[dnssec-deployment] A gazillion new TLDs

Edward Lewis Ed.Lewis at neustar.biz
Fri Jun 27 08:38:26 EDT 2008

At 8:18 -0400 6/27/08, George M Jones wrote:

>That's the technical end of it.   A shell script can handle that.

<sarcasm> ;) Yeah, shell scripts really scale well.

>I was wondering about the complexity of dealing with larger #s of
>organizations with differing technical ability, different motivations,
>different processes, more chances for things to go wrong, more keys
>to manage, etc....

I think there are technical challenges, but nothing novel.

If the assumption is that there will be a million names in the root 
zone, does ICANN today operate a registry on the scale of today's 
million-name TLD operators?  I.e., does ICANN do EPP, WhoIs, etc.? 
Does ICANN have an established relationship with its DNS operators? 
These are the questions ICANN asked of the bidders for TLDs in the 
past.  If the growth is explosive, will ICANN rush to outsource the 

Maybe the root won't become that mammoth.  Maybe the demand for a TLD 
isn't the same as the demand to have one's names in many TLDs.  I 
don't know what gating function will be able to keep the root zone 
both tractable and stable yet be fair in determining who gets a 
delegation.  If the gating is purely money, then I have a hunch there 
will be all sorts of bureaucratic problems.  If the price is well 
above cost and ICANN develops deep pockets it becomes a target and 
all that money is money not invested in the industry they regulate.

>maybe it's a non-issue (I hope) or off topic, but I was wondering if
>anyone sees scaling issues that might impact security/deployability.

It will depend on how the root grows.  Scaling issues are not linear, 
there are thresholds where systems become more complex.  Thresholds 
aren't just fixed numbers, they are bands and often times one crosses 
through one without knowing and then faces the problems.

Besides - change is always a problem for security.  Any change.

Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.
