The Internet Corporation for Assigned Names and Numbers (ICANN) is looking at new ways to reduce the risk of traffic intended for internal network destinations ending up on the internet via the Domain Name System (DNS).
Collisions in the DNS namespace have the potential to expose significant security-related issues for users of DNS.
While the ICANN-commissioned report did not find that new generic top-level domains (gTLDs) will fundamentally increase the risks associated with DNS namespace collisions, ICANN says it is committed to reducing the likelihood of such events occurring.
The research commissioned by ICANN did indicate that every TLD that has been added to the root since 2007 has exhibited some symptoms of collision activity prior to delegation, with the most problematic DNS namespace collisions occurring not just at the TLD level, but wherever collisions cross administrative control boundaries in the DNS.
The report commissioned by the organisation included a host of recommendations, from minor fixes to the extreme of killing a delegated second-level domain to deal with the issue.
ICANN described the report and its recommendations as a “comprehensive” approach to reducing current and future DNS namespace collisions. This is to be achieved by changing how potential namespace conflicts are handled operationally and by providing the emergency response capabilities needed if systems are adversely affected.
In total, 11 recommendations were made in the report, which it is hoped will go a long way to reducing namespace collisions and the potential security issues that may occur as a result.
The recommendations include permanently reserving the .corp, .home and .mail TLDs, and making more technical information available regarding the introduction of new gTLDs and the issues surrounding DNS namespace collisions.
Emergency response options are limited to situations where there is a reasonable belief that the DNS namespace collision presents a clear and present danger to human life. Another recommendation would see ICANN require new TLD registries to publish the controlled interruption zone immediately upon delegation in the root zone, with collision-related restrictions then removed after a 120-day period.
Other recommendations included relaxing the prohibition on wildcard records during the controlled interruption period, and monitoring each registry's implementation of controlled interruption to ensure the correct procedures are followed and standards are upheld.
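The two signals a network operator can act on from the recommendations above are queries for internal names under the TLDs the report says should be reserved (.corp, .home, .mail) and answers carrying the controlled-interruption address that a newly delegated TLD returns during its restriction period. The following is an added example, not code from the article or from ICANN or its contractors: a small Python scanner that runs over constructed resolver log lines and flags both conditions so an operator can find hosts whose internal name lookups are reaching the public root. It assumes a whitespace-separated log format (timestamp, client IP, query name, query type, rcode, answer); the reserved TLD list comes from the article, while the address 127.0.53.53 is ICANN's published controlled-interruption IPv4 address and is not stated on this page. The name `newgtld` is a placeholder for a hypothetical newly delegated TLD.

```python
"""Flag DNS namespace-collision indicators in resolver log lines.

Added illustrative code; the log format and sample lines are constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# TLDs the ICANN-commissioned report recommends reserving permanently.
RESERVED_TLDS = {"corp", "home", "mail"}

# ICANN's published controlled-interruption IPv4 address (known fact,
# not taken from the article being annotated).
CONTROLLED_INTERRUPTION_IP = ipaddress.IPv4Address("127.0.53.53")

# Constructed sample log: "timestamp client qname qtype rcode answer".
# "newgtld" is a placeholder for a hypothetical newly delegated TLD.
SAMPLE_LOG = """\
2014-06-01T10:00:01Z 10.1.2.3 fileserver.corp A NXDOMAIN -
2014-06-01T10:00:02Z 10.1.2.4 www.example.com A NOERROR 93.184.216.34
2014-06-01T10:00:03Z 10.1.2.5 wiki.newgtld A NOERROR 127.0.53.53
2014-06-01T10:00:04Z 10.1.2.6 intranet.home AAAA NXDOMAIN -
2014-06-01T10:00:05Z 10.1.2.3 _ldap._tcp.dc.corp SRV NXDOMAIN -
2014-06-01T10:00:06Z 10.1.2.7 api.example.net A NOERROR 198.51.100.7
"""


@dataclass
class Finding:
    client: str
    qname: str
    reason: str  # "reserved-tld" or "controlled-interruption"


def tld_of(qname: str) -> str:
    """Return the lower-cased rightmost label, ignoring a trailing dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def classify(qname: str, answer: str) -> list:
    """Return the collision indicators that apply to one query/answer pair."""
    reasons = []
    # An internal-only suffix reaching the resolver means the query will be
    # sent towards the public root if the local zone is missing.
    if tld_of(qname) in RESERVED_TLDS:
        reasons.append("reserved-tld")
    # A controlled-interruption answer means a name that used to fail
    # (or resolve internally) now resolves under a newly delegated TLD.
    try:
        if ipaddress.ip_address(answer) == CONTROLLED_INTERRUPTION_IP:
            reasons.append("controlled-interruption")
    except ValueError:
        pass  # "-" or a non-address answer such as an SRV target
    return reasons


def scan(log_text: str) -> list:
    """Parse log lines and collect one Finding per indicator per line."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype, _rcode, answer = line.split()
        for reason in classify(qname, answer):
            findings.append(Finding(client, qname, reason))
    return findings


def summarize(findings: list):
    """Count findings by reason and by client, to prioritise remediation."""
    per_reason = Counter(f.reason for f in findings)
    per_client = Counter(f.client for f in findings)
    return per_reason, per_client


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.client:<10} {f.qname:<24} {f.reason}")
    by_reason, by_client = summarize(results)
    print("by reason:", dict(by_reason))
    print("by client:", dict(by_client))
```

Hosts that show up repeatedly under `reserved-tld` are the ones whose search lists or hard-coded suffixes need fixing before a collision can be exploited or cause an outage; a `controlled-interruption` hit tells the operator which internal names have already begun resolving on the public internet and so need a local authoritative zone or a rename before the 120-day period ends.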