Latest news of the domain name industry

Recent Posts

ICANN chief tells industry to lawyer up as privacy law looms

Kevin Murphy, November 10, 2017, Domain Services

The domain name industry should not rely on ICANN to protect it from incoming EU privacy law.

That’s the strong message that came out of ICANN 60 in Abu Dhabi last week, with the organization’s CEO repeatedly advising companies to seek their own legal advice on compliance with the General Data Protection Regulation.

The organization also said that it will “defer taking action” against any registrar or registry that does not live up its contractual Whois commitments, within certain limits.

“GDPR is a law. I didn’t come up with it, it didn’t come from ICANN policy, it’s the law,” Marby said during ICANN 60 in Abu Dhabi last week.

“This is the first time we’ve seen any legislation that has a direct impact on our ability to make policies,” he said.

GDPR is the EU law governing how companies treat the private information of individuals. While in force now, from May next year companies in any industry found in breach of GDPR could face millions of euros in fines.

For the domain industry, it is expected to force potentially big changes on the current Whois system. The days of all Whois contact information published freely for all to see may well be numbered.

But nobody — not even ICANN — yet knows precisely how registries and registrars are going to be able to comply with the law whilst still publishing Whois data as required by their ICANN contracts.

The latest official line from ICANN is:

At this point, we know that the GDPR will have an impact on open, publicly available WHOIS. We have no indication that abandoning existing WHOIS requirements is necessary to comply with the GDPR, but we don’t know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available.

Marby told ICANNers last week that it might not be definitively known how the law applies until some EU case law has been established in the highest European courts, which could take years.

A GNSO working group and ICANN org have both commissioned legal studies by European law experts. The ICANN one, by Swedish law firm Hamilton, is rather more comprehensive and can be read here (pdf).

Even after this report, Marby said ICANN is still in “discovery” mode.

Marby encouraged the industry to not only submit their questions to ICANN, to be referred on to Hamilton for follow-up studies, but also to share whatever legal advice they have been given and are able to share.

He and others pointed out that Whois is not the only point of friction with GDPR — it’s a privacy law, not a Whois law — so registries and registrars should be studying all of their personal data collection processes for potential conflicts.

Because there is very likely going to be a clash between GDPR compliance and ICANN contract compliance, ICANN has suspended all enforcement actions against Whois violations, within certain parameters.

It said last week that: “ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.”

This is not ICANN saying that registries and registrars can abandon Whois altogether, the statement stresses, but they might be able to adjust their data-handling models.

Domain firms will have to show “a reasonable accommodation of existing contractual obligations and the GDPR” and will have to submit their models to ICANN for review by Hamilton.

ICANN also stressed that registries may have to undergo a Registry Services Evaluation Process review before they can deploy their new model.

The organization has already told two Dutch new gTLD registries that they must submit to an RSEP, after .amsterdam and .frl abruptly stopped publishing Whois data for private registrants recently.

General counsel John Jeffrey wrote to the registries’ lawyer (pdf) to state that an RSEP is required regardless of whether the “new registry service” was introduced to comply with local law.

“One of the underlying purposes of this policy is to ensure that a new registry service does not create and security, stability or competition concerns,” he wrote.

Jeffrey said that while Whois privacy was offered at the registry level, registrars were still publishing full contact details for the same registrants.

ICANN said last week that it will publish more detailed guidance advising registries and registrars how to avoid breach notices will be published “shortly”.

2 Comments Tagged: , , , , , , , , , ,

Up to 20 million people could get broken internet in domain security rollover

Kevin Murphy, November 9, 2017, Domain Tech

Twenty million people losing access to parts of the internet is considered an acceptable level of collateral damage for ICANN’s forthcoming DNS root security update.

That’s one of a number of facts and figures to emerge from recent updates from the organization, explaining its decision to delay the so-called “KSK rollover” from October 11 to some time in the first quarter next year.

The rollover will see a new Key Signing Key, used as the trust anchor for all DNSSEC-signed domains, replace the seven-year-old original.

DNSSEC protects internet users and registrants from domain-based man-in-the-middle attacks. It’s considered good practice to roll keys at each level of the DNS hierarchy periodically, to reduce the risk of successful brute-force attacks.

The root KSK update will affect hundreds of millions of people who currently use DNSSEC-compatible resolvers, such as Google DNS.

ICANN delayed the rollover after it, rather fortuitously, spotted that not all of these resolvers are configured to correctly handle the change.

The number of known incompatible servers is quite small — only about 500 of the 11,982 DNSSEC-using recursive servers initially surveyed (pdf). That represents only a very small minority of the world’s internet users, as most are not currently using DNSSEC.

Subsequent ICANN research, presented by principal researcher Roy Arends at ICANN 60 last week, showed that:

  • There are currently about 4.2 million DNS resolvers in the world.
  • Of those, 27,084 are configured to tell the root servers which KSKs they support (currently either the KSK-2011 or KSK-2017).
  • Of those, 1,631 or 6.02% do not support KSK-2017

It was only possible to survey servers that have turned on a recent update to DNS software such as BIND and Unbound, so the true number of misconfigured servers could be much higher.

Matt Larson, ICANN’s VP of research, told DI that ICANN has identified 176 organizations in 41 countries that are currently not prepared to handle the new KSK. These organizations are fairly evenly spread geographically, he said.

Since making the decision to delay the rollover, ICANN has hired a contractor to reach out to these network operators to alert them to potential problems.

ICANN’s CEO Goran Marby has also been writing to telecommunications regulators in all countries to ask for assistance.

After the rollover, people using an incompatible resolver would be unable to access DNSSEC-signed domains. Again, that’s still quite a small minority of domains — there are only about 750,000 in .com by some accounts and apparently none of the top 25 site support it.

ICANN could roll back the change if it detects that a sufficiently large number of people are negatively affected, but that number turns out to be around 20 million.

According to its published rollover plan:

Rollback of any step in the key roll process should be initiated if the measurement program indicated that a minimum of 0.5% of the estimated Internet end-user population has been negatively impacted by the change 72 hours after each change has been deployed into the root zone.

According to InternetWorldStats, there were around 3,885,567,619 internet users in the world this June. It’s very likely more people now.

So a 0.5% threshold works out to about 19 million to 20 million people worldwide.

Larson agreed that in absolute terms, it’s a big number.

“The overall message to take away from that number, I suggest, is that a problem would have to be pretty serious for us to consider rolling back,” Larson, who was not on the team that came up with the threshold, said.

“I think that’s a reasonable position considering that, in the immediate aftermath of the rollover, there are two near-immediate fixes available to any operator experiencing problems: update their systems’ trust anchors with the new key or (less desirable from my perspective but still effective) simply disable DNSSEC validation,” he said.

He added that the 0.5% level is not a hard and fast rule, and that ICANN could be flexible in the moment.

“For example, if when we roll the key, we find out there’s some critical system with a literal life or death impact that is negatively affected by the KSK roll, I think I can pretty confidently state that we wouldn’t require the 0.5% of Internet user threshold to be met before rolling back if it looked like there would be a significant health and safety risk not easily mitigated,” he said.

The chances of such an impact are very slim, but not impossible, he suggested.

It’s not ICANN’s intention to put anyone’s internet access at risk, of course, which is why there’s a delay.

ICANN’s plan calls for any rollover to happen on the eleventh day of a given calendar quarter, so the soonest it could happen would be January 11.

Given the complexity of the outreach task in hand, the relative lack of data, and the holiday periods approaching in many countries, and ICANN’s generally cautious nature, I’d hazard a guess we might be looking at April 11 at the earliest instead.

Comment Tagged: , , , ,

59,000% revenue growth at Donuts leads to Deloitte award

Kevin Murphy, November 9, 2017, Domain Registries

Deloitte has placed new gTLD registry Donuts at the top of its 2017 Technology Fast 500, a league table of the fastest-growing North American technology firms.

Donuts won by growing its revenue by 59,093% over three years.

Given that Donuts didn’t have its first revenue-generating gTLD delegated until the final quarter of 2013, the three-year judging period basically covers almost the entire period of its existence as a trading company.

The runners up were ClassPass (46,556%, founded 2013), which gives fitness junkies a centralized way to book from multiple classes, and Toast (31,250%, founded 2012), which makes point-of-sale software for restaurants.

Companies could submit themselves for consideration on the 500-strong table. They only needed 135% growth over three years to make it to the list.

The rankings are based on revenue, not profit, so it does not necessarily mean that gTLDs are a way to get rich quick.

Still, it’s impressive that something as dated as domain names could top the rankings, given the number of transformational technologies hitting the market every year.

1 Comment Tagged: , ,

CentralNic and .CLUB reveal premium sales

Kevin Murphy, November 8, 2017, Domain Services

CentralNic and .CLUB Domains have both revealed sales of premium domain names over the last several days.

CentralNic said yesterday that it has sold “a number” of premiums for $3.4 million.

The names are believed to be from its own portfolio, rather than registry-reserved names in any of the TLDs it manages. The company did not disclose which names, in which TLDs, it had sold.

The sale smooths out potential lumpiness in CentralNic’s revenue, and the company noted that the sales means that recurring revenue from its registrar and registry business will become an increasing proportion of its revenue as its premium portfolio diminishes.

Last week, .CLUB announced that it sold $380,793 of premium .club domains in the third quarter. That was spread over 452 domains.

The big-ticket domains were porn.club and basketball.club, sold by the registry for $85,000 together.

The Q3 headline number was a sharp decline from the Q2 spike of $2.7 million, which was boosted by auctions in China.

The company published a lot more data on its sales on its blog, here.

Comment Tagged: , , , ,

XYZ relaunches .storage with $2,200 price tag

Kevin Murphy, November 8, 2017, Domain Registries

XYZ.com has reopened .storage to registrations with a new, much higher price tag.

A confusingly named “Trademark Holder Landrush” started yesterday and will run for three weeks.

It’s not a sunrise period — .storage already had its ICANN-mandated sunrise under its previous management — and it appears that it’s not actually restricted to trademark holders.

The .storage web site states that “neither registrars nor XYZ will validate trademarks during this period”. The registry says that all strings, including generic words, are available.

It basically appears to be just a way to squeeze a little extra cash out of larger companies and anyone else desperate for a good name.

There are not many registrars carrying the TLD right now, just five brand protection registrars and 101domain.

101domain prices the names at $699.99 with a $1,500 application fee during the trademark landrush.

XYZ says that the regular suggested retail price for .storage will be $79.99 per month which seems to be a roundabout way of saying $948 per year. There’s no option to register for less than a year.

.storage is designed for companies in the data storage and physical storage industries, so adopting a high-price, low-volume business model is probably a smart move by the registry.

It’s a similar model to that XYZ employs in its car-related gTLDs operated in partnership with Uniregistry.

XYZ does not appear to be relying entirely on defensive registrations to make its coin, however.

It’s offering a “complimentary” web site migration service, usually priced at $10,000, that it says can help early registrants switch to .storage in as little as 72 hours with no loss of search engine juice.

.storage was originally owned by Extra Storage Space, a physical storage company, but XYZ acquired the contract for an undisclosed sum in May.

The trademark landrush will be immediately followed by an Early Access Period, during which there will also be a sliding-scale fee (day one will be a whopping $55,000 at 101domain!), before general available starts a month from now.

Comment Tagged: , , , ,