12 September 2014
RE: Name Collision SLD Controlled Interruption Variations
Dear Registry Operator:
Following release of the Name Collision Occurrence Assessment (the “Assessment”), ICANN received requests from registries to implement variations of the SLD Controlled Interruption measure. Specifically, registries have requested to implement "Delegation-to-Self" and “Wildcard” SLD Controlled Interruption variations.
After careful consideration, ICANN believes “Wildcard” SLD Controlled Interruption (in the manner further described below) to be a more effective measure than the “Flat” SLD Controlled Interruption method set forth in the Assessment. Accordingly, ICANN strongly recommends that registries eligible under its Assessment to implement SLD Controlled Interruption implement “Wildcard” rather than “Flat” SLD Controlled Interruption in the manner permitted and further described herein below.
I. Flat vs. Wildcard SLD Controlled Interruption
"Flat" SLD Controlled Interruption, which was set forth in Section II.A of the Assessment, is a configuration in which only queries exactly matching the SLD receive the Controlled Interruption response. "Wildcard" SLD Controlled Interruption on the other hand, is a configuration that includes a wildcard subdomain of the SLD in which queries matching all domain names to the left of the SLD also receive the Controlled Interruption response.
For the purposes of implementation, Wildcard SLD Controlled Interruption is defined as the insertion of the following DNS records (substituting "TLD" and "label" appropriately) in the TLD zone for a given label on the List of SLDs to Block:
label.TLD. 3600 IN MX 10 your-dns-needs-immediate-attention.label.TLD.
*.label.TLD. 3600 IN MX 10 your-dns-needs-immediate-attention.label.TLD.
label.TLD. 3600 IN SRV 10 10 0 your-dns-needs-immediate-attention.label.TLD.
*.label.TLD. 3600 IN SRV 10 10 0 your-dns-needs-immediate-attention.label.TLD.
label.TLD. 3600 IN TXT "Your DNS configuration needs immediate attention see https://icann.org/namecollision"
*.label.TLD. 3600 IN TXT "Your DNS configuration needs immediate attention see https://icann.org/namecollision"
label.TLD. 3600 IN A 127.0.53.53
*.label.TLD. 3600 IN A 127.0.53.53
Registries eligible for SLD Controlled Interruption that wish to implement Wildcard SLD Controlled Interruption may do so at their option, even if implementation of the Flat variation is already underway, beginning 22 September 2014 00:00 UTC.
II. In-TLD-Zone vs. Delegation-to-Self SLD Controlled Interruption
"In-TLD-Zone" SLD Controlled Interruption refers to configuring all Controlled Interruption records as authoritative records inside the TLD zone itself. "Delegation-to-Self" SLD Controlled Interruption refers to placing NS records at each SLD directing queries to registry-administered subzones. In turn, each subzone will contain the required records for either Wildcard or Flat SLD Controlled Interruption as described herein or in the Assessment.
Delegation-to-Self subzones may be on the same set of name servers as the TLD or on another set of name servers. The subzones must be DNSSEC signed, with DS records for each RRSet in the TLD zone complying with DNSSEC requirements as described in section 1.3 of Specification 6 of the Registry Agreement. The subzones must be transferrable to ICANN via the same manner (e.g., AXFR/IXFR, SFTP) and with the same credential set as for the transfer of the TLD zone. For example, the TSIG keys must be the same. If using SFTP, the registry operator must use the naming conventions described in section 2.1.3 of Specification 4 of the Registry Agreement and make available a file per each subzone.
Registries eligible for SLD Controlled Interruption may implement the “Delegation-to-Self” variation, if so desired, beginning 17 November 2014 00:00 UTC.
Registries eligible for SLD Controlled Interruption may implement any of the following four variations of SLD Controlled Interruption (subject to the aforementioned start date for each variation and listed by measure in order of ICANN’s recommendation):
1) In-TLD-Zone, Wildcard SLD Controlled Interruption;
2) Delegation-to-Self, Wildcard SLD Controlled Interruption;
3) In-TLD-Zone, Flat SLD Controlled Interruption; and
4) Delegation-to-Self, Flat SLD Controlled Interruption.
For the avoidance of doubt, and in accordance with the terms of the previously issued Assessment, registries eligible for SLD Controlled Interruption are hereby provided with a temporary waiver as to the provisions of Section 2.2 of Specification 6 (i.e., to allow the use of wildcard records) of the Registry Agreement. This waiver is only for purposes of implementing the Wildcard SLD Controlled Interruption measures described above, and will immediately cease upon termination of the Controlled Interruption measures in the TLD.
Should you have any questions, please feel free to submit an enquiry through the GDD portal (https://gddportal.icann.org/).
President, Global Domains Division