Sunday Sep 05

Security Takes Center Stage at ICANN Meeting

If there is one consistent underlying topic running through this week's ICANN meeting in Brussels, it is Internet security. From ICANN CEO Rod Beckstrom’s opening statement on DNSSEC (DNS Security Extensions), through international law enforcement input to domain registrar agreements, to virtually every other session, security is clearly on the agenda.

To the surprise of ICANN and most observers on Monday and Tuesday, the news that hit most headlines was not Rod’s speech or the official launch of DNSSEC. It was an independent report from a small anti-spam group, KnujOn, about illicit registrar activity. This report and the core information within it gained 700+ news links on Google, compared to only 20+ achieved by official ICANN news releases for the opening day.

Just to explain what all the fuss was about, KnujOn’s report, which is based on its ongoing research, alleges that at least 162 ICANN authorized domain registrars are in some form non-compliant with ICANN’s requirement for a public WHOIS link indicating the contact information behind each registered domain.

One of the major registrars, eNom, came in for the most criticism for an alleged 4,000-plus pharma (rogue Internet pharmacy) domains under its control, despite constant complaints from KnujOn and others in the security community. (For those interested in the details, see my more comprehensive analysis on hostexploit.)

Meanwhile, at ICANN there were several significant sessions involving security. First, the greatest interest from law enforcers, who are attending Brussels in force, was in seeking amendments or improvements to the registrar agreement (RAA) with ICANN. There are the obvious requests, such as proper WHOIS information, but, increasingly, many are challenging the anonymity of domain registrants. The consensus is “yes” to privacy and proxy registration for the individual, but “no” for businesses. Law enforcers are insisting that the “real” WHOIS must be available to law enforcement even for individuals with anonymous or proxy registrations.

The next big security issue for ICANN is DNSSEC, with several presentations, and Rod Beckstrom leading most of the sessions on this. On this topic and the whole area of DNS vulnerabilities I have created a detailed analysis on hostexploit.

It would be a mistake to assume that all the DNS vulnerabilities can be resolved in one sweep. Steve Crocker, chairman of the Security and Stability Advisory Committee of ICANN, was obliged to respond to queries from attendees, explaining there are two very broad classes of threats:

“One is that the information is going to be modified or corrupted. And the other is that the systems are going to be made unavailable by denial-of-service attacks. So if you take those two pairs and, you know, all the combinations, DNSSEC closes big holes in one-quarter of that space, that is, it protects the information during the lookup side... If incorrect information is put into the system or is modified at registration, then you're in trouble. And in either case, if the registration side or the lookup side is attacked from a denial-of-service attack or taken down in some other way, DNSSEC doesn't help at all.”

So, basically, DNSSEC does not provide confidentiality of data; DNSSEC does not protect against DDoS attacks.

One further note, as Michele Neylon from Blacknight in Ireland and registrar representative for EURid explained, “DNSSEC will produce extra cost for each domain it is implemented on. So who pays?”

So it seems DNSSEC will resolve only one-quarter of the DNS vulnerability problem, an important part admittedly, but still only one element. Registrar agreements will change per the requirement of law enforcement, but as one delegate from that contingent ominously pointed out, “Either ICANN and the community acts rapidly to resolve these WHOIS issues, or we will.”