Afilias plans to deploy Domain Name System Security Extensions in 13 more top-level domains 

DUBLIN, IRELAND  – 23 August 2010 – Afilias, a global provider of Internet infrastructure services, today announced that it will deploy Domain Name System Security Extensions (DNSSEC) across its registry platforms, signing 13 more top-level domains (TLDs) and increasing DNSSEC deployment among domain registries by 50 percent.

“Afilias has been a leader in DNSSEC deployment, including working closely with .ORG to plan, design and implement the .ORG DNSSEC strategy as early as 2007,” said Ram Mohan, Executive Vice President and Chief Technology Officer for Afilias. “We are pleased to introduce DNSSEC across our registry and DNS platform, protecting TLDs in our care from DNS cache poisoning and man-in-the-middle attacks, while maintaining consistency and convenience for registrars and their customers."

DNSSEC development began in the early1990s, but only recently became ready for broad deployment as an additional security measure to protect the DNS from cache poisoning exploits. Recently referred to as the Kaminsky bug, this exploit can allow malicious entities to intercept Internet users’ requests to access a website, and redirects or eavesdrops on these users without their knowledge, and with no ability to reassert control. DNSSEC introduces digital signatures to the DNS infrastructure and automatically ensures that users’ are not hijacked and taken to an unintended destination.

To deploy DNSSEC for these additional TLDs, Afilias is introducing a new global strategy, launched under its “Project Safeguard” initiative.  Project Safeguard includes a registry and DNS infrastructure upgrade across Afilias’ global technology platforms to support DNSSEC. It also includes a year-long registrar training initiative to address technical issues concerning implementation of DNSSEC in registrar-registry transactions.

As part of Project Safeguard, Afilias conducted research across domain name registrars to understand the issues they face with DNSSEC deployment. Afilias’ Registrar DNSSEC Readiness Report found that:·       

• Registrars think DNSSEC is a good idea, but are not yet fully prepared to offer consumer services.  80 percent of registrars believe that top-level domain (TLD) registries should offer DNSSEC. However 90 percent of registrars currently feel completely unprepared or only somewhat prepared to actually offer DNSSEC services to their customers as this time.        
• 69 percent of Registrars plan to offer DNSSEC services in 2011 or beyond. 32 percent have no plan to introduce DNSSEC within the next 12 months.      
• Consumer demand is the biggest challenge for registrars. 56 percent cite a lack of consumer demand as their biggest challenge impeding their DNSSEC implementation.       
• Registrars also cite issues with deploying DNSSEC technology:  For example, nearly 20 percent cite the management of DNSSEC keys as their number one concern, followed by more than 18 percent that cite overall DNSSEC technology and expertise.  

“Our goal is to help registrars navigate the challenges of enabling the next generation of Internet security with DNSSEC, by providing a simple and singular enablement process to easily deploy DNSSEC across Afilias-supported domain registries,” said Mohan. “The Project Safeguard initiative should ease the technical burden of DNSSEC deployment and could spur user adoption."

Afilias will deploy DNSSEC first in the .INFO domain in September, to be followed by TLDs that it supports in Asia, the Latin America/Caribbean, and Europe. Based on the proven strategy for the .ORG registry’s successful DNSSEC deployment effort, Afilias will adopt a similar, careful, step-by-step approach.  This strategy will include a “friends and family period” which will coincide with registrar outreach.

About Afilias

Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias please visit www.afilias.info.

###

DNSSEC statistics source: DNSSEC Deployment Initiative https://www.dnssec-deployment.org/wp-content/uploads/2010/06/TLD-deployment-Table1.pdf  As of 13 August 2010 26 TLDs had deployed DNSSEC. 

If the rise of phishing has taught us anything, it's that on the Internet, if a digital asset has value, there's somebody out there who wants to steal it. Whether it's a bank account password, a credit card number, a PayPal login, or even a magic sword in an online game, there's a fraudster somewhere trying to misappropriate it for his or her own nefarious purposes.

Domain names have always been a target for such criminals. Companies and individuals doing business online have few assets more valuable than their domain name. It may cost $10 or less to register one, but the domain name is the glue that connects a company to its customers; revenue and brand equity depend upon its security.

Domain theft is not a new phenomenon, of course. Sex.com, for example, was hijacked all the way back in 1995, when there was only one registrar. Its true registrant had to spend years in court to retrieve it. In more recent years, high-profile domains such as Panix.com, Baidu.com and even ICANN.org have been temporarily stolen by attackers using social engineering to exploit process vulnerabilities at domain name registrars.

It's surprising, given that domain name hijacking predates the creation of the competitive registrar market itself, that the industry has not done more in the last decade to mitigate the risks. ICANN's Security and Stability Advisory Committee (SSAC) noted as recently as last year that "pure play, secure registration service providers are rare, in part due to the fact that evaluating security measures does not play as prominent a role in customer decisions when choosing a registrar as it should."

However, registrant apathy regarding security may already be changing, according to a recent survey of savvy registrants.

There are three areas where registrars, in general, have room for improvement when it comes to security.

1. Better Authentication

The simple username/password authentication approach so common at Registrars has repeatedly been found vulnerable to social engineering attacks and should not be considered strong enough security for high-value domain name accounts. This is especially true when automated password reminders are available. If all an attacker needs to do is compromise a password or e-mail address in order to have complete control over a domain portfolio, registrants have the right to ask for stronger authentication.

Nowadays, it's common practice for large financial institutions to allow, or even require, multi-factor authentication before giving customers access to valuable assets. But it's not just banks. After the phishing black market put a dollar value on World of Warcraft accounts, the game's developer had to start offering players one-time password tokens, in the form of key fobs, as a second authentication factor, to decrease fraud.

When you think about it, the fact that magic swords are sometimes offered a greater degree of protection than domain names is pretty crazy.

2. Notifications

When someone logs into a registrar domain account they are given virtually the “keys to the kingdom” for that organization’s entire domain portfolio and DNS settings. If domain account access is compromised, then all it takes for the criminal is to login to the registrar account, change the registrant and other contacts associated with the domain, and then either change the DNS information to point to a new site or transfer the domains to a completely different registrar where it is difficult for to reclaim the names.

It is time registrants get routinely notified when such changes are made to their domain name portfolio, whether via e-mail, text or perhaps even telephone for the most critical items. The best scenario is to notify two or more authorized employees to provide for shift changes and/or redundancy. Social engineering is the attack of choice for hijacking domains, and it's harder to impersonate two people than one.

Because e-mail accounts are easier to compromise than phone numbers, using out-of-band communications channels, such as telephone or SMS text message, could also increase security.

3. Access Control

Usually, authenticated registrants have global privileges: they can change name servers, transfer out domains or cancel renewals, for example. The risk of domain hijacking could be further mitigated by employing more granular access controls once a customer has been "authenticated". Many registrants may wish to use a higher level of security on their primary domains, limiting critical privileges to certain high-status users. The learning curve here could be eased somewhat by the fact that existing registrar Whois records already usually describe at least three roles – the administrative, technical and billing contacts.

Registrars should enable Registrants to designate different contacts for different authority levels. This would accord Registrants the choice of better protection.

 

None of these measures need to be a drain on registrars' margins. Indeed, once in place, these will save money that is now spent resolving disputes after the fact by making criminal activity more difficult. Further, with domain name registrants increasingly looking at registrars' security provisions before they make their purchasing decisions, the opportunity presented by value-added premium services, designed for security and marketed to customers with high-value domain portfolios, should be obvious. Criminals look for the softest targets; with a little effort in just 3 areas, registrars can significantly improve the security they provide for registrants.

For more reading on this topic, see SSAC’s advisory to registrars on improving security: SAC040

(Disclosure: I am one of the charter members of SSAC)

Almost exactly nine years ago, the .INFO domain first started accepting registrations.  This was an historic event as it was the first time a new generic top-level domain (TLD) was launched to an existing domain marketplace and, in fact, was the first new TLD to be added since .com.  We’ve seen (and provided technology to power) many other TLD launches since then, with many business models.  As you seek to introduce your own new TLD however, you should carefully evaluate the different launch models that have been tried before and determine which one will work best for your specific TLD.

Trademark Protection
All new TLDs will require some form of trademark protection to ensure that Intellectual Property (IP) holders’ rights can be protected prior to live, public registrations.  Afilias has implemented a number of different types of trademark protection plans from pre-registration without trademark verification, to those with extensive application and verification processes.  We’ve seen the best success with a very focused trademark pre-registration period that has clear trademark parameters and works with a known trademark verification agent to weed through all of the submissions.  We also recommend that all registries lock pre-registered trademark domains for up to 60 days following their registration award to allow for any potential UDRP claims that IP owners may wish to file.  

Landrush
Landrush will be the most critical time for your TLD as it places the heaviest load on the technical registry system.  We’ve seen in excess of 300,000 names coming in through initial landrush opening minutes, so you want to be very careful about who you select as your registry partner.  You should make sure that their registry has been tested to withstand a significant landrush load.

In addition, you will have to make some policy decisions about how you want landrush to work. In almost all cases you should avoid pre-registration fees with a “chance” at getting your name. These can be viewed as lottery-based systems that can subject your organization to new legal restrictions.  We highly recommend that clients not charge for applications, but only for awarded names.

Regardless, you need to decide if you will open the floodgates all at once, or if you want to have multiple, specialized application periods (see below) in advance of the “public” opening.

Premium Names and Auctions
In recent years TLDs like .info, .mobi, .asia and .me have seen good success by reserving premium names, which are highly desirable generic or category terms.  In .info’s case, we reserved a number of country domains and have awarded them for use by their respective governments (some great examples are spain.info and germany.info).  Other TLDs have used reserved name lists for auctions following landrush.

Premium or other reserved names can fit well into your new TLD’s strategy, particularly if you will be representing a certain category or key community where they will present more value.  An auction approach helps to raise the price, and therefore perceived value of these names, and can help put your registry on a sound financial footing more quickly.  

RFPs
If auctions are not to your taste, other domains have also seen success by simply launching a period where interested users can respond to a “request for proposal” with a business and launch plan for a highly desirable name.  As a registry, you can offer additional promotion, partnerships or advertising to help assist with the launch of these sites, which can also act as great brand ambassadors for your fledgling TLD.

 

Each new TLD will have its own priorities. However, at the end of the day, you need a plan that will get lots of names into your target market quickly, generate awareness of your TLD (so it will be viewed as a legitimate place to visit by Internet users), and demonstrate actual use in the market (i.e. real sites and e-mail).  Your launch plan is critical to establishing these building blocks quickly. If you are not a TLD expert, consider teaming up with someone who has been there before.

If you are a new TLD applicant, one of the key pieces of your plan is how you intend to go to market. Many applicants will be required by ICANN to use registrars, and there are many good reasons for this. Registrars understand the domain business, they are experienced domain marketers and most importantly, they have existing business relationships with many of the same registrants you will need to make your TLD successful.

The question is: HOW do you get registrars to support YOUR new TLD? Afilias has more experience introducing new TLDs to registrars than anyone, and we’d like to suggest 3 principles for success:

1. First, choose an attractive string: The most important reason for a registrar to support you is if your TLD will sell. Make sure your string has a strong reason for being—that it adds value to the Internet and will serve a market that will buy it!
2. Second, Provide Support: Be sure to give registrars tools that will help them sell your TLD. For example you’ll need to ensure competitive pricing and provide marketing materials and promotional support. Plan to work as a TEAM with your registrars
3. Third, Keep it simple: Registrars are going to be swamped with new offerings. If YOUR TLD is simpler to implement, your chances for success are better.
   • Simplicity begins with the accreditation process—Study what new TLDs have done in the past and don’t re-invent the wheel.
   • Pricing should also be simple and sustainable. Look at how registrars sell domains today and try to replicate that model.
   • And last, Technical systems must be familiar and standards-compliant: Registrars don’t have time to learn a whole new system. They will support TLDs that use systems they are familiar with, as it saves them time and money.

Registrars are the key to distribution so you must learn how to succeed through them. How? Choose an attractive string, provide appropriate support for your registrars, and keep it simple for them.

Of course, it isn’t quite that simple. That’s why you should work with an expert who is already dealing with registrars and has done this for many new TLDs before. Afilias already has a group of accredited registrars that together support over 90% of the active domain name marketplace. This coupled with our registry technology which already supports 15 different TLDs, has the kind of experience you’ll need in gaining distribution to make your new TLD successful.

Afilias is a sponsor of the 12th AfriNIC Public Policy Meeting and AfNOG.

• ‹ previous
• 65 of 78
• next ›

The deployment of Domain Security Extensions (DNSSEC) has crossed another milestone this month with the publication of DURZ (deliberately unvalidatable root zone) in all DNS root servers on 5 May 2010.

While this change was virtually invisible to most Internet users, this event and the remaining testing that will occur over these next two months will dictate the ultimate success of DNSSEC deployment across the Internet.

Until now, ICANN and its partners have been rolling out DURZ to each of the root servers individually. With this step, all root servers now have DURZ. We will now get to see, before a validatable root zone is published, how the DNS infrastructure will behave as more queries for DNSSEC information result in larger responses. Answers to the important question about how the DNS scales with the addition of DNSSEC will hopefully start to filter in, as well as the opportunity to watch for abnormalities in the system. The final step in the root’s DNSSEC deployment will occur in July when a validatable root zone is published.

If you are an application provider, ISP, or a TLD registry thinking of DNSSEC deployment you should take this event as an actionable item and allow your technical teams time to participate in DNSSEC testing.

The next milestone will be the deployment of a validatable signed root. Signed TLDs will be able to submit their keys to the root zone after it is signed, creating a single, hierarchical, secure infrastructure, in contrast to the islands of trust we have today.

We have spent the better part of the past three years working closely with .ORG and the Public Interest Registry towards the deployment of DNSSEC in .ORG throughout the domain name system. This June, second level .ORG names will be able to submit their key information and be signed, which will propagate throughout the DNS, a first-ever in a major gTLD. We look forward to learning, sharing and helping the system become stronger across this and future DNSSEC deployments across the other TLDs we support.

Afilias' Desiree Miloshevic will be chairing this panel discussion entitled 'How long will the Internet remain a level playing field?' on Net neutrality at the University of Surrey, Guildforde. Networking and refreshments at 19.00 with the debate starting at 19.30. Visit the Web link to register for this free event!

Afilias is a sponsor of the 13th LACNIC conference. 

Afilias' Dr. James Galvin will be a Keynote speaker.  The session, entitled Trust and confidence at the Internet domain level, will be held at 9:40 AM.  

In this session speakers will talk about challenges we face when it comes to trust on the Internet. Talks will center on trust with TLD, domain name system and business practices used to enhance trust.

If you are a prospective new top-level domain (TLD) applicant, one of the most important questions you must answer is: how many registrations will my TLD have? This will be an essential element of your submission to ICANN, and if profit or even economic sustainability is your goal, getting the volume right is critical.

Although the market has never seen hundreds of new TLDs launched in rapid succession, it has experienced many new TLD launches, and each applicant should study these as they develop their volume estimates.

In 2000, when 47 applicants submitted bids to ICANN for all types of TLDs, there were already over 20 million .com domains in a total market that was less than 50 million names. Many applications relied on the belief that “all the good .com names had run out and that new TLDs were needed to serve market demand.”

Of these 47, only 7 applications were chosen and the first new TLDs were launched in 2001. A second round for “sponsored TLDs” was hosted in 2004, and 6 additional TLDs were launched. .EU and .ME have also launched. In all, more than 15 new TLDs have launched since 2001.

Well, here we are in 2010 and the industry has now grown to over 190 million domain names. If you think it was because of new TLDs, you’d be wrong.

COM, NET and ORG have grown by over 80 million names. ccTLDs, like China’s CN and Germany’s .DE, have grown about 45 million names in total. But new TLDs have added less than 15 million names. Indeed, from a market share standpoint, new TLDs have never comprised more than 7% of the market.

This shouldn’t be bad news for prospective new TLD applicants. .INFO, for example, launched in 2001 and now has nearly 6 million domains. And many of the other new TLDs are considered successful and sustainable. With over 13 million total registrations in a growing segment, new TLDs can be quite successful.

So while it may not be realistic to assume millions of registrations, what should you plan on?

First, look at the history: Afilias has supported more launches than any other provider, so we have more history. The .info, .mobi, .asia, and .me domains had enough time to successfully build demand among registrars and gain some awareness to the target market. They were able to obtain an initial Landrush of between 50,000 – 300,000 names within the first year. After 1-2 years, if you have the same determination and market penetration, you may be able to sustain daily new creates as much as 100-200 per day, which would put you roughly at a growth of 30,000-75,000 domains per year.

Second, consider pricing: To be competitive, you will need to price your TLD against others in the market. This July, .com will raise its wholesale price to $7.34 per year. But you should be aware that some gTLDs are offered as low as $1.99 in the market at retail pricing.

Third, leverage launch revenue: To generate revenue early, you should consider revenue streams such as premium name auctions or RFP bids. These often provide higher revenue per name and may result in the creation of flagship Web sites that can drive branding, awareness and usage. In addition, if your TLD is a high-margin specialty domain or it offers add-on services, those advantages may provide more revenue.

Fourth, address channel needs: As more and more new TLDs come on the market, obtaining shelf space at registrars will be a critical challenge. The fastest, cheapest and most effective way to gain access is to use a registry provider that registrars are already connected to. While no provider can guarantee distribution, it stands to reason that existing connections will deliver results faster than having to start from scratch.

Of course, community or corporate TLDs are not as subject to these types of market conditions. But even these applicants will find it easier to leave the technology to experienced providers so they can focus on their unique community and corporate needs.

As you consider your own TLD, carefully consider the above points and tap the experience of those who have gone before. Few clients we have talked with have the special registry and DNS knowledge needed to address the complex needs of today’s TLDs—and even fewer already have relationships with registrars. As the applicant, you should focus on what makes your TLD unique and valuable, not on the nuts and bolts of registry systems, DNS and channel connections. Experience matters—seek a partner that can help you steer clear of the potholes.