insight 

We were delighted to welcome one of the ‘fathers of the internet’, Vint Cerf, to the Nominet offices in Oxford earlier today. As many will be aware, Vint was the co-designer of TCP/IP and basic infrastructure of the internet. After discussions about international developments and domain name developments in the UK, he very kindly offered to meet Nominet staff for a Q&A session. Questions posed to Vint included: IPv6 adoption, which he feels should be a matter of urgency, new top level domains - where the possibility of thousands of new suffixes raises concerns for brand holders, current internet risks - botnets, IPv4 exhaustion etc, etc, the future of the domain name system, Google’s position re search in the Chinese market and the new Google browser - which is open source. As always, Vint provided all the answers as well as some entertaining and interesting insights.

He then went on to give an excellent presentation at the Oxford Internet Institute on the future of the internet, noting that there are now 1,464 million internet users, which represents just 21% global penetration. He warned that IPv4 addresses will run out in the summer of 2010, which means that there needs to be a real push on IPv6 before it becomes a matter of dire urgency. He forsees geo-location based services growing rapidly as the number of mobile users increases and users will want local information directly relevant to their location. He also predicted the growth of the ‘internet of things’, where devices will increasingly link to the internet to deliver added value to users. I can see my family using the digital photo frame which automatically downloads and shares your latest snaps with friends and relatives, but probably not the electronic scales that link to your fridge in order to recommend heathier menus!

Vint also touched on the idea of an ‘interplanetary internet’, which I had previously thought of as an internet for the star ships and planets of the future. However, the penny dropped today when I understood that the protocols and tools being tested that facilitate connectivity over vast distances and frequent disruptions are of course the very things that could allow the global internet to be much more mobile and versatile in the future.

The issue that ICANN community process has been least able to tackle is that of access vs privacy in the WHOIS databases of Generic Top Level Domains (gTLDs). On the one side you have registrants, both individuals and organisations who want to maintain privacy for some very sound reasons. If you ran a web site offering abortion advice from a country where that was illegal then you would register in a gTLD, not the local country code and also want some degree of protection of your identity.

On the other side you have law enforcement who regard WHOIS, quite genuinely, as a very important tool in fighting online crime. Obviously that means that either there are a lot of dumb criminals who use their real identities to register domains or, more charitably perhaps, the protections in place to stop fake registration data do actually work.

This side is joined by the formidable Intellectual Property Community for whom domains names and the Internet are a huge problem of detection and enforcement. They, like law enforcement, want free and unfettered access to all WHOIS data.

Stalemate

The current position at ICANN is stalemate. Views are becoming so entrenched that the most recent discussion was on whether or not to commission more research into the problem, with some groups saying quite vehemently that enough research had been done over the years so no more was needed!

Jurisdiction

If we just concentrate on the issue of access for law enforcement you should hopefully understand just how complex and potentially intractable this problem is.

In the UK our policy is pretty straightforward. If you are a UK law enforcement agency and you ask for the data then we give it, even if the registrant has opted for privacy in the WHOIS. If you are a law enforcement agency outside of the UK then you must contact one inside the UK and ask them to ask us. So we deal exclusively with law enforcement agencies in our local jurisdiction.

In the gTLDs however the problem is much more complex. Let’s say PIR were to adopt the same policy and only deal with US agencies, since that is where they are based. Can you really imagine other countries being happy at asking US law enforcement agencies for data from what is supposedly a global domain name? Can you even imagine Iranian or Cuban law enforcement agencies asking or receiving an answer?

So this is altogether a global problem, in a world where mechanisms for establishing credentials over long distances are, at best, informal.

This is why one camp just wants it freely accessible, without limits and with all the data in it checked regularly. That way their access problem is simplified. Of course those who care about privacy would never agree to that.

There was a lot happening in the DNSSEC world at this ICANN, far more than any other forum and far more than previous ICANN meetings.

Signing .org

Public Internet Registry (PIR) announced their intention to sign .org, with the help of their registry partner, Afilias. This will be the first big Top Level Domain (TLD) to sign. The best bit is the reasons they give for doing are exactly the right reasons - they want to make the Internet a safer place by doing the right thing and signing .org.

Implementation is a while off but all the pre-work has been done and the ICANN board voted to give PIR the go-ahead. This is a brave step forward from the progressive CEO of PIR, Alexa Raad, and we wish them all the best.

IANA preparations and the new TAR

IANA announced their plans for a Trust Anchor Repository (TAR) as an interim measure until the root is signed. This will be a web site that us TLDs can populate through our normal processes with our keys. Anyone ISP or business who wants to use DNSSEC on the nameservers now has only the one place to visit to get keys rather than going to lots of different places.

This will certainly make life easier but it is still a poor second to signing the root. That unfortunately is out of IANA’s hands otherwise they would have done it by now, they have a well designed and well built (we’ve audited it) infrastructure in place to do it when they get the go ahead.

One thing IANA have been clear about is that they do not want any API access to the TAR. They are clear that this will develop into a competing technology to signing the root and almost everyone knows that is the best way forward.

US Government internal mandate

I haven’t checked this independently but I’ve been told that some departments of the US Government are going to mandate the use of DNSSEC internally. I’ve no idea how this will work but it shows a genuine recognition of the value of DNSSEC that I hope manufacturers take note of.

Resistance is fading

As knowledge and understanding of DNSSEC and the benefits it brings are spreading, the resistance amongst it from registries is fading. There are two public refuseniks but even then the picture is different depending on which part of the organisation you talk two.

The first is DENIC (.de) who are in the unenviable position of having a zone with more than just nameservers in it, they also have direct customer data of the type normally only seen on registrar nameservers. This means that DENIC have no choice but to sign their whole zone and cannot take advantage of the latest revision to DNSSEC that allows the rest of us to only sign those domains that are actually using DNSSEC. For us that means a gradual and low impact implementation of DNSSEC, but for DENIC it means the kind of big bang implementation us larger TLDs have all been frightened of.

The second, and most recent dissident, is apparently Verisign. Their CTO Ken Silva has been quoted in the media as saying that the urgency for DNSSEC is not there any more. I’ve no idea what is driving that, but I suspect it is the cost and complexity of adding DNSSEC support to their proprietary nameserver cluster. There is no doubt that bandwidth costs will increase for TLDs because the size of the response we are giving is increasing dramatically. But then with the likely gradual increase in DNSSEC takeup I expect this to be naturally absorbed in our rolling upgrade programme.

What this statement does do though is throw the spotlight on their contract with the US Department of Commerce (USDoC) to be the Root Zone Maintainer (RZM). It sits a bit uneasily when the rest of us are all pushing for the root to be signed, IANA are prepared and yet Verisign is going soft on the whole idea.

The exit plan

It might be more accurate to describe this as a lack of an exit plan. It is becoming clear that there is no way currently for a zone to signal that it intends to stop signing itself. If it just does so without such a mechanism then any validators operating in strict DNSSEC mode (nobody would do this just yet) would decide that all replies from that zone were bogus, effectively losing contact with it. Thankfully this is just a theoretical risk for now and our DNSSEC expert, Roy Arends, already has a solution so this should not take long to spread amongst implementors.

So, overall a lot is happening in the push for a secure DNS. All we need now is the root signed!

The most reported news from this ICANN meeting was the apparent go ahead for many new Top Level Domains (TLDs) to be bid for. Some of us here have even been on the new media commenting on it. But as with many of these things the devil is in the detail, so here is some more in depth explanation of this decision.

The background

ICANN is split into various constituencies and all of the work on this has been within the Generic Names Supporting Organisation (GNSO) the consitutuency that represent registries of Global TLDs (gTLDs) and Sponsored TLDs (sTLDs), registrars and the business community including the powerful intellectual property community. They were asked by ICANN to come up with a policy for how more TLDs might be allowed into the root, which they duly have done. Other than two policy guidelines that had dissenting views, this was largely a full consensus decision. First hurdle crossed.

There was also an investigation into whether or not there were any technical issues with adding many more domains to the root. This concluded that there weren’ t any such issues. Second hurdle crossed.

Finally ICANN itself evaluated the GNSO policy to determine whether or not it is implementable. Not to actually create the implementation plan but to check carefully for any hidden showstoppers in the details. This they did at the cost of $10 million, as reported by their CEO Paul Twomey, and concluded that the policy was indeed implementable.

The decision ICANN actually took

So with all those pre-conditions met the ICANN board voted to ask the executive to go away and come up with an implementation plan, accepting the principle that there is no reason why there cannot be many more names added to the root.

This is going to take some months and may well cost another $10 million to do.

However, during the vote some ICANN board members raised strong concerns with two of the policy guidelines (the same ones that had dissenting views) and there was general agreement that they needed to see how these would be handled in the implementation plan, before the concerns were allayed.

The details of the policy and the two contentious guidelines

The one thing ICANN wants to avoid is having to make judgements on whether or not a new TLD is a “good thing”. They wanted a policy that took much of the decision away from them into a community driven process. Of course, quite what the community is for any new TLD, is still to be decided, but the principle is there.

The policy the’ve got does that with these two exceptions:

• Strings must not be contrary to generally accepted legal norms relating to morality and public order that are recognized under international principles of law. This obviously is completely open to interpretation and interpretations vary wildly by country. I have no idea how ICANN is going to get a workable solution to this even with the long list of potentially applicable internationally laws.
• An application will be rejected if an expert panel determines that there is substantial opposition to it from a significant portion of the community to which the string may be explicitly or implicitly targeted. Again this is highly subjective in so many different ways. What is substantial? What is a significant portion? And what is the applicable community?

So we wait with anticipation the implementation plan. I’m glad I’m not writing it.

What kind of new gTLDs might we see?

This is the question that everyone is asking and anything said here is purely speculation. Albeit speculation based on the ideas that have been circulating at ICANN, but speculation nonetheless.

1. Generic wordsThese are popular in any TLD, plain generics like colours, animals, vegetables, emotions and so on, mainly because they have such a widespread usage.
2. Regional names that cannot be applied for through the ccTLD process So this might include .sco or .cym. There is already an established precedent for this in .cat for the Catalan language and culture.
3. Global brands I’m writing the application for .nominet as we speak … no hang on … erm …
4. Common word endings For example .tion should get you around 3,000 cool domain names like litiga.tion or rejec.tion. Domains names can be fun and creative.

Before you get carried away the application fee could well be $100,000 and non-refundable, based on previous processes. Furthermore ICANN may have a cunning plan for TLDs where there is more than one applicant - they have already selected an auction provider to build the necessary system to auction the domains. Interestingly though, this is by no means fully decided and is another element that has to go into the implementation plan for further approval.

How many will there be?

This is the most interesing bit and one where I think ICANN has not looked far enough into the future. Currently the application cost is expected to be $100,000, to recoup the $10 million spent so far on this, and the millions more to go. But then what happens?

The root is the ultimate registry, the ultimate domain to have, so the demand is going to be enormous. the policy is designed not to judge except in the very edge cases and so the only thing that will stop a proliferation of names in the root is the price. ICANN has no other lever to hold back the flood because it has specifically not given itself one in this whole policy and process.

So when the initial outlay is recouped and ICANN has made say another $50 million from new applications, will it really be able to sustain such a high price? Granted the assessment for many of the initial applications will be high, possibly covering most of the fee, but soon standard questions, standard answers and a much cheaper process cost will appear. This will then leave ICANN open to a huge pressure to reduce the price to a cost-recovery level, and if does that then the floodgates open and we could get millions of registrations in the root.

That leaves us moving from a distributed, resilient, multi-level hierarchy, towards a concentrated, flat and vulnerable root. It’s all a question of numbers.

But will they be a success?

The problem in answering this has been the apparent ’success’ of .com. Yes it’s huge and yes it is vastly profitable but both of those attributes may not be the best thing for the Internet. The whole Domain Name System is designed to be distributed and putting too many names under one TLD, both as an absolute and as a proportion of the whole, goes against that. Furthermore is sets an unrealistic standard for growth and absolute size that new TLDs are highly unlikely to achieve. China (.cn) and India (.in) will probably exceed .com adding to the imbalance.

So the new TLDs should really be judged by how well they are adopted by their target community (where they have one), how stable they are, and what quality they bring to the market. If this happens then the whole Internet will benefit.

Note: Edited the bit about the application fee as Phil pointed out this had not been confirmed one way or the other.

My diary seems to have been crammed full with preparations for the forthcoming ICANN meeting, including drafting the Nominet response to the NTIA review (more on both later).

It was therefore really nice to have a non-domain name related day recently, talking about how to become an employer of choice and to receive our Best Companies accreditation award. It takes a certain amount of bravery to agree to enter this scheme as the independent ratings are based on what your staff really think about working for your company. Whilst we’ve still got things to do to make Nominet an even better place to work, we’ve improved our results from the previous year.

The event also saw the launch of a Best Companies guide web site that allows you to compare prospective employers and find out if the recruitment blurb is matched by reality. I can see this becoming a useful job hunters resource:

http://www.bestcompaniesguide.co.uk/index.php

No escaping domain names though - it was good to catch up with a retired Nominet registrar who was also at the event :o)

On Wednesday last week, we launched our domain name industry report at our first .uk registrar conference. This seems to have been well received by all in attendance and has got a couple of mentions in the media.

Some, though by no means all, of the content was already in the public domain. The challenge for us was to bring together a large amount of disparate information and present an overview picture of the .uk domain name industry within a global context, including some previously unpublished statistics (.uk renewals, registrant and registrar trends).

Since presenting this information, we’ve had some requests for other data to be presented in the future and are already investigating various strands of research. We’d like to know what you think of the report and what other data you’d be interested in seeing us produce. So if there’s data you think we’re in a position to obtain and publish, then please ask and we’ll see if it’s possible to get at it.

The conference itself was also a first for us. We wanted to present a day that would be of interest to our registrars, increase the understanding of the various issues that we are all faced with in the market at the moment and impart some of the latest information about how we’re trying to support our registrar community. Judging by the feedback on the day, we seem to have hit the mark for most people.

If you were there and feel we could have done better then, let us know how and we’ll bear it in mind for future events.

If you weren’t there and want to know what happened then take a look at the presentation slides here.

I attended the launch event for the UK Inspirational Women’s network this week. The whole idea is to get together a group of inspirational women to coach and inspire other women to develop meaningful and rewarding careers. We’re all up for this work.

You couldn’t help but be inspired by some of the speakers and fellow members. Read more