On June 12, the ICANN 77 Policy Forum hosted the traditional ICANN TechDay - a technical seminar with discussion of new technologies for the domain industry, sharing of experience in their implementation, and demonstration of the results of new research. The workshop was moderated by Eberhard Lisse, Head of the ccNSO Technical Working Group and Managing Director of the Namibian Network Information Centre, Namibia's .NA TLD registry.
Giovane C. M. Moura, a representative of SIDN Labs, in his report spoke about the study of the parameters of delegation of domain names of public resources in the Netherlands, Sweden, Switzerland and the United States. The study showed significant deviations from the recommended best practices for domain name delegation. For example, about half of the domain names of state websites are delegated to the NS servers of one DNS provider, while it is recommended to use at least two different ones. Moreover, there were cases when the domain names of public resources had only one NS-record in general.
Alain Durand, ICANN Representative, spoke about a study on the implementation of DNSSEC at the second level in various TLDs. Registry representative Mark Elkins spoke about the experience of implementing CDS scanning technology for resource records in child zones in the EDU.ZA zone.
Andy Newton, ICANN GDS Chief Technical Officer, introduced a new command line RDAP client. The purpose of creating such an RDAP client was to make the tool called on the command line as adaptable as possible to various software solutions. This tool is intended primarily for technicians who interact with the Registration Data Directory Service (RDDS) using the RDAP protocol.
The news of the development of a software solution for the registration system CoCCA Registry Services was discussed in the report of the head of the company, Garth Miller. In particular, in addition to various interface improvements and optimizations of the web portal, an RDAP module was integrated into their solution, and monitoring tools were built in DNS abuse supported by IQ global and IWF.
White hacker Ron Seger was also invited to the technical seminar. In his report he considered an example of malicious code in PHP and touched on the topic of generating malicious code by AI-systems, citing ChatGPT as an example.
Mats Dufberg, of the Swedish Internet Foundation, concluded remotely with news about an update to the Zonemaster project, a tool for finding and checking DNS health parameters of a given zone, such as the content of NS server responses, DNSSEC parameters, the correctness of resource records, and etc. The last release of Zonemaster took place on December 19, 2022, and the new release will be released in the coming week and include various improvements to the zone estimation methodology.
A seminar on security issues and the implementation of the DNSSEC protocol was held on the same day. The first part of the workshop, moderated by Steve Crocker, discussed solving two problems in the DNSSEC specification: DS Automation update and the Multi-Signer key procedure. Steve Crocker talked about the work already done, about projects and developments in the field of automating the renewal of DS records, and also mentioned a recent incident in the New Zealand .NZ country code, when resources in this zone became unavailable due to an error during the rekeying. The workshop participants went on to talk about the upcoming SSAC report on DNSSEC Automation and the barriers to implementing DNSSEC Automation, as well as possible new applications for this technology.
Matthew Shears, Chair of ICANN's Strategic Planning Committee, said that while DNSSEC automation is not included in the current Strategic Plan, it is being considered for inclusion in the next one for 2026-2030.
The second part of the seminar was devoted to the issues of automated management of DS-records. Participants presented statistics on the implementation of DNSSEC and the implementation of automation for updating DS records in ccTLDs.
Ondrej Filip spoke about the introduction of automating the update of DS records in the CZ.NIC system, in particular, he noted that the upcoming version of FRED - an open source registration system that CZ.NIC representatives are actively working on - will contain a new "cdnskey-processor" that supports the technology for automating the update of DS records.
The participants next discussed the resource burden associated with high amounts of resource records for scanning in child zones when automating the update of DS records of parent zones. After that, they provided a variety of techniques for updating DS records. According to Steve Crocker, the use of the DNS NOTIFY mechanism will reduce the cost of resources for such scanning.
In conclusion, Steve Crocker invited the audience to think about what kind of technical means are needed to implement automation of updating DS records: new protocols, modification/extension of existing protocols, the ability to validate automatic updates of DS records, or something else.
ICANN 77 Policy Forum continues, stay tuned!
