Name Collisions in the Domain Name System Burt Kaliski, Verisign USTelecom Webinar April 17, 2014.

Presentation transcript:

Verisign Public

Slide 2: Agenda
- Name Collision Problem
- Timeline
- Mitigating Name Collisions
- Remediation: ICANN’s Guidance to IT Professionals
- Constraints: ICANN’s “Alternate Path” of SLD Blocking
- Notification: JAS Global Advisors’ “Controlled Interruption”
- Next Steps

Slide 3: Name Collision Problem for Domain Name System (DNS Queries)
[Diagram: an installed system sends a query for “….SLD.TLD” to the global DNS. While the TLD is not in the root zone (“Global DNS without TLD”), an NXDOMAIN response is expected. Caption: “Up to ~1400 (or more!) new gTLDs!”]
Key:
- TLD = top-level domain (e.g., “.com”, “.de”, “.net”)
- New gTLD = new generic TLD
- SLD = second-level domain (e.g., “example” in “example.com”)
- NXDOMAIN = “non-existent domain” error message

Verisign Public Installed System Global DNS with TLD ….SLD.TLD Resource record received (if SLD delegated) Internally Generated Query  collides with  Externally Assigned Name Up to ~1400 (or more!) new gTLDs! Root Causes: Best Practice: “.” not required at end of domain name “Private” TLDs (e.g., “.corp”), Shortened Internal Domain Names Search List Processing Mobile Computing 4 Name Collision Problem for Domain Name System (DNS Queries)

Verisign Public Installed System Global DNS with TLD ….SLD.TLD Resource record received (if SLD delegated) Internally Generated Query  collides with  Externally Assigned Name Up to ~1400 (or more!) new gTLDs! 5 Potential Risks Installed System Breaks Internal Information Leaks (beyond root) Cyberattacks Exploit Collision Name Collision Problem for Domain Name System (DNS Queries)

Slide 6: Mitigating Name Collisions
[Diagram: the collision picture from slide 4 (installed system, global DNS with TLD, “….SLD.TLD”, resource record received if SLD delegated, “Up to ~1400 (or more!) new gTLDs!”), annotated with four points at which to intervene.]
- (1) Remediate installed system
- (2) Constrain global DNS
- (3) “Notify” system operators
- (4) Hybrid approach

Slide 7: Timeline
- Nov. 2010: ICANN’s Security and Stability Advisory Committee (SSAC) warns of potential name collision risks
- June 2011: ICANN launches New gTLD Program
- Mar. 2013: Verisign Labs publishes first in series of research reports analyzing name collision risk
- Aug. 2013: ICANN publishes report on name collision risk
- Oct. 2013: ICANN defines name collision risk management strategy
- Oct. 2013: First new gTLDs delegated
- Dec. 2013: ICANN publishes guidance to IT professionals
- Feb. 2014: JAS Global Advisors publishes Phase One Report on name collision risk management under contract to ICANN
- Mar. 2014: Verisign Labs holds name collisions research workshop, namecollisions.net
- Apr. 2014: Comments due on Phase One Report
- Jun. 2014: Phase Two Report expected

Verisign Public Mitigating Name Collisions Installed System Global DNS with TLD ….SLD.TLD Resource record received (if SLD delegated) (4) Hybrid Approach (2) Constrain Global DNS (3) “Notify” System Operators Internally Generated Query  collides with  Externally Assigned Name Up to ~1400 (or more!) new gTLDs! 8 (1) Remediate Installed System

Slide 9: Remediation: ICANN’s Guidance to IT Professionals
Change installed system to avoid potential name collisions
Basic steps:
- Replace private TLDs, shortened internal domain names with fully qualified global domain names
- Turn off search lists at shared DNS resolvers
- Update application, device configurations
- Train users and administrators
- Revoke certificates with private TLDs
- Monitor, monitor, monitor …
Reference: Guide to Name Collision Identification and Mitigation for IT Professionals. ICANN, December 5, 2013.
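The following is an added example, not code from the slides, ICANN or Verisign: it models the “search list processing” root cause from slide 4 (a short internal name picking up a suffix before it leaves the site) and the “monitor” step above (inventorying which internal names reach the global DNS under a private TLD). The private TLDs are the ones the slides name; the log format, client addresses and host names are constructed.

```python
from collections import Counter

# Constructed for this example: the private TLDs named on the slides. The hosts
# and names below ("intranet", "wpad", "example.com", 10.0.0.x) are made up.
PRIVATE_TLDS = {"corp", "home", "mail"}

def expand_with_search_list(name, search_list, ndots=1):
    """FQDNs a typical stub resolver tries for `name`, in order.
    An absolute name (trailing ".") gets no suffix. A relative name with fewer
    than `ndots` dots gets every search-list suffix appended before the bare
    name is tried, so "intranet" leaves the site as "intranet.corp." first.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{suffix}." for suffix in search_list]
    bare = [name + "."]
    return suffixed + bare if name.count(".") < ndots else bare + suffixed

def tld_of(fqdn):
    return fqdn.rstrip(".").rsplit(".", 1)[-1].lower()

def sld_of(fqdn):
    labels = fqdn.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else None

def classify_query(fqdn, delegated_tlds):
    """'collision' if the TLD is a private label the root now delegates (a
    resource record may replace the expected NXDOMAIN); 'leak' if it is private
    but undelegated (NXDOMAIN, yet the internal name was disclosed); else 'ok'."""
    tld = tld_of(fqdn)
    if tld in PRIVATE_TLDS:
        return "collision" if tld in delegated_tlds else "leak"
    return "ok"

def scan_query_log(lines, delegated_tlds):
    """Inventory a resolver log (constructed format: "<client> <qname>" per line).
    Returns (counts per class, SLDs seen under private TLDs): the list of
    internal names to rename and whose certificates to revoke.
    """
    counts, at_risk = Counter(), set()
    for line in lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        kind = classify_query(fields[1], delegated_tlds)
        counts[kind] += 1
        if kind != "ok":
            at_risk.add(sld_of(fields[1]))
    return counts, at_risk

# Constructed sample log: two clients, search lists "corp" and "home".
SAMPLE_LOG = """10.0.0.5 intranet.corp.
10.0.0.5 wpad.corp.
10.0.0.9 www.example.com.
10.0.0.9 mailhost.home."""

if __name__ == "__main__":
    print(expand_with_search_list("intranet", ["corp", "example.com"]))
    print(scan_query_log(SAMPLE_LOG.splitlines(), {"com", "corp"}))
```

Run against a real resolver log, the `at_risk` set is the rename and certificate-revocation work list; rerunning it after the search list is turned off shows whether the leak actually stopped.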

Slide 10: A Good Remediation: .CBA Case Study
[Chart only; no further text survives in the transcript.]

Verisign Public Mitigating Name Collisions Installed System Global DNS with TLD ….SLD.TLD Resource record received (if SLD delegated) (4) Hybrid Approach (3) “Notify” System Operators Internally Generated Query  collides with  Externally Assigned Name Up to ~1400 (or more!) new gTLDs! 11 (2) Constrain Global DNS (1) Remediate Installed System

Slide 12: Constraints: ICANN’s “Alternate Path” of SLD Blocking
Restrict SLD registrations to avoid potential name collisions
Basic steps:
- Don’t delegate “.corp”, “.home” for now
- Block from registration any SLD that received queries in certain “Day-in-the-Life” annual data sets (assumes some imply at-risk queries from installed systems)
- All but 25 applied-for new gTLDs eligible
- This is until the full name collision management framework is completed
Reference: NGPC Resolution for Addressing the Consequences of Name Collisions. ICANN, October 8, 2013.

Slide 13: Challenging Constraints: SLD Variability
How to block a moving target?
[Chart.] 25 applied-for new gTLDs declared ineligible for SLD blocking by ICANN due to high variability

Slide 14: How Much Does Blocking Help?
[Chart: potentially at-risk queries observed for a newly delegated gTLD, without and with required SLD blocking.]

Slide 15: Mitigating Name Collisions
[Section divider: the diagram from slide 6 repeated, singling out approach (3) “Notify” System Operators.]

Slide 16: Notification: JAS Global Advisors’ “Controlled Interruption”
Flag impending change in global DNS to users, system administrators to prompt remediation
Basic steps:
- Don’t delegate “.corp”, “.home”, “.mail” for now
- Return a special IP address (e.g., ) for a period of time before regular delegations begin
  - “Blocked” SLDs only for new gTLDs on “alternate path”
  - Every SLD for other new gTLDs (“wildcard” record)
Idea: At-risk queries will fail safely to internal IP address; applications may break, but users, system administrators will notice “interruption”
Reference: Mitigating the Risk of DNS Namespace Collisions: Phase One Report. JAS Global Advisors, February 24, 2014.

Slide 17: Verisign Comments on Controlled Interruption
1. Issue: Name collision framework not yet provided. Recommendation: Wait until Phase Two Report available and publicly reviewed before implementing.
2. Issue: Controlled Interruption untested, may not be effective (e.g., non-blocked SLDs for “alternate path” gTLDs; WPAD and related protocols). Recommendation: Verify that these cases are covered, based on analysis in full name collision framework.
3. Issue: Controlled interruption may break systems not at risk (e.g., if SLD is in use internally, but won’t be registered). Recommendation: If SLD won’t be registered, give gTLD operator option not to interrupt it.
4. Issue: Risk management requires feedback. Recommendation: Collect traffic during interruption period for analysis by research community to assess, improve effectiveness.
Reference: Verisign preliminary comments on "Mitigating the Risk of DNS Namespace Collisions" Phase One Report. comments-name-collision-26feb14 discussion thread, March 31, 2014.

Verisign Public Mitigating Name Collisions Installed System Global DNS with TLD ….SLD.TLD Resource record received (if SLD delegated) Internally Generated Query  collides with  Externally Assigned Name 18 (3) “Notify” System Operators (1) Remediate Installed System (4) Hybrid Approach (2) Constrain Global DNS Up to ~1400 more choices!

Slide 19: Next Steps
- Phase One Report comment period open through April 21, 2014
- Phase Two Report expected in June; completes name collision management framework
- ICANN to expand outreach to users, system administrators
- Research community analyzing mitigation techniques, proposing long-term improvements

Slides 20–24: For Further Reading
- SAC045: Invalid Top Level Domain Queries at the Root Level of the Domain Name System. ICANN Security and Stability Advisory Committee, November 15, 2010.
- SAC057: SSAC Advisory on Internal Name Certificates. ICANN Security and Stability Advisory Committee, March 15, 2013.
- New gTLD Security and Stability Considerations. Verisign Labs Technical Report #, Version 2.2, March 28, 2013.
- Danny McPherson. Part 1 of 5; Introduction: New gTLD Security and Stability Considerations. Between the Dots, May 9, 2013.
- Name Collision in the DNS. Interisle Consulting Group. Version 1.5, August 2, 2013.
- New gTLD Collision Risk Mitigation. ICANN, August 5, 2013.
- New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis. Verisign Labs Technical Report #, Version 1.1, August 27, 2013.
- Patrick S. Kane, Thomas C. Indelicato, and Danny McPherson. Letter to ICANN Board of Directors re: ICANN’s Proposal to Mitigate Name Collision Risks – .CBA Case Study. September 15, 2013.
- New gTLD Collision Occurrence Management. ICANN, October 4, 2013.
- NGPC Resolution for Addressing the Consequences of Name Collisions. ICANN, October 8, 2013.
- Burt Kaliski. Part 2 of 4 – DITL Data Isn’t Statistically Valid for This Purpose. Between the Dots, November 8, 2013.
- Burt Kaliski. Part 3 of 4 – Name Collision Mitigation Requires Qualitative Analysis. Between the Dots, November 13, 2013.
- Guide to Name Collision Identification and Mitigation for IT Professionals. ICANN, December 5, 2013.
- Mitigating the Risk of DNS Namespace Collisions: Phase One Report. JAS Global Advisors, February 24, 2014.
- Burt Kaliski. Uncontrolled Interruption? Dozens of “Blocked” Domains in New gTLDs Actually Delegated. Between the Dots, February 26, 2014.
- Jeff Schmidt. Mitigating the Risk of DNS Name Space Collisions. Presented at Workshop and Prize on Root Causes and Mitigation of Name Collisions (WPNC ’14), London, United Kingdom, March 8-10, 2014.
- Andrew Simpson. Detecting Search Lists in Authoritative DNS. Presented at Workshop and Prize on Root Causes and Mitigation of Name Collisions (WPNC ’14), London, United Kingdom, March 8-10, 2014.
- Matthew Thomas, Yannis Labrou, and Andrew Simpson. The Effectiveness of Block Lists to Prevent Collisions. Presented at Workshop and Prize on Root Causes and Mitigation of Name Collisions (WPNC ’14), London, United Kingdom, March 8-10, 2014.
- Verisign preliminary comments on "Mitigating the Risk of DNS Namespace Collisions" Phase One Report. comments-name-collision-26feb14 discussion thread, March 31, 2014.

© 2014 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.