The Internet Architecture Board believes dotless domain names would be “inherently harmful to Internet security.”
The IAB, the oversight committee which is to internet technical standards what ICANN is to domain names, weighed in on the debate with an article apparently published yesterday.
In it, the committee states that over time dotless domains have evolved to be used only on local networks, rather than the internet, and that to start delegating them at the top level of the DNS would be dangerous:
most users entering single-label names want them to be resolved in a local context, and they do not expect a single name to refer to a TLD. The behavior is specified within a succession of standards track documents developed over several decades, and is now implemented by hundreds of millions of Internet hosts.
By attempting to change expected behavior, dotless domains introduce potential security vulnerabilities. These include causing traffic intended for local services to be directed onto the global Internet (and vice-versa), which can enable a number of attacks, including theft of credentials and cookies, cross-site scripting attacks, etc. As a result, the deployment of dotless domains has the potential to cause significant harm to the security of the Internet.
The article also says (if I understand correctly) that it’s okay for browsers to interpret words entered into address bars without dots as local resources and/or search terms rather than domain names.
It’s pretty unequivocal that dotless domains would be Bad.
The article was written because there’s currently a lot of talk about new gTLD applicants — such as Google, Donuts and Uniregistry — asking ICANN to allow them to run their TLDs without dots.
There’s a ban in the Applicant Guidebook on the “apex A records” that would be required to make dotless TLDs work, but it’s been suggested that applicants could apply to have the ban lifted on a case-by-case basis.
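The collision the IAB describes can be shown with a simplified model of how a stub resolver handles a single-label name (an added example, not code from the IAB or ICANN). The `ndots` search-list rule is modelled loosely on resolv.conf behaviour; the TLD string `portal`, the suffix `corp.example` and all addresses are constructed for illustration.

```python
# Added illustration: a simplified model of stub-resolver search-list handling
# (the "ndots" rule from resolv.conf). Real resolvers differ in details.

def candidates(name, search, ndots=1):
    """Fully-qualified names a stub resolver would try, in order."""
    if name.endswith("."):
        return [name]                      # rooted name: search list is skipped
    absolute = name + "."
    expanded = [f"{name}.{suffix.rstrip('.')}." for suffix in search]
    if name.count(".") >= ndots:
        return [absolute] + expanded       # "looks qualified": try as-is first
    return expanded + [absolute]           # single label: local suffixes first


def resolve(name, search, local_zone, global_zone, ndots=1):
    """Return (fqdn, origin, address) for the first candidate that answers."""
    for fqdn in candidates(name, search, ndots):
        if fqdn in local_zone:
            return fqdn, "local", local_zone[fqdn]
        if fqdn in global_zone:
            return fqdn, "global", global_zone[fqdn]
    return None


# Constructed sample data; "portal" is a hypothetical TLD string.
SEARCH = ["corp.example"]
LOCAL = {"portal.corp.example.": "10.0.0.25"}               # intranet host
GLOBAL_NO_APEX = {"www.portal.": "192.0.2.80"}              # TLD without apex A
GLOBAL_APEX = {**GLOBAL_NO_APEX, "portal.": "192.0.2.10"}   # dotless TLD


def scenarios():
    """Same typed name, three environments."""
    return {
        "office": resolve("portal", SEARCH, LOCAL, GLOBAL_APEX),
        "away_no_apex": resolve("portal", SEARCH, {}, GLOBAL_NO_APEX),
        "away_apex": resolve("portal", SEARCH, {}, GLOBAL_APEX),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:13} -> {result}")
```

The `away_apex` case is the one the IAB warns about: a lookup meant for the intranet host is answered from the public Internet, while `office` shows the reverse for a user who meant the TLD.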
More recently, ICANN’s Security and Stability Advisory Committee has stated almost as unequivocally as the IAB that dotless domains should not be allowed.
But for some reason ICANN recently commissioned a security company to look into the issue.
This seems to have made some people, such as the At Large Advisory Committee, worried that ICANN is looking for some wiggle room to give its new gTLD paymasters what they want.
Alternatively, ICANN may just be looking for a second opinion to wave in the faces of new gTLD registries when it tells them to take a hike. It was quite vague about its motives.
It’s not just a technical issue, of course. Dotless TLDs would shake up the web search market in a big way, and not necessarily for the better.
Donuts CEO Paul Stahura today published an article on CircleID that makes the case that it is the browser makers, specifically Microsoft, that are implementing DNS all wrong, and that they’re objecting to dotless domains for competitive reasons. The IAB apparently disagrees, but it’s an interesting counterpoint nevertheless.
DomainsBot has started promoting its domain name suggestion services to new gTLD registries.
Announced today, its new TLD Recommendation Engine for Registries is designed to make TLD suggestions more relevant when people are hunting for a new domain name.
It’s a sister service to the TLD Recommendation Engine for Registrars that, as we reported last week, DomainsBot hopes to have in place on many of the major registrars’ storefronts when new gTLDs launch.
After last week’s news, Domain Name Wire did a test of its demo and found it lacking in certain areas, such as failing to offer a .accountant domain to a query containing “CPA”.
DomainsBot CEO Emiliano Pasqualetti told DI that the service being announced today will help TLD registries avoid this kind of problem.
In consultation with DomainsBot, they’ll be able to more accurately define the meaning of their TLD string, improving the relevancy of DomainsBot’s results and potentially not missing out on sales.
Under the hood, it’s based on a database of all the second-level domains in existence today. DomainsBot wants to connect each second-level string to relevant results in new gTLDs.
“My goal is to pre-classify every existing second-level domain before new gTLDs go live,” Pasqualetti said.
The service is not free, of course. The cheapest tier has an introductory price of $1,000 per month, which Pasqualetti said will go up in future.
It’s “pay for relevancy” rather than “pay for display”, he said. “I’m not saying if you pay me I will display .cpa every time.”
MinardosGroup, which has applied for .build, .construction and .expert, has already signed on to use the service, according to a DomainsBot press release.
Newish gTLDs .tel and .xxx are among the most secure top-level domains, while .cn and .pw are the most risky.
That’s according to new gTLD services provider Architelos, which today published a report analyzing the prevalence of abuse in each TLD.
Assigning an “abuse per million domains” score to each TLD, the company found .tel the safest with 0 and .cn the riskiest, with a score of 30,406.
Recently relaunched .pw, which has had serious problems with spammers, came in just behind .cn, with a score of 30,151.
Generally, the results seem to confirm that the more tightly controlled the registration process and the more expensive the domain, the less likely it is to see abuse.
Norway’s .no and ICM Registry’s .xxx scored 17 and 27, for example.
Surprisingly, the free ccTLD for Tokelau, .tk, which is now the second-largest TLD in the world, had only 224 abusive domains per million under management, according to the report.
Today’s report ranked TLDs with over 100,000 names under management. Over 90% of the abusive domains used to calculate the scores were related to spam, rather than anything more nefarious.
The data was compiled from Architelos’ NameSentry service, which aggregates abusive URLs from numerous third-party sources and tallies up the number of times each TLD appears.
The methodology is very similar to the one DI PRO uses in TLD Health Check, but Architelos uses more data sources. NameSentry is also designed to automate the remediation workflow for registries.
Key-Systems said yesterday that it plans to make .hiv domain names available at “below net cost price”, in solidarity with would-be new gTLD registry dotHIV.
The registrar said it will also offer free .hiv names at launch to organizations involved in fighting the virus via its Moniker and domaindiscount24.com retail registrars.
dotHIV, also a German company, plans to donate all of its profits to HIV/AIDS charities.
Its application is uncontested and has already passed Initial Evaluation, but is the target of Governmental Advisory Committee advice, which has put its bid on hold.
Despite this uncertainty, Key-Systems said it expects the Sunrise phase for .hiv to start in December.
.CO Internet is expanding its registrar channel with a new Request For Proposals.
The company wants would-be registrars to respond with the commitments they’re willing to make to market and promote .co domains, particularly in markets where .co is not currently popular.
Only ICANN-accredited registrars need apply.
Amusingly, registrars also need to be specifically accredited to sell .biz domains. Presumably this is due to .CO’s relationship with back-end provider Neustar, which also runs .biz.
The company has about 30 registrars right now, but many of those operate very large reseller networks, so there’s no shortage of places to buy a .co if you want one.
.CO deliberately kept its registrar numbers low — only 10 at launch — in order to cut down on abuse and to keep a tighter leash on gaming during the 2010 landrush process.
The RFP can be found here.