Latest news of the domain name industry

Recent Posts

New (kinda) geo-TLD rules laid out at ICANN 66

Kevin Murphy, November 2, 2019, Domain Policy

The proposed rules for companies thinking about applying for a geographic gTLD in the next application round have been sketched out.

They’re the same as the old rules.

At ICANN 66 in Montreal today, a GNSO Policy Development Process working group team discussed its recently submitted final report (pdf) into geographic strings at the top level.

While the group, which comprised over 160 members, has been working for over two years on potential changes to the rules laid out in the 2012 Applicant Guidebook, it has basically concluded by consensus that no changes are needed.

What it has decided is that the GNSO policy on new gTLDs that was agreed upon in 2007 should be updated to come into line with the current AGB.

It appears to be a case of the GNSO setting a policy, the ICANN staff and board implementing rules inconsistent with that policy, then, seven years later, the GNSO changing its policy to comply with that top-down mandate.

It’s not really how bottom-up ICANN is supposed to work.

But at least nobody’s going to have to learn a whole new set of rules when the next application round opens.

The 2012 AGB bans two-letter gTLDs, for example, to avoid confusion with ccTLDs. It also places strong restrictions on the UN-recognized names of countries, territories, capital cities and regions.

It also gave the Governmental Advisory Committee sweeping powers to object to any gTLD it didn’t like the look of.

What it didn’t do was restrict geographic names such as “Amazon”, which is an undeniably famous geographic feature but which does not appear on any of the International Standards Organization lists that the AGB defers to.

Amazon the retailer has been fighting for its .amazon gTLDs for seven years, and it appears that the new GNSO recommendations will do nothing to provide clarity for edge-case applicants such as this in future rounds.

The group that came up with report — known as Work Track 5 of the New gTLD Subsequent Procedures PDP Working Group — evidently had members that want to reduce geographic-string protections and those who wanted to increase them.

Members ultimately reached “consensus” — indicating that most but not all members agreed with the outcome — to stick with the status quo.

Nevertheless, the Montreal session this afternoon concluded with a great deal of back-slapping and expressions that Work Track 5 had allowed all voices, even those whose requests were ultimately declined, to be heard equally and fairly.

The final report has been submitted to the full WG for adoption, after which it will go to the full GNSO for approval, before heading to public comment and the ICANN board of directors as part of the PDP’s full final report.

1 Comment Tagged: , , , , ,

Emoji domains get a 😟 after broad study

Kevin Murphy, October 28, 2019, Domain Tech

Domain names containing emojis are a security risk and not recommended, according to a pretty comprehensive review by an ICANN study group.

The Country-Code Names Supporting Organization has delivered the results of its 12-person, 18-month Emoji Study Group, which was tasked with looking into the problems emoji domains can cause, review current policy, and talk to ccTLD registries that currently permit emoji domains.

The ESG didn’t have a lot of power, and its recommendations are basically an exercise in can-kicking, but it’s easily the most comprehensive overview of the issues surrounding emoji domains that I’ve ever come across.

It’s 30 pages long, and you can read it here (pdf).

Emojis are currently banned in gTLDs, where ICANN has to approve new Unicode tables before they can be used by registries at the second level, under its internationalized domain name policy, IDNA 2008.

But ccTLDs, which are not contracted with ICANN, have a lot more flexibility. There are 15 ccTLDs — almost all representing small islands or low-penetration African nations — that currently permit emoji domains, the ESG found.

That’s about 6% of Latin-script ccTLDs out there today. These TLDs are .az, .cf, .fm, .je, .ga, .ge, .gg, .gq, .ml, .st, .to, .tk, .uz, .vu, and .ws.

Five of them, including .tk, are run by notorious freebie registry Freenom, but perhaps the best-known is .ws, where major brands such as Budweiser and Coca-Cola have run marketing campaigns in the past.

The main problem with emojis is the potential for confusing similarity, and the ESG report does a pretty good job of enumerating the ways confusability can arise. Take its comparison of multiple applications’ version of the exact same “grinning face” emoji, for example:

Emoji comparison

If you saw a domain containing one of those in marketing on one platform, would you be able to confidently navigate to the site on another? I doubt I would.

There’s also variations in how registrars handle emojis on their storefronts, the report found. On some you can search with an emoji, on others you’ll need to type out the xn-- prefixed Punycode translation longhand.

In terms of recommendations, the ESG basically just asked ICANN to keep an eye on the situation, to come to a better definition of what an emoji actually is, and to reach out for information to the ccTLDs accepting emojis, which apparently haven’t been keen on opening up so far.

Despite the lack of closure, it’s a pretty good read if you’re interested in this kind of thing.

Comment Tagged: , , , , , , , , , , , , , , , , , , , , , , ,

Industry veteran Jay Daley tapped to lead IETF

Kevin Murphy, October 28, 2019, Domain Policy

The Internet Engineering Task Force has named domain industry veteran Jay Daley as its new executive director.

In a blog post last week, the IETF said that Daley beat 133 other “highly qualified applicants” for the job.

He’s the first person to hold the executive director title since the IETF formalized itself into an LLC entity owned by the Internet Society a year ago.

Daley’s most-recent activity in the domain industry was as interim CEO of Public Interest Registry between Brian Cute and Jon Nevett, a position he held for about six months last year.

He continues to sit on PIR’s board of directors

PIR is of course another ISOC subsidiary and its biggest funding source, due to the tens of millions of dollars of .org registry fees it donates every year.

Daley was previously CEO of .nz ccTLD registry NZRS and head of technology at .uk registry Nominet.

Comment Tagged: , , ,

Verisign likely to get its billion-dollar .com pricing windfall

Kevin Murphy, October 28, 2019, Domain Registries

Verisign and ICANN appear to be on the verge of signing a new .com registry contract that could prove extremely lucrative for the legacy gTLD company.

Speaking to analysts following the announcement of Verisign’s third-quarter results late last week, CEO Jim Bidzos said talks with ICANN, which have their first anniversary this week, are “nearly complete”.

The new contract will take on the terms of the Cooperative Agreement between Verisign and the US Department of Commerce, which was amended a year ago to scrap an Obama-era price freeze.

Under the future contract, Verisign is expected to be able to raise its .com fee from its current $7.85 by 7% in four of the six years of the deal. As I wrote at the time, this could be worth close to a billion dollars.

This, for a company that already enjoys profit margins so generous that I regularly receive phone calls from perplexed analysts asking me to help explain how they get away with it.

Bidzos said on Thursday night:

let me remind you that under the 2016 amendment to our .com registry agreement with ICANN, which extended the term of the agreement, we and ICANN also agree to negotiate in good faith to do two things; first, we agree to reflect changes to the Cooperative Agreement in the com agreement, including pricing terms. Second, we agree to amend the com agreement to include terms to preserve and enhance the security and stability of the com registry or the internet.

We believe these discussions with ICANN are nearly complete. While it will be inappropriate at this time to provide more details, I can say that we were satisfied with the results so far. As noted, this is an ICANN process and we expect that before long ICANN will be publishing for public comment the documents we have been discussing.

The Cooperative Agreement also allows Verisign to launch a registrar business, just as long as that registrar does not sell .com domains.

Potentially, Verisign could get the right to launch a customer-facing registrar focused on selling .net, .org and newer gTLDs and ccTLDs.

Given we already pretty much know what the new pricing regime is going to be, the big mystery right now is why it’s taken ICANN and Verisign so long to renegotiate the contract.

One analyst asked Bidzos on Thursday whether ICANN has talked its way into getting a bigger slice of the registry fee, currently set at $0.25 per annual domain transaction.

That’s in-line with what almost all the other gTLD registries pay, and I can’t see ICANN demanding more without attracting a tonne of criticism. Verisign is already by some margin its biggest funding source.

Could ICANN have demanded that Verisign adopt the Uniform Rapid Suspension anti-cybersquatting policy, which would be guaranteed to enrage domain investors?

Whatever else is to be added to the contract, it appears to be related to that amorphous term “security and stability”, which could mean basically anything.

When ICANN and Verisign agreed to talk about new terms “to preserve and enhance the security and stability of the Internet or the TLD”, what on Earth where they talking about?

It looks like we won’t have to wait too much longer to find out.

5 Comments Tagged: , , , , , ,

ICANN enters talks to kill off Whois for good

Kevin Murphy, October 23, 2019, Domain Tech

Whois’ days are numbered.

ICANN is to soon enter talks with accredited registrars and contracted gTLD registries with the aim of naming a date to finally “sunset” the aging protocol.

It wants to negotiate amendments to the Registrar Accreditation Agreement and Registry Agreement with a view to replacing obligations to publish Whois with obligations to publish Registration Data Access Protocol data.

In letters to the chairs of its registrar and registry constituencies this week, ICANN CEO Göran Marby wrote:

The primary focus of the amendment is to incorporate contractual requirements for the Registration Data Access Protocol (RDAP) into the Registration Data Directory Services. This should include definition of the plan and provisions to sunset the obligations related to the WHOIS protocol as we transition Registration Data Services to RDAP.

For avoidance of doubt, people will still be able to look up the contact information for domain name owners after the change, but the data they see (very likely redacted for privacy reasons nowadays) will be delivered over a different protocol.

The contract amendment processes involve both registry and registrar constituencies to nominate a few people to engage in talks with ICANN negotiators, which is expected to conclude within 90 days.

When they come up with mutually acceptable language, the amendments will be open for both public comment and a vote of registries and registrars, before going to the ICANN board of directors for final approval.

The voting process is complex, designed to avoid capture by the largest registrars, and based on a balance of the number of voting registrars and the number of domains they collectively manage.

The contractual changes will come as no surprise to contracted parties, which have been on-notice for years that Whois is on its way out in favor of RDAP.

Most registrars already operate an RDAP server in parallel to their old Whois service, following an ICANN deadline in August.

We could be looking at the death of Whois within a year.

5 Comments Tagged: , , , ,

Form an orderly queue: New Zealand wants a new back-end

Kevin Murphy, October 23, 2019, Domain Registries

New Zealand is looking to possibly outsource its .nz ccTLD registry back-end for the first time, and has invited interested parties to get in touch.

Registry manager InternetNZ today published a request for expressions of interest in what it’s calling its “registry replacement project”.

It won’t be as straightforward as most registry migrations, as .nz is currently running essentially two different back-ends.

Today, about 65% of its registrations are based on an outdated custom Shared Registration System protocol, with the remainder on the industry standard Extensible Provisioning Protocol.

The proportion of registrars running SRS versus EPP is roughly the same, with about 65% on SRS, according to the REOI.

But the registry wants to get rid of SRS altogether, forcing all SRS-only registrars to adopt the EPP, and the new back-end provider will have to support this transition.

While registrars always have a bit of implementation work to do when a TLD changes back-ends, it’s not usually as complicated as adopting a completely different protocol with which they may not be unfamiliar.

So the risk of issues arising during the eventual handover — which will probably take a bit longer than usual — is probably a bit higher than usual.

But .nz is an attractive TLD. At the start of the month, it had 711,945 domains under management, a pretty good penetration on a per-capita basis when compared to the biggest ccTLDs.

It’s in the top 50 of the 1,338 TLDs for which I have data.

The deadline for responses to the REOI is November 29, a little over a month from now, InternetNZ said.

The registry is taking briefings at ICANN 66 in Montreal from November 2, and the following week in New Zealand.

UPDATE: This article originally stated that InternetNZ has decided to outsource its back end. In fact, outsourcing is just one of a number of options.

Comment Tagged: , , , , , , , ,

Brexit hell: .eu suspension plan put on hold

Kevin Murphy, October 23, 2019, Domain Registries

EURid’s policy to boot out Brits next week has been put on hold due to the current impasse in Brexit talks.

UK citizens had been told they would lose their .eu domains November 1, the first day the country was scheduled to no longer be a member of the European Union.

But the October 31 exit date appears increasingly unlikely, with the divorce plan agreed to by the EU and UK Prime Minister Boris Johnson still in UK parliamentary limbo.

So EURid posted today:

Following the recent developments in the UK withdrawal scenario, the entire plan outlined below is on hold. We will keep you informed as soon as we receive further instructions from the European Commission.

Under the suspended plan, EURid would have emailed all of its UK and Gibraltar-based registrants tomorrow to inform them that their domains were in jeopardy.

It would have closed down new registrations to Brits on November 1 and given existing registrants a two-month grace period to come into compliance — by transferring their names to addresses in eligible nations — before suspending the names.

A year later, the names would be deleted and returned to the available pool.

EURid said it will provide further guidance when it gets word from the European Commission.

Comment Tagged: , , ,

DI Leaders Roundtable #1 — How many new gTLDs will be applied for next time around?

Kevin Murphy, October 21, 2019, Leaders Roundtable

How many new gTLDs will be applied for in the next application round?

This is the first question I put to the DI Leaders Roundtable, which you may recall I announced a couple weeks back.

As a reminder, the panel is comprised of leading thinkers in the domain name industry or ICANN community, covering as broad a cross-section of expertise as I could muster.

The question I posed each panelist this time was:

There were 1,930 applications for new gTLDs in 2012. Given everything we’ve learned over the last seven years, how many applications do you think there will be in the next round?

There seemed to be a rough consensus that it’s a little early to put any concrete predictions out there, and that perhaps I should have eased the panel in with something a little less challenging, but some very interesting — and divergent — opinions were nevertheless expressed.

Some of the participants asked me to note that they were speaking in a personal capacity rather than with them wearing a specific one of their various professional/volunteer hats. To save time, readers should just assume that every opinion being expressed below is personal to the expert concerned.

In no particular order…

Jeff Neuman, Senior VP, Com Laude

MugshotWithout wanting to sound like I’m trying to avoid answering the question or hedge my bets, we have to consider this question in the context of the current landscape. The number of applications in the next round will be dependent on the outcomes of the current Subsequent Procedures PDP Working Group, alongside macroeconomic business factors. So therefore I’ll put a range on the possible answer — at the low end (if the application fee remains as is and world economies are facing significant troubles) around 1,000; at the top end (with application fee reduced to a level that operates as far less of a barrier, a fair economic wind behind us and some targeted promotion of the opportunities) there could be up to 10,000.

One thing that is clear is that many of the applications will come from brands that would like to actively use their domains. Those who were forward-thinking and have taken bold steps in the first round are the ones who are benefiting most from the new gTLD program. That’s not to say that there have not also been issues with brands. In 2012 many brands were pressured to apply for TLDs by third parties who advised them to apply for purely defensive reasons. Others gave up after the many fits and starts of the program as well as the overly lengthy period it took ICANN to evaluate the TLDs, approve Specification 13, respond to name collision, and the change of rules to temporarily disallow “closed generic” TLDs. Not surprisingly, we have seen a number of these brands drop out of the program.

However, many of the ones that have stuck it out are doing well. Some have even made transitions from their “.com” or their ccTLDs to their brand TLDs. Others have used their TLDs for marketing campaigns, corporate social responsibility programs, internal corporate intranets, job sites, geolocation tools, social media programs, events and customer service. And this is just the beginning.

What we need to ensure for the future is that application fees represent the true costs of the program and that the process is predictable, reliable and flexible enough to allow brands and others to innovate. Over-regulation due to the fear of unlikely edge cases or paranoia due to how potential applicants for purely generic open TLDs cannot be allowed to happen. All TLDs should not be painted with the same regulatory brush and the community needs to understand that we should be encouraging different business models for TLDs that do not necessarily include the unfettered ability for the public to register domain names in all TLDs. Ultimately, we need to do what is best for end users on the Internet.

Incentives should be provided for TLDs like .bank and .pharmacy to validate their registrants and ensure the safety of their end users by curbing abusive behavior. This could come in the form of reduced fees to ICANN or even ensuring that other similarly sensitive strings have similar verification requirements before allowing them to be delegated.

Finally, in order for the program to succeed, we need to stimulate growth of registries and registrars in the developing world. Support for these organizations should not only be in the form of monetary contributions, but also training programs, consulting services, legal support, and even operational support (eg., the free or low-cost use of third party DNS servers globally, security monitoring and other critical services).

Rick Schwartz, domain investor

MugshotWho cares?? Nobody in the real world. Totally meaningless except to the 1,930 applicants and a totally corrupt and out of control ICANN that needs oversight! SHAMEFUL!

Christa Taylor, CMO, MMX

Mugshot“Will you walk into my parlour and tell me how many applications there will be for the next round, said a Spider to a Fly”

Oh, poor fly, good luck getting out of this one. There have been some exceptionally large volumes thrown around — 10k, 20k, but this fly would prefer to utilize data gathered from statistical surveys. Unfortunately, my workload didn’t allow me to conduct a survey this week so instead, I’ll utilize a less scientific approach and seek the same leniency ICANN received in their volume prediction used in the 2012 round.

A multitude of variables may impact the volume of applications including: notice period, application fees, auctions and delegation rates with each factor being additive to the prior factor.

  • Base volume: 2,000 applications is utilized as the initial value. While the type of applications may change, the overall volume is a logical starting point especially when considering the last round was in 2012.
  • Notice period: A longer notice period on when the application period will begin will allow for more applicants to apply. Assuming a notice period of four months with a 10% increase in application volume for each additional four-month period. i.e. if there is a six month notice until application window opens, volume will increase by 100 (2,000 x 10% x (6-4/4)). Our total volume of applications is now 2,100.
  • Application fee: The new gTLD program is expected to operate on a ‘revenue neutral’ basis. As such, the application fee should decrease from the 2012 fee of $185k. Since the volume of applications is inversely related to the fee, increasing the volume by say, 15% for every $10k less than $150k. For example, if the actual application fee is $125k, the volume of applications will increase by approximately ~800 (15% x 2,100 x ($150k – $125k/$10k) for a total of 2,900 applications.
  • Auctions: One of the most significant items that could drive the volume of applications if auctions and other related resolution mechanisms. The windfalls from ‘losing’ in auctions are well-known and while other options have been discussed – Vickrey auctions, draws, etc. some applications will be submitted for financial gains. Additionally, the potential to gain from ‘losing’ in contention sets combined with reduced application fees and delegation rates (detailed below) will again impact the volume of applications. As such, the number of applications will increase similar to application fees but would suggest that for every $5k less than $150k application fee, the volume of applications will increase by 10%. If the application fee is $125k, the volume will increase by 1,250 (10% x 2,888 x ($150k-$125k/$5k) for a combined volume of 4,150 applications.
  • Delegation rate: The final factor in this unscientific, simplistic volume projection is the delegation rate. In 2010, a rate of 1,000 per year was provided to minimize security and stability risks. If the delegation rate remains relatively the same, the processing of applications could take years and thereby, encourage potential applicants to apply knowing it will take years before their application is delegated. Additionally, a reduced application fee minimizes an applicant’s risk if they decide to withdraw at a later date. Applying another broad brushstroke of 5% per year for the length of time it will take for all applications to be delegated, excluding objections. If it is expected to take three years to process the subsequent round of applications, add in another ~750 applications (5% x 3 years X 4,150) for a total volume of 4,900, rounding to 5,000 applications.

“And take a lesson from this tale of the Spider and the Fly” — gather real data to project application volumes and escape these impossible questions.

Ref: Howitt, Mary. The Spider and the Fly. (1829)

Michele Neylon, CEO, Blacknight

MugshotIt’s not one that’s easy to answer — I think we all got it terribly wrong the last time round.

I suspect, though I could be completely wrong, that there will be at least 1,000 applications if there is a new round. Of course, that number is not based on anything other than just a gut instinct. I don’t think there will be as many distributed retail TLDs in a next round. Apart from a couple of outliers the bulk of new TLDs haven’t been as big of a success as their backers expected.

I can imagine that some cities would pitch for a TLD in the next round but it’d be more of a play in terms of tourism rather than commercial gain.

Some would have us believe that a “lot” of brands want to apply for a TLD in a next round, but I do wonder how much of that demand is “real” and comes from brands and how much of it is being pushed by those who stand to gain from applications. Of course, there could be a lot of brands out there that feel a desire to get their own TLD, but it’s also very clear that many of the brands that got one the last time round haven’t done a lot with them (with a few notable exceptions)

It’s a very good question to ask, but until there’s more clarity about the rules and the costs we’re all going to be guessing.

Jon Nevett, CEO, Public Interest Registry

MugshotCheck back with me in 2022 when we may know the application fee; how contention resolution would work (i.e. will there be speculative applications); and the role of the GAC in reviewing applications.

Dave Piscitello, Partner, Interisle Consulting Group

MugshotWhile I can’t speculate how many, I truly hope that we have fewer “generics” that only serve to create a larger set of TLDs that will be offered in bulk at fees as low as 1 yen to organized spam gangs or botnet operators. ICANN hasn’t provided a scientifically valid economic study that demonstrates a need for more of these; in fact, ICANN’s own DAAR data shows that nearly half of the abused or criminally-used domain names have migrated to the piddling 10-12% share of the total gTLD delegated (and resolving) domain names that the new TLDs represent.

Having said this, I do believe that there are some success stories that point would-be applicants to modestly profitable ventures. City TLDs for the most part have remained free of abuse or criminal misuse. A portfolio of these might be interesting. I think that brands still don’t really know how to use their TLD or migrate to these in a way that alters the threat landscape.

Ben Crawford, CEO, CentralNic

MugshotOur focus today at CentralNic is supporting the growth of existing ccTLD and gTLD registries. However there is no company more prepared for the next round than us, and based on our discussions with potential applicants, we expect more applications in this nTLD round that the last.

Generic TLD applicants obviously gravitate towards CentralNic Registry Solutions as the natural home of TLDs seeking meaningful growth. We are not only the market leaders with more registrars actively selling our nTLD domains than any other backend, but we have as many domains under management as the number 2, 3 and 4 players combined.

Brand owners are also very keen to sign up with BrandShelter as a low cost and flexible one-stop shop that can handle application, backend, registrar and domain management services under a single contract with a money back guarantee. They particularly like that we have the best value support for dot-brands that do want to actively use their TLDs (like .DVAG, .ALLFINANZ and .MINI) while we don’t employ pushy sales people to hassle our clients happy with a defensive strategy to “activate” their TLDs.

Milton Mueller, Professor, Georgia Tech

MugshotIs a negative number an acceptable answer? Will some of the past 1,930 be allowed to bring their TLDs back to the store for a refund? What exactly is ICANN’s return policy, is it as good as TJ Maxx’s? More seriously, I would expect quite a few less applications this time around. I’d be surprised if it exceeded 500. We don’t see any smashing successes from the first round.

24 Comments Tagged: , ,

Now you don’t have to live in the EU to register a .eu domain, but there’s a catch

Kevin Murphy, October 21, 2019, Domain Registries

Residents of countries outside the European Union are now able to register .eu domain names.

A new rule that kicked in at the weekend broadened eligibility from only residents of the EU and European Economic Area. Now, residency is irrelevant.

The catch is that you have to still have to be an EU citizen to qualify.

EURid, the .eu registry, said the change opens up the ccTLD to “millions of Europeans living around the world”.

In practice, it could open up the space to basically anyone.

While residency can fairly easily be checked by looking at the mailing address in a Whois record, demonstrating citizenship is a different kettle of fish.

There’s no indication that EURid is asking registrars to collect passport numbers at the point of sale, so it appears to be a post-registration enforcement regime.

.eu is also still open to non-EU citizens who live in the EU or EEA.

.eu had 3.6 million names under management at the last count, having declined by about 200,000 since the Brexit vote three years ago.

Let’s see if the new, liberalized regime has any impact.

1 Comment Tagged: , ,

Spam is not our problem, major domain firms say ahead of ICANN 66

Kevin Murphy, October 21, 2019, Domain Policy

Eleven of the largest domain name registries and registrars have denied that spam is something they should have to deal with, unless it’s used to proliferate other types of abuse such as phishing or malware.

In a newly published “Framework to Address Abuse” (pdf), the companies attempt to define the term “DNS abuse” narrowly to capture only five (arguably only four and a half) specific types of online threat.

That abuse comprises malware, phishing, botnets, pharming and spam.

The companies agree that these are activities which registrars and registries “must” act upon.

But the document notes that not all spam is its responsibility, stating:

While Spam alone is not DNS Abuse, we include it in the five key forms of DNS Abuse when it is used as a delivery mechanism for the other four forms of DNS Abuse. In other words, generic unsolicited e-mail alone does not constitute DNS Abuse, but it would constitute DNS Abuse if that e-mail is part of a phishing scheme.

In other words, registrars and registries should not feel responsible for the billions of spams sent every day using their domains, unless the spam runs further malware, phishing, pharming or botnet abuse.

The signatories of the framework are Public Interest Registry, GoDaddy, Donuts, Tucows, Amazon Registry Services, Blacknight, Afilias, Name.com, Amazon Registrar, Neustar, and Nominet UK.

It may seem like they’ve presented a surprisingly narrow definition, but it’s in line with what current ICANN contracts dictate.

Neither the standard Registry Agreement nor Registrar Accreditation Agreement mention spam at all. Six years ago, ICANN specifically said that spam is “outside of ICANN’s scope and authority”.

Under the RA, registries have to oblige their registrars to ban registrants from “distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law”.

They also have to maintain statistical reports on the amount of “pharming, phishing, malware, and botnets” in their zones, and provide those reports to ICANN upon demand. A recent audit found that 5% of registries, mainly dot-brands, were not doing this.

However, ICANN’s Domain Abuse Activity Reporting system, an effort to provide some transparency into how gTLDs are being abused, does in fact track spam. It does not track pharming, which is a fairly obscure and little-used form of DNS attack.

The DAAR report for September shows that spam constituted 73% of all tracked abuse.

The ICANN board of directors today identified DAAR as one of a few dozen priorities for the coming year.

Similarly, the cross-community working group known as the CCT Review Team, which was tasked with looking into how the new gTLD program has impacted competition and consumer trust, had harsh words for spam-friendly registries, and provided a definition of “DNS Security Abuse” that specifically included “high volume spam”.

The review recommended that ICANN introduce more measures to force contracted parties to deal with this type of abuse. This could include incentives for registries to clean up their zones and abuse volume thresholds that would automatically trigger compliance actions.

The new framework document comes in the context of an ongoing debate within the ICANN community about what “DNS abuse” is.

Two partners at Interisle, a security consultancy that often works for ICANN, recently guest-posted on DI to say that this term has become meaningless and should be abandoned in favor of “security threat”.

They argued that the definition should include not only spam, but also stuff like IP infringement, election interference, and terrorism.

But the main threat to contracted parties probably comes from the Governmental Advisory Committee, backed by law enforcement, which is pushing for stronger rules covering abusive content.

During a webinar last week, the US Federal Trade Commission, the FBI, and Europol argued that registries and registrars should be obliged to do more to combat abuse, specifically including spam.

“Whether or not you call it phishing or spam or whether it has a malware payload or not, ultimately it’s all email, and email remains the most common tool of cybercriminals to ensnare their victims, and that’s why we in law enforcement care about the domains used to send emails,” said Gabriel Andrews of the FBI’s Cyber Initiative Resource Fusion Unit, on the call.

Registries and registrars countered, using the same language found in the new framework, that generic spam is a content issue, and outside of their remit.

The two sides are set to clash again at ICANN’s annual general meeting in Montreal next month, in a November 6 face-to-face session.

While 11 entities signed the new framework, it’s arguably only nine companies. Name.com is owned by Donuts and both Amazon firms obviously have the same parent.

But it does include the two largest registrars, and registries responsible for running several hundred commercial gTLDs, dot-brands and ccTLDs.

While none of the signatories of the framework have a particular reputation for being spam-friendly, other companies in the industry — particularly some of the newest and cheapest new gTLDs — tend to attract spammers like flies to a turd.

Some of the signatories are perhaps surprising, given their past or ongoing behavior to tackle content-based abuse in their own zones.

Nominet, notably, takes down tens of thousands of domains ever year based on little more than police assurances that the domains are being used to sell counterfeit merchandise or infringe copyright.

The .uk registry also preemptively suspends domains based on algorithms that guess whether they’re likely to be seen as encouraging sexual violence or could be used in phishing attacks.

Donuts also has a trusted notifier relationship with the movie and music industries that has seen it take down dozens of names being used for mass copyright infringement.

PIR has previous endorsed, then unendorsed, the principal of a “UDRP for copyright”, a method of giving Big Content a way of going through due process to have domains taken or suspended.

Outside the spam issue, while the new registry-registrar framework says that registries and registrars should not get involved in matters related to web site content, it also says they nevertheless “should” (as opposed, one assumes based on the jargon usually found in internet standards, to “must”) suspend domains when they’re being used to distribute:

(1) child sexual abuse materials (“CSAM”); (2) illegal distribution of opioids online; (3) human trafficking; and (4) specific and credible incitements to violence.

These are exceptions because they constitute “the physical and often irreversible threat to human life”, the framework says.

Ultimately, this all boils down to a religious debate about where the line is drawn between “DNS” and “content”, it seems to me.

The contracted parties draw the line at threats to human life, whereas others want action on other forms of abuse largely because registries and registrars are in the best position to help.

11 Comments Tagged: , , , , , , , , , , , , , , ,