March 2017 - DNS | gTLDs

DNS – Claiming and Protecting Virtual NameSpace

DNS, the keys to the Internet, and staking a territorial claim: An introduction to the Internet’s Domain Name System: How important it is, the elaborate security protecting it, and how companies can profit from using it well


It’s like a scene out of a Dan Brown novel – seven levels of security, to be accessed simultaneously by seven different individuals, recorded in detail and streamed live for auditing. Any false move may cause a time-out, which leaves those individuals locked in security cages. Armed guards standing watch. 

Seven keys to seven safety deposit boxes in seven different rooms. Each safety deposit box containing a smart card in a tamper-evident bag. Each smart card, a portion of the cryptographic key that protects the integrity of a central computer function.

Access to world-ending weaponry? No – access to the Internet. This is the Key Signing Ceremony, an elaborate ritual performed four times a year on fundamental Internet infrastructure. (For a first-hand description of the security involved in the Key Signing Ceremony, listen to the Olaf Kolkman interview on “A Day in the Life of a Man with a Key to the Internet”.)

All this carefully constructed security is in place to authenticate the Domain Name System, the largest and most widely-distributed database on the planet, and a central – utterly essential – tool for the functioning of the Internet. Every single time you sit down at your laptop or on your smart phone and surf the Internet, each request you make in your browser for a particular website (be that via a link in another website or a URL that you type in manually), your computer needs to request information from the Domain Name System to find the location of the web server where that website is hosted, so that it can then contact that web server and provide you with the information you want. 

The common metaphor for the Domain Name System is that it’s like a massive global telephone book. Instead of connecting people’s names with addresses and telephone numbers, the DNS connects the domain name of a website (www.dotmagazine.online) with the IP address of its web server (46.31.121.34). Far be it from me to describe how the DNS works – other people have done it far better (for example, Verisign, or this entertaining video) – suffice to say that, while a telephone number is identified with increasing specificity going from left to right (international country code – state – city – local number), the reverse is the case for a domain name – so the text to the right of the last dot is least specific (what is known as the top-level domain, .com, .net, or, in our case, .online).

Now, domain names are strictly hierarchical, so we have three levels of domain – in the case of dotmagazine, the third-level is www(.dotmagazine.online), the second-level is dotmagazine(.online), and the top-level is .online, each inheriting the features of the ones above it. (The third-level, a sub-domain, could also have its own name, such as international.eco.de, or numbers.eco.de.) But to the far right, after your top-level domain, there is actually another (invisible) dot and a further zone, the “root zone” (your domain name will also function if you put a final dot after the top-level domain – try it in your browser).

The root zone is a highly distributed and redundant set of name servers which contains all the information relating to the location of top-level domains (TLDs). So it would be the first port of call for your DNS resolver (the machine in your network that actually does the searching for you) when you send out a look-up query to find a website. The root zone points your resolver in the direction of the appropriate TLD name server (in our case, giving us the IP address for the .online name server), which in turn has information about the second-level domains (where to find dotmagazine.online). This to-ing and fro-ing between different name servers in order to return the IP address we need to access the website we want takes place in a matter of milliseconds – far less time than it would take me to recall the telephone number of my mobile phone.

Securing the DNS – enabling validation and trust

The Domain Name System needs to be technically trustworthy – you want to know that when you type www.mybank.com into your browser, you will actually be directed to your bank, and not to a spoof website where a man-in-the-middle can then harvest your account details and drain your funds. And this is where the seven keys in seven safety deposit boxes come in. The Domain Name System Security Extensions (DNSSEC for short) allow zones within the DNS to be digitally signed so that they can be authenticated. This means that you know that the information has not been tampered with, and that the results of the search are authentic. This prevents malicious attacks like DNS spoofing, where your company domain name may be hijacked for the sending of spam under fake names, for example, or man-in-the-middle attacks.

DNSSEC was applied to the root zone in 2010, meaning that answers returned can be validated if your network’s DNS resolver is DNSSEC aware – so you can trust that the answer has not been manipulated. The majority of TLDs are signed and deploy DNSSEC – so far, so good. But unfortunately, that’s where the deployment grinds to a halt. The vast majority of second and third-level domains are not validated with DNSSEC. As Olaf Kolkman, Cryptographer and Root Zone Key Holder, comments, 

“In [many] parts of the world, the success rate of percolating and maintaining those signatures is not very high. So that answers the question of how well the DNS is secured: not very well, because there are not that many signatures around. And this is a point of concern. In the Internet, we sometimes find it hard for people to invest in the security of others, so to speak. And this is an investment. Creating signatures is really an investment for any of the entities that need to do it...  I think that is an issue because this whole infrastructure – almost everything we do on the Internet – starts with a DNS query. Being able to validate that nobody tampered with that is, I think, an incredibly good thing.”

Now, making sure that your company domain name is signed with DNSSEC is not something you are likely to take care of yourself – the responsibility for this lies with the registrar through which you register your domain. ICANN (the Internet Corporation of Assigned Names and Numbers) maintains a list of registrars that deploy DNSSEC and the TLDs that they do it for.
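
The situation described in this section (root and TLD signed, most second-level zones not) can be seen by walking the chain of trust from the root downwards; the following is an added example, not code from the article or from any DNS software. It checks only the link between a parent's DS record and the child's DNSKEY (SHA-256 digest as defined for DNSSEC), not the record signatures themselves, and all zone names and key bytes are constructed.

```python
import hashlib

def wire_name(name):
    """Owner name in DNS wire format: length-prefixed lowercase labels, then the root's zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(public_key, flags=257, protocol=3, algorithm=13):
    """DNSKEY RDATA: flags (257 = key-signing key), protocol 3, algorithm number, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over the owner name followed by the DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

# Constructed sample data: the key bytes are placeholders, not real DNSSEC keys.
SERVED_KEYS = {  # DNSKEY each zone returns when queried
    ".": dnskey_rdata(b"constructed-root-key"),
    "example.": dnskey_rdata(b"constructed-tld-key"),
    "signed.example.": dnskey_rdata(b"constructed-zone-key"),
    "mismatch.example.": dnskey_rdata(b"key-that-was-never-registered"),
}
PUBLISHED_DS = {  # digest the parent publishes for each child zone
    ".": ds_digest(".", SERVED_KEYS["."]),  # trust anchor configured in the resolver
    "example.": ds_digest("example.", SERVED_KEYS["example."]),
    "signed.example.": ds_digest("signed.example.", SERVED_KEYS["signed.example."]),
    "mismatch.example.": ds_digest("mismatch.example.", dnskey_rdata(b"key-the-owner-registered")),
}

def chain_status(zone):
    """Walk root -> TLD -> zone and classify the zone as secure, insecure or bogus."""
    labels = [l for l in zone.lower().rstrip(".").split(".") if l]
    path = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    for z in path:
        if z not in PUBLISHED_DS:
            return "insecure"  # no DS at this delegation: answers below it cannot be validated
        if z not in SERVED_KEYS or ds_digest(z, SERVED_KEYS[z]) != PUBLISHED_DS[z]:
            return "bogus"     # a DS exists but the served key does not match it
    return "secure"

if __name__ == "__main__":
    for zone in ("signed.example.", "unsigned.example.", "mismatch.example."):
        print(zone, chain_status(zone))
```

A validating resolver still answers for an "insecure" zone, just without authentication, whereas a "bogus" result makes it refuse the answer; that difference is why an unsigned second-level domain gains nothing from the signed root and TLD above it.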

Claiming the namespace - company branding through domains

So the Domain Name System is an ingenious system which saves us a lot of hassle and confusion online. But wait, there’s more: Marketers should be clear that a domain name is a very powerful marketing tool for a company or a brand. Companies have several options for securing their namespace online. One of these is to purchase the same second-level domain with a wide range of TLDs (not just with a .com, but also .biz, .net, and any number of a whole range of new generic TLDs that have come onto the market in the last couple of years). This means that you can fill the namespace and have your company name under your control throughout the web.

But with the new generic TLDs, you can also be selective and clever in your choices. This means that you can find highly memorable, appropriate TLDs that add relevance to your domain name (dotmagazine is an online magazine, so dotmagazine.online works nicely, but your sports club might like to have a .club domain, your online shop a .shop domain, and so on). Another option is giving your domain name geographical relevance – if your company is a local company based in New York, for example, what about using .nyc as an option (see Mapping Virtual Space to the Geographical Environment – The Growth and Management of New geoTLDs for more on geo TLDs). The wonderful thing about domain names is that they are memorable, and the new TLDs give you the chance to make your website domain stand out even more. 

Another option that companies have is to apply directly to ICANN (it is unclear at this stage when the next round of applications will be opened) to register your brand as an independent top-level domain – as Barclays Bank did with .barclays & .barclaycard. As well as being memorable, the bank notes that “In the long term, the move will also add an extra layer of security for customers and clients as only Barclays and Barclaycard will be able to set up websites ending in .barclays and .barclaycard.”

For companies and brands, there are also further initiatives to help with the growing potential of the new TLDs, like the Trademark Clearing House (TMCH) and industry initiatives like the Domains Protected Marks List (DPML) offered by Donuts.

Acceptance of new gTLDs

With the wealth of potential for the new gTLDs to open up opportunities for companies in their naming and marketing messages, another step is also important: Making sure that all systems are updated to be ready for new, longer top-level domains, and for new internationalized TLDs in a range of non-Latin alphabets. Systems architects and developers can find information here on how to ensure that browsers, website logins, email clients, discussion forums, and so on are ready for what ICANN has dubbed “Universal Acceptance”. To achieve Universal Acceptance, Internet applications and systems must treat all TLDs in a consistent manner, including new gTLDs and internationalized TLDs. Specifically, they must accept, validate, store, process, and display all domain names. “Although it is now possible to have domain names and email addresses in non-Latin characters, such as in the Cyrillic, Hangul, Thai, Arabic, Hebrew, and Greek alphabets, the majority of Internet applications and systems still do not support them,” is the criticism of Lars Steffen, from eco – Association of the Internet Industry, and also Community Outreach Co-Coordinator for the Universal Acceptance Steering Group (UASG) at ICANN.
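
The "accept, validate, store" part of Universal Acceptance, as an added example that is not taken from the article or from UASG material: a legacy form check that assumes short ASCII TLDs, beside a validator that accepts long new gTLDs and internationalized names while still rejecting malformed input. The function names and sample inputs are constructed for illustration.

```python
import re

# Legacy check still common in web forms: ASCII only, TLD of two to four letters.
LEGACY = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,4}", re.IGNORECASE)
# One letter-digit-hyphen label, 1 to 63 characters, no leading or trailing hyphen.
LDH_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

def legacy_accepts(domain):
    return LEGACY.fullmatch(domain) is not None

def to_ascii_domain(domain):
    """Return the lowercase ASCII (A-label) form for storage and comparison, or None if invalid."""
    name = domain.strip().rstrip(".")
    try:
        # Stdlib codec implements IDNA 2003; an IDNA 2008 library is the better production choice.
        ascii_name = name.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None  # empty label, label over 63 octets, or prohibited code point
    labels = ascii_name.split(".")
    if len(labels) < 2 or len(ascii_name) > 253:
        return None  # policy assumed here: require at least one label plus a TLD
    if not all(LDH_LABEL.fullmatch(label) for label in labels):
        return None  # rejects underscores, spaces, leading or trailing hyphens
    if labels[-1].isdigit():
        return None  # an all-numeric last label is an IP address fragment, not a TLD
    return ascii_name

# Constructed sample inputs.
SAMPLES = ["eco.de", "dotmagazine.online", "пример.рф", "under_score.online", "192.168.0.1"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: legacy={legacy_accepts(s)} ua={to_ascii_domain(s)}")
```

Storing and comparing the ASCII form gives access-control lists, logs and allow-lists one canonical spelling per domain, while the Unicode form is kept for display.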

ICANN’s multi-stakeholder approach as model for global governance

The Internet is a distributed, borderless conglomeration of autonomous networks – with root zone servers and name servers, data centers, and fiber backbone spanning the globe and falling under the auspices of multiple governments and a whole array of corporations and operators. So it really is fair to ask “Who Rules the Internet?” In the process leading up to becoming independent of the US government in 2016, ICANN developed a model of governance based on the multi-stakeholder approach – bringing together the technical community, the private sector, governments, academia, and civil society around the table to find consensus on the future operation of Internet administration outside of the control of any one government. Thomas Rickert, Director of the Names & Numbers Forum in the eco Association and Co-Chair of the Cross Community Working Group on Enhancing ICANN Accountability, describes the process of developing this model and its remarkable effectiveness in building democratic consensus – and sees here a model for tackling many of today’s global challenges by ensuring widespread representation of the interests of the many stakeholders involved in these issues.

Find more information about the new gTLDs and Universal Acceptance on eco International, or visit eco's Names & Numbers Forum.