Latest news of the domain name industry

Recent Posts

Double-charging claims as registries ramp up new gTLD refund demands

Kevin Murphy, October 10, 2017, Domain Registries

Registry operators have stepped up demands for ICANN to dip into its $100 million new gTLD cash pile to temporarily lower their “burdensome” accreditation fees.

A new missive from the Registries Stakeholder Group to ICANN this week also introduces a remarkable claim that ICANN may have “double charged” new gTLD applications to the tune of potentially about $6 million.

The RySG wants ICANN to reduce the quarterly fixed fees new gTLD registries must pay by 75% from the current $6,250, for a year, at a cost to ICANN of $16.87 million.

ICANN still has roughly $96 million in leftover money from the $185,000 per-TLD application fees paid in 2012, roughly a third of which had been earmarked for unexpected expenses.

When Global Domains Division president Akram Atallah refused this request in August, he listed some of the previously unexpected items ICANN has had to pay for related to the program, one of which was “implementation of the Trademark Clearinghouse”.

But in last week’s letter (pdf), the RySG points out that each registry was already billed an additional $5,000 fee specifically to set up the TMCH.

Your letter states that registry operators knew about the fee structure from the start and implies that changes of circumstance should be irrelevant. The TMCH charge, however, was not detailed in the applicant guidebook. ICANN added it on its own after all applications were accepted and without community input. Therefore, ICANN is very much in a position to refund registry operators for this overcharge, and we request that ICANN do so. Essentially, you would be refunding the amounts we paid with our own application fees, which should have been used to set up the TMCH in the first place.

These additional fees could have easily topped $6 million, given that there are over 1,200 live new gTLDs.

Was this a case of double-charging, as the RySG says?

My gut feeling is that Atallah probably just forgot about the extra TMCH fee and misspoke in his August letter. The alternative would be a significant accounting balls-up that would need rectifying.

RySG has asked ICANN for a “detailed accounting” of its new gTLD program expenses to date. If produced, that could clear up any confusion.

Group chair Paul Diaz, who signed the letter, has also asked for a meeting with Atallah at the Abu Dhabi public meeting later this month, to discuss the issue.

The letter also accuses ICANN of costing applicants lost revenue by introducing policies such as the ban on two-letter domains, increased trademark protections, and other government-requested restrictions that were introduced after application fees had already been paid.

The tone of the letter is polite, but seems to mask an underlying resentment among registries that ICANN has not been giving them a fair chance to grow their businesses.

UPDATE: This story was updated October 12 to correct the estimate of the total amount of TMCH setup fees collected.

Election season at ICANN

Kevin Murphy, October 4, 2017, Domain Policy

Two significant votes are coming up soon in the ICANN community, with the GNSO Council looking for a new chair and the ccNSO ready to select a new appointee for the ICANN board of directors.

The ccNSO election will see an actual contest for what is believed to be the first time, with at least two candidates fighting it out.

The GNSO vote is rather less exciting, with only one candidate running unopposed.

It seems Heather Forrest, an intellectual property lawyer, occasional new gTLD consultant, and professor at the University of Tasmania, will replace GoDaddy VP of policy James Bladel as Council chair a month from now.

Forrest, currently a vice-chair, was nominated by the Non-Contracted Parties House.

The Contracted Parties House (registries and registrars), evidently fine with Forrest taking over, decided not to field a candidate, so the November 1 vote will be a formality.

In the ccNSO world, the country-codes are electing somebody to take over from Mike Silber on the ICANN board, a rather more powerful position, when his term ends a year from now.

Nominations don’t close until a week from now, but so far there are two candidates: Nigel Roberts and Pierre Ouedraogo.

Roberts, nominated for the job by Puerto Rico, runs a collection of ccTLDs for the British Channel Islands.

Ouedraogo is from Burkina Faso but does not work for its ccTLD. He is a director of the Francophone Institute for Information and New Technologies. He was nominated by Kenya.

Both men are long-time participants in ICANN and the ccNSO.

Roberts, who currently sits on the ccNSO Council, tells me he believes it’s the first time there’s been a contested election for a ccNSO-appointed ICANN board seat since the current system of elections started in 2003.

Silber has been in the job for eight years and is term-limited so cannot stand again. The other ccNSO appointee, Chris Disspain, will occupy the other seat for another two years.

In harsh tones, ccNSO rejects NomCom appointee

Kevin Murphy, October 2, 2017, Domain Registries

ICANN’s Country Code Names Supporting Organization has rejected the appointment to its Council of a Canadian registry director.

Saying NomCom ignored long-standing guidance to avoid appointing registry employees, the ccNSO Council has said the recent naming of Marita Moll to the role is “unacceptable”.

Moll will have to choose between sitting on the Council and being a director of .ca registry CIRA, the Council said in a letter to NomCom and the ICANN board.

Three of the Council’s 18 voting members are selected by NomCom. The rest are elected from ccTLD registries, three from each of ICANN’s five geographic regions.

To maintain balance, and promote independent views, the Council told NomCom most recently back in 2012 that it should refrain from appointing people connected to ccTLD registries.

The new Council letter (pdf) reads:

Council’s view (none dissenting) is that your Committee’s proposed selection directly contravenes this requirement, notwithstanding the clear and explicit assurance we received in 2012 from the then Chair of Nominating Committee that the Committee would be “avoiding any member already belonging to the ccTLD management participating in the ccNSO”.

The situation is exacerbated by the fact that CIRA already has representation on the Council in the form of CEO Byron Holland.

The letter concludes that the conflict is “irreconcilable” and the appointment “unacceptable”.

As the ccNSO does not appear to have refusal powers on NomCom appointees, it will presumably be up to Moll to decline the appointment.

New gTLDs still a crappy choice for email — study

Kevin Murphy, September 28, 2017, Domain Tech

New gTLDs may not be the best choice of domain for a primary email address, judging by new research.

Over 20% of the most-popular web sites do not fully understand email addresses containing long TLDs, and Arabic email addresses are supported by fewer than one in 10 sites, a study by the Universal Acceptance Steering Group has found.

Twitter, IBM and the Financial Times are among those sites highlighted as having only partial support for today’s wide variety of possible email addresses.

Only 7% of the sites tested were able to support all types of email address.

The study, carried out by Donuts and ICANN staff, looked at 749 websites (in the top 1,000 or so as ranked by Alexa) that have forms for filling in email addresses.

On each site, seven different email addresses were input, to see whether the site would accept them as valid.

The emails used different combinations of ASCII and Unicode before the dot and mixes of internationalized domain name and ASCII at the second and top levels.

These were the results (click to enlarge or download the PDF of the report here):

IDN emails

The problem with these numbers, it seems to me, is the lack of a control. There’s no real baseline to judge the numbers against.

There’s no mention in the paper about testing addresses that use .com or decades-old ccTLDs, which would have highlighted web sites that with broken scripts that reject all emails.

But if we assume, as the paper appears to, that all the tested web sites were 100% compliant for .com domains, the scores for new gTLDs are not great.

There are currently over 800 TLDs over four characters in length, but according to the UASG research 22% of web sites will not recognize them.

There are 150 IDN TLDs, but a maximum of 30% of sites will accept them in email addresses.

When it comes to right-to-left scripts, such as Arabic, the vast majority of sites are totally hopeless.

UASG dug into the code of the tested sites when it could and found that most of them use client-side code — JavaScript processing a regular expression — to verify addresses.

A regular expression is complex bit of code that can look something like this: /^.+@(?:[^.]+\.)+(?:[^.]{2,})$

It’s not every coder’s cup of tea, but it can get the job done with minimal client-side resource overheads. Most coders, the UASG concludes, copy regex they found on a forum and maybe tweak it a bit.

This should not be shocking news to anyone. I’ve known about it since 2009 or earlier when I first started ripping code from StackOverflow.

However, the UASG seems to be have been working on the assumption that more sites are using off-the-shelf software libraries, which would have allowed the problem to be fixed in a more centralized fashion.

It concludes in its paper that much greater “awareness raising” needs to happen before universal acceptance comes closer to reality.

ICANN just came thiiis close to breaking the internet

Kevin Murphy, September 28, 2017, Domain Tech

ICANN has decided to postpone an unprecedented change at the DNS root after discovering it could break internet for potentially millions of users.

The so-called KSK Rollover was due to go ahead on October 11, but it’s now been pushed back to — tentatively — some time in the first quarter 2018.

The delay was decided after ICANN realized that there were still plenty of ISPs and network operators that weren’t ready for the change.

Had ICANN gone ahead anyway with the change anyway, it could have seen subscribers of affected ISPs lose access to millions of DNSSEC-supporting domain names.

So the postponement is a good thing.

A KSK or Key Signing Key is a public-private cryptographic key pair used to sign other keys called Zone Signing Keys. The root KSK signs the root ZSK and is in effect the apex of the DNSSEC hierarchy.

The same KSK has been in operation at the root since 2010, when the root was first signed, but it’s considered good practice to change it every so often to mitigate the risk of brute-force attacks against the public key.

While it’s important enough to get dramatized in US spy shows, in practice it only affects ISPs and domain names that voluntarily support DNSSEC.

ICANN estimates that 750 million people use DNSSEC, which is designed to prevent problems such as man-in-the-middle attacks against domain names.

That’s a hell of a lot of people, but it’s still a minority of the world’s internet-using population. It’s not been revealed how many of those would have been affected by a premature rollover.

When DNSSEC fails, people whose DNS resolvers have DNSSEC turned on (Comcast and Google are two of the largest such providers) can’t access domain names that have DNSSEC turned on (such as domainincite.com).

Preventing the internet breaking is pretty much ICANN’s only job, so it first flagged up its intention to roll the root KSK back in July last year.

In July this year, the new public KSK was uploaded as part of a transition phase that is seeing the 2010 keys and 2017 keys online simultaneously.

Last year, CTO David Conrad told us the long lead time and cautious approach was necessary to get the word out that ISPs needed to test their resolvers to make sure they would work with the new keys.

In June, ICANN CEO Goran Marby spammed the telecommunications regulators in every country in the world with a letter (pdf) asking them to coordinate their home ISPs to be ready for the change.

The organization’s comms teams has also been doing a pretty good job getting word of the rollover into the tech press over the last few months.

But, with a flashback to the new gTLD program, that outreach doesn’t seem to have reached out as far as it needed to.

ICANN said last night that a “significant number” of ISPs are still not ready for the rollover.

It seems ICANN only became aware of this problem due to a new feature of DNS that reports back to the root which keys it is configured to use.

Without being able to collate that data, it’s possible it could have been assumed that the situation was hunky-dory and the rollover might have gone ahead.

ICANN still isn’t sure why so many resolvers are not yet ready for the 2017 KSK. It said in a statement:

There may be multiple reasons why operators do not have the new key installed in their systems: some may not have their resolver software properly configured and a recently discovered issue in one widely used resolver program appears to not be automatically updating the key as it should, for reasons that are still being explored.

It’s not clear why the broken resolver software has not been named — one would assume that getting the word out would be a priority unless issues of responsible disclosure were in play.

ICANN said it is “reaching out to its community, including its Security and Stability Advisory Committee, the Regional Internet Registries, Network Operator Groups and others to help explore and resolve the issues.”

The organization is hopeful that it will be able to go ahead with the rollover in Q1 2018, but noted that would be dependent on “more fully understanding the new information and mitigating as many potential failures as possible.”

While it’s excellent news that ICANN is on top of the situation, the delay is unlikely to do anything to help the perception that DNSSEC is mainly just an administrative ball-ache and far more trouble than it’s worth.