SSAC report and apology for the ALAC Monthly meeting on 26/08
Dear Colleagues,

please find below my report. I apologize for not being able to attend the ALAC Monthly meeting on August 26th.

Have a nice day!

Best,
Matthias

Publications:

SAC130: SSAC Comments on Name Collision Guidelines in the Proposed Language for the Draft Next Round Applicant Guidebook

The SSAC welcomes the opportunity to comment on ICANN's Draft Applicant Guidebook (AGB) for the New gTLD Program: Next Round. Our comments focus on improving Section 6.7 on Name Collisions, with an emphasis on risks arising from collisions between DNS and alternative naming systems (e.g., blockchain-based systems), as outlined in the Name Collision Analysis Project Study 2 Report (NCAP2).

SUMMARY OF KEY RECOMMENDATIONS:

* Clarify TRT's Role in Initial Assessments
  AGB §6.7.2 does not clearly state that the Technical Review Team (TRT) conducts the initial name collision risk assessment. NCAP2 indicates TRT is responsible from the outset.
  _Recommendation:_ Explicitly assign the initial assessment to the TRT.
* Enable Pre-Delegation Action on High-Risk Strings
  Current language suggests high-risk strings are identified only after temporary delegation. NCAP2 supports action based on existing data.
  _Recommendation:_ Allow TRT to recommend withholding delegation if early analysis shows high risk.
* Broaden TRT's Assessment Scope Beyond DNS Data
  Limiting analysis to DNS logs misses collisions from alternative namespaces that resolve via DNS (e.g., users accustomed to _.wallet_ from blockchain).
  _Recommendation:_ Permit use of OSINT, qualitative assessments, and external data sources per NCAP2.
* Allow TRT Flexibility to Evolve Assessment Methods
  AGB cites four NCAP2 methods (NI, CI, VI, VIN), but doesn't state whether TRT may adopt new techniques.
  _Recommendation:_ Affirm TRT's discretion to evolve methods to address future risks.

These updates will better align the AGB with NCAP2 and ICANN Board guidance, while improving transparency, security, and technical rigor in handling name collisions. The SSAC appreciates the efforts of the ICANN org and Subsequent Procedures IRT, and we are available for further discussion.

Link: https://itp.cdn.icann.org/en/files/security-and-stability-advisory-committee....

Ongoing work parties:

* DNSSEC Operational Considerations Work Party
* Open-Source Software Work Party
* Responsible Integration of External Technologies into the DNS
* SSAC Workshop Work Party

SSAC Membership Applications: The application deadline is closed now and potential candidates are being assessed by the Membership Selection Committee.

SSAC Workshop: For SSAC members only, will be held in September in Mexico City.
Dear Colleagues,

please find below my report.

Have a nice day!

Best,
Matthias

Publications:

SAC132: The Domain Name System Runs on Free and Open Source Software (FOSS):

Overview

* The Domain Name System (DNS) is critical infrastructure, mapping names to IP addresses for nearly all online activity.
* Research confirms the DNS overwhelmingly relies on FOSS.
* 9 of 12 root server operators use FOSS exclusively.
* 9 of the 10 largest TLD providers use FOSS.
* FOSS dominance comes from its economic efficiency, transparency, collaborative security, and resilience.
* FOSS is not inherently more or less secure than proprietary software; outcomes depend on processes and maintenance.
* However, the FOSS development model differs fundamentally from proprietary supply chains, raising unique risks.

* Introduction
  * Policymakers are increasingly intervening in software security (UK voluntary code, US attestation, EU Cyber Resilience Act and NIS2, China's IT plan).
  * Risk: regulations designed for proprietary models may harm critical Internet infrastructure if applied to FOSS without adaptation.
  * Aim: provide context to policymakers to recognize FOSS's role and avoid destabilizing interventions.
* DNS Primer
  * DNS = "address book of the Internet."
  * Functions:
    * Registration: registries manage the authoritative database of domain names.
    * Publication: authoritative servers publish DNS records.
    * Resolution: resolvers fetch IP addresses for users.
  * Structure: Root → TLDs → individual domains.
  * Resolvers answer ~90% of queries from cache; authoritative servers publish definitive records.
* The FOSS Model: Characteristics and Implications
  * Key roles:
    * Maintainers: guide project direction.
    * Contributors: submit code/docs/bug fixes.
    * Operators: deploy and run software.
  * Four freedoms: use, study, share, change.
  * Unique characteristics:
    * Global collaborative development.
    * No contractual relationships.
    * Funding decoupled from use.
    * Often no single responsible legal entity.
  * Proprietary systems also depend on FOSS components.
  * Strengths:
    * Transparency & collaborative security.
    * Stability & long-term support by non-profits/companies.
    * Resilience via software diversity.
    * Enabler of innovation and digital autonomy.
  * Risks:
    * Financial sustainability & maintainer burnout.
    * Shared dependency risks.
    * No warranties or support guarantees.
    * Operational risks in deployment.
* Prevalence of FOSS in DNS
  * Registration: Platforms like FRED, Nomulus, CoCCA widely used. Large registries use proprietary extensions but built atop FOSS.
  * Publication: Root and TLD servers overwhelmingly use FOSS. 9 of 12 root operators rely on FOSS.
  * Resolution: BIND, Unbound, Knot Resolver, CoreDNS common. ISPs, enterprises, and cloud resolvers widely deploy FOSS.
* Contemporary Cases in FOSS Regulation
  * Policymakers are adapting rules to reflect FOSS realities.
  * Examples:
    * US 2023 Cybersecurity Strategy: exempts volunteer maintainers; responsibility on deployers.
    * UK 2025 Code of Practice: voluntary guidance.
    * EU CRA/NIS2: introduces "FOSS steward" role, avoids treating maintainers as suppliers, harmonizes obligations.
  * Policy lessons:
    * Allocate responsibility to those best able to act.
    * Incentivize cross-industry collaboration on maintenance.
    * Avoid supply chain assumptions based on proprietary models.
    * Avoid conflicting regional obligations.
* Key Findings
  * FOSS is the foundation of DNS; proprietary is the exception.
  * FOSS model is fundamentally different from proprietary software supply chains.
  * FOSS is not inherently more/less secure; security depends on processes.
  * DNS FOSS strengths: transparency, collaborative security, diversity, long-term stability.
  * Risks: sustainability, burnout, shared dependencies -- not solvable by proprietary regulations.
  * Traditional liability is ill-suited: imposing burdens risks discouraging maintainers and harming infrastructure.
  * FOSS enables autonomy and innovation: lowers entry barriers, supports local industry, diversifies markets, reduces cloud dependence.
* Actionable Guidelines for Policymakers
  * Acknowledge the Critical Role of FOSS
    * Explicitly recognize in law/regulation that critical infrastructure depends on FOSS; treat it as a strength to preserve.
  * Consult the FOSS Community
    * Engage maintainers, contributors, non-profits, and companies in policymaking.
  * Make Use of Contemporary Cases
    * Apply lessons: responsibility on deployers not maintainers, support FOSS steward models, avoid proprietary assumptions, prevent conflicting regional regimes.
  * Incentivize FOSS Sustainability
    * Promote public/private funding of critical FOSS projects as investments in shared goods.
  * Address Systemic Risks Collectively
    * Fund ecosystem-wide resilience (dependency tooling, research, security initiatives) instead of overburdening individuals.

Conclusion

The SSAC concludes: The DNS runs on FOSS, a global public good central to Internet stability.

* Policymakers must avoid treating FOSS with proprietary assumptions.
* Following the five guidelines -- acknowledge, consult, learn, incentivize, collaborate -- ensures security and sustainability of DNS and the Internet as a whole.

Link to the report: https://itp.cdn.icann.org/en/files/security-and-stability-advisory-committee....

Ongoing work parties:

* DNSSEC Operational Considerations Work Party
* Responsible Integration of External Technologies into the DNS

Upcoming Work Parties:

* DNS Abuse and Artificial Intelligence
* DNS Transparency

SSAC Membership Applications: The Membership Selection Committee has completed its selection and voting process. The selected members will be introduced to the SSAC members, who will then be asked whether they have any objections.
Dear Colleagues,

please find below my report. I apologize for not being able to attend today's ALAC Monthly meeting.

Have a nice day!

Best,
Matthias

General:

Planning for ICANN 85 has begun, and the SSAC is in the process of reaching out to various community groups to explore participation in a cross-community plenary session (ICANN 85: Plenary on Internet Resilience to Survivability). The support and perspectives of ALAC would be greatly appreciated. The proposal is as follows:

_Title: From Stability to Survivability: ICANN's Role in the Future of Internet Resilience_

_Goal: Shift the community mindset from technical stability--keeping the DNS running--to strategic resilience--ensuring the Internet ecosystem survives inevitable shocks across power, regulation, software supply chains, and third-party dependencies._

_Drawing on our SAC132 work, the session will highlight four systemic resilience challenges that no single part of the community fully controls:_

* _Increasing system complexity_
* _Underinvestment in preventive measures_
* _Intensifying regulatory pressures_
* _Software supply-chain vulnerabilities_

_The focus is not on explaining how the Internet works, but on exploring what happens when external systems fail--and what role ICANN and its community should play._

Publications: There are presently no new publications available.

Ongoing work parties:

* DNSSEC Operational Considerations Work Party
* Responsible Integration of External Technologies into the DNS
* DNS Abuse and Artificial Intelligence

Upcoming Work Parties:

* DNS Transparency

SSAC Membership Applications: The Membership Selection Committee has completed its selection. The selected members have been accepted by the SSAC members and will now be forwarded to the Board for final approval.
Dear Colleagues,

please find below my report.

Have a nice day!

Best,
Matthias

General:

ICANN 85: Plenary on Internet Resilience to Survivability is confirmed for 09/03. The proposal is as follows:

_Title: From Stability to Survivability: ICANN's Role in the Future of Internet Resilience_

_Goal: Shift the community mindset from technical stability--keeping the DNS running--to strategic resilience--ensuring the Internet ecosystem survives inevitable shocks across power, regulation, software supply chains, and third-party dependencies._

_Drawing on our SAC132 work, the session will highlight four systemic resilience challenges that no single part of the community fully controls:_

* _Increasing system complexity_
* _Underinvestment in preventive measures_
* _Intensifying regulatory pressures_
* _Software supply-chain vulnerabilities_

_The focus is not on explaining how the Internet works, but on exploring what happens when external systems fail--and what role ICANN and its community should play._

Publications: There are presently no new publications available.

Ongoing work parties:

* DNSSEC Operational Considerations Work Party
* Responsible Integration of External Technologies into the DNS
* DNS Abuse and Artificial Intelligence

Upcoming Work Parties:

* DNS Transparency

SSAC Membership Applications: The SSAC welcomes three new members:

* Wes Hardaker,
* Sourena Maroofi,
* Raffaele Sommese.

The SSAC looks forward to the contributions these new members will make to our ongoing work and also wants to thank departing member Joe Abley for his service over the years. He has been a champion for SSAC since 2014 and a dear friend to us all.

Technical Apprenticeship Program: The SSAC is excited to foster talent development and strengthen the pathway for ICANN Fellowship alumni into deeper ICANN community engagement through this program. It provides a structured pathway for alumni of the ICANN Fellowship program with technical or security backgrounds to gain hands-on experience with the SSAC. Our selected apprentice for 2026 is Gustavo Ortega Alvarado, who will support SSAC activities and undertake an independent research project relevant to the SSAC's remit concluding with the 2026 SSAC Annual Workshop in late-September or early-October. Gustavo will work with a dedicated mentor from within our leadership committee for guidance on navigating the SSAC and facilitating their successful work within the program.
Dear Colleagues,

please find below my report. I apologize for not being able to attend today's ALAC Monthly meeting.

Have a nice day!

Best,
Matthias

General:

1. Webinar Series: After three months of planning with ISPCP and ICANN OCTO, SSAC is ready to launch a year-long webinar series focused on securing the DNS ecosystem. By leveraging the Safer Cyber model with the ALAC, combining our subject matter expertise with their dissemination networks, we aim to drive a deeper understanding of DNS security and policy across the community.

   The series theme: _Securing the DNS Ecosystem - Policy, Practice, and Partnership._

   Proposed 2026 Roadmap:

   * Feb: Emerging DNS Abuse Trends and Mitigation Strategies
   * Mar (ICANN85): (1) AI and Machine Learning in DNS Security & (2) Universal Acceptance
   * Apr: The New gTLD Program 2026 & Future DNS Ecosystems
   * May: Responsible DNS Blocking Implementation
   * Jun (ICANN86): (1) Post-Quantum Transition & (2) Privacy vs. Security
   * Sept: The Evolving Role of SSAC in Global Governance
   * Oct: DNSSEC and the Future of Trust
   * Nov (ICANN87): (1) Routing Security (MANRS) & (2) DNS Configuration Best Practices

2. ICANN 85: SSAC Plenary on Internet Resilience to Survivability on 09/03. Title: _From Stability to Survivability: ICANN's Role in the Future of Internet Resilience_

Publications: There are presently no new publications available.

Ongoing work parties:

* DNSSEC Operational Considerations Work Party
* Responsible Integration of External Technologies into the DNS
* DNS Abuse and Artificial Intelligence
* DNS Transparency

SSAC Membership Committee: The new members for this year's SSAC Membership Committee have been selected.
Dear Colleagues,

I respectfully submit my Liaison Report ahead of the ALAC Monthly Call. Please accept my apologies that I will be unable to participate in the call itself due to competing professional commitments.

*GAC Liaison Report: ALAC Monthly Call*

*By:* Joanna Kulesza, EURALO, ALAC Liaison to the GAC
*Reporting Period:* January/February 2026
*Submitted:* 17 February 2026

------------------------------

*1. ICANN 85 Mumbai – ALAC–GAC Bilateral Agenda and Agreed Topics*

Following recent guidance from GAC Leadership and coordination with the GAC Liaison to ALAC, the agenda for the *ALAC–GAC bilateral meeting at ICANN 85 in Mumbai* has now been agreed. Given the 60-minute format and the need to prioritise focused and actionable exchanges, three core topics have been retained:

*Agreed Substantive Topics*

1. *Linguistic Inclusion – Latin Script Diacritics (15 minutes)*
   A focused exchange on supporting linguistic and cultural inclusion, including how to address Latin script diacritics within implementation timelines, while avoiding delays to the Next Round of new gTLDs.
2. *DNS Abuse – Government Expectations and End-User Harm (20 minutes)*
   Discussion will cover:
   - Data, reporting, and enforcement expectations
   - End-user impact and trust considerations
   - Coordination related to the DNS Abuse PDP Phase 1, including Associated Domain Checks
   - Potential coordinated advisory signals to ICANN org and relevant PDP processes
3. *WSIS+20 and Global Digital Governance Processes (15 minutes)*
   A forward-looking exchange on:
   - Information sharing regarding timelines and preparations
   - Early identification of areas for possible ALAC–GAC coordination
   - Linkages with broader UN digital governance processes

The previously discussed Review of Reviews topic was not retained due to time constraints and the need to focus on two to three priority areas.

*Agenda: Draft*

1. Staff Introduction - Staff (2 minutes)
2. Welcome and Opening Comments - Jonathan Zuck, ALAC Chair and Nico Caballero, GAC Chair (3 minutes)
3. *Linguistic Inclusion: Latin Script Diacritics (15min)*
   – Supporting linguistic and cultural inclusion
   – Managing timing constraints without delaying the Next Round
   1. ALAC Speaker:
   2. GAC Speaker:
4. *DNS Abuse: Government Expectations and End-User Harm (20min)*
   – Data, reporting, and enforcement expectations
   – End-user impact and trust considerations
   – Coordinated advisory signals to ICANN org and relevant PDPs
   1. ALAC Speaker:
   2. GAC Speaker:
5. *WSIS+20 and Global Digital Governance Processes (15min)*
   – Information exchange on preparations and timelines
   – Identifying areas for possible GAC–ALAC coordination
   1. ALAC Speaker:
   2. GAC Speaker:
6. Closing - Jonathan Zuck, ALAC Chair and Nico Caballero, GAC Chair (5 minutes)

GAC speaker confirmations for each segment are currently being coordinated. ALAC speaker coordination will proceed in parallel.

ALAC members are invited to review the proposed structure and to indicate readiness to contribute to the individual segments.

------------------------------

*2. GAC Participation in DNS Abuse Plenary – Martina Barbero*

In relation to the At-Large DNS Abuse Plenary at ICANN 85, GAC Leadership has confirmed that DNS Abuse remains a priority topic for governmental engagement.

Martina Barbero, in her capacity as a designated GAC representative in the DNS Abuse PDP Phase 1 on Associated Domain Checks, has been identified as the most appropriate GAC participant for the plenary panel. Coordination is also foreseen with the leadership of the Public Safety Working Group, where relevant.

Further updates will be provided as confirmations are received.

Kind regards,
*Joanna Kulesza*
ALAC Liaison to the GAC
Dear Colleagues,

Please find below my report. Due to a work commitment, I will unfortunately not be able to attend today's ALAC Monthly meeting.

Have a nice one!

Best regards,
Matthias

General:

1. On 9 May 2025, the SSAC submitted its public comment in response to ICANN's "How We Meet: An Initial Project Report" (SSAC2025-02), which examines proposed updates to ICANN's 2014 Public Meetings Strategy. The SSAC expressed support for several key proposals, including shortening the Community Forum by one day, prioritizing economical and geographically diverse meeting locations -- with the additional recommendation that venues in countries inconsistent with ICANN's core values of diversity and inclusion be avoided -- and establishing a formal policy to automatically shift meetings to an online format under unforeseen circumstances. The SSAC did not support proposals to convert one ICANN Public Meeting per year to a virtual-only format, citing the importance of in-person engagement to the community's work.

2. Webinar Series with ISPCP

   The next planned ones are:

   * May: Responsible DNS Blocking Implementation
   * Jun (ICANN86): (1) Post-Quantum Transition & (2) Privacy vs. Security
   * Sept: The Evolving Role of SSAC in Global Governance
   * Oct: DNSSEC and the Future of Trust
   * Nov (ICANN87): (1) Routing Security (MANRS) & (2) DNS Configuration Best Practices

3. ICANN 86: BC & SSAC Plenary on Artificial Intelligence and DNS Abuse

   The ICANN community has approved the joint proposal submitted by the Business Constituency (BC) and the Security and Stability Advisory Committee (SSAC) to host a plenary session on Artificial Intelligence and DNS Abuse at ICANN86 in Seville. This collaborative session reflects the growing recognition within the ICANN community of the need to address the evolving intersection of AI technologies and DNS abuse, and underscores the value of cross-community cooperation in tackling emerging challenges.

4. AtLarge Webinar: Overview on DNS Abuse Mitigation

   On 14 April, SAC115 was presented at the AtLarge Webinar: Overview on DNS Abuse Mitigation. A valuable opportunity for the SSAC to bring SAC115 to the broader ICANN community.

5. SSAC's comment on the Proposed Root KSK Algorithm Rollover will be published soon.

Publications: There are presently no new publications available.

Ongoing work parties:

* DNSSEC Operational Considerations Work Party
* Responsible Integration of External Technologies into the DNS
* DNS Abuse and Artificial Intelligence
* DNS Transparency

SSAC Membership Committee: The newly selected members of this year's SSAC Membership Committee have begun their work, and the application window for SSAC membership is now open. Interested candidates are encouraged to submit their applications during this period. Further details on the application process and eligibility criteria can be found on https://www.icann.org/en/ssac.
participants (2): Joanna Kulesza, Matthias M. Hudobnik