October 8, 2004

An Open Letter to NTIA, ICANN, and IANA

I sent the following note to ICANN, IANA, and NTIA:

Concern about inadequately evaluated and tested change to DNS root and major TLDs

I am writing this note in order to express my concern about an impending change in the root of the Domain Name System (DNS) and two of the largest Top Level Domains (TLDs).  I am concerned that there is a risk of disruption to the net that has not been adequately evaluated and I am concerned that this change is being deployed without adequate monitoring or safeguards.

ICANN, IANA, and NTIA are the bodies that are responsible for the stable, continuous, reliable,  and accurate operation of the top tier of the internet Domain Name system.  Whether through positive choice or not  ICANN, IANA, and NTIA are about to allow a change to occur to the top tier of the DNS system.

This change may endanger the stability of the internet.

Neither ICANN, IANA, nor NTIA has investigated this change.  No evaluation has been made to determine whether this change is safe.  No contingency plans have been put into place to reverse the change should adverse side effects occur.

The risks of this change may be small or they may be large - the problem is that no one has studied the issue sufficiently to know the risks.

This situation is troubling.  But what is even more troubling is that neither ICANN,  IANA, nor NTIA have procedures through which this, and future changes to the internet's Domain Name System can be evaluated.  Nor are there procedures through which such a change, if felt to be safe, may be deployed in a way that ill effects can be measured and the change be backed-out if those ill-effects are unacceptably large.

On September 20 the following was posted to the NANOG mailing list:

Date: Mon, 20 Sep 2004 16:58:49 -0400
From: Matt Larson <mlarson@verisign.com>
To: nanog@merit.edu
Subject: IPv6 support for com/net zones on October 19, 2004

VeriSign will add support for accessing the com/net zones using IPv6
transport on October 19, 2004. On that day, AAAA records for
a.gtld-servers.net and b.gtld-servers.net will be added to the root
and gtld-servers.net zones.

We do not anticipate any problems resulting from this change, but
because these zones are widely used and closely watched, we want to
let the Internet community know about the changes in advance.

Matt
--
Matt Larson <mlarson@verisign.com>
VeriSign Naming and Directory Services

Despite the assurance contained in that announcement this change does contain aspects that could engender increased traffic loads, increased name resolution delays, and even result in loss of Domain Name System (DNS) services to users under some circumstances.

This change was announced by Verisign, not by ICANN, IANA, or NTIA.  Yet the tone of the announcement expresses a sense that there are no contingencies and that this change will occur without any further action on the part of ICANN. IANA, or NTIA.

Neither ICANN, IANA, nor NTIA has presented any analysis that enumerates the risks or benefits of this change.

The only documents that exist are an internet draft (http://www.ietf.org/internet-drafts/draft-ietf-dnsop-respsize-01.txt) and a research paper (http://www.nlnetlabs.nl/ipv6/publications/v6rootglue.pdf).  Both of these papers examine only the effect of this change on root servers and do not deal with the effects on other parts of the internet.  The internet draft is a thought-piece that lacks empirical substantiation of its claims and reaches its conclusions without showing the rationale behind those conclusions.  That draft reaches the conclusion that the degree of risk is acceptable without ever explaining how it determines what constitutes an acceptable level of risk.  The research paper does come to the conclusion that operational changes are required, a conclusion that appears to be ignored by the announced change.

Small scale versions of the October 19 change were deployed in some country-code TLDs.  However, because those deployments were performed without any monitoring there is no information available regarding the side effects of that change on internet users, ISPs, or the DNS resolvers they use.

Neither ICANN,  IANA, nor NTIA has presented any plan to monitor the deployment of this change to ascertain whether any unexpected or unacceptable side effects occur.  Nor has ICANN, IANA, or NTIA  presented any plan to roll-back the change should that become necessary.

Since its inception ICANN has adopted the position that any changes to the DNS must  be justified by massive need and be proved to contain virtually no element of risk  That conservative approach has been the expressed reason why ICANN has spent so much time on the question of new top level domains (TLDs).

The change proposed by the Verisign announcement presents at least as much risk of ill side effects as the addition of new TLDs.  In fact, to my mind as an internet technologist, the risk inherent in this proposed change is qualitatively greater than it is for new TLDs.

It is incumbent on ICANN, IANA, and NTIA to justify to the community of internet users that a proposed change to DNS is safe and that its deployment will be carefully monitored and that there are contingency plans should the unexpected happen.

There are those who will argue that the risks associated with the proposed change are small and of a negligible degree.  They may be the right.  However we do not have the research, experimentation, and analysis to know.

Given the centrality of the DNS to the reliable and continuous operation of the internet and the fact that his change is being made to the largest of all of the top level domains it is not prudent to rely on mere assurances, particularly when those assurances are not backed by solid research and objective experimental validation.

It is reckless to deploy such changes without appropriate monitoring, backed by pre-change baseline measurements, to evaluate whether the change, once deployed, should be allowed to remain in place or the status quo ante be restored.

I call upon ICANN, IANA, and NTIA to suspend the change announced in Verisign's email of September 20 until such time that ICANN, IANA, or NTIA can publish an objective and detailed proof, backed by verifiable and repeatable experimental measurements, that the change is safe not only to root servers but that it will also not cause ill effects to ISPs or internet users.  This proof should make explicit the means by which it determines what degree of effects are acceptable and what degrees of risk are not acceptable.

In addition I call upon ICANN, IANA, and NTIA to not deploy any such change without adequate monitoring of the effects and a complete roll-back action plan.

Because DNS and the internet are still evolving, further changes will certainly be proposed.  ICANN, IANA, and NTIA ought to establish a clear mechanism to publish notice of such changes, to scientifically inquire into the effects of such changes, and to safely deploy such changes.

The National Telecommunications and Information Administration (NTIA), because it retains ultimate control of the root zone of the domain name system, should require that ICANN and IANA demonstrate the safety of changes to the DNS before such changes are deployed.  In the absence of such demonstrations, NTIA must step forward and refuse to allow the changes.

                Karl Auerbach
                Former (and only) Director of ICANN elected from North America
                Henry C. Yuen Fellow of Law and Technology at the California Institute of Technology and Loyola Law School
                Norbert Wiener Award
                Member of the Community of Internet Users since 1973.

Posted by karl at October 8, 2004 12:06 PM