Latest news of the domain name industry

Recent Posts

Data beats Merdinger to head universal acceptance group

Kevin Murphy, March 12, 2019, Domain Policy

Email entrepreneur and internationalized domain name expert Ajay Data has been named as the new chair of the group that is struggling to promote the universal acceptance of top-level domains across the internet.

Data, who replaces Afilias COO Ram Mohan after a four-year term, beat GoDaddy’s VP of domains Rich Merdinger in a secret ballot of the Universal Acceptance Steering Group this week.

The number of votes each candidate received were not disclosed.

India-based Data is founder and CEO of Xgenplus, a developer of enterprise email servers with a focus on support for non-Latin scripts and internationalized domain names.

He’s been intimately involved in all things IDN for many years.

The UASG is an independent group, which receives funding from ICANN, dedicated to reaching out to software and web site developers to ensure their systems can support domain names in all scripts, including IDNs, as well as raise awareness of new gTLDs.

Verisign gets approval to sell O.com for $7.85

ICANN is to grant Verisign the right to sell a single-character .com domain name for the first time in over 25 years.

The organization’s board of directors is due to vote next Thursday to approve a complex proposal that would see Verisign auction off o.com, with almost all of the proceeds going to good causes.

“Approval of Amendment to Implement the Registry Service Request from Verisign to Authorize the Release for Registration of the Single-Character, Second-Level Domain, O.COM” is on the consent agenda for the board’s meeting at the conclusion of ICANN 64, which begins Saturday in Kobe, Japan.

Consent agenda placement means that there will likely be no further discussion — and no public discussion — before the board votes to approve the deal.

Verisign plans to auction the domain to the highest bidder, and then charge premium renewal fees that would essentially double the purchase price over a period of 25 years.

But the registry, already under scrutiny over its money-printing .com machine, would be banned from profiting from the sale.

Instead, Verisign would only receive its base registry fee — currently $7.85 per year — with the rest being held by an independent third party that would distribute the funds to worthy non-profit causes.

ICANN had referred the Verisign proposal, first put forward in December 2016, to the US government, and the Department of Justice gave it the nod in December 2017.

There was also a public comment period last May.

The request almost certainly came about due to Overstock.com’s incessant lobbying. The retailer has been obsessed with obtaining o.com for well over a decade, but was hamstrung by the legacy policy, enshrined in the .com registry agreement, that forbids the sale of single-character domains.

Whoever else wants to buy o.com, they’ll be bidding against Overstock, which has a trademark.

It’s quite possible nobody else will bid.

When Overstock briefly rebranded as O.co several years ago — it paid $350,000 for that domain — it said it saw 61% of its traffic going to o.com instead.

All single-character .com names that had not already been registered were reserved by IANA for technical reasons in 1993, well before ICANN took over DNS policy.

Today, only q.com, z.com and x.com are registered. Billionaire Elon Musk, who used x.com to launch PayPal, reacquired that domain for an undisclosed sum in 2017. GMO Internet bought z.com for $6.8 million in 2014.

With the sale of o.com now a near certainty, it is perhaps only a matter of time before more single-character .com names are also released.

No gTLD approved after 2012 has a restriction on single-character domains.

As a matter of disclosure: several years ago I briefly provided some consulting/writing services to a third party in support of the Verisign and Overstock positions on the release of single-character domain names, but I have no current financial interest in the matter.

Trademark posse fails to block Whois privacy policy

Kevin Murphy, March 5, 2019, Domain Policy

The ICANN community’s move to enshrine Whois privacy into formal consensus policy is moving forward, despite votes to block it by intellectual property interests.

During a special meeting yesterday, the GNSO Council voted to approve a set of recommendations that would (probably) bring ICANN’s Whois policy into compliance with the General Data Protection Regulation.

But four councilors — Paul McGrady and Flip Petillion of the Intellectual Property Constituency and Marie Pattullo and Scott McCormick of the Business Constituency — voted against the compromise deal.

Their downvotes were not enough to block it from passing, however. It has now been opened for a month of public comments before being handed to the ICANN board of directors for final approval, whereupon it will become ICANN’s newest consensus policy and binding on all contracted parties.

McGrady, an lawyer with Winston Strawn, claimed that the Expedited Policy Development Process working group that came up with the recommendations failed to reach the level of consensus that it had claimed.

“The consensus call was broken,” he said, adding that the EPDP’s final report “reflects consensus where there really wasn’t any.”

The GNSO was due to vote 10 days ago, but deferred the vote at the request of the IPC and BC. McGrady said that both groups had tried to muster up support in their communities for a “yes” vote in the meantime, but “just couldn’t get there”.

Speaking for the BC from a prepared statement, Pattullo (who works for European brand protection group AIM) told the Council:

The report is a step backwards for BC members’ interests compared to the Temp Spec, especially as the legitimate purposes for collecting and processing data are insufficiently precise, and do not include consumer protection, cybercrime, DNS abuse and IP protection.

The Temp Spec is the Temporary Specification currently governing how registries and registrars collect and publish Whois data. It was created as an emergency measure by the ICANN board and is due to expire in May, where it will very probably be replaced by something based on the EPDP recommendations.

In response to the IPC/BC votes, Michele Neylon of the Registrars Constituency and Ayden Férdeline of the Non-Commercial Stakeholders Group read statements claiming that trademark interests had been given substantial concessions during the EPDP talks.

Neylon in particular had some harsh words for the holdout constituencies, accusing them of “bad faith” and pointing out that the EPDP spent thousands of hours discussing its recommendations.

“Our members would want any number of obligations this report contains to be removed, but despite the objections we voiced our support for the final product as a sign of compromise and support for the entire multistakeholder model,” he said.

“Given the objections of certain parts of the community it’s unclear how we can ask this group to carry on with the next phase of its work at the same pace,” he said. “Given the unwillingness of others to participate and negotiate in good faith, how can we ask our reps to spend hours compromising on this work when it’s clear others will simply wait until the last minute and withdraw their consent for hard-fought compromise.”

The EPDP had a hard deadline due to the imminent expiration of the Temp Spec, but that’s not true of its “phase two” work, which will explore possible ways trademark enforcers could get access to redacted private Whois data.

Unfortunately for the IP lobby, there’s a very good chance that this work is going to proceed at a much slower pace than phase one, which wrapped up in basically six months.

During yesterday’s Council call, both Neylon and NCSG rep Tatiana Tropina said that the dedication required of volunteers in phase one — four to five hours of teleconferences a week and intensive mailing list discussions — will not be sustainable over phase two.

They simply won’t be able to round up enough people with enough time to spare, they said.

Coincidentally, neither the registrars nor the non-coms have any strong desire to see a unified access solution developed any time soon, so a more leisurely pace suits them politically too.

It will be up to the EPDP working group, and whoever turns out to be its new chair, to figure out the timetable for the phase two work.

Internet to lose its .co.ck? Cook Islands mulls name change

The government of the Cook Islands is reportedly thinking about changing its name, putting a question mark over the long-term longevity of its .ck top-level domain.

The AFP is reporting that an exploratory committee has been set up to pick a new name for the country, which is currently named after British explorer James Cook.

The new name would be in the local language, Cook Islands Maori, but would also reflect the country’s Polynesian heritage and “strong Christian belief”, AFP reports.

The Cook Islands is in the Pacific Ocean, about 3,000km from New Zealand. It gained independence in 1965 but retains strong ties to NZ. It has about 12,000 citizens.

Telecom Cook Islands has been running its ccTLD, .ck, since 1995. Registrations, which are a few hundred bucks a year, are only possible at the third level, under .co.ck, .org.ck and so on.

It appears from reporting that any formal name change is still a long way off, but it seems possible that a change of name could well lead to a change of ISO 3166-1 string and therefore a change of ccTLD.

As I explained in my post about the possible loss of .io last week, any such change would take years to roll through the ICANN system. Nobody would lose their domains overnight.

But perhaps the most famous .ck domain appears to have already gone dormant.

Fictional mid-noughties hipster Nathan Barley, antihero of the Charlie Brooker sitcom of the same name, owned trashbat.co.ck, as the opening shot of the show established.

Trashbat

Sadly, that domain, which unlike clownpenis.fart actually existed and was used to promote the short-lived series, appears to stop resolving three or four years ago.

Phishing still on the decline, despite Whois privacy

Kevin Murphy, March 5, 2019, Domain Policy

The number of detected phishing attacks almost halved last year, despite the fact that new Whois privacy rules have made it cheaper for attackers to hide their identities.

There were 138,328 attacks in the fourth quarter of 2018, according to the Anti-Phishing Working Group, down from 151,014 in Q3, 233,040 in Q2, and 263,538 in Q1.

That’s a huge decline from the start of the year, which does not seem to have been slowed up by the introduction in May of the General Data Protection Regulation and ICANN’s Temp Spec, which together force the redaction of most personal data from public Whois records.

The findings could be used by privacy advocates to demonstrate that Whois redaction has not lead to an increase in cybercrime, as their opponents had predicted.

But the data may be slightly misleading.

APWG notes that it can only count the attacks it can find, and that phishers are becoming increasingly sophisticated in how they attempt to avoid detection. The group said in a press release:

There is growing concern that the decline may be due to under-detection. The detection and documentation of some phishing URLs has been complicated by phishers obfuscating phishing URLs with techniques such as Web-spider deflection schemes – and by employing multiple redirects in spam-based phishing campaigns, which take users (and automated detectors) from an email lure through multiple URLs on multiple domains before depositing the potential victim at the actual phishing site.

It also speculates that criminals once involved in phishing may have moved on to “more specialized and lucrative forms of e-crime”.

The Q4 report (pdf) also breaks down phishing attacks by TLD, though comparisons here are difficult because APWG doesn’t always release this data.

The group found .com to still have the most phishing domains — 2,098 of the 4,485 unique domains used in attacks, or about 47%. According to Verisign’s own data, .com only has 40% market share of total registered domains.

But new, 2012-round gTLDs had phishing levels below their market share — 4.95% of phishing on a 6.83% share. This is actually up compared to the 3% recorded by APWG in Q3 2017, the most recent available data I could find.

Only two of the top 20 most-abused TLDs were new gTLDs — .xyz and .online, which had just 70 attack domains between them. That’s good news for .xyz, which in its early days saw 10 times as much phishing abuse.

After .com, the most-abused TLD was .pw, the ccTLD for Palau run by Radix as an unrestricted pseudo-gTLD. It had 374 attack domains in Q4, APWG said.

Other ccTLDs with relatively high numbers included several African zones run as freebies by Freenom, as well as the United Kingdom’s .uk and Brazil’s .br.

Phishing is only one form of cybercrime, of course, and ICANN’s own data shows that when you take into account spam, new gTLDs are actually hugely over-represented.

According to ICANN’s inaugural Domain Abuse Activity Reporting report (pdf), which covers January, over half of cybercrime domains are in the new gTLDs.

That’s almost entirely due to spam. One in 10 of the threats ICANN analyzed were spam, as identified by the likes of SpamHaus and SURBL. DAAR does not include ccTLD data.

The takeaway here appears to be that spammers love new gTLDs, but phishers are far less keen.

ICANN did not break down which gTLDs were the biggest offenders, but it did say that 52% of threats found in new gTLDs were found in just 10 new gTLDs.

This reluctance to name and shame the worst offenders prompted one APWG director, former ICANN senior security technologist Dave Piscitello, to harshly criticize his former employer in a personal blog post last month.

Registrars given six months to deploy Whois killer

Kevin Murphy, March 1, 2019, Domain Policy

ICANN has started the clock ticking on the mandatory industry-wide deployment of RDAP.

gTLD registries and registrars have until August 26 this year to roll out RDAP services, which will one day replace the age-old Whois spec, ICANN said this week.

Registration Data Access Protocol fulfills the same function as Whois, but it’s got better support for internationalization and, importantly given imminent work on Whois privacy, tiered access to data.

ICANN’s RDAP profile was created in conjunction with contracted parties and public comments. The registries and registrars knew it was coming and told ICANN this week that they’re happy for the 180-day implementation deadline to come into effect.

The profile basically specs out what registrars and registries have to show in their responses to Whois (or RDAP, if you’re being pedantic) queries.

It’s based on the current Temporary Specification for Whois, and will presumably have to be updated around May this year, when it is expected that the Temp Spec will be replaced by the spec created by the Whois EPDP.

ICANN pushes IANA under Conrad

Kevin Murphy, February 27, 2019, Domain Policy

ICANN chief technology officer David Conrad is now “overseeing” the IANA part of the organization, ICANN has announced.

It doesn’t appear to be a promotion or change of job titles as much as a reporting structure adjustment made in the wake of a change of management at the Global Domains Division.

Kim Davies is still vice president of IANA, and president of Public Technical Identifiers, as IANA is often referred to nowadays.

Previously, Davies reported to the president of GDD, now he’s reporting to Conrad.

After Akram Atallah left GDD to run Donuts, Conrad and Atallah’s eventual permanent replacement, Cyrus Namazi, split his duties on an interim basis.

It appears that the announcement of Conrad’s new duties merely formalizes that arrangement.

It makes a lot more sense to have the largely technical IANA functions under the jurisdiction of the CTO, rather than the gTLD-centric Global Domains Division, if you ask me.

UN ruling may put .io domains at risk

Kevin Murphy, February 25, 2019, Domain Policy

The future of .io domains may have been cast into doubt, following a ruling from the UN’s highest court.

The International Court of Justice this afternoon ruled (pdf) by a 13-1 majority that “the United Kingdom is under an obligation to bring to an end its administration of the Chagos Archipelago as rapidly as possible”.

The Chagos Archipelago is a cluster of islands that the UK calls the British Indian Ocean Territory.

It was originally part of Mauritius, but was retained by the UK shortly before Mauritius gained independence in 1968, so a strategic US military base could be built on Diego Garcia, one of the islands.

The native Chagossians were all forcibly relocated to Mauritius and the Seychelles over the next several years. Today, most everyone who lives there are British or American military.

But the ICJ ruled today, after decades of Mauritian outrage, that “the process of decolonization of Mauritius was not lawfully completed when that country acceded to independence in 1968, following the separation of the Chagos Archipelago”.

So BIOT, if the UK government follows the ruling, may cease to exist in the not-too-distant future.

BIOT’s ccTLD is .io, which has become popular with tech startups over the last few years and has over 270,000 domains.

It’s run by London-based Internet Computer Bureau Ltd, which Afilias bought for $70 million almost two years ago.

Could it soon become a ccTLD without a territory, leaving it open to retirement and removal from the DNS root?

It’s not impossible, but I’ll freely admit that I’m getting into heavy, early speculation here.

There are a lot of moving parts to consider, and at time of writing the UK government has not even stated how it will respond to the non-binding ICJ ruling.

Should the UK abide by the ruling and wind down BIOT, its IO reservation on the ISO 3166-1 alpha-2 list could then be removed by the International Standards Organisation.

That would mean .io no longer fits the ICANN criteria for being a ccTLD, leaving it subject to forced retirement.

Retired TLDs are removed from the DNS root, meaning all the second-level domains under them stop working, obviously.

It’s not entirely clear how this would happen. ICANN’s Country Code Names Supporting Organization has not finished work on its policy for the retirement of ccTLDs.

TLDs are certainly not retired overnight, without the chance of an orderly winding-down.

Judging by the current state of ccNSO discussions, it appears that ccTLDs could in future be retired with or without the consent of their registry, with a five-to-10-year clock starting from the string’s removal from the ISO 3166-1 list.

Under existing ICANN procedures, I’m aware of at least two ccTLDs that have been retired in recent years.

Timor-Leste was given .tl a few years after it rebranded from Portuguese Timor, and .tp was removed from the DNS a decade later. It took five years for .an to be retired after the Netherlands Antilles’ split into several distinct territories in 2010.

But there are also weird hangers-on, such as the Soviet Union’s .su, which has an “exceptional reservation” on the ISO list and is still active (and inexplicably popular) as a ccTLD.

As I say, I’m in heavy speculative territory when it comes to .io, but it strikes me that not many registrants will consider when buying their names that the territory their TLD represents may one day simple poof out of existence at the stroke of a pen.

Afilias declined to comment for this article.

Updated: More .amazon delay as governments cancel talks

Kevin Murphy, February 25, 2019, Domain Policy

The future of Amazon’s bid for .amazon has been cast into more doubt after South American governments cancelled talks with ICANN.

The new secretary general of the Amazon Cooperation Treaty Organization, Alexandra Moreira, wrote to ICANN CEO Göran Marby February 13 to call off a meeting that had been planned to take place in Brasilia, February 19.

She blamed unspecified “unavoidable circumstances” for the cancellation, but insisted it was unrelated to the .amazon issue.

“It is necessary to clarify that the above mentioned circumstances have no connection whatsoever with neither the substance nor the agenda of the postponed meeting,” she wrote.

I believe the cancellation is related to the ongoing political instability in ACTO member Venezuela, which has recently spilled onto its borders with fellow members Brazil and Colombia.

Moreira reiterated that ACTO remains committed to talks to get the .amazon impasse resolved.

The cancellation of the February 19 meeting causes timing issues for ICANN’s board of directors, which has promised to vote on the .amazon applications at its meetings in Kobe, Japan, at ICANN 64, which kicks off in less than two weeks.

Brazilian Governmental Advisory Committee representative Achilles Zaluar has meanwhile reached out to Marby to request a delay of this decision until ICANN 65, which takes place in June.

Eight-nation ACTO is unhappy with Amazon’s encroachment onto what it sees as its geographic name rights, even though the Amazon region is typically known as Amazonia locally.

Amazon has offered to protect culturally sensitive terms at the second level and to support future efforts to secure a .amazonia TLD.

But its latest offers have still not been formally presented to and discussed with ACTO.

This post was updated an hour after publication to provide additional context to the cancellation.

Expect more Whois accuracy emails under new ICANN policy

Kevin Murphy, February 25, 2019, Domain Policy

Registrars will be obliged to send out even more Whois accuracy emails, under a set of recommendations being considered in ICANN.

Assuming recent recommendations out of the Whois policy working group are accepted, every registrant of a gTLD domain with something listed in the “Organization” field will receive a one-off mail from their registrar asking them to confirm its accuracy.

It’s Recommendation 12 of the EPDP Team Final Report, which was published last week (pdf) by ICANN’s first Expedited Policy Development Process working group.

In general, the Organization field would be redacted in the public Whois under the proposed policy, but registrants will be proactively asked if they want to opt in to having it published.

While registrars can pick their own methods to conduct this outreach, email seem like the most likely medium in the vast majority of cases.

These mails would be sent out the registrants of the over 192 million gTLD domains (if they have something in their Org field) at some point between May 2019, when ICANN is likely to formally adopt the policy, and February 29, 2020, which is EPDP group’s recommended implementation deadline.

In theory, the Org field is perhaps the main indicator of whether a domain is registered to a natural person (and therefore subject to the General Data Protection Regulation) or a legal person (and therefore not).

But it’s not uncommon for registrants or registrars to simply populate the field with the name of the natural-person registrant, even when there’s no actual organization involved.

That’s a GDPR problem, as it means personally identifiable information could leak into the public Whois.

Under the EPDP’s recommendation, registrars would be obliged to reach out to their customers to confirm whether the contents of their Org field are correct, and to ask whether they want that information to be made public.

Opting in would mean the registrar would begin to publish Org data in the public Whois. Ignoring the email or actively refusing publication would mean your registrar would redact or delete this field.

After this mass outreach has finished, registrars would stop redacting the Org field, unless the registrant has not consented to its publication.

For new registrations, registrars would have to show you a prominent warning that the Org data will be published and get your consent for it to do so.

The recommendation is among 29 that were arrived at following over six months of intensive discussions in the EPDP group.

Others we’ve previously reported on include the total elimination of the Admin Contact, making the Technical Contact both smaller and completely optional, and the mandatory introduction of an anonymous means for Whois users to contact registrants.

The recommendations have been submitted to the GNSO Council, which will vote on them March 4.

The EPDP report will then be opened for 30 days of public comment, before being sent to the ICANN board of directors for a full, final vote.

The policy will replace the current Temporary Specification governing Whois, which the board rushed through on an emergency basis last May in order to make the DNS ecosystem as GDPR-compliant as possible when the EU law came into effect.

The EPDP group is expected to shortly enter “phase two” of its work, which will look at whether there should be a unified access mechanism for security and intellectual property interests to snoop on otherwise private Whois data.