Latest news of the domain name industry

Recent Posts

Major registries posting “fabricated” Whois data

One or more of the major gTLD registries are publishing Whois query data that may be “fabricated”, according to some of ICANN’s top security minds.

The Security and Stability Advisory Committee recently wrote to ICANN’s top brass to complain about inconsistent and possibly outright bogus reporting of Whois port 43 query volumes.

SSAC said (pdf):

it appears that the WHOIS query statistics provided to ICANN by registry operators as part of their monthly reporting obligations are generally not reliable. Some operators are using different methods to count queries, some are interpreting the registry contract differently, and some may be reporting numbers that are fabricated or otherwise not reflective of reality. Reliable reporting is essential to the ICANN community, especially to inform policy-making.

SSAC says that the inconsistency of the data makes it very difficult to make informed decisions about the future of Whois access and to determine the impact of GPDR.

While the letter does not name names, I’ve replicated some of SSAC’s research and I think I’m in a position to point fingers.

In my opinion, Google, Verisign, Afilias and Donuts appear to be the causes of the greatest concern for SSAC, but several others exhibit behavior SSAC is not happy about.

I reached out to these four registries on Wednesday and have published their responses, if I received any, below.

SSAC’s concerns relate to the monthly data dumps that gTLD registries new and old are contractually obliged to provide ICANN, which publishes the data three months later.

Some of these stats concern billable transactions such as registrations and renewals. Others are used to measure uptime obligations. Others are largely of academic interest.

One such stat is “Whois port 43 queries”, defined in gTLD contracts as “number of WHOIS (port-43) queries responded during the reporting period”.

According to SSAC, and confirmed by my look at the data, there appears to be a wide divergence in how registries and back-end registry services providers calculate this number.

The most obvious example of bogosity is that some registries are reporting identical numbers for each of their TLDs. SSAC chair Rod Rasmussen told DI:

The largest issue we saw at various registries was the reporting of the exact or near exact same number of queries for many or all of their supported TLDs, regardless of how many registered domain names are in those zones. That result is a statistical improbability so vanishingly small that it seems clear that they were reporting some sort of aggregate number for all their TLDs, either as a whole or divided amongst them.

While Rasmussen would not name the registries concerned, my research shows that the main culprit here appears to be Google.

In its December data dumps, it reported exactly 68,031,882 port 43 queries for each of its 45 gTLDs.

If these numbers are to be believed, .app with its 385,000 domains received precisely the same amount of port 43 interest as .gbiz, which has no registrations.

As SSAC points out, this is simply not plausible.

A Google spokesperson has not yet responded to DI’s request for comment.

Similarly, Afilias appears to have reported identical data for a subset of its dot-brand clients’ gTLDs, 16 of which purportedly had exactly 1,071,939 port 43 lookups in December.

Afilias has many more TLDs that did not report identical data.

An Afilias spokesperson told DI: “Afilias has submitted data to ICANN that addresses the anomaly and the update should be posted shortly.”

SSAC’s second beef is that one particular operator may have reported numbers that “were altered or synthesized”. SSAC said in its letter:

In a given month, the number of reported WHOIS queries for each of the operator’s TLDs is different. While some of the TLDs are much larger than others, the WHOIS query totals for them are close to each other. Further statistical analysis on the number of WHOIS queries per TLD revealed that an abnormal distribution. For one month of data for one of the registries, the WHOIS query counts per TLD differed from the mean by about +/- 1%, nearly linearly. This appeared to be highly unusual, especially with TLDs that have different usage patterns and domain counts. There is a chance that the numbers were altered or synthesized.

I think SSAC could be either referring here to Donuts or Verisign

Looking again at December’s data, all but one of Donuts’ gTLDs reported port 43 queries between 99.3% and 100.7% of the mean average of 458,658,327 queries.

Is it plausible that .gripe, with 1,200 registrations, is getting almost as much Whois traffic as .live, with 343,000? Seems unlikely.

Donuts has yet to provide DI with its comments on the SSAC letter. I’ll update this post and tweet the link if I receive any new information.

All of the gTLDs Verisign manages on behalf of dot-brand clients, and some of its own non-.com gTLDs, exhibit the same pattern as Donuts in terms of all queries falling within +/- 1% of the mean, which is around 431 million per month.

So, as I put to Verisign, .realtor (~40k regs) purportedly has roughly the same number of port 43 queries as .comsec (which hasn’t launched).

Verisign explained this by saying that almost all of the port 43 queries it reports come from its own systems. A spokesperson told DI:

The .realtor and .comsec query responses are almost all responses to our own monitoring tools. After explaining to SSAC how Verisign continuously monitors its systems and services (which may be active in tens or even hundreds of locations at any given time) we are confident that the accuracy of the data Verisign reports is not in question. The reporting requirement calls for all query responses to be counted and does not draw a distinction between responses to monitoring and non-monitoring queries. If ICANN would prefer that all registries distinguish between the two, then it is up to ICANN to discuss that with registry operators.

It appears from the reported numbers that Verisign polls its own Whois servers more than 160 times per second. Donuts’ numbers are even larger.

I would guess, based on the huge volumes of queries being reported by other registries, that this is common (but not universal) practice.

SSAC said that it approves of the practice of monitoring port 43 responses, but it does not think that registries should aggregate their own internal queries with those that come from real Whois consumers when reporting traffic to ICANN.

Either way, it thinks that all registries should calculate their totals in the same way, to make apples-to-apples comparisons possible.

Afilias’ spokesperson said: “Afilias agrees that everyone should report the data the same way.”

As far as ICANN goes, its standard registry contract is open to interpretation. It doesn’t really say why registries are expected to collect and supply this data, merely that they are obliged to do so.

The contracts do not specify whether registries are supposed to report these numbers to show off the load their servers are bearing, or to quantify demand for Whois services.

SSAC thinks it should be the latter.

You may be thinking that the fact that it’s taken a decade or more for anyone to notice that the data is basically useless means that it’s probably not all that important.

But SSAC thinks the poor data quality interferes with research on important policy and practical issues.

It’s rendered SSAC’s attempt to figure out whether GDPR and ICANN’s Temp Spec have had an effect on Whois queries pretty much futile, for example.

The meaningful research in question also includes work leading to the replacement of Whois with RDAP, the Registration Data Access Protocol.

Finally, there’s the looming possibility that ICANN may before long start acting as a clearinghouse for access to unredacted Whois records. If it has no idea how often Whois is actually used, that’s going to make planning its infrastructure very difficult, which in turn could lead to downtime.

Rasmussen told DI: “Our impression is that all involved want to get the numbers right, but there are inconsistent approaches to reporting between registry operators that lead to data that cannot be utilized for meaningful research.”

ICANN redacts the secrets of Verisign’s .web deal

Afilias thinks it has found the smoking gun in its fight to wrestle .web out of the hands of rival Verisign, but for now the details are still a closely guarded secret.

The company recently filed an amended complaint in its Independent Review Process case against ICANN, after it managed to get a hold of the deal that Verisign struck with Nu Dot Co, the company that spent $135 million of Verisign’s money to win .web at auction in 2016.

The Domain Acquisition Agreement, which apparently set out the terms under which NDC would bid for .web on Verisign’s behalf, was revealed during disclosure in December.

But in publishing the amended complaint (pdf) (which seems to have happened in the last week or two), ICANN has whited out all references to the contents of this document.

Afilias claims that the DAA proves that NDC broke the rules of the new gTLD program by refusing to disclose to ICANN that it had essentially become a Verisign proxy:

It claims that ICANN should therefore have disqualified NDC from the .web auction.

Based on the terms of the DAA, it is evident that NDC violated the New gTLD Program Rules. ICANN, however, has refused to disqualify NDC from the .WEB contention set, or to disqualify NDC’s bids in the .WEB Auction.

Afilias came second in the 2016 auction, bidding $135 million. NDC/Verisign won with a $142 million bid, committing it to pay the amount Afilias was willing to pay.

While Verisign has said that it plans to market .web, Afilias believes that Verisign’s primary motivation at the auction was to essentially kill off what could have been .com’s biggest competitor. It says in its amended complaint:

ICANN has eviscerated one of the central pillars of the New gTLD Program and one of ICANN’s founding principles: to introduce and promote competition in the Internet namespace in order to break VeriSign’s monopoly

Whether the DAA reveals anything we do not already know is an open question, but Afilias reckons ICANN’s prior failure to disclose its contents represents a failure of its commitment to transparency.

Reading between the lines, it seems Afilias is claiming that ICANN got hold of the DAA some time before it was given to Afilias in discovery last December, but that ICANN “had refused to provide the DAA (or even confirm its existence)”.

By redacting its contents now, ICANN is helplessly playing into the narrative that it’s trying to cover something up.

But ICANN is probably not to blame for the redactions. It was ICANN holding the axe, yes, but it was Verisign that demanded the cuts.

ICANN said in its basis for redactions document (pdf) that it “has an affirmative obligation to redact the information designated as confidential by the third party(ies) unless and until said third party authorizes the public disclosure of such information.”

Afilias has also managed to put George Sadowsky, who for the best part of the last decade until his October departure was one of ICANN’s most independent-minded directors, on the payroll.

In his testimony (pdf), he apparently reveals some details of the ICANN boards private discussions about the .web case.

Guess what? That’s all redacted too, unilaterally this time, by ICANN.

Future of .io domains has become party-political issue in the UK

The future of the Chagos Islands and therefore the longevity of .io domain names may well depend on which party holds the reins of power in the UK.

The current Conservative government under Theresa May has this month rejected an international court ruling calling for the British Indian Ocean Territory — currently the official name of the archipelago — to be wound down and the lands returned to the exiled Chagossians.

But the leader of the official opposition, Jeremy Corbyn, has reportedly slammed the government’s position and said Labour is “committed to respecting the advisory opinion in full, so as to ensure that Chagossians are able to return to their homes”.

In February, the International Court of Justice ruled that the UK had kept control of the islands unlawfully when Mauritius, which had the prior claim, gained its independence in 1968.

The couple thousand natives were kicked out of the country a few years later to make way for a US naval base, and have been living in Mauritius and the Seychelles with no ability to return ever since.

Were the UK to follow the ICJ ruling, it would quite possibly mean the end of BIOT as the name of the islands and therefore the demise of its two-letter country code, IO, and therefore the eventual retirement of the popular .io domain name.

.io, which is believed to have around 270,000 domains, is run by London-based Internet Computer Bureau Ltd, which Afilias bought for $70 million two years ago.

It’s popular with tech startups as a kind of domain hack for “input/output”.

Now that the UK government has officially come out against the ICJ ruling, and Labour has supported it, it appears the future of the Chagossians and .io registrants alike will depend rather on who is occupying 10 Downing Street in future.

Mohan takes the reins at Afilias

Ram Mohan appears to have taken over the C-suite at Afilias.

The long-time chief technology officer was also yesterday named to the newly created role of chief operating officer, with the suggestion that he’s also taken over much of the work of CEO Hal Lubsen.

Afilias said Mohan will continue to report to Lubsen, but that “most all of Mr. Lubsen’s previous direct reports will now report to Mr. Mohan”.

Lubsen, who has been listed on the Afilias web site as “72 years old” for at least four years, will “continue to be responsible for and oversee finance, mergers and acquisitions and most legal matters.”

Mohan has been with the company as CTO since the very outset, when it was awarded .info back in 2001. He wrapped up a 10-year term on ICANN’s board of directors last October.

He’s going to carry on with the CTO’s job “initially”, Afilias said, but it sounds like a replacement will be sought.

Nevett headhunts top execs from three rivals

Public Interest Registry has filled out its executive team by poaching senior staff from rivals Afilias, Donuts and Neustar.

Judy Song-Marshall of Neustar has joined as chief of staff, Joe Abley of Afilias is the new chief technology officer and Anand Vora has joined from Donuts as VP of business affairs.

They’re the first senior level appointments to be announced since Donuts co-founder Jon Nevett was appointed CEO three months ago.

PIR, the non-profit which runs .org and related gTLDs, has also let it be known that it’s looking for a chief financial officer. The job ad can be found here.