Verisign is just not going to let the issue of the risks to the Domain Name System caused by the new gTLD program go.
The company that operates .COM has already raised numerous concerns on technical issues such as name collisions. Recently, it has also stepped up its "new gTLD warning campaign" with claims that ICANN is not being true to its pledge for accountability. My predecessor as GNSO Chair Chuck Gomes, a deeply respected member of the ICANN community and a Verisign employee, penned a scathing assessment of the areas where ICANN has, in his words, shown that its "first priority is protecting itself and therefore it avoids accountability and works very hard at transferring risks to others."
Now Verisign is publishing the results of a deep-dive they have carried out on .CBA. This string was applied for by the Commonwealth Bank of Australia and was recently ranked as a risky proposition by ICANN. In response, the bank claimed that most of the instances of name collisions involving "cba" were actually caused by its own internal use of the term.
"Commonwealth Bank simply cannot know this," responds Verisign, "without broad root server system instrumentation and qualitative analysis (…) We conducted our own analysis of the .CBA queries. We believe our data and analysis shows without a doubt that CBA's initial conclusions are incorrect."
Verisign's findings are that the cba queries come primarily out of Japan, with NTT-ME Corporation alone generating 79% of the queries. Some of the queries come from "DNS Service Discovery" protocols such as Bonjour, which are used for local networks but can "leak" to the global network, resulting in a potential name collisions (if a .CBA was delegated). "The namespaces conducting Bonjour and other DNS-SD queries account for 80% of all queries seen in CBA," says Verisign.
Verisign also identified cba queries from malware detection service McAfee Global Threat Intelligence, or GTI for short, saying "30 different namespaces are making McAfee queries."
The study's conclusions appear damning for Commonwealth Bank of Australia. "Does CBA own .cba," asks Verisign, referencing the bank's claims to ICANN that the cba leakage was mostly emanating from its own systems and was therefore under its control. The answer is harsh. "There are no labels being queried in .cba that explicitly indicate "Commonwealth Bank of Australia" or obvious derivatives."
Verisign ends by calling for ICANN to implement its own security committee's recommendations and not leave it up to applicants to self-determine whether they are a DNS security risk. "Most applicants do not seem to be qualified to assess the risks of delegating their strings," Verisign concludes.