ICANN security experts criticise DNS redirections

The Security and Stability Advisory Committee (SSAC) of the Internet Corporation for Assigned Names and Numbers (ICANN) has warned against the increasingly popular practice of Top Level Domains (TLDs) redirecting DNS queries for inactive domains to their own pages. Instead of receiving the correct reply stating that a certain domain doesn't exist, internet users are presented with web pages containing lists of alternative links. Some registries and also internet providers, such as T-Online in Germany, increasingly use similar redirections to attract visitors to their own portals. A few years ago in the US, VeriSign received a cease and desist order from ICANN about these "wild cards".

At an ICANN meeting that began in Sydney today, Afilias CTO Ram Mohan presented a report by ICANN's SSAC. He pointed out that the redirections interfere with basic DNS features and with many core services. Emails that cannot be delivered are no longer returned, which not only erodes users' trust in the DNS, but also creates new opportunities for malicious attacks. The security advisory committee recommended that ICANN should prohibit such use when introducing new top level domains (TLDs) and that existing TLD registries should also be stopped from exercising this practice.

According to Jaap Akkerhuis, a member of ICANN's Security and Stability Advisory Committee, ICANN can't enforce standards. He said this can only be done by the local regulatory bodies. Telephony providers can't simply redirect calls on their own initiative and DNS queries should be handled the same way. Speaking to heise online, The H's associated publication in Germany, Akkerhuis explained that the planned stop signs to prohibit child pornography pages are also "a kind of wild carding". Akkerhuis advised that, if done correctly, it should not cause a stability problem.

(Monika Ermert)

(crve)