At-Large Summit news from ICANN Mexico

I was appointed to ICANN’s Security and Stability Advisory Committee recently and I am very proud of that. This group of esteemed security experts is a crucial element of the ICANN community, because their task is to identify threats to the good working of the Internet and suggest possible remedies. This is not a glamorous position, but rather behind-the-scenes work in the interest of the Internet user community at large.

On a similar note, I had the pleasure to co-chair the At-Large working group on DNS security issues, which came up with a statement we were reasonably happy with. The best part was actually today, when we received kudos from other parts of the community, which tend to view the At-Large more as a political obligation of ICANN than a really useful component.

I hope this will not only help the recognition of the At-Large as serious players in the ICANN context, but also motivate the At-Large members, who are often depicted as jerks and end up believing they are.

The ICANN new generic TLD process (Las Vegas edition)

I have not submitted any comments on ICANN’s new gTLD process, mostly because many other people have said more diplomatically what I think, but I thought I could blog about it.

My main concern from the beginning was that the process should allow any serious candidate to run with a reasonable chance to be able to actually start running a gTLD. This includes small and medium sized communities and startup companies with little seed money.  This also includes registry models that may not favour mass registrations. For all these, the current model is flawed.

Communities based on values, whether cultural or ethnic, are by definition limited in scope. So are communities based on geography, although they could be larger. These communities could get their TLD if they have strong political support and the attached financing. In this case, the short-term profits are not the registration fees themselves, but the prestige linked to a community having its own TLD. I bet the application for the .VLA TLD will succeed, because it has the strong political support of a wealthy community.

For the startup registries wishing to enter the gTLD arena and compete to a certain degree with the incumbents, the skies are cloudy, to say the least. First and foremost: you need money. A lot of it. Anthony Van Couvering at Names@Work has a timeline, which details the associated costs. However, a lot of the costs do not appear there. My personal estimate is that the whole process, up to the contract signing ceremony with ICANN, costs USD 1 million at the very minimum. More realistically, you need 50% more to be on the safe side.

400K will go to ICANN and its subcontracted evaluators. The costs associated with the evaluations can quickly add up. At this stage, there is no way to know exactly how much they will cost, because there are many parameters. ICANN tells you these costs will be paid directly to the evaluators, not through ICANN. This will make it even more opaque.

The rest needs to cover consultants, lawyers, salaries, ICANN meeting sponsorships, meetings with your community leaders to gain support for your application (and everything that goes with it: profit sharing, gadgets, gourmet dinners, escorts, you name it) and travel to ICANN meetings for you and your staff.

On top of that, ICANN wants you to be able to guarantee the operation of the TLD for 3 years, even if your TLD is not a success.

Note that this will not guarantee at all that your application will succeed. But at least it will guarantee one and a half years of hard work and travel to exotic places for two or three people, and others on an as-needed basis. Now go out and tell your banker, if he has not gone bankrupt already.

If you are lucky enough to reach the contract signing stage, the real work begins: hire staff, build an infrastructure, convince registrars to carry your TLD, set up a sunrise period. These are another four or five months without a single cent falling into your bank account. In conclusion, this whole new gTLD process will be most profitable for established actors, who will not have to cover many of the above-mentioned costs, or have the reserves to cover them.

Even if ICANN revises parts of their RFP, I am not sure it will attract the 500 applications it expects. This RFP should have been published 8 years ago, at the height of the Internet bubble, when everything related to the Net received full funding. Now, in this recession period, investors and bankers are cautious. It will not be easy to find partners who are willing to potentially lose USD 1.5 million, if it cannot be demonstrated with certainty they can recoup their investment in less than two years.

Good luck. May the farce be with you.

This host is DNSSEC-enabled – Part 2

Last year, I started signing the DNS records for this domain (and isoc.lu). At the time, it was what is called an ‘island of trust’ in DNSSEC-speak. Being a firm believer that one should eat his own dogfood, I have now taken this one step further. Both domains vande-walle.eu and isoc.lu are now added to ISC’s DLV registry. In addition, they are also in UCLA’s Secspider DLV repository. DLV stands for Domain Lookaside Validation; it “is a mechanism for publishing DNS Security (DNSSEC) trust anchors outside of the DNS delegation chain”, according to RFC 5074.

There are a few lessons to be learned from this experience. First and foremost, the tools are not yet ready for a general audience. If the dnssec-signzone man page is your favourite late night reading and if you like Unix shell scripting, you will have plenty of fun. On the other hand, if you are an overworked system administrator being told by the boss ‘By the way, please switch on DNSSEC before you leave this afternoon’, you are out of luck. The best tool I found to make it a bit easier is ZKT. However, this is not the friendly Graphical User Interface you would expect.

Lesson 2 is ‘check your secondaries’. I had secondaries with Xname.org. Although these nice folks provide good and free DNS service, their machines do not answer DNSSEC queries. Hence, I had to switch to new secondaries.
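Lesson 2 can be tested per server before a signed zone goes live: send each secondary a non-recursive SOA query with the EDNS0 DNSSEC OK (DO) bit set and see whether RRSIG records come back. The Python sketch below is an added example, not code from the original post; the zone `example.test`, the server address passed to `check_server` and the replies built by `sample_response` are constructed placeholders.

```python
import socket
import struct

SOA, OPT, RRSIG = 6, 41, 46                      # RR type codes

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\0"

def build_query(zone, qid=0x1234):
    """Non-recursive SOA query carrying an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1)          # 1 question, 1 additional
    question = encode_name(zone) + struct.pack("!HH", SOA, 1)
    # OPT: root name, type 41, class = UDP payload size, TTL = flags (DO = 0x8000), no rdata
    opt = b"\0" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)
    return header + question + opt

def skip_name(msg, off):
    while msg[off] and (msg[off] & 0xC0) != 0xC0:            # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)                      # pointer is 2 bytes, root is 1

def dnssec_status(msg):
    """Classify a reply: 'signed', 'unsigned', or 'truncated' (retry over TCP)."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    if flags & 0x0200:                                       # TC bit: answer did not fit
        return "truncated"
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                        # name + qtype + qclass
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == RRSIG:
            return "signed"
        off += 10 + rdlen
    return "unsigned"

def check_server(server, zone, timeout=3.0):                 # needs network access
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone), (server, 53))
        return dnssec_status(s.recv(4096))

def sample_response(signed, flags=0x8400):
    """Constructed authoritative reply for example.test (dummy rdata), for offline use."""
    rr = lambda t, n: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 3600, n) + b"\0" * n
    answers = rr(SOA, 22) + (rr(RRSIG, 40) if signed else b"")
    question = encode_name("example.test") + struct.pack("!HH", SOA, 1)
    return struct.pack("!6H", 0x1234, flags, 1, 2 if signed else 1, 0, 0) + question + answers
```

A secondary that reports `unsigned` for a zone its primary serves signed is not DNSSEC-capable; validating resolvers that reach it will treat the answers as bogus.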

Lesson 3 is that few DNS resolvers currently support DLV. BIND does. Unbound will in the next release (the current development code already does).

Lesson 4 is that the current system to register a domain in the DLV does not seem to scale and looks more like a proof of concept. It would need to be seriously industrialized to be helpful for a bigger deployment.

Lesson 5 stems from 4 above. The whole thing would be a bit easier to deploy if the root zone was signed. But this is another debate.

Many thanks to the folks at NLnet Labs and the RESTENA Foundation for providing DNS secondary service, and ISC for running the DLV registry.