Verisign report addresses risks with ICANN’s execution of new gTLDs

A report issued today by Verisign Research Labs says that ICANN is rushing the launch of new gTLDs without allowing time for changes to stabilize, thereby adding risk to the security and stability of the internet

Verisign issued a report today entitled “NEW GTLD SECURITY AND STABILITY CONSIDERATIONS” that calls out deficiencies in ICANN’s plans to launch new TLDs. A copy of the report has been sent to ICANN with a cover letter.

The conclusion of the report says:

“Addressing these issues doesn’t simply mean publishing a specification and expecting the community to have immediately implemented it and be capable of responding to all operational and security corner cases conveyed therein. It means working with the community in attempts to identify these issues before problems arise in operational systems.

It also means that adequate buffers should exist in ICANN published timelines that account for implementation, internal testing, security auditing and vulnerability testing, pilots and early field trials, and deliberate transition to operations;

it’s apparent little consideration has been given to this in the current timelines published by ICANN. In order to ensure a successful implementation of each new gTLD, it is essential that proper planning be conducted in advance. This entails the development of a project plan (to include: a detailed schedule, communications plan, risk management plan, and deployment plan) for each new gTLD to be implemented. These plans should align with ICANNs timelines, thus minimizing impacts to current registry operations, as well as the overall DNS and broader Internet ecosystem.

Any party concerned with consumer and operator privacy, trust, confidence, and overall security of new gTLDs and the broader Internet would be well served by the ICANN Board addressing these issues as appropriate before delegating any new gTLDs, as the risk of a misstep in this direction could have far-reaching and long-lasting residual implications.”

The report, labeled “Verisign Labs Technical Report # 1130007 version 2.2”, does not list who wrote the report.

While focusing on risks associated with “Operational Readiness for gTLD Registries”, it is silent on the risks associated with operational readiness for gTLD Registrars.

The list of major issues include:

A. Trademark Clearinghouse (TMCH)
B. Pre-Delegation Testing (PDT)
C. Emergency Back End Registry Operator (EBERO)
D. Escrow
E. Zone File Access
F. SLA Monitoring
G. WhoIs Change Requirements
H. Government Advisory Council (GAC) Advice

The full report can read here:
Verisign Research Report

Verisign letter to ICANN
Verisign letter to ICANN