views from our management team

The web is not as wild as you may think

August 25th, 2010 by Simon McCalla

You might have read an article in The Independent this week about hacks on the domain name system and the seven “guardians” of the internet. There were a few points made that might cause confusion - we thought it might be helpful to clear them up.

The Domain Name System is not reliant on two servers in the US, and the DNS isn’t just based in the US. It is a highly distributed system with hundreds of root server instances around the world. As such, no one country ‘owns’ the domain name system or has access to turn it on or off. There are 13 logical root ‘servers’ which are actually hundreds of separate machines, and there are over 200 unique locations that contain one or more root nameservers.

While it’s true that a significant attack on the DNS could significantly damage the internet, this is the precise reason why the DNS was designed as it was. By distributing it across so many worldwide locations, it is incredibly difficult to bring down.

The Domain Name System is more vulnerable to social engineering than “hacks”. Rather than directly break into the DNS system, last year’s attacks on Twitter and Baidu were understood to be the result of technically simpler but still sophisticated “social engineering” tactics targeted at the site registrars. Here, an operator at the registrar would have come under pressure via phone calls or emails to change the entry to an Iranian server - it is unlikely that any actual ‘hack’ took place. This is an approach that we have encountered before when criminals have targeted .uk sites. It just demonstrates how important human vigilance still is when protecting the infrastructure of the Internet, in addition to any other security measures that are in place. Nominet’s staff undergo rigorous training to ensure that the .uk DNS remains safe from these threats.

Bringing down the DNS is not straightforward due to its distributed, resilient infrastructure - so the Internet as a whole is unlikely to need “restarting”. The “7 Guardians” referenced in the article are actually there to support the security extensions to the domain name system called ‘DNSSec’ - which has been under development for 10 years by the international internet community. In short, we have less reason to be concerned than you might otherwise have thought from reading the feature in The Independent. The web is extremely resilient and there is a big community of experts - in DNSSec, the registries, and beyond - working hard to ensure its ongoing stability.

Postal services move into DNS security?

July 5th, 2010 by Simon McCalla

I must admit to being intrigued to be invited to talk at the inauguration of the new ‘Global Cyber Security Center’ (or GC-SEC for short) initiative. This new body has been set up by the Poste Italiane postal company with a host of supporting parties, such as the Universal Postal Union (UPU) and United States Dept. of Homeland Security. At first glance they seem very odd bedfellows and the slightly stilted opening procedures did little to change that perception.

But as the event moved forward and, one by one, each presenter took to the stage, the whole thing started to make a little more sense. With the application for the ‘.post’ top level domain recently having been granted to the UPU, they had realised that in order to bring their already high reputation for trust with them from the physical world of postal delivery to the electronic world of ecommerce, they had better take a front-row seat at the security table. They had taken a look at the security challenges of operating a trusted business across a wide portfolio of e-services and seen the need to make sure that their underlying technical platform, the DNS, was as secure as possible. They had chosen to focus on DNSSEC as their opening initiative and had invited a wide range of speakers, with a vast array of experience, to address both governmental and business representatives from across Europe.

Looking back, it seems much clearer to me now why Poste Italiane want to sponsor and support a not-for-profit security Center. It keeps them firmly in the loop, and hopefully in future, the driving seat of the latest security issues and challenges. More importantly however, they bring some welcome experience into the realm of the DNS. They bring over 100 years of trusted delivery services, a federated model that ensures that a single stamp can reach any destination in the world and identity management services ranging from the simple to the highly sophisticated. Many of these services have a direct parallel in the electronic world and new experience will be very welcome as we look at interoperability, future certification options and prevention of interception and fraud.

More cynical voices have said that this is simply a land-grab for an organisation that is facing a decline in physical deliveries as electronic communication prospers. Whilst I don’t doubt that they are looking at other opportunities for their businesses, this is no reason in itself to prevent them from sponsoring and supporting security initiatives. I welcome new thinking and a fresh approach to some old problems. It will be interesting to watch and see the effects of their involvement.

Quietly celebrating DNSSEC

June 21st, 2010 by Simon McCalla

And so, on the 16th June 2010, ICANN and IANA finally added DNSSEC keys to the root of the Internet. In an elaborate ceremony, much discussed and sometimes derided amongst the community, a group of ICANN staffers and volunteers from around the globe added DNSSEC keys to the root. Nothing happened: which was good news for all. This relatively simple act of mashing up DNS information and creating an encrypted key belied the 10 years of effort by the technical communities to make this moment happen.

In our own slightly less glamorous way, we at Nominet underwent the same process earlier this year in March. Standing in a side-room to our data centre, three directors of the business typed in their own unique passwords to kick off the key generation process for the .UK zone. A few days later these keys were added to the zone and .UK was signed with DNSSEC information.

Some have said that DNSSEC is too-little, too-late and that it solves only one small problem with the DNS. Certainly, it’s no cure-all for the much documented ills of the internet, but it is a small but significant milestone in the evolution of a safer internet for all. DNSSEC is a triumph for the technical working groups that have managed to engineer a solution to harden our domain name system. It cleverly uses and expands upon an existing protocol, takes into account older equipment and is backwardly compatible across the board.

The simple fact that signing the root was such a non-event is something worth a small, but quiet celebration.

ICANN Brussels - what’s happening?

June 20th, 2010 by Lesley Cowley

I’m in Brussels for this week’s ICANN meeting.  It’s a great opportunity for those in the UK who don’t usually attend ICANN meetings to make the short hop across the channel to get together and help influence the development of the Internet.

As the conference gets going, I thought I’d take a quick moment to update on some of the key topics that will be discussed this week, as well as the usual ICANN constituency business.

Securing the domain name system

This week saw a significant milestone in the securing of the domain name system at a ceremony in the town of Culpeper, Virginia, where a collection of volunteers from over ten countries witnessed and participated in the generation of the cryptographic key that will be used to secure the root zone of the Domain Name System using DNSSEC for the first time.  The root will be signed in mid-July and with many country codes now signing their zones, DNSSEC is increasing in take up, and there will certainly be much discussion on this topic and where it goes from here. We’ve now signed .uk and are working on the signing of .co.uk for next year, but for us there is much more to be done in terms of developing .uk registrar awareness and involvement and I’m planning to learn from others who have already started on this.

There is also the discussion about the possible creation of a Domain Name System Computer Emergency Response Team (DNS-CERT). Many Country-Code Managers, such as Nominet, support and share ICANN’s focus on ensuring the security and stability of the Domain Name System. But that is not to say that we all agree with the case made for a DNS-CERT to date and/or that this needs to be an ICANN function and/or that this proves the need for a brand new co-ordination body. This week will likely see the creation of joint working groups on DNS threats and how we respond to them, together with talks about whether other organisations, such as DNS-OARC, might be able to take on an enhanced role.

Affirmation of Commitments Reviews

Last September saw ICANN sign up to an Affirmation of Commitments, in effect the guiding principles by which it will be operated.  The first review required by the Affirmation of Commitments is now in progress, on ICANN accountability and transparency. The review team are holding several sessions in Brussels to seek community feedback.  I’ve already heard some questions and comments about the transparency of the review team workings, but so far they appear to be pro-actively seeking inputs and making good progress on a demanding work programme in order to deliver the review on time.

Decision on .XXX?

The long-running saga of .XXX continues and there were 222 pages of comments made in response to the report on options going forward - I do hope that this will not turn into some sort of ‘X factor’ popularity/unpopularity vote. Whatever the final decision, it will be controversial. I earnestly hope that, as we move into the launch of the new gTLD process, there has been learning from this whole saga, both for ICANN and the ICANN community.

New TLDs

In preparation for the meeting, ICANN has published the latest version of the applicant guidebook for new Top Level Domains (TLDs).  Many issues remain unresolved, so it will be interesting to see how far this meeting moves this topic forward.  There are those who are very keen for ICANN to get moving and open for applications in the very near future and others who remain strongly opposed to any forms of new TLDs at all.  With Canon being the only brand to have declared their hand and say they will be applying for a TLD, it is the many community bids and generic words that seem to be the subject of some debate.

At Nominet, we want to see ICANN take the time to get this process right and deliver a process with suitable safeguards in place both for registrants and also to ensure that the safety, stability and security we all expect from the Domain Name System remains.  We are supportive of the concept of community bids being run in the public interest, with the support of local bodies and we have been approached by some UK-based potential community applicants.  We are watching the outcomes of the ICANN debates and looking at options before deciding how to proceed with any such opportunities.  We’ve discussed this topic with members of Nominet over the last few years - If you’re a member of Nominet and have a strong opinion on the process or any of the potential new TLDs, then do feel free to let me know your views in person or to drop me a line and let me know your thoughts.

Aside from the meeting agenda, there is also a busy social and networking aspect to ICANN meetings. We are holding a drinks reception on Monday night for our registrars and I’m looking forward to seeing our registrars who are at the meeting there.

That’s my brief summary, I’m looking forward to this ICANN meeting and I hope you all are too.

Celebrating 25 years of .com

May 27th, 2010 by Lesley Cowley

Last night I attended the Verisign celebration of 25 years of .com at the City Hall, San Francisco.   There were 300 people there and it was great to see many friends and familiar domain name contacts from all around the world.

Scott McNealy, co-founder of Sun Microsystems, presented the .com 25 – the list of companies & people that have most shaped the past, present & future of .com, such as Steve Jobs, Vint Cerf, Tim Berners-Lee and himself. Scott also provided a personal list of ‘undesirables from .com’ such as chat roulette!

We then had the presentation of awards to the top 10 domain pioneers, the major .com registrars: Godaddy, Demand Media, Tucows, Network Solutions, Melbourne IT, Oversee, 1 & 1, Directi, Register.com and Dotster. Almost all of these are also .uk registrars and it was great to see them acknowledged.

Peter Dengate-Thrush, Chairman of ICANN announced the Verisign Internet Infrastructure grant programme (or program to use the US version). There are four $75k grants on offer, open to non-profits, academia and researchers for topics of internet infrastructure, domain name security, the internationalization of the Internet and domain name security. Further info is at: http://www.25yearsof.com/grants/

The evening presented a great moment for reflection on how far the Internet has developed in just 25 years.  The Verisign Internet Infrastructure grant programme looks interesting and we shall look forward to seeing the projects that receive funding and the impact they may have on the future of Internet infrastructure.  A truly memorable event for all and we’re going to have to think about how we can make the 25 years of .uk event just as good. Many thanks to Verisign for a great evening and many congratulations on the 25th anniversary.

Are you Ready to shop online?

January 11th, 2010 by Lesley Cowley

Like many of my friends, I was able to do almost all of my Christmas shopping online last year. But those who shop on the web need to remain careful so that we do not get ripped off with scams or fake or non-existent goods. There was a story in the Money section of The Times the other day, talking about the risks of shopping online. The piece was also rather critical of Google and it will be interesting to see how they will respond, particularly given their ‘do no evil’ mantra. 

Online shopping risks came up back in August 2009 and we wrote a blog post outlining Nominet’s processes and how consumers can protect themselves when buying goods online. Although there is loads of good advice around, people are still forgetting the basics, so it might be helpful to re-iterate the key points to consider when shopping on the web.  Get Safe Online and Consumer Direct provide some of the best advice out there and we have used some of their points, in conjunction with our own, to pull together top tips that ensure consumers are READY to shop online:

Research web sites 

  • Look for a telephone number for the company. Ring it and check it works if you have any concerns
  • Is the web site secure? Look for ‘https://’ and the padlock that should be present on the page you are using when you are giving any payment details (credit card), or personal information
  • Do they have clear privacy and returns policies?
  • If you’re not convinced, take a few minutes to search for the company on the Internet and check their reputation. Trust your common sense and if necessary buy elsewhere.

Educate others

  • Share your knowledge with family and friends if you have spent time researching web sites, had a positive experience with buying from a site, or have spotted a dud (as well as reporting it). It is important to spread the word about how to be safe online.

Actively protect your money

  • If you purchase goods online, make sure you use web sites that have a secure way of paying (known as an encryption facility) - these show a padlock at the bottom of the screen when you are filling in the payment details
  • Have a dedicated credit card for shopping online. If you do fall victim to cybercrime and the value is over £100, it is easier to claim money back using a credit card than a debit card. It also makes it easier to keep track of your online purchases. 

Do not assume…

  • An Internet company is based in the UK just because its web address has ‘uk’ in it. Visit the Nominet WHOIS site to check where the web site is registered. If the company is based outside the UK you might have to pay import tax on any goods you purchase
  • That a web site is an official reseller of well known brand name goods. Before buying goods, you should visit a brand’s main web site to check that the web site you intend purchasing from is legitimate. For example, GHD, a company that manufactures hair straighteners, has a dedicated section on its official web site outlining fake GHD web sites. Goods should not be purchased from any of the sites on that list.

Yes, report it

  • If you do fall victim to cybercrime, call your local trading standards office, report the incident and ask for their best advice on how to deal with the situation.

Remember, as always, if the offer looks too good to be true, it probably is.

Perfect Storm: Part 2

September 30th, 2009 by Lesley Cowley

Back in February I wrote about the ‘Perfect Storm’ developing in the area of international and national Internet Governance. Whilst weather prediction is a notoriously difficult and sometimes dangerous business, recent developments suggest there may be a calmer period with a few sunny intervals ahead.

What has provoked this unseasonal optimism, you may ask? It’s mainly due to the announcement that the Joint Project Agreement between the US Department of Commerce and ICANN has come to an end.  In its place are a series of commitments such as ensuring that decisions are made in the public interest, preserving the security and stability of the Domain Name System and promoting consumer trust and choice. A series of ongoing regular reviews will also be introduced with the aim of ensuring ICANN’s accountability to the wider Internet community, and Internet users in particular.

Nominet strongly supports the private-sector led, bottom-up model for the technical co-ordination of the domain name system, and we believe the end of the JPA confirms that this model is the right one for such a fast-moving, innovative sector.

There’s clearly an interesting parallel here with what’s happening in the UK Internet industry. The outcomes of Nominet’s Independent Governance Review and the Digital Britain Report, suggest that there is strong support for Nominet to commit to a ‘public purpose’ role. So, I guess my forecast that representation and protection of end-users would become a major Government focus appears to have been quite accurate (albeit that was rather easy to predict).

I’m clear that this is the right way forward, but this approach will certainly bring its own challenges. Working for a public purpose means balancing an even wider range of conflicting interests from the many different groups involved in the Internet and the Internet governance process. In particular, it will mean balancing commercial pressures and end user interests - always tricky on a national scale, even more so when these are on a global scale. However, responding responsibly to the dynamic and ever changing demands of Internet stakeholders is essential to both keep pace with developments and to make the Internet a trusted and safe place going forward.

The Internet governance landscape is changing and there are some bright patches appearing over the horizon, but the many challenges of engaging with and seeking to satisfy such a wide range of users suggests that there may be some cloudy patches on the way too!

Reducing online shopping risks

August 18th, 2009 by Lesley Cowley

There have been a couple of stories in the media over recent weeks from Trading Standards Officers in the UK and the US Federal Trade Commission about consumers being tricked into buying fake goods on the Internet by companies pretending to be based in the UK. As online shopping becomes increasingly prevalent in the UK, and with 72% of UK consumers preferring to search for a .co.uk web site than a .com, it is more important than ever that consumers take sufficient care when shopping on the Internet. Whilst it’s great to see more and more people buying and banking online and consumer confidence reaching new heights, it does not remove the need for vigilance and care. When Nominet took over the operation of .uk in 1996, a decision was taken to operate .co.uk and .org.uk as “open” second level domains, meaning that any type of organisation based anywhere in the world could register these domain names on a first come, first served basis. This early decision means that whilst the vast majority of registrations are from the UK, a small proportion of registrants are from non-UK businesses and consumers. Many will be perfectly legitimate, for example by trading businesses or organisations wanting to protect their trademarks overseas.

Domain names in .co.uk are allocated on a first come, first served basis and there are currently 140,000 new registrations every month. Whilst we don’t police applicant locations, it does not automatically follow that consumers in countries with stricter registration policies or application vetting are necessarily any better protected. In practice the physical address used to register a domain name does not of itself provide any guarantee of legitimate supply of goods. Nor does dealing with a business based in the UK. As ever, it is imperative that internet shoppers are careful, especially when dealing with a new site for the first time or in response to unsolicited email.

As an organisation we are keen to find ways to create a safe on-line environment for UK consumers and business. Given the technology involved, there are not many quick or easy fixes. However, an example of a simple safeguard is for people to carry out a Nominet WHOIS check if they have any concerns or want to do a quick check - sites who trade online are not able to opt out of having their information displayed in the Nominet WHOIS. Where these details are out of date or inaccurate, we reserve the right to cancel the domain name and regularly do if the details are not updated/corrected promptly. We also work closely with the Police where issues arise and Nominet’s Policy Advisory Body are already engaged and working with the UK Payments Administration Ltd (formerly APACS) to look at how we can better work together against on-line fraud.

So, if you’re shopping online and you have any doubt about the web site you are using then you can reduce the risks by performing a WHOIS search or other simple checks. There is good advice on how to reduce the risks when purchasing goods online readily available, for example, see Get Safe Online. As they say: if the offer seems too good to be true, it probably is.

EU Commission Hearing on Internet Governance

May 11th, 2009 by Lesley Cowley

I participated in a public hearing in Brussels last week on the Future of Internet Governance. The hearing brought together representatives from Internet players such as ISOC, ICANN, IGF, CENTR etc. with business and civil society representatives to gather inputs on key questions posed by The Commission. These will inform its ‘official’ position on Internet Governance, which should be announced shortly.

Viviane Reding, EU-Commissioner for Information Society and Media, released her personal thoughts on the subject via a video message and press release earlier in the week. She called for a new governance model for the Internet that would include a fully privatised ICANN, as well as a “G12 for Internet Governance.” This confused people somewhat as they believed Viviane’s views and the EU Commission’s views were one and the same. This is clearly not the case and the timing of the statement in advance of the hearing was rather unfortunate (!).

Having said that, many agreed with Reding’s view that ICANN should be independent of the US Government, provided that ICANN accountability can be fully established. However, the notion of ICANN being answerable to an “Internet G12” was not popular. It just would not be suitable for a small group of only twelve selected Governments to set global Internet policies.

At the hearing itself, there was strong support for the continuation of the IGF and numerous interventions about ICANN, particularly in view of the status of the Joint Project Agreement. There were some suggestions that there should be a new Internet Governance model for a new era of the Internet, with some pushing for  an over-arching inter-governmental role. I cannot yet understand why new would necessarily be better.  Surely it would be easier to identify what the issues are and how they can be better addressed, rather than seek new structures.

It is widely recognised that the Internet is now fundamental to global economies and therefore governments have a strong interest and a role to play going forward. But it is important to also recognise that the usual timescales for government and inter-government actions, the difficulty of developing effective legislation and the international nature of many of the issues, just do not fit easily with the nature of the Internet.

Therefore, no single universal regulatory or purely inter-governmental global oversight can ever align itself successfully with the diversity and sheer pace of change in this sector. The only model of global  Internet Governance that will achieve this is one that allows all concerned to work together, through multi-stakeholder participation and partnerships.

Participation is really key and more Governments and stakeholders need to be much more involved so that Internet Governance is truly representative of our worldwide and multi-stakeholder Internet community. If the people who attended the hearing are an indication, there are certainly lots of issues for all participants to talk about.

My 10th Anniversary

April 20th, 2009 by Lesley Cowley

I’m celebrating ten years working at Nominet today. As is traditional on such occasions, we’ve celebrated with cakes! I’ve also been thinking back to the early days and how much has changed…..

I joined Nominet in 1999. This was the year that: Nominet turnover was £1.6m (it’s now almost £20m), there were 883 Nominet members (there are now 2,825), there were 28 staff (there are now 120) and there were 236,000 registrations (there are now 7,500,000).

I remember being asked by Dr Willie Black and Keith Mitchell, two of the Nominet Founders, in my job interview whether I was up for a challenge and whether I was used to change. I believe I answered “Yes” to both questions. 1999 was certainly a challenging time to start. My first few months saw a group of members advocating the privatisation of Nominet, moving the company to new offices (I recall someone moving the nameservers in the back of his car) and my challenge of developing forecasting almost from scratch, to predict domain name growth, scaling costs and financials. This became known as ‘the spreadsheet from hell’ and we calculated that if the register grew in line with forecasts we would need an extra 140 staff just to process reply forms! There was also my very first ICANN meeting of many and the first ever meeting of the Nominet Policy Advisory Body.

The challenges have continued (mostly unabated) since then. Some of the more difficult ones have been the attack on our WHOIS in 2003 which resulted in the Australian Court Case and the more recent attempts to change the Nominet constitution.

However, the good times have far outweighed the difficult times in the last 10 years. There have been lots of awards, such as Best Companies to work for, Best in-house legal team and the award for our customer support, to name but a few. We’ve also made huge changes and improvements to our systems and services,  created the Nominet Trust, the Best Practice Challenge awards and have been able to play more of an active and leading role in Internet governance and development.

People sometimes ask what my/our motivations are for doing all this. Apart from loving the Internet and what we do, our motivations are set out in the Nominet vision and mission statements. The Nominet vision is of a world where the Internet is a trusted place, which everyone can be part of and has a positive impact on people’s lives and our mission is to make a positive difference to UK Internet users and to shape the development of the Internet. These two statements show the way ahead for the next 10 years. The one thing that is certain is that we’re in uncertain times. However, I’m sure that the next 10 years will be just as challenging and as full of change as the last 10 years.
