ICANN: structure, role and influence of the organisation in the world

What is ICANN and what does it do?

The Internet Corporation for Assigned Names and Numbers (ICANN) is an international corporation that manages domain names and IP addresses. It works to make the Internet convenient and accessible to all users by coordinating technical standards and the structure of the global network. But ICANN has nothing to do with what you see on websites — it does not control the content of the Internet or how people use it. Its main task is to ensure that the Internet works smoothly for every user.

ICANN consists of several communities that together make decisions about the development of the Internet:

• Three supporting organisations:
  1. Responsible for IP addresses.
  2. Responsible for country domain names.
  3. Country top-level domain managers.
• Four committees:
  1. Governments and international organisations.
  2. Root server operators.
  3. Organisations that work on Internet security issues.
  4. The general community (ordinary Internet users, like you and me).
• A technical group that works with organisations that develop protocols for Internet technologies.

ICANN has a Board of Directors consisting of 21 members (15 of whom have voting rights). All groups and committees working under the auspices of the organisation provide the Board with their advice and recommendations. Based on this information, the Board makes decisions that affect the development of the Internet worldwide.

How does ICANN work and how is it funded?

ICANN operates on a multi-stakeholder basis, which means that various interested groups (governments, companies, academic institutions, public organisations and even ordinary users) have the opportunity to participate in the decision-making process.

ICANN is a non-profit organisation. It is funded from several key sources:

• Domain registration fees.
• Fees for other services it provides (e.g., changing DNS records).
• Voluntary contributions from organisations that support its activities.

In addition, ICANN has a fund that supports research and innovation in the field of Internet technology.

ICANN's interaction with the domain name system (DNS)

When you enter a website address in your browser, such as google.com, your computer consults the Domain Name System (DNS) to find the exact address of that site on the Internet. It's like a phone book, where instead of phone numbers, there are websites, and instead of names, there are domain addresses.

What is a domain on the Internet? A domain address consists of two parts:

1. The domain name is the name of the website, for example, google.
2. The domain extension (or TLD, top-level domain) is the part after the dot that indicates the type or country, for example, .com (for commercial websites) or .eu (for websites from the EU).

ICANN is responsible for the stability and security of this domain name system. The organisation develops technical standards and rules for the operation of domains, regulates the market, and cooperates with national organisations and domain name registrars.

In fact, to register a domain name, you need to contact a domain name registrar — a company that acts as an intermediary between you and ICANN. Registrars are licensed by ICANN to register domains that are located in different areas of the Internet, including national domains such as .us for the United States or .ua for Ukraine.

Registrars not only help you register a domain, but often offer additional services, such as website hosting (where your web pages will be stored) or personal data protection.

ICANN is also actively working on developing domain name policy. This means:

• Allocation of new domain zones. For example, ICANN defines new domain zones such as .blog or .shop, which expands the possibilities for creating new websites.
• Personal data protection. The organisation is also working to improve the protection of personal information on the Internet and combat cybercrime.

Thanks to ICANN's work, the Internet remains safe and convenient for users.

How ICANN affects IP addresses

ICANN does not directly allocate IP addresses, but it plays an important role in coordinating the entire Internet system. Its task is to set standards for how the Internet should work and to coordinate how data is transmitted between computers.

Although IP addresses (unique digital identifiers for devices on the Internet) are not allocated by ICANN, the organisation works closely with other groups that do. Regional Internet Registries (RIRs) are specialised organisations that are directly responsible for allocating blocks of IP addresses in different regions of the world. They ensure that these addresses are used correctly and in accordance with established standards.

Thanks to ICANN, the Internet operates according to certain rules and protocols. For example, when you register a domain name (such as example.com), ICANN determines what rules should apply to that domain, including the use of IP addresses. It also develops policies to ensure that all these processes run smoothly and without problems.

ICANN's control over root servers

ICANN is not only involved in domain registration and developing rules for IP address usage, but also ensures the security and stability of the Internet through various mechanisms:

• DNSSEC (Domain Name System Security Extensions) is a technology that protects the domain name system from attacks and falsification.
• Management of the Internet root zone — ICANN ensures that all Internet root servers operate stably and without failure.

If we imagine the Internet as a huge city, then root servers are the «streets» that indicate where specific buildings (websites) are located in that city. In other words, these are the main servers that store information about the location of other servers where websites and Internet resources are located.

Root servers are located at the top of the Internet «tree». Below them are servers for second-level domains (e.g., ukr.net), and below them are servers for third-level domains (e.g., blog.ukr.net). Each server knows where other servers are located and how to access the necessary information.

There are a total of 13 root servers located around the world. ICANN is the organisation that coordinates the operation of these servers. It establishes rules for managing the root zone and organises its updates and changes. ICANN is also responsible for assigning top-level domain names, such as .com, .org, or national domains, such as .ua for Ukraine.

Thanks to the coordinated work of ICANN and root servers, the Internet remains stable and accessible to everyone. This also allows for the creation of new domain zones and maintains competition among different companies that register domains.

The key to the Internet and the key signing ceremony: the role of ICANN

Now let's take a closer look at the «keys to the Internet» mentioned at the beginning of this article. We are talking about seven real physical keys that are used to control the Internet. More precisely, the domain name system. ICANN is responsible for these keys and keeps them in its possession. For security reasons, the keys are not kept by one person at ICANN, but by seven employees selected by the organisation. Seven more people are selected as backup key holders.

The physical keys open deposit safes scattered around the world. Inside these safes are smart cards, the combination of which activates the so-called «master key» or special key for signing keys (KSK). It can be compared to a «seal» that certifies the authenticity and integrity of data in the domain name system.

Hardware security module that is activated using a set of 3 or 7 smart cards

Essentially, a KSK is a regular computer file. But it is not stored on a regular computer. The key for signing keys is stored in special devices called hardware security modules (HSMs). These are specialised devices that function as advanced hard drives with additional security options. One of them is located in Los Angeles, California, and the other in Culpeper, Virginia.

To ensure the continued reliability of DNS and avoid potential security breaches, the signing key is verified every three months. This is done through a special public «key signing ceremony». Each stage of the process is observed by experts from around the world (about 50 people) who must certify that the key has not been damaged or copied. If the experts are satisfied that the KSK is in order, they sign the ZSK — the zone signing key.

If it is discovered that the key has been used without authorisation (e.g. it has been copied or replaced), then there is a procedure for replacing the KSK. Since DNSSEC was introduced, this replacement has only happened once, in 2017. And it wasn't because the KSK was replaced, but to test the replacement process itself. It took two years to get ready for the procedure, and everything went smoothly. So, no need to worry — the domain name system is in good hands.