Skip to main content

Security, Stability, and Resiliency Review (SSR)

Under the Bylaws (Section 4.6(c)), ICANN is committed to a periodic review of ICANN’s execution of its commitment to enhance the operational stability, reliability, resiliency, security, and global interoperability of the systems and processes that are affected by the Internet’s system of unique identifiers that ICANN coordinates.

The ICANN organization (org) has conducted two iterations of the Security, Stability, and Resiliency (SSR) Review and is now in the process of implementing SSR2 recommendations the Board approved in July 2021, May 2022, and November 2022. For more information on SSR2 Review work, see here

The Board took action on 10 March 2022 to defer the third Security, Stability, and Resiliency (SSR3) Review. See the Board resolution here.

Click here to learn more about ICANN Reviews.

Status of SSR2 Recommendations

24 Board Approved Recommendations:

Implementation Status
  • Documentation of SSR related budgeting: 3.2, 3.3 
  • Security Risk Management framework: 4.1
  • Information security management system: 5.1, 5.2
  • External parties: 5.3 
  • Business Continuity and Disaster Recovery plans: 7.1, 7.2, 7.3
  • Compliance: 9.1, 13.2
  • DNS abuse webpage: 10.1
  • Access to Centralized Zone Data Service: 11.1
  • Web improvements: 16.1
  • DNSKEY algorithm rollover: 23.2
  • EBERO: 24.1, 24.2
In Progress
  • SSR1 implementation: 1.1
  • Reporting: 5.4
  • Business Continuity and Disaster Recovery plans: 7.5
  • Root Zone Management System: 21.1
  • Reporting: 22.1
Not Started
  • Community feedback: 22.2
  • DNSSEC Practice Statement: 23.1

1 Recommendation Pending Board Consideration: Recommendation 17.1

Recommendations Passed Through to Community Groups: N/A

38 Rejected Recommendations: Recommendations 2.1, 2.2, 2.3, 2.4, 3.1, 4.2, 4.3, 6.1, 6.2, 7.4, 8.1, 9.2, 9.3, 9.4, 10.2, 10.3, 12.1, 12.2, 12.3, 12.4, 13.1, 14.1, 14.2, 14.3, 14.4, 14.5, 15.1, 15.2, 16.2, 16.3, 17.2, 18.1, 18.2, 18.3, 19.1, 19.2, 20.1, 20.2

Implementation status of recommendations should be understood as follows:

  • Complete: a recommendation's intent which is considered implemented or addressed and for which implementation documentation is available.
  • In progress: a recommendation for which work has started to address deliverables identified during the implementation design. Implementation design is the preparatory phase for implementation during which a cross-functional project team develops guidelines that include deliverables for implementation, costing out resources, risk assessment, as well as an inventory of existing work etc.
  • Not started: Work has not started due to, for instance, a dependency on another recommendation and/or process.

Quarterly Updates on Specific Reviews

Review Progress and Milestones

The graphic below illustrates phases and status of the review - a  indicates that all activities within a given phase have been completed.  The chart that follows the graphic provides further details of key activities and milestones within each phase – you can view these details by clicking on each of the phases in the graphic.  The table also contains links to relevant documents.

PhaseActivityDescriptionStart DateDocuments
Conduct ReviewCall for VolunteersPublic announcement inviting volunteers to submit application30 Jun 2016
Call for Volunteers ExtensionApplication Extended for the Second Security, Stability and Resiliency (SSR-2) Review Team12 Aug 2016
Review Team AnnouncedSelection of the Second Security, Stability, and Resiliency of the DNS Review Team Members Announced14 Feb 2017
Appointment of Board DesigneeBoard appoints a member to the Second SSR Review Team3 Feb 2017
Second Security, Stability, and Resiliency of the DNS Review (SSR2) RestartsThe Second Review of the Security, Stability, and Resiliency of the Domain Name System (SSR2) formally restarted 7 June 2018 7 Jun 2018
Additional FundingBoard resolution approving additional funding7 Nov 2019
Draft ReportDraft Report for Public Comment24 Jan 2020
Public Comment on Draft ReportPublic comment on Second Security, Stability and Resiliency (SSR2) Review Team Draft Report24 Jan 2020
Public Comment ExtendedPublic Comment Period Extended: SSR2 Review Team Draft Report3 Mar 2020
Final Report Executive SummaryExecutive summary of the SSR2 Final Report22 Jan 2021
Final ReportSecond Security, Stability, and Resiliency (SSR2) Review Team Final Report25 Jan 2021
Board Action*Public Comment on Final ReportFinal report and recommendations posted for Public Comment28 Jan 2021
Board Receipt of the Final ReportBoard receipt of the Final Report3 Mar 2021
Board Action on Final Report and RecommendationsBoard resolution taking action on 63 recommendations22 Jul 2021
Board BlogBoard Action and Next Steps on the SSR2 Review26 Jul 2021
Deferral of Third SSR ReviewDeferral of the Third Review of Security, Stability and Resiliency of the Domain Name System10 May 2022
Board Action on RecommendationsBoard resolution taking action on three pending recommendations1 May 2022
Board Action on RecommendationsBoard resolution taking action on 21 pending recommendations16 Nov 2022
Board Action on RecommendationsBoard resolution taking action on nine pending recommendations10 Sep 2023

*Some recommendations are pending Board consideration and/or prioritization. See above for more information.

For information on the first SSR Review, click here: SSR1

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."