Domain security arrives in .com

Kevin Murphy, April 1, 2011, Domain Tech

VeriSign announced late yesterday that it has fully implemented DNSSEC in .com, meaning pretty much anyone with a .com domain name can now implement it too.

DNSSEC is a domain-crypto protocol mashup that allows web surfers, say, to trust that when they visit wellsfargo.com they really are looking at the bank’s web site.

It uses validatable cryptographic signatures to prevent cache poisoning attacks such as the Kaminsky Bug, the potential internet-killer that caused panic briefly back in 2008.

With .com now supporting the technology, DNSSEC is available in over half of the world’s domains, due to the size of the .com zone. But registrants still have to decide to use it.

I chatted to Matt Larson, VeriSign’s VP of DNS research, and Sean Leach, VP of technology, this afternoon, and they said that .com’s signing could be the tipping point for adoption.

“I feel based on talking to people that everybody has been waiting for .com,” Larson said. “It could open the floodgates.”

What we’re looking at now is a period of gradual adoption. I expect a handful of major companies will announce they’ve signed their .coms, probably in the second half of the year.

Just like a TLD launch, DNSSEC will probably need a few anchor tenants to raise the profile of the technology. Paypal, for example, said it plans to use the technology at an ICANN workshop in San Francisco last month, but that it will take about six months to test.

“Most people have their most valuable domains in the .com space,” said Leach. “We need some of the big guys to be first movers.”

There’s also the issue of ISPs. Not many support DNSSEC today. The industry has been talking up Comcast’s aggressive deployment vision for over a year now, but few others have announced plans.

And of course application developer support is needed. Judging from comments made by Mozilla representatives in San Francisco, browser makers, for example, are not exactly champing at the bit to natively support the technology.

You can, however, currently download plugins for Firefox that validate DNSSEC claims, such as this one.

According to Leach, many enterprises are currently demanding DNSSEC support when they buy new technology products. This could light a fire under reluctant developers.

But DNSSEC deployment will still be slow going, so registries are doing what they can to make it less of a cost/hassle for users.

Accredited registrars can currently use VeriSign’s cloud-based signing service for free on a trial basis, for example. The service is designed to remove the complexity of managing keys from the equation.

I’m told “several” registrars have signed up, but the only one I’m currently aware of is Go Daddy.

VeriSign and other registries are also offering managed DNSSEC as part of their managed DNS resolution enterprise offerings.

Neither of the VeriSign VPs was prepared to speculate about how many .com domains will be signed a year from now.

I have the option to turn on DNSSEC as part of a Go Daddy hosting package. I probably will, but only in the interests of research. As a domain consumer, I have to say the benefits haven’t really been sold to me yet.

Microsoft spends $7.5 million on IP addresses

Kevin Murphy, March 24, 2011, Domain Tech

It’s official, IP addresses are now more expensive than domain names.

Nortel Networks, the bankrupt networking hardware vendor, has sold 666,624 IPv4 addresses to Microsoft for $7.5 million, according to Delaware bankruptcy court documents (pdf).

That’s $11.25 per address, more than you’d expect to pay for a .com domain name. Remember, there’s no intellectual property or traffic associated with these addresses – they’re just routing numbers.

This, I believe, is the first publicly disclosed sale of an IP address block since ICANN officially announced the depletion of IANA’s free pool of IPv4 blocks last month.

The deal came as part of Nortel’s liquidation under US bankruptcy law, which has been going on since 2009. According to a court filing:

Because of the limited supply of IPv4 addresses, there is currently an opportunity to realize value from marketing the Internet Numbers, which opportunity will diminish over time as IPv6 addresses are more widely adopted.

Nortel contacted 80 companies about the sale a year ago, talked to 14 potential purchasers, and eventually received four bids for the full block and three bids for part of the portfolio.

Microsoft’s bid was the highest.

The Regional Internet Registries, which allocate IP addresses, do not typically view IP as an asset that can be bought and sold. There are processes being developed for assignees to return unused IPv4 to the free pool, for the good of the internet community.

But this kind of “black market” – or “gray market” – for IP addresses has been anticipated for some time. IPv4 is now scarce, there are costs and risks associated with upgrading to IPv6, and the two protocols are expected to co-exist for years or decades to come.

In fact, during ICANN’s press conference announcing the emptying of the IPv4 pool last month, the only question I asked was: “What is the likelihood of an IPv4 black market emerging?”.

In reply, Raul Echeberria, chair of ICANN’s Number Resource Organization, acknowledged the possibility, but played down its importance:

There is of course the possibility of IPv4 addresses being traded outside of the system, but I am very confident it will be a very small amount of IPv4 addresses compared to those transferred within the system. But it is of course a possibility this black market will exist, I’m not sure that it will be an important one. If the internet community moves to IPv6 adoption, the value of the IPv4 addresses will decrease in the future.

I doubt we’ll hear about many of these sales in future, unless they come about due to proceedings such as Nortel’s bankruptcy sale, but I’m also confident they will happen.

The total value of the entire IPv4 address space, if the price Microsoft is willing to pay is a good guide, is approximately $48.3 billion.

IPv4 addresses to run out Thursday

Kevin Murphy, February 1, 2011, Domain Tech

ICANN will announce the final depletion of its pool of IPv4 addresses this Thursday.

The Number Resource Organization will hold a “ceremony and press conference to make a significant announcement and to discuss the global transition to the next generation of Internet addresses”.

The NRO is ICANN’s supporting organization representing Regional Internet Registries, the outfits responsible for handing out IP addresses to network operators.

ICANN, the Internet Society and the Internet Architecture Board will also participate in the event, scheduled for Thursday February 3 at 1430 UTC. It will be webcast here.

Today, APNIC, the Asia-Pacific RIR, said that it has been assigned two /8 blocks of addresses, meaning IANA is down to its Final Five chunks.

Thursday’s ceremony will presumably entail ICANN/IANA officially handing out these last five blocks to the five RIRs, one each, as called for by its allocation policy.

After that, it’s all gone. No more IPv4. The age of IPv6 is upon us.

It is currently estimated that the RIRs will themselves run out of IPv4 in September. After that, if they need IP addresses they’ll receive IPv6.

IPv4 is rapidly becoming a scarce commodity.

Many people, including ICANN chairman Peter Dengate Thrush, have predicted a “gray market” for addresses to appear, with address blocks changing hands for less than the cost of upgrading to IPv6.

The focus on Thursday, however, will be all about the measures network operators need to implement in order to remain viable on an internet increasingly running IPv6 equipment.

DNS not to blame for Egypt blackout

Kevin Murphy, January 28, 2011, Domain Tech

Egypt got disconnected from the internet last night, but it does not appear that DNS is to blame.

In what appears to be an unprecedented move, internet traffic to and from Egypt dried up to a trickle, apparently as a result of a government effort to crack down on anti-presidential protests.

While a number of reports have blamed DNS for the outage, the currently available data suggests the problem is much more deeply rooted.

Traffic monitoring firm Renesys seems to be one of the best sources of primary data so far. The company’s James Cowie blogged today:

At 22:34 UTC (00:34am local time), Renesys observed the virtually simultaneous withdrawal of all routes to Egyptian networks in the Internet’s global routing table. Approximately 3,500 individual BGP routes were withdrawn, leaving no valid paths by which the rest of the world could continue to exchange Internet traffic with Egypt’s service providers. Virtually all of Egypt’s Internet addresses are now unreachable, worldwide.

BGP is the Border Gateway Protocol. It’s used where networks interconnect, enabling ISPs to “announce” which blocks of IP addresses they are responsible for, so that other networks know where to send traffic destined for those addresses.

With no BGP routes into or out of Egypt, whether the DNS works or not is pretty much moot.
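To make concrete what Renesys observed, here is an added example (not code from Renesys or from this post): a small Python monitor that replays a constructed BGP update log and flags any window in which nearly all of the prefixes it has been tracking are withdrawn at once. The log format, the prefixes and the ASNs are invented for the example.

```python
from datetime import datetime, timedelta

# Constructed sample BGP update log, one observation per line:
# "<timestamp> <A|W> <prefix> <origin ASN>", A = announce, W = withdraw.
# Documentation prefixes and private ASNs, not real Egyptian networks; the
# last four lines mimic the near-simultaneous withdrawal Renesys described.
SAMPLE_UPDATES = """\
2011-01-27T18:02:11Z A 203.0.113.0/24 64500
2011-01-27T18:02:11Z A 198.51.100.0/24 64500
2011-01-27T18:02:12Z A 192.0.2.0/24 64501
2011-01-27T18:02:12Z A 203.0.113.128/25 64501
2011-01-27T20:15:40Z W 192.0.2.0/24 64501
2011-01-27T20:15:43Z A 192.0.2.0/24 64501
2011-01-27T22:34:01Z W 203.0.113.0/24 64500
2011-01-27T22:34:02Z W 198.51.100.0/24 64500
2011-01-27T22:34:02Z W 192.0.2.0/24 64501
2011-01-27T22:34:04Z W 203.0.113.128/25 64501
"""

def parse_updates(text):
    """Parse the constructed log into (time, action, prefix, asn) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, action, prefix, asn = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), action, prefix, int(asn)))
    return events

def mass_withdrawals(events, window=timedelta(seconds=60), threshold=0.8):
    """Replay updates in time order; report each moment the share of tracked
    prefixes withdrawn inside `window` first reaches `threshold`."""
    reachable = set()   # prefixes currently announced
    recent = []         # (time, prefix) withdrawals still inside the window
    alerts, alerting = [], False
    for when, action, prefix, _asn in sorted(events):
        if action == "A":
            reachable.add(prefix)
            recent = [(t, p) for t, p in recent if p != prefix]  # route came back
            continue
        reachable.discard(prefix)
        recent = [(t, p) for t, p in recent if when - t <= window]
        recent.append((when, prefix))
        withdrawn = len({p for _, p in recent})
        tracked = len(reachable) + withdrawn  # everything seen up in this window
        ratio = withdrawn / tracked
        if ratio >= threshold and not alerting:
            alerts.append((when, withdrawn, tracked))
        alerting = ratio >= threshold
    return alerts
```

The single brief withdrawal at 20:15 stays below the threshold; the four withdrawals within three seconds at 22:34 trip it.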

Blocking individual domain names, such as twitter.com, is one way to stifle communication. Another way is to instruct local ISPs to turn off DNS altogether.

But in both cases users can route around the blockade by choosing overseas DNS servers, such as the services Google and OpenDNS make available for free.

Even without DNS, users can still access web resources using IP addresses, if they know what they are.

But when ISPs stop announcing their IP addresses, even that becomes impossible. Even if you know how to find a web site, it has no way of finding you.

In this case, it seems likely that Egypt has physically unplugged itself from the global internet, which means its traffic is going nowhere, no matter what protocol you’re talking about.

But even this is not foolproof. According to experts interviewed on BBC news in the last hour, ISPs outside of the country are offering free dial-up access to Egyptians.

Egyptians with access to a dial-up modem, phone jack, compatible computer and long-distance service will presumably be able to use these services to reach the outside world, albeit at 1990s speeds.

With all the inter-governmental debate about the management of domain names over the last several years, the Egypt crisis is a useful reminder that DNS is not the quintessential element of internet governance it is often made out to be.

Go Daddy’s new billion-dollar business?

Kevin Murphy, January 25, 2011, Domain Tech

Go Daddy has officially unveiled its Premium DNS service, which will enable its customers to buy and use managed DNSSEC services for the first time.

The price is $2.99 per month, which works out to $35.88 a year.

For the money, buyers also get a bunch of other tools, such as reports and audits, off-site DNS functionality and backup name servers.

There’s also a “Vanity Nameserver” option, which appears to let customers set their domain’s name servers to display as something like brand.domaincontrol.com, rather than ns1.domaincontrol.com.

It also appears that users of Go Daddy’s standard service will now be limited to 100 forwarded sub-domains, with Premium DNS users getting an unlimited number.

But the big deal as I see it is the addition of managed DNSSEC.

DNSSEC is a new security protocol that substantially mitigates the risk of falling prey to DNS hijacking via, say, a cache poisoning attack.

Remember the Kaminsky Bug? DNSSEC prevents that kind of thing from happening again.

The problem with DNSSEC is that it’s massively complex and quite hard work to manage, requiring frequent key generation and rollover.

Go Daddy users can already manage their own DNSSEC records if they choose, but that’s only really an option if you’re a hard-core DNS geek.
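The .com signing described in the post above and the key rollover burden described here both come down to the DS record the parent zone holds for the child’s key signing key. As an added example that is not part of this post or of VeriSign’s or Go Daddy’s tooling, this standard-library Python computes a DNSKEY’s key tag and the DS digest the parent publishes, then checks whether a published DS still matches the child’s current key, which is the check that fails after a rollover if the DS in the parent is not updated; the key bytes and the example.com owner name are constructed placeholders.

```python
import hashlib
import struct

# Constructed sample, not a real key: a KSK-style DNSKEY for example.com with
# flags=257 (ZONE + SEP), protocol=3, algorithm=8 (RSA/SHA-256) and four
# placeholder bytes where the real public key material would go.
CHILD_KSK = {"flags": 257, "protocol": 3, "algorithm": 8,
             "public_key": bytes([0x01, 0x02, 0x03, 0x04])}

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def dnskey_rdata(key):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, then the key bytes."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["public_key"]

def wire_name(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root 0x00."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: 16-bit accumulator over the RDATA bytes."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, key, digest_type=2):
    """The DS record a parent such as .com publishes for a child's KSK: a digest
    over the wire-format owner name followed by the DNSKEY RDATA (RFC 4034 s5.1.4)."""
    rdata = dnskey_rdata(key)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": key["algorithm"],
            "digest_type": digest_type, "digest": digest}

def ds_matches(parent_ds, owner, child_key):
    """Chain-of-trust check: does the DS held by the parent still describe the
    child's current KSK? After a rollover this fails until the new DS is
    submitted via the registrar, and validating resolvers reject the zone."""
    expected = ds_record(owner, child_key, parent_ds["digest_type"])
    return all(expected[f] == parent_ds[f] for f in ("key_tag", "algorithm", "digest"))
```

A managed service takes over exactly this loop: generating the new key, re-signing the zone, and pushing the matching DS to the registry before the old key is retired.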

Paying a few bucks a month to have somebody else manage it for you is an absolute bargain, if you care enough about your domain’s security.

I suggest that this could be a lucrative business for Go Daddy primarily because proponents of DNSSEC hope that one day it will be ubiquitous. Every domain will use it.

Go Daddy has over 45 million domains under management today. If customers representing only 1% of its domains choose to upgrade, that’s an extra $16 million into company coffers annually.

If they all do (which is not going to happen) we’re talking about a $1.6 billion business.

I don’t think the new service is going to lead to a massive uptick in the number of signed domains, but it will certainly get the ball rolling. For enterprises, it’s good value.

But individuals and large domain portfolio holders will not flock to return to 1999 .com prices just in order to implement a protocol they’ve been doing just fine without.

The future of broad DNSSEC adoption is more likely to be in open-source and freeware tools and services that can be easily understood by geeks and non-geeks alike.