As the number of top-level domains undergoes explosive growth, the Internet Corporation for Assigned Names and Numbers (ICANN) is studying ways to reduce the risk of traffic intended for internal network destinations ending up on the Internet via the Domain Name System.
The draft of a report (PDF) commissioned by ICANN and carried out by JAS Global Advisors includes a series of recommendations — ranging from alerting network operators by returning 127.0.53.53 as an IP address to, in extreme cases, de-delegating a colliding second-level domain — to deal with the issue.
Earlier this year, ICANN announced that more than 100 new generic top-level domains had been added to the Root Zone. It was a milestone moment for the gTLD program, which will increase the number of generic top-level domains from 22 up to around 1400 (at least in the first instance; more TLDs are almost certain further down the track).
This expansion carries with it the risk that some of these new domains are already in use by enterprises that employ them to designate destinations on corporate intranets. An ICANN-commissioned report by Interisle Consulting Group (PDF) released in August last year found that the potential for name collision with the new gTLDs was "substantial".
"Based on the data analyzed for this study, strings that have been proposed as new gTLDs appeared in 3% of the requests received at the root servers in 2013," the report stated.
"Among all syntactically valid TLD labels (existing and proposed) in requests to the root in 2013, the proposed TLD string home ranked 4th, and the proposed corp ranked 21st. DNS traffic to the root for these and other proposed TLDs already exceeds that for well-established and heavily-used existing TLDs."
Of the 1409 strings that were applied for in the gTLD process, only 42 did not make an appearance in the TLD position during the 2013 'Day in the Life of the Internet' data capture exercise carried out by the Domain Name System Operations Analysis and Research Center (DNS-OARC), the report said. Only 14 made no appearance at all.
In the wake of the report, ICANN's board in October endorsed a policy titled "New gTLD collision occurrence management", (PDF) which noted that Interisle had found .home and .corp as strings likely to cause significant problems if they were delegated. As a result ICANN's policy would be to indefinitely defer their delegation.
The policy included commissioning a study to develop a name collision occurrence management framework.
"The framework will specify a set of name collision occurrence assessments and corresponding mitigation measures if any, that ICANN or TLD applicants may need to implement per second level domain name (SLD) seen in the DITL [Day in the Life of the Internet] and other relevant dataset (e.g., information from Certificate Authorities regarding the issuance of internal name certificates)," the policy stated.
The policy mandated developing name collision assessments for proposed gTLDs, including problematic second-level domains, and included some potential steps to be taken to avoid problems, such as blocking particular SLDs on a temporary or permanent basis, trial delegations or making an SLD available to an organisation responsible for the domain collision.
Operators of the new gTLDs would have to wait at least 120 days before activating any new domain names (although they can still accept registrations during the period). A process would be implemented to monitor possible collisions after the new gTLD begins operation, including the possible blocking of an SLD.
(The ICANN policy also included an "alternative path to delegation" for registry operators: Proceeding to delegation before receiving a collision assessment, which would require them to block all the internal SLDs that had appeared in the DITL data.)
The new ICANN-commissioned draft report from JAS Global Advisors lays out proposals for the management framework to deal with the collision issue. The report includes recommendations to permanently reserve .mail as well as .corp and .home for internal use (possibly under RFC 6761, the RFC that defines the registry of special-use domain names such as .localhost and .invalid).
(The report also intriguingly makes reference to a vulnerability that JAS uncovered which is "not directly related to ICANN's New gTLD Program nor to new TLDs in general that has the potential to impact end-systems". "After extensive discussions with impacted vendors, JAS is concerned that publication of the experimental methods and data contained in the complete JAS report may accelerate discovery of the vulnerability and/or serve to facilitate exploitation of the vulnerability after it is discovered," the report states.)
In addition the report recommends emergency response options, which will be employed only in situations "where there is a reasonable belief that the DNS namespace collision presents a clear and present danger to human life".
Emergency response options should not "under any circumstances" include root-level de-delegation of a TLD, but could include using the Emergency Back-end Registry Operator (EBERO) system set up as part of the new gTLD program.
The EBERO system is a group of registry operators to whom ICANN can temporarily delegate TLDs — for example, if there is an SLD collision issue that has potentially dire consequences and a registry operator refuses to take action, ICANN can have an EBERO take over the TLD and take measures including de-delegation of an SLD.
The report also recommends a "controlled interruption" policy, similar to how domain expiration is managed: "The Expired Registration Recovery Policy calls for extensive notification before the expiration, then a period when 'the existing DNS resolution path specified by the Registrant at Expiration ('RAE') must be interrupted' – as a last-ditch effort to inspire the registrant to take action.
"Nothing inspires urgent action more effectively than service interruption."
For this "controlled interruption" JAS recommends returning an address within the 127/8 loopback range: "Responding with an address inside 127/8 will likely interrupt any application depending on an NXDOMAIN or some other response, but importantly also prevents traffic from leaving the requestor's network and blocks a malicious actor's ability to intercede."
Instead of the familiar 127.0.0.1 loopback address for localhost, the report suggests "127.0.53.53", the 53 echoing the DNS port number. Because the address is so unusual, connection failures to it are likely to stand out in logs, and sysadmins who aren't aware of the name collision issue are likely to search online for information about it and find the explanation.
"Numerous experiments performed by JAS confirmed that a wide range of application layer software logs something resembling a 'failed connection attempt to 127.0.53.53' which is the desired behavior. We also confirmed that all modern Microsoft, Linux, Apple, and BSD-derived operating systems correctly implement RFC 1122 (albeit with variations) and keep the traffic within the host system, not on the network," the report states.
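The two observable effects described above, a colliding name resolving to 127.0.53.53 and application logs recording failed connections to that address, are what an operator would check for on their own network. The following is an added example (not code from the JAS report or from ICANN) of such an audit: it resolves a list of internal hostnames and flags any whose answers contain the controlled-interruption address, and it scans syslog-style lines for the same address. The hostname `fileserver.newtld`, the `.newtld` suffix and the log lines are constructed for the example; `audit_names` accepts an injected resolver so the logic can be exercised without network access.

```python
import ipaddress
import re
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Address the JAS draft recommends registries return for colliding SLDs.
CONTROLLED_INTERRUPTION_IP = ipaddress.IPv4Address("127.0.53.53")

# Constructed sample log lines (not real captures) of the kind JAS describes:
# application-layer software recording a failed connection to 127.0.53.53.
SAMPLE_LOG = [
    "Mar 10 09:12:01 app01 smbclient[4121]: connect to fileserver.newtld (127.0.53.53) port 445 failed: Connection refused",
    "Mar 10 09:12:05 app01 sshd[4133]: Accepted publickey for ops from 10.1.2.3 port 51234",
    "Mar 10 09:12:09 app01 ldap[4150]: failed connection attempt to 127.0.53.53:389",
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_controlled_interruption(addr: str) -> bool:
    """True only for the exact 127.0.53.53 signal; other 127/8 or junk is False."""
    try:
        return ipaddress.IPv4Address(addr) == CONTROLLED_INTERRUPTION_IP
    except ValueError:
        return False


def resolve_ipv4(name: str) -> List[str]:
    """Resolve a name to its IPv4 answers via the system resolver (uses the network)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def audit_names(names: Iterable[str],
                resolver: Callable[[str], List[str]] = resolve_ipv4) -> Dict[str, List[str]]:
    """Return {name: answers} for every name whose answers include 127.0.53.53.

    Such a name is an internal hostname that now leaks to the public DNS under a
    newly delegated gTLD; the registry's controlled-interruption answer is the warning.
    """
    findings: Dict[str, List[str]] = {}
    for name in names:
        answers = resolver(name)
        if any(is_controlled_interruption(a) for a in answers):
            findings[name] = answers
    return findings


def scan_log_lines(lines: Iterable[str]) -> List[str]:
    """Return the log lines that mention the controlled-interruption address."""
    hits = []
    for line in lines:
        if any(is_controlled_interruption(ip) for ip in IPV4_RE.findall(line)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    # Usage: python audit.py host1 host2 ...  (resolves with the real resolver)
    for host, answers in audit_names(sys.argv[1:]).items():
        print(f"COLLISION SIGNAL: {host} -> {answers}")
    for line in scan_log_lines(SAMPLE_LOG):
        print(f"LOG HIT: {line}")
```

A hit from either function means the name is being sent to the public DNS rather than answered internally; the fix is on the querying side (a fully qualified internal zone, or a reserved suffix), since the registry's 127.0.53.53 answer is only a temporary warning that ends once the SLD is released for registration.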
The proposals in the draft JAS report are open for comment until 31 March.