Latest news of the domain name industry

Recent Posts

ICANN’s babysitting fund goes live

Kevin Murphy, October 1, 2019, Domain Policy

ICANN has started accepting applications for its childcare grants program.

As previously reported, ICANN plans to offer up to $750 per family to community members who have no choice but to show up to its meetings with their offspring in tow.

The money is designed to cover childcare costs while the parent attends sessions at ICANN’s thrice-yearly public meetings.

ICANN will not be providing any on-site childcare itself, nor will it approve any providers.

The program is in a pilot, covering the next three meetings.

The current application period, for ICANN 67 in Cancun, Mexico next March, runs until November 20. The application form wouldn’t open for me.

Full details can be found here.

PIR’s “new” .org domain is just temporary. Help it pick another new one!

Kevin Murphy, September 18, 2019, Domain Registries

Public Interest Registry unveiled a fancy new set of logos and a swanky new web site yesterday, but CEO Jon Nevett tells us that its new domain name is temporary.

The new site and logos are undeniably superior to those they replace, but what raised eyebrows was the fact that the non-profit company has replaced its old pir.org domain with thenew.org, and deprecated the PIR brand almost entirely on its site.

The old PIR domain now redirects to the new thenew one, but the older domain still ranks higher in search engines.

But Nevett tells us it’s not a permanent move.

“Think of it more as a marketing campaign,” Nevett said. “This is a limited campaign, then we’ll move to another name.”

The campaign is basically about PIR going back to its roots and repositioning itself as the .org guys.

It’s only been six years since PIR last rebranded. In September 2013, the company started calling itself “Your Public Interest Registry” in its logo, deliberately playing down the “.org”.

Then-CEO Brian Cute told us at the time that playing up .org “made a lot of sense when we were a single-product company” but that with the imminent launch of sister TLDs .ngo and .ong, the decision was made to lead with the PIR branding instead.

.ngo and .ong — for “non-governmental organization” in English and other languages — haven’t exactly flown off the shelves. Neither one has ever topped 5,000 domains under management, while .org, while declining for a few years, still sits comfortably at over 10 million domains.

“I wouldn’t say so,” Nevett said, when I asked him whether PIR is now essentially back to being a single-product company. “But .org is the flagship, and we’re going back to leading with .org as the key brand. It’s what we’re known for and to say otherwise would be silly.”

People outside the industry have no idea what PIR is, he said, but they all know what .org is.

Some suspect that the rebranding is a portent of PIR gearing up to raise prices, given its newly granted ability to up its registry fees beyond the 10% annual price increase cap that it has it has been to date contractually bound to.

But Nevett said the rebranding is “not at all related to a price increase”. He told me several times that PIR still has “no plans to raise prices”.

He said the rebranding was first put in motion over a year ago, after Cute’s departure but before Nevett’s hiring, during Jay Daley’s interim interregnum.

Anyway, here are the new logos:

PIR logos

To the untrained eye, like both of mine, the new, primary .org logo may just look like two blue circles and the word “org”, but PIR’s press release tells us it’s communicating so much more:

The open “ORG” lettering on either side of the sphere signals that .ORG is an open domain for anyone; it serves as a powerful and inclusive global connector. The logo uses a deep royal blue, evoking feelings of trust, security, and reliability that reflect .ORG’s long-standing reputation.

Because I don’t want to alienate any of PIR’s utterly lovely public relations agency people (the same PR agency that came up with the new branding), I’m not going to pass any comment whatsoever on this piffle.

I think the new logos and web site are improvements. They’re also long-term investments, while the new domain name is not.

“For three to six months we’ll be leading with the marketing campaign of thenew.org, after that we’ll be using a new name as the lead,” Nevett said.

But it won’t be back to pir.org or thenew.org, he said.

Which begs the question: what domain will PIR switch to?

During the course of our conversation, Nevett made the mistake of asking me what I thought the next domain should be, and I made the mistake of saying that I should open the question up to my readers.

So… what should PIR’s next domain be?

Be nice.

Sixty gTLD registries not monitoring security threats

Kevin Murphy, September 18, 2019, Domain Registries

Roughly 5% of gTLD registry operators have been doing no abuse monitoring, despite contractual requirements to do so, a recent ICANN audit has found.

ICANN checked with 1,207 registries — basically all gTLDs — between November 2018 and June, and found about 60 of them “were not performing any security threat monitoring, despite having domains registered in their gTLDs”.

A further 180 (15%) were not doing security checks, but had no registered domains, usually because they were unused dot-brands. ICANN told these companies that they had to do the checks anyway, to remain in compliance.

In all cases, ICANN said, the registries remediated their oversights during the audit to bring their gTLDs back into compliance.

ICANN does not name the non-compliant registries in the summary of the audit’s results, published yesterday (pdf).

Registries under the 2012 new gTLD base registry agreement all have to agree to this:

Registry Operator will periodically conduct a technical analysis to assess whether domains in the TLD are being used to perpetrate security threats, such as pharming, phishing, malware, and botnets. Registry Operator will maintain statistical reports on the number of security threats identified and the actions taken as a result of the periodic security checks. Registry Operator will maintain these reports for the term of the Agreement unless a shorter period is required by law or approved by ICANN, and will provide them to ICANN upon request.

It’s possible to keep tabs on abuse by monitoring domain blocklists such as SpamHaus, SURBL and PhishTank. Some such lists are freely available, others carry hefty licensing fees.

ICANN itself monitors these lists through its Domain Abuse Activity Reporting project, so it’s able to work out the differences between the levels of abuse registries report and what the empirical data suggests.

Registries typically either use these lists via in-house tools or license products provided by vendors such as Neustar, RegistryOffice, Knipp, CSC, DOTZON, Afnic, AusCERT, Shadowserver, Telefonica, Secure Domain Foundation and Netcraft, ICANN said.

Perhaps unsurprisingly, there’s a bit of disagreement between ICANN and some registries about how the somewhat vague obligations quote above are be interpreted.

ICANN thinks registries should have to provide information about specific domains that were identified as abusive and what remediation actions were taken, but some registries think they only have to provide aggregate statistical data (which would be my read of the language).

The contracts also don’t specify how frequently registries much carry out security reviews.

Of the 80% (965) of registries already in compliance, 80% (772) were doing daily abuse monitoring. Others were doing it weekly, monthly, or even quarterly, ICANN found, all of which appear to be in line with contractual requirements.

ICANN must do more to fight internet security threats [Guest Post]

ICANN and its contracted parties need to do more to tackle security threats, write Dave Piscitello and Lyman Chapin of Interisle Consulting.

The ICANN Registry and Registrar constituencies insist that ICANN’s role with respect to DNS abuse is limited by its Mission “to ensure the stable and secure operation of the internet’s unique identifier systems”, therefore limiting ICANN’s remit to abuse of the identifier systems themselves, and specifically excluding from the remit any harms that arise from the content to which the identifiers point.

In their view, if the harm arises not from the identifier, but from the thing identified, it is outside of ICANN’s remit.

This convenient formulation relieves ICANN and its constituencies of responsibility for the way in which identifiers are used to inflict harm on internet users. However convenient it may be, it is fundamentally wrong.

ICANN’s obligation to operate “for the benefit of the Internet community as a whole” (see Bylaws, “Commitments”) demands that its remit extend broadly to how a domain name (or other Internet identifier) is misused to point to or lure a user or application to content that is harmful, or to host content that is harmful.

Harmful content itself is not ICANN’s concern; the way in which internet identifiers are used to weaponize harmful content most certainly is.

Rather than confront these obligations, however, ICANN is conducting a distracting debate about the kinds of events that should be described as “DNS abuse”. This is tedious and pointless; the persistent overloading of the term “abuse” has rendered it meaningless, ensuring that any attempt to reach consensus on a definition will fail.

ICANN should stop using the term “DNS abuse” and instead use the term “security threat”.

The ICANN Domain Abuse Activity Reporting project and the Governmental Advisory Committee (GAC) use this term, which is also a term of reference for new TLD program obligations (Spec 11) and related reporting activities. It is also widely used in the operational and cybersecurity communities.

Most importantly, the GAC and the DAAR project currently identify and seek to measure an initial set of security threats that are a subset of a larger set of threats that are recognized as criminal acts in jurisdictions in which a majority of domain names are registered.

ICANN should acknowledge the GAC’s reassertion in its Hyderabad Communique that the set of security threats identified in its Beijing correspondence to the ICANN Board were not an exhaustive list but merely examples. The GAC smartly recognized that the threat landscape is constantly evolving.

ICANN should not attempt to artificially narrow the scope of the term “security threat” by crafting its own definition.

It should instead make use of an existing internationally recognized criminal justice treaty. The Council of Europe’s Convention on Cybercrime is a criminal justice treaty that ICANN could use as a reference for identifying security threats that the Treaty recognizes as criminal acts.

The Convention is recognized by countries in which a sufficiently large percentage domain names are registered that it can serve the community and Internet users more effectively and fairly than any definition that ICANN might concoct.

ICANN should also acknowledge that the set of threats that fall within its remit must include all security events (“realized security threats”) in which a domain name is used during the execution of an attack for purposes of deception, for infringement on copyrights, for attacks that threaten democracies, or for operation of criminal infrastructures that are operated for the purpose of launching attacks or facilitating criminal (often felony) acts.

What is that remit?

ICANN policy and contracts must ensure that contracted parties (registrars and registries) collaborate with public and private sector authorities to disrupt or mitigate:

  • illegal interception or computer-related forgery,
  • attacks against computer systems or devices,
  • illegal access, data interference, or system interference,
  • infringement of intellectual property and related rights,
  • violation of laws to ensure fair and free elections or undermine democracies, and
  • child abuse and human trafficking.

We note that the Convention on Cybercrime identifies or provides Guidance Notes for these most prevalently executed attacks or criminal acts:

  • Spam,
  • Fraud. The forms of fraud that use domain names in criminal messaging include, business email compromise, advance fee fraud, phishing or other identity thefts.
  • Botnet operation,
  • DDoS Attacks: in particular, redirection and amplification attacks that exploit the DNS
  • Identity theft and phishing in relation to fraud,
  • Attacks against critical infrastructures,
  • Malware,
  • Terrorism, and,
  • Election interference.

In all these cases, the misuse of internet identifiers to pursue the attack or criminal activity is squarely within ICANN’s remit.

Registries or registrars should be contractually obliged to take actions that are necessary to mitigate these misuses, including suspension of name resolution, termination of domain name registrations, “unfiltered and unmasked” reporting of security threat activity for both registries and registrars, and publication or disclosure of information that is relevant to mitigating misuses or disrupting cyberattacks.

No one is asking ICANN to be the Internet Police.

The “ask” is to create policy and contractual obligations to ensure that registries and registrars collaborate in a timely and uniform manner. Simply put, the “ask” is to oblige all of the parties to play on the same team and to adhere to the same rules.

This is unachievable in the current self-regulating environment, in which a relatively small number of outlier registries and registrars are the persistent loci of extraordinary percentages of domain names associated with cyberattacks or cybercrimes and the current contracts offer no provisions to suspend or terminate their operations.

This is a guest editorial written by Dave Piscitello and Lyman Chapin, of security consultancy Interisle Consulting Group. Interisle has been an occasional ICANN security contractor, and Piscitello until last year was employed as vice president of security and ICT coordination on ICANN staff. The views expressed in this piece do not necessary reflect DI’s own.

Bumper batch of dot-brands off themselves for Friday 13th

Kevin Murphy, September 12, 2019, Domain Registries

It’s Friday 13th tomorrow, and to celebrate the occasion no fewer than 13 dot-brands have opted to take the easy way out and self-terminate.

ICANN has published a bumper list of contracted brand registries that have informed the organization that they no longer wish to run their gTLDs.

Adding themselves to the dot-brand deadpool are: .ladbrokes, .warman, .cartier, .piaget, .chrysler, .dodge, .mopar, .srt, .uconnect, .movistar, .telefonica, .liason and .lancome.

That brings the total of self-terminated new gTLDs to date to 66.

The imminent demise of .cartier and .piaget is perhaps notable, as it means luxury goods maker Richemont has now abandoned ALL of the nine dot-brands it originally applied for.

Richemont, an enthusiastic early adopter of the new gTLD concept, applied for 14 strings in total back in 2012.

The only ones it has left are generics — .watches along with the the Chinese translation .手表 and the Chinese for “jewelry”, .珠宝, none of which have been launched and in all likelihood are being held defensively.

It’s the same story with L’oreal, the cosmetics company. It also applied for 14 gTLDs, mostly brands, but abandoned all but .lancome prior to contracting.

With .lancome on its way out, L’oreal only owns the generics .skin, .hair, .makeup and .beauty, at least one of which is actually being used.

Also of note is the fact the car company Chrysler is dumping five of its six gTLDs — .chrysler, .dodge, .mopar, .srt and .uconnect — leaving only .jeep (unused) still under contract.

Clearly, Chrysler is not as keen on dot-brands as some of its European competitors, which have been among the most prolific users.

Telefonica’s abandonment of .movistar and .telefonica also means it’s out of the gTLD game completely now, although its Brazilian subsidiary still owns (and uses) .vivo.

Betting company Ladbrokes only ever owned .ladbrokes, though it did unsuccessfully apply for .bet also.

Rounding off the list is .warman, a brand of — and I’m really not making this up — industrial slurry pumps. The pumps are made by a company called Weir, which uses global.weir as its primary web site. So that’s nice.

As far as I can tell, none of the gTLDs that are being killed off had ever been used, though each registry will have paid ICANN six-figure fees since they originally contracted.