Latest news of the domain name industry

Major registries posting “fabricated” Whois data

One or more of the major gTLD registries are publishing Whois query data that may be “fabricated”, according to some of ICANN’s top security minds.

The Security and Stability Advisory Committee recently wrote to ICANN’s top brass to complain about inconsistent and possibly outright bogus reporting of Whois port 43 query volumes.

SSAC said (pdf):

it appears that the WHOIS query statistics provided to ICANN by registry operators as part of their monthly reporting obligations are generally not reliable. Some operators are using different methods to count queries, some are interpreting the registry contract differently, and some may be reporting numbers that are fabricated or otherwise not reflective of reality. Reliable reporting is essential to the ICANN community, especially to inform policy-making.

SSAC says that the inconsistency of the data makes it very difficult to make informed decisions about the future of Whois access and to determine the impact of GDPR.

While the letter does not name names, I’ve replicated some of SSAC’s research and I think I’m in a position to point fingers.

In my opinion, Google, Verisign, Afilias and Donuts appear to be the causes of the greatest concern for SSAC, but several others exhibit behavior SSAC is not happy about.

I reached out to these four registries on Wednesday and have published their responses, if I received any, below.

SSAC’s concerns relate to the monthly data dumps that gTLD registries new and old are contractually obliged to provide ICANN, which publishes the data three months later.

Some of these stats concern billable transactions such as registrations and renewals. Others are used to measure uptime obligations. Others are largely of academic interest.

One such stat is “Whois port 43 queries”, defined in gTLD contracts as “number of WHOIS (port-43) queries responded during the reporting period”.

According to SSAC, and confirmed by my look at the data, there appears to be a wide divergence in how registries and back-end registry services providers calculate this number.

The most obvious example of bogosity is that some registries are reporting identical numbers for each of their TLDs. SSAC chair Rod Rasmussen told DI:

The largest issue we saw at various registries was the reporting of the exact or near exact same number of queries for many or all of their supported TLDs, regardless of how many registered domain names are in those zones. That result is a statistical improbability so vanishingly small that it seems clear that they were reporting some sort of aggregate number for all their TLDs, either as a whole or divided amongst them.

While Rasmussen would not name the registries concerned, my research shows that the main culprit here appears to be Google.

In its December data dumps, it reported exactly 68,031,882 port 43 queries for each of its 45 gTLDs.

If these numbers are to be believed, .app with its 385,000 domains received precisely the same amount of port 43 interest as .gbiz, which has no registrations.

As SSAC points out, this is simply not plausible.

A Google spokesperson has not yet responded to DI’s request for comment.

Similarly, Afilias appears to have reported identical data for a subset of its dot-brand clients’ gTLDs, 16 of which purportedly had exactly 1,071,939 port 43 lookups in December.

Afilias has many more TLDs that did not report identical data.

An Afilias spokesperson told DI: “Afilias has submitted data to ICANN that addresses the anomaly and the update should be posted shortly.”

SSAC’s second beef is that one particular operator may have reported numbers that “were altered or synthesized”. SSAC said in its letter:

In a given month, the number of reported WHOIS queries for each of the operator’s TLDs is different. While some of the TLDs are much larger than others, the WHOIS query totals for them are close to each other. Further statistical analysis on the number of WHOIS queries per TLD revealed an abnormal distribution. For one month of data for one of the registries, the WHOIS query counts per TLD differed from the mean by about +/- 1%, nearly linearly. This appeared to be highly unusual, especially with TLDs that have different usage patterns and domain counts. There is a chance that the numbers were altered or synthesized.

I think SSAC could be referring here to either Donuts or Verisign.

Looking again at December’s data, all but one of Donuts’ gTLDs reported port 43 queries between 99.3% and 100.7% of the mean average of 458,658,327 queries.

Is it plausible that .gripe, with 1,200 registrations, is getting almost as much Whois traffic as .live, with 343,000? Seems unlikely.

Donuts has yet to provide DI with its comments on the SSAC letter. I’ll update this post and tweet the link if I receive any new information.

All of the gTLDs Verisign manages on behalf of dot-brand clients, and some of its own non-.com gTLDs, exhibit the same pattern as Donuts in terms of all queries falling within +/- 1% of the mean, which is around 431 million per month.

So, as I put to Verisign, .realtor (~40k regs) purportedly has roughly the same number of port 43 queries as .comsec (which hasn’t launched).

Verisign explained this by saying that almost all of the port 43 queries it reports come from its own systems. A spokesperson told DI:

The .realtor and .comsec query responses are almost all responses to our own monitoring tools. After explaining to SSAC how Verisign continuously monitors its systems and services (which may be active in tens or even hundreds of locations at any given time) we are confident that the accuracy of the data Verisign reports is not in question. The reporting requirement calls for all query responses to be counted and does not draw a distinction between responses to monitoring and non-monitoring queries. If ICANN would prefer that all registries distinguish between the two, then it is up to ICANN to discuss that with registry operators.

It appears from the reported numbers that Verisign polls its own Whois servers more than 160 times per second. Donuts’ numbers are even larger.
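The two reporting patterns described above (identical counts across an operator's TLDs, and counts that all sit within about 1% of the operator's mean despite very different zone sizes) can be checked mechanically. The following is an added example, not SSAC's or DI's own analysis code; the operator labels, the "example" TLDs and most of the per-TLD figures are constructed, and the 1% band and 10x zone-size ratio are assumed thresholds.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample rows: (operator, tld, registered_domains, port43_queries).
# The 68,031,882 count and the 385,000 / 0 / 1,200 / 343,000 domain counts are
# the figures quoted in the article; every other value is made up for the demo.
REPORTS = [
    ("operator-a", "app", 385_000, 68_031_882),
    ("operator-a", "gbiz", 0, 68_031_882),
    ("operator-a", "example1", 12_000, 68_031_882),
    ("operator-b", "live", 343_000, 461_000_000),
    ("operator-b", "gripe", 1_200, 456_100_000),
    ("operator-b", "example2", 50_000, 458_900_000),
    ("operator-c", "example3", 200_000, 9_400_000),
    ("operator-c", "example4", 3_000, 210_000),
    ("operator-c", "example5", 40_000, 1_800_000),
]


def classify(rows, band=0.01, min_size_ratio=10):
    """Label one operator's monthly report.

    rows: list of (tld, registered_domains, port43_queries).
    band: maximum relative deviation from the mean to count as "flat".
    min_size_ratio: how far apart the largest and smallest zones must be
        before a flat band is considered implausible (assumed threshold).
    """
    if len(rows) < 2:
        return "insufficient-data"
    queries = [q for _, _, q in rows]
    sizes = [d for _, d, _ in rows]
    # Pattern 1: the exact same number reported for every TLD.
    if len(set(queries)) == 1:
        return "identical"
    # Pattern 2: every count within +/- band of the mean, even though the
    # zones differ in size by an order of magnitude or more.
    avg = mean(queries)
    max_dev = max(abs(q - avg) / avg for q in queries)
    size_ratio = max(sizes) / max(min(sizes), 1)  # treat empty zones as size 1
    if max_dev <= band and size_ratio >= min_size_ratio:
        return "flat-band"
    return "varies"


def audit(reports):
    """Group rows by operator and return {operator: label}."""
    by_operator = defaultdict(list)
    for operator, tld, domains, queries in reports:
        by_operator[operator].append((tld, domains, queries))
    return {op: classify(rows) for op, rows in by_operator.items()}


def queries_per_second(monthly_queries, days=31):
    """Average query rate implied by a monthly total (December has 31 days)."""
    return monthly_queries / (days * 86_400)


if __name__ == "__main__":
    for operator, label in audit(REPORTS).items():
        print(operator, label)
    print(round(queries_per_second(431_000_000), 1), "queries/sec")
```

A "flat-band" or "identical" label only says the report is inconsistent with per-TLD demand; as Verisign's explanation shows, the cause can be monitoring traffic counted in the total rather than invented numbers.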

I would guess, based on the huge volumes of queries being reported by other registries, that this is common (but not universal) practice.

SSAC said that it approves of the practice of monitoring port 43 responses, but it does not think that registries should aggregate their own internal queries with those that come from real Whois consumers when reporting traffic to ICANN.

Either way, it thinks that all registries should calculate their totals in the same way, to make apples-to-apples comparisons possible.

Afilias’ spokesperson said: “Afilias agrees that everyone should report the data the same way.”

As far as ICANN goes, its standard registry contract is open to interpretation. It doesn’t really say why registries are expected to collect and supply this data, merely that they are obliged to do so.

The contracts do not specify whether registries are supposed to report these numbers to show off the load their servers are bearing, or to quantify demand for Whois services.

SSAC thinks it should be the latter.

You may be thinking that the fact that it’s taken a decade or more for anyone to notice that the data is basically useless means that it’s probably not all that important.

But SSAC thinks the poor data quality interferes with research on important policy and practical issues.

It’s rendered SSAC’s attempt to figure out whether GDPR and ICANN’s Temp Spec have had an effect on Whois queries pretty much futile, for example.

The meaningful research in question also includes work leading to the replacement of Whois with RDAP, the Registration Data Access Protocol.

Finally, there’s the looming possibility that ICANN may before long start acting as a clearinghouse for access to unredacted Whois records. If it has no idea how often Whois is actually used, that’s going to make planning its infrastructure very difficult, which in turn could lead to downtime.

Rasmussen told DI: “Our impression is that all involved want to get the numbers right, but there are inconsistent approaches to reporting between registry operators that lead to data that cannot be utilized for meaningful research.”

Brand-blocking service plotted for porn gTLDs

MMX wants to offer a new service for trademark owners worried about cybersquatting in its four porn-themed gTLDs.

The proposed Adult Block Services would be similar to Donuts’ groundbreaking Domain Protected Marks List and the recent Trademark Sentry offering from .CLUB Domains.

The service would enable big brands to block their marks from registration across all four TLDs for less than the price of individual defensive registrations.

Prices have not been disclosed, but a more-expensive “Plus” version would also allow the blocking of variants such as typos. The registry told ICANN:

The Adult Block Services will be offered as a chance for trademark owners to quickly and easily make labels unavailable for registration in our TLDs. For those trademark owners registering domain names as a defensive measure only, the Adult Block Services offer an easy, definitive, and cost-effective method for achieving their goals by offering at-a-stroke protection for TLDs included in the program. The Adult Block Services are similar to the Donuts’ DPML, Uniregistry’s EP and EP Plus and the .Club UNBS and should be immediately understood and accepted by the trademark community.

The Adult Block will allow trademark owners to block unregistered labels in our TLDs that directly match their trademarks. The Adult Block Plus will allow trademark owners to block unregistered, confusingly similar variations of their trademarks in our TLDs.

It seems more akin to DPML, and Uniregistry’s recently launched clone, than to .CLUB’s forthcoming single-TLD offering.

The Registry Service Evaluation Process request was filed by ICM Registry, which was acquired by MMX last year.

It only covers the four porn gTLDs that ICM originally ran, and not any of the other 22 gTLDs managed by MMX (aka Minds + Machines).

This will certainly make the service appear less attractive to the IP community than something like DPML, which covers Donuts’ stable of 242 TLDs.

While there’s no public data about how successful blocking services have been, anecdotally I’m told they’re quite popular.

What we do have data on is how popular the ICM gTLDs have been in sunrise periods, where trademark owners showed up in higher-than-usual numbers to defensively register their marks.

.porn, .adult and .sex garnered about 2,000 sunrise regs each, more than 20 times the average for a new gTLD, making them three of the top four most-subscribed sunrise periods.

Almost one in five of the currently registered domains in each of these TLDs is likely to be a sunrise defensive.

Now that sunrise is long gone, there may be an appetite in the trademark community for less-expensive blocks.

But there have been calls for the industry to unify and offer blocking services to cover all gTLDs.

The brand-protection registrar Com Laude recently wrote:

What brands really need is for registry operators to come together and offer a universal, truly global block that applies across all the open registries and at a reasonable price that a trademark owner with multiple brands can afford.

Quite how that would happen across over 1,200 gTLDs is a bit of a mystery, unless ICANN forced such a service upon them.

.CLUB to let brands block “trillions” of domains for $2,000

.CLUB Domains has launched a service for trademark owners that will enable them to block an essentially infinite number of potential cybersquats for a $2,000 payment every three years.

But the restrictions in place to avoid false positives mean that some of the world’s most recognizable brands would not be eligible to use it.

The service is called Trademark Sentry. In February, .CLUB asked ICANN for approval to launch it under the name Unlimited Name Blocking Service.

It’s cast by the registry roughly as a kind of clone of Donuts’ five-year-old Domain Protected Marks List, which enables brands to block their marks across Donuts’ entire portfolio of 242 gTLDs for far less than they would pay defensively registering 242 domains individually.

But while Donuts has a massive stable of TLDs, .CLUB is a one-horse town, so what’s going on?

Based on promotional materials .CLUB sent me, it appears that Trademark Sentry is primarily a way to reduce not defensive registration costs but rather UDRP costs.

Instead of blocking a single trademarked string across a broad portfolio of TLDs — for example google.ninja, google.bike, google.guru, google.charity… — the .CLUB service allows brands to block any domain that contains that string in a single TLD.

For example, Google could pay .CLUB $2,000, and for the next three years it would be impossible for anyone to register any .club domain that contained the substring “google”.

Any potential cybersquatter who went to a registrar and tried to register domains such as “mygooglesearch.club” or “googlefootball.club” or “bestgoogle.club” or “xreegtegooglefwrreed.club” would be told by the registrar that the domain was unavailable.

It would be blocked at the registry level, because it contained the blocked string “google”.

Customers will be able to add typos to the blocklist for a 50% discount.

To the best of my knowledge, this is not a service currently offered by any other gTLD registry.

It’s precisely the kind of thing that the IP lobby at ICANN was crying out for — albeit without the obligation to pay for it — prior to the 2012 application round.

.CLUB reckons it’s a money-saver for brand owners who find themselves filing lots of UDRP complaints.

UDRP complaints cost at least $1,500, just for the filing fees with outfits such as WIPO. They can cost many hundreds more in lawyers’ fees.

Basically, if you expect your brand will be hit by at least one UDRP in .club in the next three years, $2,000 might look like a decent investment.

.club domains have been subject to 279 UDRP complaints over the last five years, according to UDRPSearch.com.

But .CLUB has put in place a number of restrictions that are likely to seriously restrict its potential customer base.

First, the trademark will have to be “fanciful”. The registry says:

To qualify for Unlimited Name Blocking a trademark must be fanciful as defined by the USPTO and meet the .CLUB Registry’s additional requirements and subject to the .CLUB Registry’s discretion. Marks that are not fanciful but when combined with another word become sufficiently unique may be allowed.

“Apple” would not be permitted, but “AppleComputer” might be.

.CLUB told me that any trademark that, if blocked, would prevent non-infringing uses of the string would also not qualify for the service.

If you look at a UDRP-happy brand like Lego, which has already filed several complaints about alleged cybersquats in .club, it would certainly not qualify. Too many words end in “le” and begin with “go” for .CLUB to block every domain containing “lego”.

Similarly, Facebook would likely not qualify because one can imagine non-infringing uses such as facetofacebookmakers.club. Twitter is a dictionary word, as is Coke. Pepsi is a substring of dyspepsia. Amazon is primarily a geographic term. McDonald’s is derived from a common surname, as are Cartier and Heinz.

For at least half of the famous brands that pop into my head, I can think of a reason they will probably not be allowed to use this service.

.CLUB also won’t allow trademarks shorter than five characters.

Still, for those brands that do qualify, and do have an aggressive UDRP-based enforcement policy, the service seems to be priced at a point where an ROI case can be made.

Like Donuts’ DPML domains, anything blocked under Trademark Sentry is not going to show up in zone files, so we’re not going to have any objective data with which to monitor its success.

Donuts acquires its 242nd gTLD

Kevin Murphy, April 29, 2019, Domain Registrars

Donuts, the registry with the largest stable of new gTLDs, has added its 242nd string to its bow.

The company seems to have acquired .contact from, nominally at least, smaller portfolio rival Top Level Spectrum.

The ICANN contract for the gTLD was transferred to one of Donuts’ subsidiaries a couple weeks ago.

According to TLS CEO Jay Westerdal, while TLS was the signatory of the contract the “economic owner” of the TLD was Whitepages.com, an online directory services provider, which paid for the original uncontested .contact application.

Whitepages.com doesn’t appear in the application, the registry agreement, or the IANA records. I was unaware of the connection until today.

Despite being in the root since December 2015, .contact never actually launched. Donuts has not yet filed its launch dates with ICANN either, but it’s usually fairly speedy about pumping out strings.

Oh, the irony! Banned anti-Islam activist shows up on “Turkish” new gTLD domain

Kevin Murphy, April 23, 2019, Domain Policy

Tommy Robinson, who has been banned from most major social media platforms due to his anti-Islam “hate speech”, is now conducting business via a domain name that some believe rightfully belongs to the Muslim-majority nation of Turkey.

The registration could add fuel to the fight between ICANN and its governmental advisers over whether certain domains should be blocked or restricted.

Robinson, the nom de guerre of the man born Stephen Yaxley-Lennon, is the founder and former leader of the far-right English Defence League and known primarily for stirring up anti-Muslim sentiment in the UK for the last decade.

He’s currently, controversially, an adviser to the UK Independence Party. Former UKIP leader Nigel Farage, also a thoroughly unpleasant bloke, considers Robinson so far to the right he quit the party in response to the appointment.

Over the last year, Robinson has been banned from Twitter, Facebook and Instagram, and had his YouTube account placed under serious restrictions. This month, he was also banned from SnapChat, and the EDL he used to lead was among a handful of far-right groups banned from Facebook.

Since his personal Facebook page went dark in February, he’s been promoting his new web site as the primary destination for his supporters.

It features news about his activities — mainly his ongoing fights against social media platforms and an overturned contempt of court conviction in the UK — as well as summaries of basically any sufficiently divisive anti-Islam, anti-immigration, or pro-Brexit stories his writers come across.

The domain he’s using is tr.news, a new gTLD domain in a Donuts-owned registry. It was registered in December via GoDaddy.

Given it’s a two-character domain, it will have been registry-reserved and would have commanded a premium price. Other two-character .news domains are currently available on GoDaddy for between $200 and $10,000 for the first year.

It will come as no surprise at all for you to learn that the domain was transferred out of GoDaddy, which occasionally kicks out customers with distasteful views, to Epik, now de facto home of those with far-right views, a couple of weeks after the web site launched.

The irony of the choice of domain is that many governments would claim that tr.news — indeed any two-character domain, in any gTLD, which matches any country-code — rightfully belongs to Turkey, a nation of about 80 million nominal Muslims.

TR is the ISO 3166-1 two-character code for Turkey, and until a couple of years ago new gTLD registries were banned from selling any of these ccTLD-match two-letter domains, due to complaints from ICANN’s Governmental Advisory Committee.

Many governments, including the UK and US, couldn’t care less who registers their matching domain. Others, such as France, Italy and Israel, want bans on specific domains such as it.pizza and il.army. Other countries have asked for blanket bans on their ccTLD-match being used at all, in any gTLD.

When new gTLDs initially launched in 2012, all ccTLD matches were banned by ICANN contract. In 2014, ICANN introduced a cumbersome government-approval system under which governments had to be consulted before their matches were released for registration.

Since December 2016, the policy (pdf) has been that registries can release any two-letter domains, subject to a provision that they not be used by registrants to falsely imply an affiliation with the country or registry with the matching ccTLD.

Robinson is certainly not making such an implication. I imagine he’d be as surprised as his readers to learn that his new domain has a Turkish connection. It’s likely the only people who noticed are ICANN nerds and the Turkish themselves.

Would the Turkish people look at tr.news and assume, from the domain alone, that it had some connection to Turkey? I think many would, though I have no idea whether they would assume it was endorsed by the government or the ccTLD registry.

Would Turkey — a government whose censorship regime makes Robinson’s social media plight look like unbounded liberalism — be happy to learn the domain matching its country code is being used primarily to deliver divisive content about the coreligionists of the vast majority of its citizens? Probably not.

But under current ICANN policy it does not appear there’s much that can be done about it. If Robinson is not attempting to pass himself off as an affiliate of the Turkish government or ccTLD registry, there’s no avenue for complaint.

However, after taking the cuffs off registries with its December 2016 pronouncement, allowing them to sell two-letter domains with barely any restrictions, ICANN has faced continued complaints from the GAC — complaints that have yet to be resolved.

The GAC has been telling ICANN for the last two years that some of its members believe the decision to release two-character names went against previous GAC advice, and ICANN has been patiently explaining the process it went through to arrive at the current policy, which included taking GAC advice and government comments into account.

In what appears to be a kind of peace offering, ICANN recently told the GAC (pdf) that it is developing an online tool that “will provide awareness of the registration of two-character domains and allow for governments to report concerns”.

The GAC, in its most-recent communique, told ICANN its members would test the tool and report back at the public meeting in Montreal this November.

The tool was not available in December, when tr.news was registered, so it’s not clear whether Turkey will have received a formal notification that its ccTLD-match domain is now registered, live, and being used to whip up mistrust of Muslims.

Update April 30: ICANN informs me that the tool has been available since February, but that it does not push notifications to governments. Rather, governments can search to see in which gTLDs their two-letter codes have been registered.