Latest news of the domain name industry

Recent Posts

Junk drop cuts .xyz in half, .top claims volume crown

The .xyz gTLD has seen its zone file halve in size, as millions of free and cheap domains were not renewed.

The former volume leader among new gTLDs started this month with a tad over 5.2 million domains in its zone.

But its July 17 zone contained 2.5 million, much less than half as many, DI analysis shows.

The precipitous decline means that Chinese-run gTLD .top, increasingly notorious as a go-to TLD for spammers, is now literally at the top of the league table, when you measure new gTLDs by zone file volume, with 2.6 million names.

The primary reason for .xyz losing so many names is of course the expiration of most of the domains that were sold for just $0.01 — or given away for free — in the first few days of June 2016, and the aggressive promotional pricing on offer for the remainder of that month.

On May 30, 2016, there were just under 2.8 million names in the .xyz zone. By July 1, 2016, that number had topped 6.2 million, an increase of 3.4 million over a single month.

That was .xyz’s peak. The zone has been in gradual decline ever since.

Domains generally take 45 days to drop, so it’s entirely possible XYZ.com will see further losses over the next month or so.

There’s nothing unusual about seeing a so-called “junk drop” a year after a TLD launches or runs a free-domains promotion. It’s been well-understood for over a decade and has been anticipated for .xyz for over a year.

But compounding its problems, the .xyz registry appears to still be banned in China, where a substantial portion of its former customer base is located.

The company disclosed over two months ago that it had a “temporary” problem that had seen its license to sell domains via Chinese registrars suspended.

The ban was related to XYZ falling out with its original “real name verification” provider, ZDNS, which was tasked with verifying the identities of Chinese registrants per local government regulations.

I’ve never been able to confirm with either party the cause of this split, but everyone else involved in the Chinese market I’ve asked has told me it related to a dispute over money.

Regardless, two months later the major Chinese registrars I checked today still appear to not be carrying .xyz names.

XYZ has meanwhile signed up with alternative Chinese RNV provider Tele-info, and just three days ago submitted the necessary paperwork (pdf) with ICANN to have the move approved as a registry service under its contract.

In that request, XYZ said the new RNV service “will allow XYZ to reenter certain domain name markets”, suggesting that it has not yet regained Chinese government approval to operate there.

3 Comments Tagged: , , , , , , , , ,

Over 750 domains hijacked in attack on Gandi

Gandi saw 751 domains belonging to its customers hijacked and redirected to malware delivery sites, the French registrar reported earlier this month.

The attack saw the perpetrators obtain Gandi’s password for a gateway provider, which it did not name, that acts as an intermediary to 34 ccTLD registries including .ch, .se and .es.

The registrar suspects that the password was obtained by the attacker exploiting the fact that the gateway provider does not enforce HTTPS on its login pages.

During the incident, the name servers for up up to 751 domains were altered such that they directed visitors to sites designed to compromise unpatched computers.

The redirects started at 0804 UTC July 7, and while Gandi’s geeks had reversed the changes by 1615 it was several more hours before the changes propagated throughout the DNS for all affected domains.

About the theft of its password, Gandi wrote:

These credentials were likewise not obtained by a breach of our systems and we strongly suspect they were obtained from an insecure connection to our technical partner’s web portal (the web platform in question allows access via http).

It’s not clear why a phishing attack, which would seem the more obvious way to obtain a password, was ruled out.

Gandi posted a detailed timeline here, while Swiss registry Switch also posted an incident report from its perspective here. An effected customer, which just happened to be a security researcher, posted his account here.

Gandi says it manages over 2.1 million domains across 730 TLDs.

Comment Tagged: , , ,

ICANN chair paid $114,000 last year

Kevin Murphy, July 13, 2017, Domain Policy

ICANN chair Steve Crocker was paid $114,203.24 in the organization’s last tax year.

The number was released today (pdf) in response to a request by domain blogger John Poole of DomainMondo.com.

Poole had requested the figures because Crocker is paid via his company, Shinkuro, rather than directly, so his compensation does not show up on ICANN’s published tax returns.

It was already known that ICANN’s chair is eligible for $75,000 a year in salary, but today’s letter, from CFO Xavier Calvez, states that he also received $39,203.24 for office rent (about $3,250 per month) in the year ended June 30 2016.

This does not include his travel reimbursements and such, which came to well over $100,000 in the same fiscal year according to ICANN disclosures.

If Crocker were on ICANN staff, he would be the 18th most costly employee, even if you do include the extra reimbursements.

Other ICANN directors receive $45,000 per year.

Calvez said ICANN will update its disclosure process to make it clearer how much Crocker is paid via Shinkuro.

2 Comments Tagged:

Could the next new gTLD round last 25 years? Or 70 years?

Kevin Murphy, July 13, 2017, Domain Policy

Will the next new gTLD round see 25,000 applications? If so, how long will it take for them all to go live?

The 25,000 figure is one that I’ve heard touted a few times, most recently during public sessions at ICANN’s meeting in Johannesburg last month.

The problem is that, judging by ICANN’s previous performance, such a huge number of applications would take anywhere from 25 to 70 years to process.

It’s unclear to me where the 25,000 application estimate comes from originally, but it does not strike me as laughably implausible.

There were just shy of 1,930 applications for 1,408 unique strings in the most recent round.

There could have been so many more.

ICANN’s outreach campaign is generally considered to have been a bit lackluster, particularly in developing markets, so many potential applicants were not aware of the opportunity.

In addition, some major portfolio applicants chose to rein in their ambitions.

Larry Page, then-CEO of Google, is known to have wanted to apply for many, many more than the 101 Google wound up applying for, but was talked down by staff.

There’s talk of pent-up demand for dot-brands among those companies that missed the 2012 window, but it’s impossible to know the scale of that demand with any precision.

Despite the fact that a handful of dot-brands with ICANN registry agreements and delegations have since cancelled their contracts, there’s no reason they could not reapply for defensive purposes again in subsequent rounds.

There are also thousands of towns and cities with populations comparable to cities that applied in 2012 that could apply next time around.

And there’s a possibility that the cost of applying — set at $185,000 on a highly redundant “cost recovery” basis — may come down in the next round.

Lots of other factors will play a role in how many applications we see, but in general it doesn’t seem impossible that there could be as many as 25,000.

Assuming for a moment that there are 25,000, how long will that take to process?

In the 2012 round, ICANN said it would delegate TLDs at a rate of no more than 1,000 per year. So that’s at least 25 years for a 25,000-app round.

That rate was set somewhat arbitrarily during discussions about root zone scaling before anyone knew how many gTLDs would be applied for and estimates were around the 500 mark.

Essentially, the 1,000-per-year number was floated as a sort of straw man (or “straw person” as some ICANNers have it nowadays) so the technical folk had a basis to figure out whether the root system could withstand such an influx.

Of course, this limit will have to be revised significantly if ICANN has any hope of processing 25,000 applications in under a generation.

Discussions at the time indicated that the rate of change, not the size of the root zone, was what represented the stability threat.

In reality, the rate of delegation has been significantly slower than 1,000 per year.

It took until May 2016 for the 1,000th new gTLD to go live, 945 days after the first batch were delegated in late October 2013.

That means that during the relative “rush-hour” of new gTLD delegations, there was still only a little over one per day on average.

And that’s counting from the date of the first delegation, which was actually 18 months after the application window was closed.

If that pattern held in subsequent rounds, we would be looking at about 70 years for a batch of 25,000 to make their way through the system.

You could apply for a vanity gTLD matching your family name and leave the delegation as a gift to your great-grandchildren, long after your death.

Clearly, with 25,000 applications some significant process efficiencies — including, I fancy, much more automation — would be in order.

Currently, IANA’s process for making changes to root zone records (including delegations) is somewhat complex and has multiple manual steps. And that’s before Verisign makes the actual change to the master root zone file.

But the act of delegation is only the final stage of processing a gTLD application.

First, applications that typically run into tens of thousands of words have to undergo Initial Evaluation by several teams of knowledgeable consultants.

From Reveal Day in 2012 to the final IE being published in 2014 took a little over two years, or an average of 2.5 applications per day.

Again, we’re looking at over a quarter of a century just to conduct IE on 25,000 applications.

Then there’s contracting — ICANN’s lawyers would have to sign off on about a dozen Registry Agreements per day if it wanted to process 25,000 delegations in just five years.

Not to mention there’s also pre-delegation testing, contention resolution, auctions, change requests, objections…

There’s a limited window to file objections and there were many complaints, largely from governments, that this period was far too short to read through just 1,930 applications.

A 25,000-string round could take forever, and ICANN’s policies and processes would have to be significantly revised to handle them in a reasonable timeframe.

Then again, potential applicants might view the 2012 round as a bust and the next round could be hugely under-subscribed.

There’s no way of knowing for sure, unfortunately.

6 Comments Tagged: ,

auDA explains secretive new regime in bid to save chair

auDA has explained why it has refused to put controversial new policies to a vote, as it recommended that members vote to save the job of chairman Stuart Benjamin.

In a letter to members published this week, the .au ccTLD administrator said it was not legally obliged to allow members to vote on its directors’ decisions to stop publishing their meeting minutes and to gag members from bad-mouthing auDA in the press.

As we reported earlier in the week, a group of domainers and others had signed a petition calling for four resolutions to be put to a vote of auDA’s members (largely domainers and registrars), but auDA only accepted one of them.

That resolution was to fire Benjamin. Members will vote July 31.

The new letter (pdf) seeks to explain why the other three resolutions were rejected.

The campaigners, organized by domainer/blogger Ned O’Meara at Grumpy.com.au, had demanded that auDA reverse its new policy of not publishing the minutes of its board meetings.

In response, auDA stated that it is under no legal obligation under Aussie corporation law or its own constitution to publish minutes and therefore under no obligation to put this policy to a member vote.

It did, however, agree to reinstate previously published and deleted minutes of meetings up to February 2017.

The Grumpy gang also wanted auDA to put is new member code of conduct, apparently unilaterally imposed by its board this May, to a member vote.

The code of conduct contains some innocuous policies about having a zero tolerance for members who abuse and harass auDA staff, but it also prevents members from saying bad things about the organization in public.

Members must agree:

In any forum, including in the media, where acting as an auDA member or identifiable as an auDA member, I will conduct myself in a manner that will not bring the organisation, Directors or staff, into disrepute.

This basically would prevent any member from criticizing auDA when talking to a journalist, under pain of having their membership suspended or revoked. Clearly uncool.

In auDA’s new letter, CEO Cameron Boardman explains that the ability of the board to suspend memberships has been removed from the policy, in response to feedback. Memberships can still be revoked by the board, however.

This U-turn appears to be a legal technicality designed to ensure that the policy does not change the organization’s constitution — which allows the board to revoke but not suspend memberships — and therefore does not need to be put to a member vote.

Finally, the Grumpy coalition had asked for auDa’s decision to create its own in-house registry — and to stop outsourcing its back-end to Neustar — to be put to a vote.

Boardman’s letter says that this decision was “a matter of management exclusively vested in the directors” and therefore legally not something it has to put out for member approval.

O’Meara and company were given the chance to recant on their fourth resolution — that Benjamin be fired — and apparently had indicated initially that they wished to do so.

However, they were so appalled by Boardman’s letter than they decided to go ahead with it anyway.

auDA’s recommendation that Benjamin keeps his job can be read in full here.

Comment Tagged: , , ,