Latest news of the domain name industry

Recent Posts

New ccTLDs may have to block name collisions

Kevin Murphy, January 26, 2015, Domain Registries

ICANN is thinking about expanding its controversial policy on name collisions from new gTLDs to new ccTLDs.

The country code Names Supporting Organization has been put on notice (pdf) that ICANN’s board of directors plans to pass a resolution on the matter shortly.

The resolution would call on the ccNSO to “undertake a study to understand the implications of name collisions associated with the launch of new ccTLDs” including internationalized domain name ccTLDs, and would “recommend” that ccTLD managers implement the same risk mitigation plan as new gTLDs.

Because ICANN does not contract with ccTLDs, a recommendation and polite pressure is about as far as it can go.

Name collisions are domains in currently undelegated TLDs that nevertheless receive DNS root traffic. In some cases, that may be because the TLDs are in use on internal networks, raising the potential of data leakage or breakages if the TLDs are then delegated.

ICANN contracts require new gTLDs to block such names or wildcard their zones for 90 days after launch.

Some new gTLD registry executives have mockingly pointed to the name collisions issue whenever a new ccTLD has been delegated over the last year or so, asking why, if collisions are so important, the mitigation plan does not apply to ccTLDs.

If the intent was to persuade ICANN that the collisions management framework was unnecessary, the opposite result has been achieved.

3 Comments Tagged: , , , , ,

Pop-ups boost most-popular new gTLD domains, and it’s not just .xyz any more

Kevin Murphy, January 26, 2015, Domain Registries

The .xyz and .country gTLDs are currently dominating the league table of most-popular new gTLDs, but massive pop-up advertising campaigns using junk domains can account for the majority of their leading sites.

Today, Amazon’s Alexa site popularity tool sees 2,425 new gTLD domains in its top one million. Of those, 163 are in the top 50,000 sites.

But almost two thirds of those 163 domains appear to be throwaways that receive traffic not because they’re attracting visitors, but because they’re used to serve pop-up advertising, in some cases via adware.

The trend has been visible for a few months now, restricted almost exclusively to .xyz, but over the last two weeks .country has also started to be used in this way.

That’s interesting because, unlike .xyz, .country is not a low-cost gTLD. Go Daddy currently sells it for $39.95 per year.

(UPDATE: As Andrew points out in the comments, Uniregistry is selling .country names for $1 for the first year, which almost certainly explains the .country bump.)

Almost 100 of the top 163 new gTLD domains comprise two unrelated dictionary words put together to make something nonsensical.

Domains such as iciclecellar.country, laborervolcano.country, classkitten.country, sweepstakesglove.country, rewardmen.country, installationdesk.country have recently joined have joined the likes of vasegiraffe.xyz, cactusstew.xyz, bedcrow.xyz, notebookwrist.xyz, wishgrass.xyz, pencilkite.xyz and basketriver.xyz on this list.

As far as I can tell, they’re all registered via Uniregistry and using its free Whois privacy service to mask the identities of the registrants.

Visiting these domains in your browser will either result in an error — where I suspect the site is checking the referrer before deciding whether to show a page — or will send you on a merry redirect chain that terminates in an affiliate marketing sign-up page.

Some of the domains have been discussed in online forums as serving up pop-up ads, which would account for large amounts of traffic and high popularity.

Some have alleged that they’ve seen adware serve up ads from some of these domains.

Pop-up ads may be annoying, but they’re legal and — unlike spam and malware — not usually a violation of gTLD registries’ terms of service.

Whether benefiting from adware would leave a registrant in violation of a registrar or registry’s ToS is also a fuzzy area.

But for the new gTLD industry, which is currently in a mindshare-building mode, this kind of use does not make for great optics. If internet users see new gTLDs most often in an unwanted context, it could impair their trust in the new gTLD environment.

4 Comments Tagged: , , , , , ,

Jeff Neuman quits Neustar for Valideus

Kevin Murphy, January 23, 2015, Domain Registries

Neustar’s top domain name guy is moving to UK new gTLD consultancy Valideus.

Jeff Neuman, who’s been with Neustar for over 15 years, will become Valideus’ senior vice president for North America, starting this coming Monday, according to Valideus managing director Nick Wood.

I don’t know who’s replacing him at Neustar, where he’s been in charge of the company’s domain name business for the last couple of years, overseeing the company’s business as a registry back-end provider and registry for New York’s .nyc new gTLD.

Neuman was previously Neustar’s longstanding VP of policy, a role which also saw him heavily involved in ICANN’s GNSO Council and Neustar’s application for and launch of .biz, back in 2000.

He’s been quite a pivotal and sometimes outspoken figure over the years.

Valideus is the new gTLD service provider sister company to Com Laude, the brand-focused registrar. It provides application consulting and ongoing registry/registrar management for dot-brand gTLD applicants and registries, Amazon among them.

I gather that Neuman will remain based in the US, as his new job title implies.

11 Comments Tagged: , , , ,

.gay is gay enough after all? ICANN overturns community panel decision

Kevin Murphy, January 22, 2015, Domain Registries

One of the applicants for .gay has won a significant battle in the fight for the controversial new gTLD.

In a shock move, a committee of ICANN’s board of directors has overturned the rejection of dotgay LLC’s Community Priority Evaluation, ordering that the case should be re-examined by a new panel of experts.

As you may recall, dotgay’s CPE was kicked out in October after the Economist Intelligence Unit panel decided that the company’s defined community was too broad to be described by “gay” as it included a lot of people who aren’t gay, such as straight people.

The decision — which I thought was probably correct — caused an uproar from dotgay’s myriad supporters, which include dozens of international equal rights and gay community organizations.

dotgay filed a Request for Reconsideration, ICANN’s cheapest but least reliable form of appeal, and today found out it actually won.

ICANN’s Board Governance Committee, which handles the RfR process, this week ruled (pdf):

The BGC concludes that, upon investigation of Requester’s claims, the CPE Panel inadvertently failed to verify 54 letters of support for the Application and that this failure contradicts an established procedure. The BGC further concludes that the CPE Panel’s failure to comply with this established CPE procedure warrants reconsideration. Accordingly, the BGC determines that the CPE Panel Report shall be set aside, and that the EIU shall identify two different evaluators to perform a new CPE for the Application

The successful RfR appears to be based on a technicality, and may have no lasting impact on the .gay contention set.

Under the EIU’s process rules: “With few exceptions, verification emails are sent to every entity that has sent a letter(s) of support or opposition to validate their identity and authority”.

It seems that the EIU was sent a bundle of 54 letters of support for dotgay, but did not email the senders to verify they were legit. The BCG wrote:

Over the course of investigating the claims made in Request 14-44, ICANN learned that the CPE Panel inadvertently did not verify 54 of the letters of support it reviewed. All 54 letters were sent by the Requester in one correspondence bundle, and they are publicly posted on ICANN’s correspondence page.36 The 54 letters were deemed to be relevant by the EIU, but the EIU inadvertently failed to verify them.

If an applicant wins a CPE it means all the other applicants are automatically excluded, and the door is now open for the EIU to rethink its earlier decision.

So do competing applicants Rightside, Minds + Machines and Top Level Design now have genuine cause for concern? Not necessarily.

CPE applicants need to score at least 14 out of 16 available points in order to win, and dotgay only scored 10 points in its original evaluation.

Crucially, the EIU panel said that because the “community” as defined by dotgay included transgender, intersex, asexual and straight “allies” of equal rights, it was too broad to score any of the available four points on the “Nexus” criteria.

The BCG could find no fault with the EIU’s determination on Nexus, so even if dotgay’s letters of support are verified according to procedure, it would not necessarily lead to dotgay picking up any more Nexus points.

The BCG wrote on Nexus: “Requester’s substantive disagreement with the CPE Panel’s conclusion does not support reconsideration”.

However, given that the EIU is going to do the entire CPE all over again with new panelists, it seems entirely possible that dotgay could win this time.

4 Comments Tagged: , , , , , , ,

Domain hijacking bug found in Go Daddy

Kevin Murphy, January 22, 2015, Domain Registrars

Go Daddy has rushed out a fix to a security bug in its web site that could have allowed attackers to steal valuable domain names.

Security engineer Dylan Saccomanni found several “cross site request forgery” holes January 17, which he said could be used to “edit nameservers, change auto-renew settings and edit the zone file entirely”.

He reported it to Go Daddy (evidently with some difficulty) and blogged it up, with attack code samples, January 18. Go Daddy reportedly patched its site the following day.

A CSRF vulnerability is where a web site fails to adequately validate data submitted via HTTP POST. Basically, in this case Go Daddy apparently wasn’t checking whether commands to edit name servers, for example, were being submitted via the correct web site.

Mitigating the risk substantially, attackers would have to trick the would-be victim domain owner into filling out a web form on a different site, while they were simultaneously logged into their Go Daddy accounts, in order to exploit the vulnerability, however.

In my experience, Go Daddy times out logged-in sessions after a period, reducing the potential attack window.

Being phishing-aware would also reduce your chance of being a victim.

I’m not aware of any reports of domains being lost to this attack.

Comment Tagged: , ,