
ICANN 74: TechDay and discussion of the DNSSEC protocol

ICANN 74 started on June 13. For the first time since 2020, it is taking place in a hybrid format: in The Hague (Netherlands) and online. Experts from the Coordination Center for TLD .RU/.РФ are taking part in the conference in both formats.

One of the main topics of the first day of ICANN 74 was security and the DNSSEC set of extensions. The workshop participants, representing domain registries in Canada, Australia, Sweden and Japan, as well as Internet companies and public organizations, shared their experience in implementing various solutions to improve DNSSEC. Johan Stenstam (Swedish Internet Foundation, .SE registry) spoke about a failure in the Swedish HSM (Hardware Security Module) system, which led to the publication of several thousand invalid DNSSEC signatures in the .SE zone. DNSSEC was implemented in the .SE zone about 10 years ago, and at that time a mechanism for checking the validity of signatures before publication was not implemented because of its high resource consumption. After that, the Swedish colleagues followed the principle "do not touch what works", and the necessary updates were not made. Correct operation was restored only by rebooting the entire HSM system, which consists of 2 synchronized modules. To avoid a repeat of the incident, the stack responsible for generating DNSSEC signatures was completely rewritten, and a procedure for validating signatures before publication was introduced.

Dan York (ISOC) presented statistics on the use of DNSSEC around the world and spoke about a project to build an interactive map of DNSSEC deployment. Eric Osterweil (George Mason University) described the plans for developing this map (George Mason University will continue to work on it in 2022) and spoke about using DANE (DNS-based Authentication of Named Entities) as a first step towards a global and scalable system for securing network objects. He also spoke about research into using DANE for security at the level of individual Internet objects, such as a file, photo, message or letter, and presented a GMU pilot project, a secure email system, inviting everyone to take part in testing it.

The seminar continued with a presentation by Steve Crocker (Shinkuro, Inc), who gave an overview of Episode 8 of the thematic session, devoted to two problems in the DNSSEC specification: automating the update of DS (Delegation Signer) records, and the Multi-Signer procedure for keys when multiple DNS providers are used. He spoke about the work already done and about projects and developments in these areas.

At the end of the Episode 8 workshop, participants discussed scenarios for updating DS records, the DNSSEC Bootstrapping automation method, and Multi-Signer projects being implemented by several registries. Of great interest to the community was a presentation by Kim Davies (ICANN/PTI) on the Root Zone Management System (RZMS), which has not changed in the past 20 years. Clearly, the system needs to be improved, and Kim Davies talked about its current capabilities and the ongoing work to improve it. For example, changes to the authorization model for user accounts in the system are currently being developed; changes to the approach to technical reviews are being considered, in particular a transition from the "passed/failed" model to a "passed/failed/received a warning" model; multi-factor authentication is planned; and an API is being developed. In addition, the speaker shared possible ideas for the future development of the system, such as creating a procedure for revising the supported cryptographic algorithms and introducing a system for monitoring the resource records of child zones.

The first day of the conference also included the traditional TechDay, where participants discussed technical aspects of registry operations, shared news and research results, and presented their projects and initiatives. The seminar was opened by Briony Hill (Nominet, .UK registry), who presented the Domain Watch project, aimed at identifying phishing domain registrations and blocking them. Hugo Salgado (Nic.CL, .CL registry) spoke about the experience of introducing support in the .CL zone for the new ZONEMD resource record, which contains a cryptographic digest of the zone. Moritz Müller (SIDN Labs, .NL registry) gave an overview of the heterogeneous and fault-tolerant DNS infrastructure of the .NL domain and spoke about a bug in the Google resolver that was found by SIDN Labs experts in January and fixed by Google specialists in February this year.

ICANN researcher Roy Arends spoke about a scan of how resolvers use the names and IP addresses of the root zone servers, which revealed a number of errors in responses to a DNS query. Peter Robberechts (DNS Belgium, .BE registry) made a presentation on using machine learning to identify malicious domains at the time of registration. Mats Dufberg (Swedish Internet Foundation, .SE registry) talked about the new features of Zonemaster, a tool for checking the DNS health of a given zone, for example the content of name server responses, DNSSEC parameters and the correctness of resource records.

In the final part of TechDay, Brett Carr (Nominet, .UK registry) spoke about the company's experience in taking over live TLDs from other technical operators to support key registry services, and in transferring TLDs to third-party technical operators.

TechDay was closed by Jordi Iparraguirre (EURid, .EU registry). He spoke about the EURid initiative aimed at sharing abuse data and countering DNS abuse. Although the project is young, the registries of the European domains .BE, .DK and .EU have already joined it. The participants created a decentralized infrastructure for exchanging information and developed a cooperation agreement that takes into account the current requirements of the GDPR.

ICANN 74 continues – follow us!
