Verisign increases focus on .com after flogging public DNS to Neustar

Kevin Murphy, November 3, 2020, Domain Registries

Neustar has taken another nibble at former archrival Verisign, buying the company’s public DNS resolution service.

The companies announced yesterday that Neustar has acquired Verisign Public DNS, and will incorporate it into its existing UltraDNS Public service.

The deal means that several IP addresses used to provide the services will transition to Neustar, so end users don’t need to make any changes.

Recursive DNS services are often used by people or organizations that, for whatever reason, don’t trust their ISP to treat their browsing records confidentially.

Big players in the market include Google, Cloudflare, and Cisco’s OpenDNS.

Signing up for such services is usually free — users simply reconfigure their devices to point their DNS resolution to a provider’s IPs.

Providers get greater insight into network activity that they can use to boost their paid-for enterprise security services, and they sometimes monetize NXDOMAIN (non-existing domain) landing pages.

No monetary value was put on the deal.

“Verisign is committed to focusing on its core mission of providing critical internet infrastructure, including Root Zone management, operation of 2 of the 13 global internet root servers, operation of .gov and .edu, and authoritative resolution for the .com and .net top-level domains, which support the majority of global e-commerce,” Verisign senior VP Eb Keshavarz said in a press release.

That quote buries the lede, of course — operating .com and .net is the only activity listed that makes Verisign any money, and now it’s pretty much the only thing Verisign does.

Neustar acquired Verisign’s security services business, including its fee-paying recursive DNS customers, two years ago.

Neustar is of course no longer competing with Verisign in the registry services market, having sold that business to GoDaddy earlier this year. It’s now GoDaddy Registry.

Warning (or threat?) prices must go up or .org will suffer DAYS of downtime

Kevin Murphy, December 18, 2019, Domain Registries

Public Interest Registry’s new commercial owner will have to raise domain prices significantly, or .org web sites will suffer over three days of downtime every year, one of its subcontractors has warned.

The claim came in a surprising, confusing letter (pdf) to ICANN’s top brass from Packet Clearing House, a major provider of DNS Anycast services.

PCH claims that Ethos Capital, which is in the process of buying PIR from the Internet Society for $1.135 billion, can only make a profit on the deal if it significantly ups the price of .org domains while simultaneously cutting infrastructure spending.

But its numbers don’t make a whole heck of a lot of sense to me, unless you interpret them as a threat to throw .org under a bus.

PCH is a non-profit company in the business, partly, of selling DNS Anycast services. This is the technology that allows domain names to be resolved by a server as close to the end user as possible, cutting down on internet travel time and load-balancing resolution across the world.

For 15 years, it has been providing such services to Afilias, which is the back-end registry services provider for .org and hundreds of other TLDs. Some of the money PIR makes selling .org domains therefore flows from PIR to Afilias to PCH.

While PCH is hardly a household name, even in the domain name industry (in almost 10 years, I’ve mentioned its name once), the letter, sent last week and published by ICANN last night, attempts to open the kimono a little to reveal how much it costs to reliably resolve a major gTLD.

According to PCH, “annual operational cost necessary to ensure the reliable and performant availability of .ORG” has grown from $11 million in 2004 to $30 million today.

Does that mean Afilias pays PCH $30 million a year to help resolve .org? No.

PCH says that in 2019, $1.3 million will come “indirectly from .ORG registration revenue”, with the remaining $29 million “met through tax-deductible contributions from PCH’s many donors”.

As a non-profit, PCH accepts donations from more than 30 listed sponsors, including Afilias and ICANN, as well as household names such as Amazon, Google and Netflix.

According to PCH’s letter, if .org is transferred into for-profit control, this $29 million will dry up. The letter states:

Under IRS tax law, tax-deductible donations to non-profits cannot accrue to the benefit of a for-profit. Therefore if .ORG is transferred to a for-profit entity, we cannot ask our donors to continue to subsidize its operation, 96% of .ORG’s current operational funding will disappear, and the reliability of its operation will sink from that of .COM and .NET to the least-common-denominator of commodity domains, which generally suffer several days of outage per year.

It estimates .org’s potential downtime at 3.12 days per year. It’s not saying that would happen in one big 72-hour chunk, but it still averages out at about 12 minutes per day.

This amount of interruption would put PIR firmly on ICANN’s naughty step when it comes to the registry’s contractual uptime commitments — it has to provide 100% DNS service availability every month, under pain of losing its contract.

But why would those PCH contributions dry up?

Is PCH seriously saying that its donors are chucking in $29 million a year specifically to subsidize .org resolution services? Why on Earth would they do that, when .org brings in revenue of over $90 million per year and PIR only pays Afilias $18 million for registry services?

PCH provides Anycast for 243 gTLDs and 120 ccTLDs. The vast majority of these are managed by for-profit entities. There simply are not 243 non-profit gTLDs out there. Not even close.

In fact, most of the gTLDs PCH serves appear to be for-profit Afilias clients, including many dot-brands.

Goodness knows how PCH segments its income and expenditure, but it seems very likely that PCH’s donors are already financially helping to provide resolution services for commercial registries.

Could we interpret this letter as a threat to deliberately degrade .org’s performance, should the Ethos transaction go through? I’m not sure, but I think it’s a plausible read.

Regardless, we have to take PCH’s claims about the loss of sponsorship money at face value if we want to follow the rest of its calculations.

If the .ORG domain is sold for USD 1.135B, wholesale price and number of domains remain unchanged over the remaining nine years of the delegation (USD 900M gross), and operational reliability is maintained (at a cost of USD 270M), the buyer would take a net loss of USD 470M, or -6.33% CAGR. Private equity does not purposefully enter into loss-making deals. We may therefore conclude that the above scenario is not the intended outcome of the proposed sale.

That calculation seems to assume that PIR/Ethos/Afilias picks up the slack caused by the loss of the purported $29 million subsidy, rather than continuing to pay $1.3 million per year.

But PCH goes on to calculate that Ethos could make a profit on the acquisition only if it raises prices at over 10% a year AND refuses to chip in the missing $29 million.

If the .ORG domain is sold for USD 1.135B, prices are increased by 10% annually (USD 1.357B gross), and operational spending is slashed by 99% (USD 2.7M), the buyer would make a net gain of USD 220M, or 1.99% CAGR, while increasing down-time to more than three days per year.

1.99% CAGR is not a return for which private equity would typically take this magnitude of risk. The unavoidable conclusion is that any private equity buyer who spends $1.135B to buy the .ORG domain must not only increase prices by more than 10% annually, but also cut operational costs to the minimum levels we see available at the low end of the market, with disastrous consequences for .ORG registrants and the public who depend upon them.

Again, all of these calculations appear to rely upon the notion that $29 million of voluntary donations from Amazon, Netflix, IBM, et al. disappear when the acquisition is finalized.

It’s difficult to say how much PCH spends on its DNS infrastructure across the board, or how it accounts for its donations. The company does not make any financial information available on its web site.

Wikipedia reports, in an edit apparently made by PCH executive director Bill Woodcock, that the company had revenue of $251 million last year.

I assume the vast majority of that comes from and supports its primary business, which is building and maintaining internet exchange points around the world.

The only 990 tax return I could find for a “Packet Clearing House” in the San Francisco bay area shows an entity with barely $2 million of revenue in 2018.

To return to the letter, PCH concludes:

Three days per year of interrupted communications for millions of not-for-profit organizations would unacceptably damage the stability and functionality of the Internet, and more broadly of society globally.

We believe that stability and functionality should be central to any consideration by ICANN of change of control or contract modifications in relation to the .ORG TLD. As we demonstrate, the proposed transaction, or any financially-similar one, guarantees a disastrous effect on stability. Please do not approve it.

It’s a pretty shocking request, coming from an organization with a 15-year relationship with .org.

Perhaps PCH is concerned that PIR, under new management, will dump Afilias as back-end provider, leading to a loss of business for itself? Maybe, but that only appears to be a piddling $1.3 million out of a $251 million budget.

A more pressing question is arguably whether ICANN, which is currently probing ISOC and Ethos for additional information about the acquisition, finds PCH’s arguments persuasive.

ICANN has so far proved unresponsive to community concerns about pricing, but technical stability is its absolute raison d’être. If there’s any risk at all that .org will start regularly missing its uptime targets, ICANN is duty bound to take those concerns seriously.

ICANN must do more to fight internet security threats [Guest Post]

ICANN and its contracted parties need to do more to tackle security threats, write Dave Piscitello and Lyman Chapin of Interisle Consulting.

The ICANN Registry and Registrar constituencies insist that ICANN’s role with respect to DNS abuse is limited by its Mission “to ensure the stable and secure operation of the internet’s unique identifier systems”, therefore limiting ICANN’s remit to abuse of the identifier systems themselves, and specifically excluding from the remit any harms that arise from the content to which the identifiers point.

In their view, if the harm arises not from the identifier, but from the thing identified, it is outside of ICANN’s remit.

This convenient formulation relieves ICANN and its constituencies of responsibility for the way in which identifiers are used to inflict harm on internet users. However convenient it may be, it is fundamentally wrong.

ICANN’s obligation to operate “for the benefit of the Internet community as a whole” (see Bylaws, “Commitments”) demands that its remit extend broadly to how a domain name (or other Internet identifier) is misused to point to or lure a user or application to content that is harmful, or to host content that is harmful.

Harmful content itself is not ICANN’s concern; the way in which internet identifiers are used to weaponize harmful content most certainly is.

Rather than confront these obligations, however, ICANN is conducting a distracting debate about the kinds of events that should be described as “DNS abuse”. This is tedious and pointless; the persistent overloading of the term “abuse” has rendered it meaningless, ensuring that any attempt to reach consensus on a definition will fail.

ICANN should stop using the term “DNS abuse” and instead use the term “security threat”.

The ICANN Domain Abuse Activity Reporting project and the Governmental Advisory Committee (GAC) use this term, which is also a term of reference for new TLD program obligations (Spec 11) and related reporting activities. It is also widely used in the operational and cybersecurity communities.

Most importantly, the GAC and the DAAR project currently identify and seek to measure an initial set of security threats that are a subset of a larger set of threats that are recognized as criminal acts in jurisdictions in which a majority of domain names are registered.

ICANN should acknowledge the GAC’s reassertion in its Hyderabad Communique that the set of security threats identified in its Beijing correspondence to the ICANN Board were not an exhaustive list but merely examples. The GAC smartly recognized that the threat landscape is constantly evolving.

ICANN should not attempt to artificially narrow the scope of the term “security threat” by crafting its own definition.

It should instead make use of an existing internationally recognized criminal justice treaty. The Council of Europe’s Convention on Cybercrime is a criminal justice treaty that ICANN could use as a reference for identifying security threats that the Treaty recognizes as criminal acts.

The Convention is recognized by countries in which a sufficiently large percentage of domain names are registered that it can serve the community and Internet users more effectively and fairly than any definition that ICANN might concoct.

ICANN should also acknowledge that the set of threats that fall within its remit must include all security events (“realized security threats”) in which a domain name is used during the execution of an attack for purposes of deception, for infringement on copyrights, for attacks that threaten democracies, or for operation of criminal infrastructures that are operated for the purpose of launching attacks or facilitating criminal (often felony) acts.

What is that remit?

ICANN policy and contracts must ensure that contracted parties (registrars and registries) collaborate with public and private sector authorities to disrupt or mitigate:

  • illegal interception or computer-related forgery,
  • attacks against computer systems or devices,
  • illegal access, data interference, or system interference,
  • infringement of intellectual property and related rights,
  • violation of laws to ensure fair and free elections or undermine democracies, and
  • child abuse and human trafficking.

We note that the Convention on Cybercrime identifies or provides Guidance Notes for these most prevalently executed attacks or criminal acts:

  • Spam,
  • Fraud (the forms of fraud that use domain names in criminal messaging include business email compromise, advance fee fraud, phishing and other identity thefts),
  • Botnet operation,
  • DDoS attacks, in particular redirection and amplification attacks that exploit the DNS,
  • Identity theft and phishing in relation to fraud,
  • Attacks against critical infrastructures,
  • Malware,
  • Terrorism, and
  • Election interference.

In all these cases, the misuse of internet identifiers to pursue the attack or criminal activity is squarely within ICANN’s remit.

Registries or registrars should be contractually obliged to take actions that are necessary to mitigate these misuses, including suspension of name resolution, termination of domain name registrations, “unfiltered and unmasked” reporting of security threat activity for both registries and registrars, and publication or disclosure of information that is relevant to mitigating misuses or disrupting cyberattacks.

No one is asking ICANN to be the Internet Police.

The “ask” is to create policy and contractual obligations to ensure that registries and registrars collaborate in a timely and uniform manner. Simply put, the “ask” is to oblige all of the parties to play on the same team and to adhere to the same rules.

This is unachievable in the current self-regulating environment, in which a relatively small number of outlier registries and registrars are the persistent loci of extraordinary percentages of domain names associated with cyberattacks or cybercrimes and the current contracts offer no provisions to suspend or terminate their operations.

This is a guest editorial written by Dave Piscitello and Lyman Chapin, of security consultancy Interisle Consulting Group. Interisle has been an occasional ICANN security contractor, and Piscitello until last year was employed as vice president of security and ICT coordination on ICANN staff. The views expressed in this piece do not necessarily reflect DI’s own.

Google adds censorship workaround to Android devices

Kevin Murphy, October 5, 2018, Domain Tech

Google is using experimental DNS to help people in censorious regimes access blocked web sites.

Alphabet sister company Jigsaw this week released an Android app called Intra, which enables users to tunnel their DNS queries over HTTPS to compatible servers, avoiding common types of on-the-wire manipulation.

The company reportedly says it has been testing the app with Venezuelan dissidents recently.

The feature will also be built into the next version of Android — known as Android 9 or Android Pie — where it will be called Private DNS.

The app is designed for people who for one reason or another are unable to update their device’s OS.

Intra and Private DNS use “DNS over HTTPS”, an emerging protocol Google and others have been working on for a while.

As it’s non-standard, end users will have to configure their devices or Intra apps to use a DoH-compatible DNS server. The public DNS services operated by Google (8.8.8.8) and Cloudflare (1.1.1.1) are both currently compatible.

The release comes even as Google faces controversy for allegedly kowtowing to the Chinese government’s demands for censored search and news results.

You may notice that the new app is being marketed via a .org web site, rather than Google’s own .app gTLD, but intra.app takes visitors directly to the Intra page on the Google Play store.

KSK vote was NOT unanimous

Kevin Murphy, September 18, 2018, Domain Policy

ICANN’s board of directors on Sunday voted to approve the forthcoming security key change at the DNS root, but there was some dissent.

Director Avri Doria, a Nominating Committee appointee, said today that she provided the lone vote against the DNSSEC KSK rollover, which is expected to cause temporary internet access problems for potentially a couple million people next month.

I understand there was also a single abstention to Sunday’s vote.

Doria has released a dissenting statement, in which she said the absence of an external, peer-reviewed study of the risks could prove a problem.

The greatest risk is that out of the millions that will fail after the roll over, some that are serious and may even be critical, may occur; if this happens the lack of peer reviewed studies may be a liability for ICANN, perhaps not legal, but in terms of our reputation as protectors of the stability & security of internet system of names.

She added that she was concerned about the extent that the public has been notified of the rollover plan, and questioned whether the current risk mitigation plan is sufficient.

Doria said she found comments filed by Verisign (pdf) particularly informative to her eventual vote, as well as comments from the At-Large Advisory Committee (pdf), Business Constituency (pdf) and Registries Stakeholder Group (pdf).

These groups had called for more study and data, better outreach, more clearly defined success/failure benchmarks, and more delay.

Doria noted in her dissenting statement that the ICANN board did not have a chance to quiz any of the minority of the members of the Security and Stability Advisory Committee who had called for further delay.

The board’s resolution, apparently arrived at after two hours of formal in-person discussions in Brussels at the weekend, is expected to be published shortly.

The rollover, which has already been delayed a year, is now scheduled to go ahead October 11.

Any impact is expected to be felt within a couple of days, as the change ripples out across the DNS.

ICANN says that any network operator impacted by the change has a simple fix: turn off DNSSEC. Then, if they want, they can update their keys and turn it back on again.

ICANN to host DNS event in Madrid

Kevin Murphy, February 6, 2017, Domain Tech

ICANN is to hold a “DNS Symposium” in Madrid this May.

The event will “explore ICANN’s current initiatives and projects relating to DNS research, operations, threats and countermeasures and technology evolution”, according to ICANN.

It’s a one-day event, focused specifically on DNS, rather than the domain name registration business.

The Symposium immediately follows the GDD Summit, the annual ICANN industry-focused intersessional event designed for registrars, registries and the like.

The Summit runs from May 9 to 11 and the Symposium is on May 13.

Both events will be held at the Hotel NH Collection Madrid Eurobuilding in Madrid and will be webcast.

ICANN is currently looking for corporate sponsors for the Symposium.

TLD to be removed from the DNS next week

The DNS has been growing by, on average, 1.1 top-level domains per day for the last 18 months or so, but that trajectory is set to change briefly next week when a TLD is removed.

The ccTLD .an, which represented the former Netherlands Antilles territories, is expected to be retired on July 31, according to published correspondence between ICANN and the Dutch government.

Three territories making up the former Dutch colony — Sint Maarten, Curaçao, and Bonaire, Sint Eustatius and Saba — gained autonomy in 2010, qualifying them for their own ccTLDs.

They were granted .sx, .cw and .bq respectively. While the first two are live, .bq has not yet been delegated, though the Dutch government says it is close to a deal with a registry.

The Dutch had asked ICANN/IANA for a second extension to the removal deadline, to October 31, but this request was either turned down or retracted after talks at the ICANN Buenos Aires meeting.

Only about 20 registrants are still using .an, according to ICANN.

The large majority of .an names still showing up in Google redirect to other sites in .nl, .com, .sx or .cw.

.an is the second ccTLD to face removal this year after .tp, which represented Portuguese Timor, the nation now known as East Timor or Timor Leste (.tl).

Turkey blocks Google DNS in Twitter crackdown

Kevin Murphy, March 23, 2014, Domain Policy

The Turkish government has reportedly blocked access to Google’s public DNS service from within its borders, as part of its recently instituted censorship of Twitter.

According to local reports, the IP addresses 8.8.8.8 and 8.8.4.4 — Google’s public DNS servers — were banned after they became widely used to circumvent blocks on Twitter’s domain names.

Turkish prime minister Recep Tayyip Erdogan last week vowed to “wipe out” Twitter, after the company refused to take down tweets criticizing his government over corruption allegations ahead of an election next week.

Twitter is encouraging Turkish users to use SMS to send tweets instead. Many Turks are also turning to VPNs to evade this bizarre piece of Draconian censorship.

ARI expands its DNS business

Kevin Murphy, October 22, 2012, Domain Services

ARI Registry Services officially announced its aggressive targeting of the DNS services market at an event in Toronto last week.

The company says it is the named DNS provider in over 450 new gTLD applications, giving it a substantial foot in the door should they be approved by ICANN.

That’s almost three times as many applications as ARI is involved with as registry provider.

“To our competitors, we are coming for you,” a tired and emotional ARI CEO Adrian Kinderis said during the launch event at a club in Toronto last Tuesday, which DI attended.

“Bring it on,” equally tired and emotional executives from larger competitors were heard to mutter in the audience.

ARI seems to be targeting just TLD operators to begin with, while competitors such as Verisign, Neustar and Afilias also offer managed DNS to enterprises.

ARI already runs the DNS for Australia’s .au.

ZoneEdit offline for five days

Kevin Murphy, April 25, 2012, Domain Registrars

The Dotster-owned DNS service provider ZoneEdit this morning returned from an unexplained five-day outage that has left many users extremely miffed.

The interruption affected only ZoneEdit’s management interface, not its DNS resolution, so it only affected customers who needed to make changes to their zones.

Users first started reporting they couldn’t access their accounts on Friday.

I’ve reported the story for The Register here.
