Background and Context: The new generic Top Level Domain Program and South Africa
The Internet Corporation for Assigned Names and Numbers (ICANN) is a multi-stakeholder, non-profit organization, incorporated in California, USA. It is responsible for the delegation of generic Top Level Domains (gTLDs) on the Internet, such as the familiar .COM or .ORG domain names, or the lesser known .AERO or .MUSEUM. These gTLDs stand apart from country code TLDs such as .ZA and .UK, which are allocated based on the United Nations ISO country code list.
In 2012, ICANN embarked on a program to facilitate the application for and launch of new gTLDs on the Internet. In June 2012, ICANN announced that it had received 1930 applications, several of which were submitted by the ZA Central Registry (ZACR), namely: dotAfrica (.Africa), dotCapeTown (.CapeTown), dotJoburg (.Joburg) and dotDurban (.Durban).
A prominent feature of the new gTLD program is the appearance of Geographic Name gTLDs. Several other prominent international cities and regions have also submitted applications to ICANN for their corresponding Geo TLDs.
As at the beginning of July 2013, the ZACR’s applications had all passed Initial Evaluation (IE). As the project entered its next phase, the ZACR started preparations to launch these new gTLDs to the South African and African public.
The ZACR, in consultation with its direct stakeholders, has proposed a launch date of 1 March 2014 for the commencement of Sunrise proceedings for all 4 (four) of its gTLDs. However, the results of a newly released Study, commissioned by ICANN, may cause disruptions to this proposed timeline.
The new gTLD Collision Study and ICANN’s Risk Assessment
With reference to: ICANN’s Media Announcement
In May 2013, ICANN commissioned a study to determine the likely technical impact that the release of new gTLDs may have on the stability and integrity of the Internet, in particular the Domain Name System (DNS), which is a critical infrastructure underpinning the operation of the Internet. The study, conducted by the US-based Interisle Consulting Group LLC, was eventually released to ICANN on 2 August 2013, and ICANN in turn released the above media statement titled "Addressing the Consequences of Name Collisions".
As mentioned above, the purpose of the study was to identify categories of new gTLD strings according to the risk they represent to the global DNS. In attempting to achieve this objective, the Study looked at the likelihood of name space collisions between applied-for new gTLD strings and non-delegated TLDs. The Study also reviewed the possibility of collisions arising from the use of X.509 digital certificates.
In a nutshell, the experts looked at existing Internet infrastructure to determine if, and to what extent, proposed new gTLD names are currently being used. It stands to reason that if the global Internet already uses (or relies on) a name that is identical, or very similar, to a proposed new gTLD, the actual delegation of that gTLD could upset the Internet apple cart and thus have unanticipated, and possibly detrimental, consequences. Once a gTLD has been delegated (made authoritative on the Internet), the proverbial horse would have bolted and you're stuck with the consequences.
ICANN is therefore trying, some would argue belatedly, to hedge its risks in terms of the new gTLD process. For those more technically inclined, a complete version of the Study is available here: http://www.icann.org/en/about/staff/security/ssr/name-collision-02aug13-en.pdf
The Study has essentially identified that 80% of the new gTLD applications held little or no risk to the stability of the Internet, whilst at least two applications (.home and .corp) posed a serious risk and should therefore not be delegated. According to the Study, the balance of approximately 280 applications holds an unknown risk and therefore requires further investigation. The delegation of these 280 new gTLDs has therefore been placed on hold until further studies have been concluded.
Criticism of ICANN’s Position and the Consequences for the ZACR’s Applications
Whilst the release of the Interisle Study has generally been welcomed, the conclusions drawn by ICANN and its subsequent assessment of the risks have drawn widespread criticism from the global DNS community.
Perhaps in anticipation of the Interisle Report, Verisign, which is the world's largest gTLD registry, conducted its own comprehensive study, incorporating additional threat vectors. The results of this study, together with the results of the Interisle study, have been used as motivation by the NTAG (New TLD Applicants Group) as to why ICANN should not delay the delegation of all but 5 new applications. In short, the NTAG believes that the problem has been over-stated and that consequently ICANN has made an incorrect, and overly harsh, assessment of the risk concerning the remaining 20% of the names.
Notwithstanding the criticism, according to ICANN’s media statement of 5 August 2013, ICANN will only proceed to delegate a new gTLD when the risk profile of such string has been mitigated to a "Low-Risk" status as per the Study.
Consequently, the ZACR city TLD applications for dotCapeTown (.CapeTown), dotDurban (.Durban), dotJoburg (.Joburg), which all fall into the low-risk category, should experience little or no delays in relation to their delegation or launch dates (currently proposed at 1 March 2014).
The dotAfrica application, however, which falls into the "uncalculated-risk" category, could experience minor delays in terms of its delegation and ultimate launch, although we do not believe that this will materialise. The exact extent of any delays really depends on the outcome of further studies being conducted by ICANN, which could take anywhere between 3 - 6 months to complete. This in itself should not have a significant impact on the dotAfrica (.Africa) proposed launch date of 1 March 2014.
Further Context and Summary of the ICANN / Interisle Study
Names that belong to privately-defined or “local” name spaces often look like DNS names and are used in their local environments in ways that are either identical to or very similar to the way in which globally delegated DNS names are used. Although the semantics of these names are properly defined only within their local domains, they sometimes appear in query names (QNAMEs) at name resolvers outside their scope, in the global Internet DNS. The context for this study is the potential collision of labels that are used in private or local name spaces with labels that are candidates to be delegated as new gTLDs. The primary purpose of the study is to help ICANN understand the security, stability, and resiliency consequences of these collisions for end users and their applications in both private and public settings.
The Study used as input:
- samples of DNS requests to root servers from the “Day in the Life of the Internet” initiative from DNS-OARC; and
- Information from Certificate Authorities regarding the issuance of internal name certificates (e.g., TLS/SSL certificates for un-delegated names).
The delegation of almost any of the applied-for strings as a new TLD label would carry some risk of collision. Of the 1,409 distinct applied-for strings, only 64 never appear in the TLD position in the request stream captured during the 2012 “Day in the Life of the Internet” (DITL) measurement exercise, and only 18 never appear in any position. In the 2013 DITL stream, 42 never appear in the TLD position, and 14 never appear in any position.
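The distinction drawn above between a string appearing "in the TLD position" and "in any position" of a QNAME can be made concrete with a small counter. This is an added example, not code from the Study or from ICANN; the applied-for set is limited to strings named on this page and the QNAME samples are constructed for illustration.

```python
from collections import Counter

# Strings named on this page; the real Study covered 1,409 distinct strings.
APPLIED_FOR = {"home", "corp", "africa", "capetown", "durban", "joburg"}

# Constructed sample of QNAMEs as they might arrive at a root server.
SAMPLE_QNAMES = [
    "printer.home.", "nas.home", "router.HOME.",   # leaked local names
    "mail.corp.", "dc01.ad.CORP",                  # leaked local names
    "corp.example.com.",                           # string present, not as TLD
    "africa.example.net.",                         # string present, not as TLD
    "fileserver.joburg.",
    "www.example.org.",
    ".",                                           # query for the root itself
]

def labels(qname):
    """Split a QNAME into lowercase labels, dropping the trailing root dot."""
    return [l for l in qname.strip().rstrip(".").lower().split(".") if l]

def collision_counts(qnames, applied_for):
    """Count queries where an applied-for string is the rightmost label
    (TLD position) and queries where it occurs as any label."""
    tld_hits, any_hits = Counter(), Counter()
    for qname in qnames:
        parts = labels(qname)
        if not parts:
            continue  # root query carries no labels
        if parts[-1] in applied_for:
            tld_hits[parts[-1]] += 1
        for s in set(parts) & applied_for:  # one count per query per string
            any_hits[s] += 1
    return tld_hits, any_hits

def never_seen(applied_for, hits):
    """Applied-for strings with zero occurrences in the given counter."""
    return sorted(s for s in applied_for if hits[s] == 0)

def rank_by_tld_frequency(tld_hits):
    """Order strings by TLD-position query count, most frequent first."""
    return sorted(tld_hits.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    tld, anywhere = collision_counts(SAMPLE_QNAMES, APPLIED_FOR)
    print("rank by TLD-position frequency:", rank_by_tld_frequency(tld))
    print("never in TLD position:", never_seen(APPLIED_FOR, tld))
    print("never in any position:", never_seen(APPLIED_FOR, anywhere))
```

DNS names are case-insensitive, so labels are lowercased before comparison; a string such as `corp` in `corp.example.com.` counts toward "any position" only, because that query resolves under an already delegated TLD.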
ICANN Staff Recommendation Paper: New gTLD Collision Risk Mitigation
A) LOW-RISK (~80% OF STRINGS):
As described in the Study, a "reasonable threshold for “low risk” could be established by reference to the number of queries for existing TLDs that are empty (meaning that their zones contain only the necessary DNS meta-data)." In other words, applied-for new gTLDs that appear in the query stream at the root less frequently than existing TLDs with "empty zones" in the 2013 Day in The Life of the Internet (DITL) data used for the Study, will be considered to fit in the low-risk profile. This will include almost 80% of the proposed new gTLDs, i.e., the strings with frequency ranks between 282 and 1395, inclusive, as shown in Appendix B of the Study report.
LOW-RISK MITIGATION: (Ranked 282 and upwards)
The Study establishes a low-risk profile for 80% of the strings. ICANN proposes to move forward with its established processes and procedures with delegating strings in this category (e.g., resolving objections, addressing GAC advice, etc.) after implementing two measures in an effort to mitigate the residual namespace collision risks.
1. dotCapeTown (.CapeTown) - Ranked 947;
2. dotDurban (.Durban) - Ranked 608; and
3. dotJoburg (.Joburg) - Ranked 873
all fall into the Low-Risk Category.
B) HIGH-RISK (HOME, CORP)
The Study identifies two strings that would likely cause problems (as described in section 6 of the Study report) if delegated given their high frequency of appearance in queries to the root. Both home and corp will be considered high-risk strings given that they occur an order of magnitude more often in the 2012 and 2013 DITL data than the next most frequently occurring string. The Study identifies these strings as having a level of queries in the realm of heavily used TLDs. Additionally, in the case of corp, it is identified as the string that has the most internal name certificates as shown in Appendix C of the Study report.
HIGH-RISK MITIGATION: ICANN considers that the Study presents sufficient evidence to classify home and corp as high-risk strings. Given the risk level presented by these strings, ICANN proposes not to delegate either one until such time that an applicant can demonstrate that its proposed string should be classified as low risk based on the criteria described above.
C) UNCALCULATED-RISK (20% of Strings, ranked between 3 - 281)
The remaining 20% of the strings, i.e., those between ranks 3 and 281, inclusive, as shown in Appendix B of the Study report will be considered part of the uncalculated-risk category. The Study did not find enough information to properly classify these strings given the short timeline.
MITIGATION: For the remaining 20% of the strings that do not fall into the low or high-risk categories, further study is needed to better assess the risk and understand what mitigation measures may be needed to allow these strings to move forward. The goal of the study will be to classify the strings as either low or high-risk using more data and tests than those currently available. While this study is being conducted, ICANN would not allow delegation of the strings in this category. ICANN expects the further study to take between three and six months.
dotAfrica (.Africa) - Ranked 236, falls into this risk category.
New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis - [Verisign Labs Technical Report #1130008 Version 1.0]
Firstly, registry operators will implement a period of no less than 120 days from the date that a registry agreement is signed before it may activate any names under the TLD in the DNS. Secondly, once a TLD is first delegated within the public DNS root to name servers designated by the registry operator, the registry operator will not activate any names under the TLD in the DNS for a period of no less than 30 days. During this 30-day period, the registry operator will notify the points of contact of the IP addresses that issue DNS requests for an un-delegated TLD or names under it.