior across top-level domain (TLD) registries and registrars. While the work has been mainly focused on generic TLDs (gTLDs), we are working to provide a way to open this to country code TLDs (ccTLDs) that are interested in participating in DAAR on a voluntary basis. The main purpose of DAAR is to provide statistics related to four specific security threats – phishing, malware distribution, botnet command and control, and spam – to the ICANN community in order to facilitate informed policy decisions.

Recently, two domain name reputation and DNS abuse experts have conducted independent reviews of DAAR. One review focused on methodology while the other review examined the data feeds DAAR uses. OCTO is in the process of publishing these reviews for community review in the coming days. Post-ICANN62, we are planning to provide a platform for daily private reporting of DAAR abuse statistics, along with a monthly report that will be made public. More information on DAAR can be found at https://www.icann.org/octo-ssr/daar.

Root Servers Data Equivalence Study

The Root Server System comprises over 1,000 individual machines operated or overseen by 12 organizations known as root server operators on 13 pairs of Internet Protocol (IP) addresses – 13 IP version 4 (IPv4) addresses and 13 IP version 6 (IPv6) addresses. The ICANN org is one of these organizations. For some time, the ICANN org has obtained root data from three other root server operators, namely USC-ISI, University of Maryland, and the Internet Systems Consortium. To understand the similarities and differences in traffic to the different root servers, and to allow us to assess the accuracy and credibility of studies of data from a limited number of servers, OCTO has undertaken an examination of three months of traffic from the root servers. In the coming months, OCTO will be publishing an analysis of the equivalence of traffic to these root servers.

Object eXchange (OX) Project

The usage of the Internet is evolving and so is the DNS. Over the past few years, the OCTO team has been studying some of the new challenges emerging around use cases of the DNS beyond the typical mapping of domain names to IP addresses. In particular, the team is studying the temporal property of identifiers in the DNS that can vary from temporary to persistent. This work has led to a proposal to add a new Resource Record (RR) type to the DNS – Object eXchange (OX) – that points to user-defined structured data.

At ICANN60 in Abu Dhabi, a presentation introduced a proof of concept that used the new RR type to store information that allows an Internet of Things (IoT) device to find the information needed to automatically update its firmware. Currently, a new real-world experiment is extending such use of information stored in the DNS, combined with Blockchain and IoT, to track cattle in rural areas based on the persistence of identifiers.

In many countries, cattle roam free. As a result, there is conflict between ranchers and farmers when cattle graze in farmed fields (or when the farmers claim they did). In collaboration with teams from universities in La Plata, Argentina, and Cape Coast, Ghana, OCTO has been providing technical assistance to a project to address the issue by bringing together the technologies of IoT, Blockchain, and the OX entry in the DNS. By attaching an IoT device on each cow's collar and uploading the location data into a database in the cloud, the team is able to track the movement of cows at regular intervals with non-repudiation of the information through Blockchain technology. In doing so, the researchers are showing a new and innovative use of the DNS, combined with new technologies, that demonstrates the applicability of the DNS to areas not previously anticipated. We will be working with our collaborators to publish more information about this project in the near future.

ICANN Think Tank

Overall, the OCTO team strives to be a reliable technical resource for the ICANN org, Board, and community for the fulfillment of ICANN's core mission. A recent process for a "think tank" approach to technical studies within the OCTO team will help further streamline our work and publications for the community. The new process in place helps the team prioritize requests for studies that take into consideration alignment with ICANN's mission, strategic objectives, and the timeliness of the topic. It also ensures that outcomes of studies that have public scope are properly published and referenced on the ICANN website with the availability of translation.

Summary

As the landscape of the Internet identifier systems evolves and the use of the Internet itself reaches new heights, it is important that ICANN, as an organization and as a community, has the tools and mechanisms to understand the underlying technologies. The diversity of experience within the OCTO team gives us a broad view on relevant topics which will help tackle these studies and research in a more open manner. Projects like DAAR and OX take a new approach that will advance the community's awareness of the changes we are witnessing. We will continue to report to the community on our work at future ICANN Public Meetings and through briefs like this one.
