<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
p.MsoFootnoteText, li.MsoFootnoteText, div.MsoFootnoteText
        {mso-style-priority:99;
        mso-style-link:"Footnote Text Char";
        margin:0in;
        font-size:10.0pt;
        font-family:"Calibri",sans-serif;}
span.MsoFootnoteReference
        {mso-style-priority:99;
        vertical-align:super;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
p.MsoIntenseQuote, li.MsoIntenseQuote, div.MsoIntenseQuote
        {mso-style-priority:30;
        mso-style-link:"Intense Quote Char";
        margin-top:.25in;
        margin-right:.6in;
        margin-bottom:.25in;
        margin-left:.6in;
        text-align:center;
        border:none;
        padding:0in;
        font-size:12.0pt;
        font-family:"Calibri",sans-serif;
        color:#4F81BD;
        font-style:italic;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.FootnoteTextChar
        {mso-style-name:"Footnote Text Char";
        mso-style-priority:99;
        mso-style-link:"Footnote Text";}
span.IntenseQuoteChar
        {mso-style-name:"Intense Quote Char";
        mso-style-priority:30;
        mso-style-link:"Intense Quote";
        color:#4F81BD;
        font-style:italic;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
/* Page Definitions */
@page
        {mso-endnote-separator:url("cid:header.htm\@01D6CD82.C1057050") es;
        mso-endnote-continuation-separator:url("cid:header.htm\@01D6CD82.C1057050") ecs;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1027" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Verisign offers the following comments on the document <i>ICANN’s Root Name Service Strategy and Implementation</i> that was recently published by ICANN’s Office of the CTO (OCTO).<a style='mso-footnote-id:ftn1' href="#_ftn1" name="_ftnref1" title=""><span class=MsoFootnoteReference><span style='color:black'><span class=MsoFootnoteReference><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:black;mso-fareast-language:EN-US'>[1]</span></span></span></span></a>  <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:black'>We appreciate ICANN’s continued investment in the Domain Name System Security Extensions (DNSSEC) and encourage further efforts to promote DNSSEC validation by resolvers. While DNSSEC will help ensure the integrity of the data delivered, the document puts forth concerns around the confidentiality of DNS queries. <o:p></o:p></span></p><div style='mso-element:para-border-div;border-top:solid #4F81BD 1.0pt;border-left:none;border-bottom:solid #4F81BD 1.0pt;border-right:none;padding:10.0pt 0in 10.0pt 0in;margin-left:.6in;margin-right:.6in'><p class=MsoIntenseQuote style='mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:.25in;margin-left:0in'>“Specifically, in the case where the query/response streams to the root servers are subject to eavesdropping, the deployment of privacy-enhancing mechanisms that may be standardized in the future would mitigate the risk”.<o:p></o:p></p></div><p class=MsoNormal><span style='color:black'>Unless we are misunderstanding, this refers to DNS encryption, a mechanism that is not yet standardized for resolver-to-authoritative exchange. 
DNS encryption, at any part of the DNS resolution ecosystem, introduces operational risk</span><a style='mso-footnote-id:ftn2' href="#_ftn2" name="_ftnref2" title=""><span class=MsoFootnoteReference><u><span style='color:#0563C1'><span class=MsoFootnoteReference><u><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#0563C1;mso-fareast-language:EN-US'>[2]</span></u></span></span></u></span></a><span style='color:black'>. The strategy for DNS encryption in this document is unclear and forgoes consideration of the </span>appropriate risk/benefit tradeoff and motivation to deploy DNS encryption at the navigational levels of the DNS hierarchy,<span style='color:black'> including the root and top-level domains</span>.<span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>While the document recognizes the privacy benefits of techniques such as qname minimization as being on a “different front”, </span>we believe<a style='mso-footnote-id:ftn3' href="#_ftn3" name="_ftnref3" title=""><span class=MsoFootnoteReference><span class=MsoFootnoteReference><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>[3]</span></span></span></a> that rather than focusing on <i>whether </i>to deploy encryption for a particular exchange in the DNS resolution ecosystem, it is better to ask <i>how </i>to address the information protection objectives for that exchange — whether by encryption, alternative techniques or some combination thereof.<span style='color:black'> Qname-minimized DNS traffic from resolvers is inherently less sensitive, particularly at the root and TLD levels. 
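</span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal>The following Python model is an added illustration of the point above; it is not part of Verisign's comment or of the ICANN document. It replays one constructed client workload through a toy resolver and records which query names reach a toy root server with and without the three resolver-side techniques named in this comment: qname minimization (RFC 7816), NXDOMAIN cut processing (RFC 8020) and aggressive use of DNSSEC-validated NSEC records (RFC 8198). The root zone contents, the NSEC spans, the workload and the <i>RootServer</i> and <i>Resolver</i> classes are hypothetical simplifications; in particular the model skips the DNSSEC validation of NSEC records that RFC 8198 requires before they may be used, and it models only the root step of resolution.</p>
<pre>
```python
"""Toy model (constructed for this example, not a DNS implementation) of what a
root server sees from one resolver, with and without the resolver-side
techniques named in the comment: qname minimization (RFC 7816), NXDOMAIN cut
processing (RFC 8020) and aggressive NSEC caching (RFC 8198).  Zone data and
the client workload are hard-coded and hypothetical."""

from dataclasses import dataclass, field

# Hypothetical root zone: the only TLDs that exist, kept sorted so that the
# "no TLD between X and Y" span of an NSEC record can be derived from it.
ROOT_TLDS = ["arpa", "com", "edu", "net", "org"]


@dataclass
class RootServer:
    """Answers referrals/NXDOMAIN and logs every qname it receives.  The log is
    what an eavesdropper on the resolver-to-root path would observe."""
    log: list = field(default_factory=list)

    def query(self, qname):
        self.log.append(qname)
        tld = qname.split(".")[-1]
        if tld in ROOT_TLDS:
            return "REFERRAL", tld
        # Signed negative answer: the NSEC span proving the TLD is absent.
        # upper=None stands for the last span, which wraps to the zone apex.
        above = [t for t in ROOT_TLDS if t < tld]
        below = [t for t in ROOT_TLDS if t > tld]
        span = (above[-1] if above else "", below[0] if below else None)
        return "NXDOMAIN", span


@dataclass
class Resolver:
    root: RootServer
    qname_min: bool = False     # RFC 7816: send only the next label to the root
    nxdomain_cut: bool = False  # RFC 8020: NXDOMAIN covers everything below it
    nsec_cache: bool = False    # RFC 8198: cached NSEC spans deny other TLDs
    referrals: set = field(default_factory=set)  # TLDs whose NS set is cached
    negative: set = field(default_factory=set)   # exact names cached NXDOMAIN (RFC 2308)
    spans: list = field(default_factory=list)    # NSEC spans learned from the root

    def resolve(self, fqdn):
        """Return how the root step of resolving `fqdn` was answered."""
        tld = fqdn.split(".")[-1]
        if tld in self.referrals:
            return "referral from cache"
        sent = tld if self.qname_min else fqdn
        if sent in self.negative:
            return "NXDOMAIN from negative cache"
        if self.nxdomain_cut and any(sent.endswith("." + n) for n in self.negative):
            return "NXDOMAIN from NXDOMAIN cut"
        if self.nsec_cache and any(lo < tld and (hi is None or tld < hi)
                                   for lo, hi in self.spans):
            return "NXDOMAIN synthesized from NSEC cache"
        rcode, data = self.root.query(sent)
        if rcode == "REFERRAL":
            self.referrals.add(data)
            return "referral from root"
        self.negative.add(sent)
        self.spans.append(data)
        return "NXDOMAIN from root"


# Constructed client workload: two names under a real TLD, repeated and nested
# names under a non-existent TLD (a common leakage pattern), and two further
# non-existent TLDs.
WORKLOAD = ["www.example.com", "mail.example.com", "a.foo", "b.foo",
            "deep.a.foo", "printer.local", "nas.zz"]


def root_log(qname_min=False, nxdomain_cut=False, nsec_cache=False, workload=WORKLOAD):
    """Run the workload through a fresh resolver; return the qnames the root logged."""
    root = RootServer()
    resolver = Resolver(root, qname_min, nxdomain_cut, nsec_cache)
    for name in workload:
        resolver.resolve(name)
    return root.log


def compare():
    """Root query logs for each configuration, keyed by configuration name."""
    return {
        "none": root_log(),
        "qname_min": root_log(qname_min=True),
        "nxdomain_cut": root_log(nxdomain_cut=True),
        "nsec_cache": root_log(nsec_cache=True),
        "all_three": root_log(qname_min=True, nxdomain_cut=True, nsec_cache=True),
    }


if __name__ == "__main__":
    for mode, seen in compare().items():
        print(f"{mode:13s} {len(seen)} root queries: {seen}")
```
</pre>
<p class=MsoNormal>Running the block prints one line per configuration. With none of the techniques the root log holds every full name that missed the referral cache, including the host labels; with all three it holds only the labels <i>com</i>, <i>foo</i> and <i>zz</i>, none of which identifies a host or a second-level domain, and the volume drops because repeated and nested queries under a non-existent TLD are answered locally. The model also shows that NXDOMAIN cut on its own only helps for names below an already-denied name, while qname minimization makes the denied name the TLD itself, which is why the two techniques reinforce each other.</p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>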
In addition to qname minimization, we encourage ICANN to also draw attention to other low-impact techniques for reducing the sensitivity of the resolver-to-root exchange, including NXDOMAIN Cut Processing and Aggressive DNSSEC Caching.<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoNormal>The resolver-to-root exchange enables DNS resolution for all underlying domain names.  This exchange provides <i>global navigation </i>for all names, benefiting all resolvers and therefore all clients, and making availability and robustness paramount.<o:p></o:p></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoNormal>Finally, we would encourage ICANN to better distinguish the strategy and implementation plans discussed in this document that will be enacted by ICANN for its own root server and those for the root server system more generally. While we understand the intention of this document to be focused on the ICANN managed root server (IMRS), various strategies, such as encryption, are ambiguous in their distinction between the IMRS and the entirety of the root server system.<b><o:p></o:p></b></p><p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>We are grateful for ICANN OCTO’s ongoing attention to the development of their IMRS, and appreciate the opportunity to comment on the new strategy document.<span style='color:black'><o:p></o:p></span></p><p class=MsoNormal><b><span style='color:black'><o:p> </o:p></span></b></p><p class=MsoNormal><b><span style='color:black'><o:p> </o:p></span></b></p>
<p class=MsoNormal><span style='color:black'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>Pat Kane<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=371 style='width:278.25pt'><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal><img border=0 width=371 height=2 style='width:3.868in;height:.0208in' id="_x0000_i1025" src="file:///C:/Users/pkane/AppData/Roaming/Microsoft/Signatures/dots.gif" alt=Verisign><span style='font-size:12.0pt'><o:p></o:p></span></p></td></tr><tr><td style='padding:11.25pt 0in 15.0pt 0in'><p class=MsoNormal style='line-height:10.5pt'><b><span style='font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#006AAA'>Patrick Kane</span></b><span style='font-size:8.5pt;font-family:"Helvetica",sans-serif;color:#6B6D71'><br>Senior Vice President<o:p></o:p></span></p><p class=MsoNormal style='line-height:10.5pt'><span style='font-size:8.5pt;font-family:"Helvetica",sans-serif;color:#6B6D71'>Verisign Naming Services<br><br>12061 Bluemont Way<o:p></o:p></span></p><p class=MsoNormal style='line-height:10.5pt'><span style='font-size:8.5pt;font-family:"Helvetica",sans-serif;color:#6B6D71'>Reston, VA  20190<o:p></o:p></span></p><p class=MsoNormal style='line-height:10.5pt'><span style='font-size:8.5pt;font-family:"Helvetica",sans-serif;color:#6B6D71'><br><a 
href="http://www.verisigninc.com/"><span style='font-size:9.0pt;color:#006AAA;text-decoration:none'>Verisign.com</span></a> <o:p></o:p></span></p></td><td valign=top style='padding:11.25pt 0in 0in 0in'><p class=MsoNormal><!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">
<v:stroke joinstyle="miter" />
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0" />
<v:f eqn="sum @0 1 0" />
<v:f eqn="sum 0 0 @1" />
<v:f eqn="prod @2 1 2" />
<v:f eqn="prod @3 21600 pixelWidth" />
<v:f eqn="prod @3 21600 pixelHeight" />
<v:f eqn="sum @0 0 1" />
<v:f eqn="prod @6 1 2" />
<v:f eqn="prod @7 21600 pixelWidth" />
<v:f eqn="sum @8 21600 0" />
<v:f eqn="prod @7 21600 pixelHeight" />
<v:f eqn="sum @10 21600 0" />
</v:formulas>
<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect" />
<o:lock v:ext="edit" aspectratio="t" />
</v:shapetype><v:shape id="Picture_x0020_3" o:spid="_x0000_s1026" type="#_x0000_t75" alt="Verisign™" style='position:absolute;margin-left:3.55pt;margin-top:0;width:54.75pt;height:48pt;z-index:251659264;visibility:visible;mso-wrap-style:square;mso-width-percent:0;mso-height-percent:0;mso-wrap-distance-left:0;mso-wrap-distance-top:0;mso-wrap-distance-right:0;mso-wrap-distance-bottom:0;mso-position-horizontal:right;mso-position-horizontal-relative:text;mso-position-vertical:absolute;mso-position-vertical-relative:line;mso-width-percent:0;mso-height-percent:0;mso-width-relative:page;mso-height-relative:page' o:allowoverlap="f">
<v:imagedata src="file:///C:/Users/pkane/AppData/Roaming/Microsoft/Signatures/logo.gif" />
<w:wrap type="square" anchory="line"/>
</v:shape><![endif]--><![if !vml]><img width=73 height=64 style='width:.7638in;height:.6666in' src="file:///C:/Users/pkane/AppData/Roaming/Microsoft/Signatures/logo.gif" align=right alt="Verisign™" v:shapes="Picture_x0020_3"><![endif]><span style='font-size:12.0pt'><o:p></o:p></span></p></td></tr></table><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p></div><div style='mso-element:footnote-list'><br clear=all><hr align=left size=1 width="33%"><div style='mso-element:footnote' id=ftn1><p class=MsoFootnoteText><a style='mso-footnote-id:ftn1' href="#_ftnref1" name="_ftn1" title=""><span class=MsoFootnoteReference><span class=MsoFootnoteReference><span style='font-size:10.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>[1]</span></span></span></a> ICANN Office of the Chief Technology Officer.  <i><span style='color:black'>ICANN’s Root Name Service Strategy and Implementation.</span></i><span style='color:black'>  OCTO-016, October 26, 2020.  </span><a href="https://www.icann.org/en/system/files/files/octo-016-26oct20-en.pdf">https://www.icann.org/en/system/files/files/octo-016-26oct20-en.pdf</a> <o:p></o:p></p></div><div style='mso-element:footnote' id=ftn2><p class=MsoFootnoteText><a style='mso-footnote-id:ftn2' href="#_ftnref2" name="_ftn2" title=""><span class=MsoFootnoteReference><span class=MsoFootnoteReference><span style='font-size:10.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>[2]</span></span></span></a> K. Henderson, T. April, and J. Livingood.  <i>Authoritative DNS-over-TLS Operational Considerations.</i>  Internet-Draft draft-hal-adot-operational-considerations, October 2019 (expired).  
<a href="https://datatracker.ietf.org/doc/draft-hal-adot-operational-considerations/">https://datatracker.ietf.org/doc/draft-hal-adot-operational-considerations/</a> <o:p></o:p></p></div><div style='mso-element:footnote' id=ftn3><p class=MsoFootnoteText><a style='mso-footnote-id:ftn3' href="#_ftnref3" name="_ftn3" title=""><span class=MsoFootnoteReference><span class=MsoFootnoteReference><span style='font-size:10.0pt;font-family:"Calibri",sans-serif;mso-fareast-language:EN-US'>[3]</span></span></span></a> Kaliski, B., <i>A Balanced DNS Information Protection Strategy: Minimize at Root and TLD, Encrypt When Needed Elsewhere.</i>  Verisign blog, December 7, 2020.  <a href="https://blog.verisign.com/security/a-balanced-dns-information-protection-strategy-minimize-at-root-and-tld-encrypt-when-needed-elsewhere/">https://blog.verisign.com/security/a-balanced-dns-information-protection-strategy-minimize-at-root-and-tld-encrypt-when-needed-elsewhere/</a><o:p></o:p></p><p class=MsoFootnoteText><o:p> </o:p></p></div></div></body></html>