The PayPal information risk management team warns that the introduction of new generic top-level domains, or gTLDs, could impact security.


For many years it has been common for enterprises to configure DNS domains with suffixes that are not in the set of public TLDs. The practice has been recommended by software vendors and security experts. The public delegation of these suffixes as new gTLDs will impose serous security risks on unprepared systems and roaming enterprise laptops.

Domains to be concerned are the top-10 invalid queries from the ICANN SAC 045 report, plus those gTLD suffixes identified in RFC 6762 for Multicast DNS. They are: belkin, corp, domain, home, internal, intranet, invalid, lan, local, localdomain, localhost, private and wpad.

The CAs are particularly concerned with .corp. This suffix is proposed as a new gTLD that is most often used by CA customers. If .corp is approved as a new gTLD, then correcting its use in an enterprise will have the greatest cost; and not correcting will carry the greatest risk.

Any domains that are approved as new gTLDs will have to be addressed by the CAs. The CAs will have to review the certificates they have issued and advise customers that have certificates with a new gTLD. The customers will then have to register their domain. If the customer cannot or does not register the domain, then the CA must revoke the certificates within 120 days from the gTLD being approved, as required in the CA/Browser Forum Baseline Requirements.

If you have certificates that use a proposed new gTLD, then please take precautions. You will have to make plans to either register the domain, change to a domain that you already have registered, or obtain your certificate from a non-publicly trusted CA.

Image Source: