Latest news of the domain name industry

Recent Posts

Most registrars did NOT “fail” abuse audit, ICANN says

Kevin Murphy, October 15, 2021, Domain Registrars

Most registrars did not “fail” a recent abuse audit, despite what I wrote in my original coverage, according to ICANN.

“Referring to a certain blog, none of the registrars failed the audit,” ICANN senior audit manager Yan Agranonik said during a session of ICANN 72’s Prep Week last night.

He’s talking about ME! He’s talking about ME!

“Failure would mean that there’s an irreparable finding of deficiency that can not be corrected timely or it just goes against the registrar’s business model,” Agranonik said.

An accompanying presentation reads:

None of the registrars “failed” the audit. “Failure” means that the auditee did not acknowledge/remediate identified violations of the RAA or their business practices are not compatible with RAA.

At the risk of prolonging a tedious semantic debate, what I reported in August, when the results of the audit were announced, was: “The large majority of accredited registrars failed an abuse-related audit at the first pass, according to ICANN.”

A bunch of registrar employees, and now apparently ICANN’s own head auditor, disagreed with my characterization.

ICANN had issued a press release stating that of 126 audited registrars, it had identified 111 “that were not fully compliant with the RAA’s requirements related to the receiving and handling of DNS abuse reports.”

To me, if ICANN checks whether you’re doing a thing you should be doing and you’re not doing the thing, that’s a fail.

But to ICANN, if ICANN checks whether you’re doing a thing you should be doing and you’re not doing the thing, and it tells you you’re not doing the thing you should be doing, so you start doing the thing, that’s not a fail.

I think reasonable people could disagree on the definitions here.

But I did write that the registrars “failed… according to ICANN”, and that appears to be inaccurate, so I’m happy to correct the record today.

10 Years Ago… new gTLDs, ICANN pay, DNS abuse and ethics

Kevin Murphy, October 11, 2021, Domain Policy

The more things change, the more they stay the same.

I’ve been in a reflective mood recently, and it’s a slow news day, so I thought now might be a good time to launch a new, irregular feature — a trawl back through the DI archives to see what we were all talking about a decade ago this month.

In many respects, the conversations haven’t changed all that much in the last 10 years. Some are being repeated almost verbatim today. Others seem almost laughably naive with hindsight.

New TLDs

We were just a few months away from the opening of the first big new gTLD application window, but in October 2011 many of the rules of the program were, remarkably, still up in the air.

ICANN still hadn’t decided how much an application would cost. It had yet to decide how it would subsidize poorer applicants.

No Trademark Clearinghouse supplier had yet been found, and there was still some confusion about how the application process would work, and how it would be communicated to potential applicants.

The industry was awash with speculation, as it had been for the whole year, about who might apply for a gTLD. In October, there were stories about potential applications from New South Wales, Orange, Corsica, and BITS.

Afilias was offering $5,000 for new gTLD ideas.

But perhaps the strangest idea was a pitch from CentralNic to the super-rich. For $500,000, it would apply for your family name as a new gTLD. This came to nothing in the 2012 round, but CentralNic’s site is still live.

While new gTLDs were still in the future, October 2011 saw the ongoing sunrise period for the previous round’s .xxx, auctions following the recent launch of .co, and the creation of two new ccTLDs.

Abuse

October 2011 was marked by the registrar community reluctantly agreeing to enter talks with ICANN to renegotiate their standard Registrar Accreditation Agreement, which would ultimately lead to the current 2013 RAA.

The move came as the Governmental Advisory Committee was on the warpath on behalf of its law enforcement allies, demanding more action from the industry on DNS abuse and threatening legislation if it didn’t happen.

Imagine that.

Meanwhile, Verisign asked ICANN for more powers to take down abusive domains, which faced immediate pushback from registrars and others, before the request was retracted mere days later.

The Revolving Door

There was a lot of talk during and around ICANN 42 about conflicts of interest, particular with regards the emergence of a so-called “revolving door” between ICANN’s top brass and the domain industry.

It had been just a few months since chair Peter Dengate Thrush had, on the eve of his retirement from the board, pushed through final approval of the new gTLD program and promptly took a top job at portfolio applicant Minds + Machines.

It looked rotten, and ICANN CEO Rod Beckstrom, who had himself announced he was quitting just months earlier, had made its his personal mission to reduce at least the perception of conflicts of interest at the Org.

He ruled out being replaced by a fellow director, threw money at consultants, and said the next CEO should be an industry outsider.

It was probably all pointless.

As it turned out, the guy who replaced Beckstrom, Fadi Chehade, put in a few years in the corner office before prematurely quitting for private equity, where he now runs the company that owns Donuts, itself run by Chehade’s ICANN number two, Akram Atallah.

The amount of revolving door action at less-senior levels has been so frequent since 2011 that I don’t even keep track of it any more.

ICANN Pay

ICANN gave its top execs big pay raises. Along with death and taxes, this is a universal constant.

Most registrars fail ICANN abuse audit

Kevin Murphy, August 26, 2021, Domain Registrars

The large majority of accredited registrars failed an abuse-related audit at the first pass, according to ICANN.

(UPDATE October 14, 2021: ICANN disagrees with this characterization.)

The audit of 126 registrars, representing over 90% of all registered gTLD domains, founds that 111 were “not fully compliant with the [Registrar Accreditation Agreement’s] requirements related to the receiving and handling of DNS abuse reports”.

Only 15 companies passed with flying colors, ICANN said.

A further 92 have already put in place changes to address the identified concerns, with 19 more still struggling to come into compliance.

The particular parts of the RAA being audited require registrars to publish an abuse email address that it monitored 24/7 and to take action on well-founded cases of abuse within 24 hours of notification.

The results of the audit, carried out by ICANN Compliance and KPMG, can be found here (pdf).

Registrars to get more domain takedown powers

Kevin Murphy, August 4, 2021, Domain Registrars

ICANN will soon grant its accredited registrars the ability to unilaterally take down domains involved in ongoing security incidents, according to chair Maarten Botterman.

Responding to the news that registries have come up with a voluntary framework for tackling botnets that auto-generate domain registrations for use in command and control activities, Botterman said ICANN will extend a process currently restricted to registries into the registrar community.

That policy is the Expedited Registry Security Request Process, which allows registries to quickly obtain a retroactive waiver of its contractual obligations — such as the obligation to pay ICANN fees — if it has to urgently respond to a major incident.

The process was invoked four times last year, covering six gTLDs and roughly 1,600 domains. ICANN granted all four requests, though it seems to have on average missed its target of responding within three business days.

“As part of ICANN’s efforts to support the mitigation of DNS security threats, ICANN org will soon enable registrars to also request such waivers,” Botterman recently told the Registries Stakeholder Group.

He was responding to the news that several registries have signed up to a voluntary “Framework on Domain Generating Algorithms (DGAs) Associated with Malware and Botnets”.

That framework would allow registries to preemptively register or block domains likely to be auto-generated by botnet code, thereby cutting the head off the snake before it can wreak more havoc.

.com and NameSilo fingered as “most-abused” after numbers rocket

SpamHaus has revealed the most-abused TLDs and registrars in its second-quarter report on botnets.

The data shows huge growth in abuse at Verisign’s .com and the fast-growing NameSilo, which overtook Namecheap to top the registrar list for the first time.

Botnet command-and-control domains using .com grew by 166%, from 1,549 to 4,113, during the quarter, SpamHaus said.

At number two, .xyz saw 739 C&C domains, up 114%.

In the registrar league table, NameSilo topped the list for the first time, unseating Namecheap for the first time in years.

NameSilo had 1,797 C&C domains on its books, an “enormous” 594% increase. Namecheap’s number was 955 domains, up 52%.

Botnets are one type of “DNS abuse” that even registrars agree should be acted on at the registrar level.

The most-abused lists and lots of other botnet-related data can be found here.

Will you use SSAD for Whois queries?

Kevin Murphy, July 9, 2021, Domain Policy

ICANN is pinging the community for feedback on proposed Whois reforms that would change how people request access to private registrant data.

The fundamental question is: given everything you know about the proposed System for Standardized Access and Disclosure (SSAD), how likely are you to actually use it?

The SSAD idea was dreamed up by a community working group as the key component of ICANN’s response to privacy laws such as GDPR, and was then approved by the Generic Names Supporting Organization.

But it’s been criticized for not going far enough to grant Whois access to the likes of trademark lawyers, law enforcement and security researchers. Some have called it a glorified ticketing system that will cost far more than the value it provides.

Before the policy is approved by ICANN’s board, it’s going through a new procedure called the ODP, for Operational Design Phase, in which ICANN staff, in coordination with the community, attempt to figure out whether SSAD would be cost-effective, or even implementable.

The questionnaire released today will be an input to the ODP. ICANN says it “will play a critical role in assessing the feasibility and associated risks, costs, and resources required in the potential deployment of SSAD.”

There’s only eight questions, and they mostly relate to the volume of private data requests submitted currently, how often SSAD is expected to be used, and what the barriers to use would be.

ICANN said it’s asking similar questions of registries and registrars directly.

There’s a clear incentive here for the IP and security factions within ICANN to low-ball the amount of usage they reckon SSAD will get, whether that’s their true belief or not, if they want ICANN to strangle the system in its crib.

It’s perhaps noteworthy that the potential user groups the questionnaire identifies do not include domain investors nor the media, both of which have perfectly non-nefarious reasons for wanting greater access to Whois data. This is likely because these communities were not represented on the SSAD working group.

You can find the questionnaire over here. You have until July 22.

153 registrars fingered for ICANN security probe

Kevin Murphy, January 18, 2021, Domain Registrars

Registrars will be asked to account for abusive domain names found on their services, under a new ICANN security audit.

ICANN says it will soon send requests for information to 153 registrars, asking them to provide documentation showing how they dealt with domains used for distribution of malware or spam.

Registrars will get audited if more than five domains under their sponsorship showed up on a number of block-lists ICANN uses (SpamHaus and the like) during November 2020.

ICANN is spinning the number of affected registrars as a very small percentage of the accredited base, but it really isn’t.

It said that “only” 153 out of 2,380 accredited registrars are affected, apparently willfully ignoring the fact that well over 1,700 of these registrars are shell accreditations used for drop-catching and belonging to just two companies: Web.com and NameBright.

Domains never stick around at drop-catch shells for long, and abusive registrants typically aren’t buying expensive names on the aftermarket, they’re prowling the budget registrars for sub-dollar bargains and bulk-reg tools.

Up to a couple hundred or other accredited registrars have no or negligible domains under management. Several more are corporate registrars with no retail front-end.

So we’re really looking at “only” 153 out of 500 to 600 active retail registrars that saw the required level of abuse, a much higher percentage than would be ideal.

The audit is part of ICANN’s regular Contractual Compliance Audit Program, which seeks to determine whether any registrars or registries are in breach of their contractual obligations.

Under the 2013 Registrar Accreditation Agreement, registrars are obliged to document their responses to abuse reports, keep the data for two years, and hand it over to ICANN on demand.

ICANN hopes to finish the audit by the third quarter this year.

Israeli registrar denies “arms dealer” claims

Israeli registrar GalComm has denied being involved in a widespread malware distribution scheme after being fingered by a security outfit.

Last month Awake Security accused the registrar, officially Communigal Communication Ltd, of being “at best complicit in malicious activity”.

The firm published a report entitled “The Internet’s New Arms Dealers: Malicious Domain Registrars” which linked GalComm to a network of malicious Chrome browser extensions the firm said can steal sensitive data from users who have them installed.

It identified 111 such plug-ins, which it said have been downloaded 33 million times, using over 15,000 domains registered via GalComm.

GalComm has around 48,000 domains registered in gTLDs at the last count, so that’s a sizable percentage of the registrar’s business.

Awake came to the conclusion that GalComm was well-aware of what its customers were up to.

Now, the registrar has sent a cease-and-desist notice to Awake, CC’d to ICANN (pdf), in which it denies all knowledge and responsibility for the malware.

GalComm’s line, to summarize, is that it’s just a registrar, and that it has no obligation to monitor how its customers use their domains.

It adds that the domains in question amount to 10% of its DUM. Still a pretty big chunk.

The company wants Awake to retract its report by today, which it has not yet done, or it will call in the lawyers.

Verisign pays ICANN $20 million and gets to raise .com prices again

Kevin Murphy, January 3, 2020, Domain Registries

Verisign is to get the right to raise the price of .com domains by 7% per year, under a new contract with ICANN.
The deal, announced this hour, will also see Verisign pay ICANN $20 million over five years, starting in 2021, “to support ICANN’s initiatives to preserve and enhance the security, stability and resiliency of the DNS”.
According to ICANN, the pricing changes mean that the maximum price of a .com domain could go as high as $10.26 by October 2026.
Verisign getting the right to once more increase its fees — which is likely to be worth close to a billion dollars to the company’s top line over the life of the contract — was not unexpected.
Pricing has been stuck at $7.85 for years, due to a price freeze imposed by the Obama-era US National Telecommunications and Information Administration, but this policy was reversed by the Trump administration in late 2018.
The amendment to the .com registry agreement announced today essentially takes on the terms of the Trump appeasement, so Verisign gets to up .com prices by 7% in the last four years of the six-year duration of the contract.
ICANN said:

ICANN org is not a price regulator and will defer to the expertise of relevant competition authorities. As such, ICANN has long-deferred to the [US Department of Commerce] and the United States Department of Justice (DOJ) for the regulation of pricing for .COM registry services.

But ICANN will also financially benefit from the deal over and above what it receives from Verisign under the current .com contract.
First, the two parties have said they will sign a binding letter of intent (pdf) committing Verisign to give ICANN $4 million a year, starting one year from now, to help fund ICANN’s activities:

conducting, facilitating or supporting activities that preserve and enhance the security, stability and resiliency of the DNS, which may include, without limitation, active measures to promote and/or facilitate DNSSEC deployment, Security Threat mitigation, name collision mitigation, root server system governance and research into the operation of the DNS

That’s basically describing one of ICANN’s core missions, which is already funded to a great extent by .com fees, so quite why it’s being spun out into a separate agreement is a little bit of a mystery to me at this early stage.
Don’t be surprised if you hear the words “bung” or “quid pro quo” being slung around in the coming hours and days by ICANN critics.
The second financial benefit to ICANN comes from additional payments Verisign will have to make when it sells its ConsoliDate service.
This is the service that allows .com registrants, via their registrars, to synchronize the renewal dates of all of the domains in their portfolio, so they only have to worry about renewals on a single day of the year. It’s basically a partial-year renewal.
Under the amended .com contract, ICANN will get a piece of that action too. Verisign has agreed to pay ICANN a pro-rated fee, based on the $0.25 per-domain annual renewal fee, for the number of days any given registration is extended using ConsoliDate.
I’m afraid to say I don’t know how much money this could add to ICANN’s coffers, but another amendment to the contract means that Verisign will start to report ConsoliDate usage in its published monthly transaction reports, so we should get a pretty good idea of the $$$$ value in the second half of the year.
The amended contract — still in draft form (pdf) and open for public comment — also brings on a slew of new obligations for Verisign that bring .com more into line with other gTLDs.
There’s no Uniform Rapid Suspension policy, so domain investors and cybersquatters can breath a sigh of relief there.
But Verisign has also agreed to a new Registry-Registrar Agreement that contains substantial new provisions aimed at combating abuse, fraud and intellectual property infringement — including trademark infringement.
It has also agreed to a series of Public Interest Commitments, along the same lines as all the 2012-round new gTLDs, covering the same kinds of dodgy activities. The texts of the RRA addition and PICs are virtually identical, requiring:

a provision prohibiting the Registered Name Holder from distributing malware, abusively operating botnets, phishing, pharming, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law and providing (consistent with applicable law and any related procedures) consequences for such activities, including suspension of the registration of the Registered Name;

There are also many changes related to how Verisign handles data escrow, Whois/RDAP and zone file access. It looks rather like users of ICANN’s Centralized Zone Data Service, including yours truly, will soon have access to the humongous .com zone file on a daily basis. Yum.
The proposed amendments to the .com contract are now open for public comment here. You have until February 14. Off you go.

DI Leaders Roundtable #3 — What did you think of ICANN 66?

Kevin Murphy, November 25, 2019, Leaders Roundtable

It’s time for the third in the series of DI Leaders Roundtables, in which I pose a single question to a selection of the industry’s thought leaders.
With ICANN 66 taking place a couple of weeks ago in Montreal, Canada, a multitude of topics came under public discussion, among them: DNS abuse, the .amazon gTLD application, access to Whois data and geographic names protections.
So, this time around, I asked:

What was your biggest takeaway from ICANN 66?

And this, in no particular order, is what they said:
Frank Schilling, CEO, Uniregistry
Mugshot

What a great industry… So many stable players with fresh ideas. Innovators who cross pollinate and stay with the industry in spite of the fact that there is no new gold and obvious money-making opportunity at the moment. Many stable operators trying new things and growing the industry from the inside out.

Michele Neylon, CEO, Blacknight

MugshotThere weren’t any big surprises at ICANN 66. As I expected there were a couple of topics that many people were focussed on and they ignored pretty much everything else.
The biggest single topic was “abuse”. It’s not a “new” topic, but it’s definitely one that has come to the fore in recent months.
Several of us signed on to a “framework to address abuse” in the run up to the ICANN meeting and that, in many respects, may have helped to shift the focus a little bit. It’s pretty clear that not all actors within the eco system are acting in good faith or taking responsibility for their actions (and inactions). It’s also pretty clear that a lot of us are tired of having to pay the cost for other people’s lack of willingness to deal with the issues.
Calls for adding more obligations to our contracts are not welcome and I don’t think they’ll help deal with the real outliers anyway.
There’s nothing wrong in theory with offering cheap domain names but if you consciously choose to adopt that business model you also need to make sure that you are proactive in dealing with fraud and abuse.

Ben Crawford, CEO, CentralNic

MugshotThat M&A has become the dominant business activity in the domain industry.

Milton Mueller, Professor, Georgia Tech

MugshotMy takeaways are shaped by my participation on the EPDP, which is trying to build a “standardized system of access and disclosure” for redacted Whois data. The acronym is SSAD, but it is known among EPDP aficionados as the “So-SAD.” This is because nearly all stakeholders think they want it to exist, but the process of constructing it through an ICANN PDP is painful and certain to make everyone unhappy with what they ultimately get.
The big issue here concerns the question of where liability under the GDPR will sit when private data is released through a So-SAD. Registrars and registries would like to fob off the responsibility to ICANN; ICANN tells the world that it wants responsibility to be centralized somehow in a So-SAD but ducks, dodges and double-talks if you ask it whether ICANN org is willing to take that responsibility.
ICANN’s CEO, who fancies himself a European politician of sorts, has driven the EPDP team batty with a parallel process in which he ignores the fact that the EPDP team has all stakeholders represented, lawyers from contracted parties and data users, and privacy experts on it, as well as formal legal advice from Bird and Bird. Instead he feels compelled to launch a parallel process in which ICANN org goes about trying to make proposals and then ask European authorities about them. He has asked a bunch of techies unaware of the policy issues to design a So-SAD for us and is now badgering various European agencies for “advice” and “guidance” on whether such a system could centralize legal responsibility for disclosure decisions. The parallel process, known as the Strawberry team, was featured in the public meeting on Whois reform as if it was of equal status as the formally constituted EPDP.
But a great ICANN 66 takeaway moment occurred during that moment. The European Commission’s Pearce O’Donoghue told the assembled multitudes that a SoSAD “WOULD NOT…REMOVE THE LIABILITY OF THE DATA CONTROLLER, WHICH IS THE REGISTRAR OR THE REGISTRY. SO WE WOULD HAVE A QUESTION AS TO WHETHER IT IS ACTUALLY WORTH THAT ADDED COMPLEXITY.” So, bang, the request for European advice blew up right in Goran Marby’s face. Not only did he get a critical piece of advice on the most important issue facing the SoSAD and the EPDP, but he got it without going through the elaborate parallel process. No doubt there is now furious behind the scenes lobbying going on to reverse, change or step back from O’Donoghue’s comment. Marby has been quoted (and directly seen, by this writer) as claiming that with the submission of the Strawberry team’s formal request for “guidance” from the European Data Protection Board being submitted, he is now “done” with this. Let’s hope that’s true. My takeaway: ICANN org and all of its fruity concoctions needs to get out of the way and let the PDP work.
The final EPDP-related takeaway is that the biggest decision facing the EPDP as it makes policy for the So-SAD is who makes the disclosure decision: registrars who hold the data, or ICANN? Everyone agrees with centralizing the process of requesting data and hooking up to a system to receive it. But who makes the decision is still contested, with some stakeholders wanting it to be ICANN and others wanting it to reside with the contracted parties. It seems obvious to me that it has to be the registrar, and we should just accept that and get on with designing the So-SAD based on that premise.

Jothan Frakes, Executive Director, Domain Name Association
Mugshot

A few: WHOIS (or Lookup) remains challenging territory, registries and registrars > are not inactive about addressing abuse while avoiding becoming content police, and poutine is delicious.

Christa Taylor, CMO, MMX

MugshotFrom my perspective, the biggest takeaway is the level of industrious efforts, transformation and passion throughout the industry. Every meeting and dinner consisted of a broad range of organizations and people with diverse perspectives on industry topics resulting in thought-provoking debates or conceptual brainteasers. Compared to a year ago, the conversations have materially changed — impacted from industry consolidations, system updates and developments along with organizational transitions to streamline business in one method or another. While there is still plenty of work ahead of us, both within the industry and ICANN, it’s satisfying to reflect and realize that progress is being achieved, cooperation benefits all and no matter how long the tunnel might be, there is light.