Latest news of the domain name industry

Recent Posts

Form an orderly queue: New Zealand wants a new back-end

Kevin Murphy, October 23, 2019, Domain Registries

New Zealand is looking to outsource its .nz ccTLD registry back-end for the first time, and has invited interested parties to get in touch.

Registry manager InternetNZ today published a request for expressions of interest in what it’s calling its “registry replacement project”.

It won’t be as straightforward as most registry migrations, as .nz is currently running essentially two different back-ends.

Today, about 65% of its registrations are based on an outdated custom Shared Registration System protocol, with the remainder on the industry standard Extensible Provisioning Protocol.

The proportion of registrars running SRS versus EPP is roughly the same, with about 65% on SRS, according to the REOI.

But the registry wants to get rid of SRS altogether, forcing all SRS-only registrars to adopt the EPP, and the new back-end provider will have to support this transition.

While registrars always have a bit of implementation work to do when a TLD changes back-ends, it’s not usually as complicated as adopting a completely different protocol with which they may not be unfamiliar.

So the risk of issues arising during the eventual handover — which will probably take a bit longer than usual — is probably a bit higher than usual.

But .nz is an attractive TLD. At the start of the month, it had 711,945 domains under management, a pretty good penetration on a per-capita basis when compared to the biggest ccTLDs.

It’s in the top 50 of the 1,338 TLDs for which I have data.

The deadline for responses to the REOI is November 29, a little over a month from now, InternetNZ said.

The registry is taking briefings at ICANN 66 in Montreal from November 2, and the following week in New Zealand.

Spam is not our problem, major domain firms say ahead of ICANN 66

Kevin Murphy, October 21, 2019, Domain Policy

Eleven of the largest domain name registries and registrars have denied that spam is something they should have to deal with, unless it’s used to proliferate other types of abuse such as phishing or malware.

In a newly published “Framework to Address Abuse” (pdf), the companies attempt to define the term “DNS abuse” narrowly to capture only five (arguably only four and a half) specific types of online threat.

That abuse comprises malware, phishing, botnets, pharming and spam.

The companies agree that these are activities which registrars and registries “must” act upon.

But the document notes that not all spam is its responsibility, stating:

While Spam alone is not DNS Abuse, we include it in the five key forms of DNS Abuse when it is used as a delivery mechanism for the other four forms of DNS Abuse. In other words, generic unsolicited e-mail alone does not constitute DNS Abuse, but it would constitute DNS Abuse if that e-mail is part of a phishing scheme.

In other words, registrars and registries should not feel responsible for the billions of spams sent every day using their domains, unless the spam runs further malware, phishing, pharming or botnet abuse.

The signatories of the framework are Public Interest Registry, GoDaddy, Donuts, Tucows, Amazon Registry Services, Blacknight, Afilias, Name.com, Amazon Registrar, Neustar, and Nominet UK.

It may seem like they’ve presented a surprisingly narrow definition, but it’s in line with what current ICANN contracts dictate.

Neither the standard Registry Agreement nor Registrar Accreditation Agreement mention spam at all. Six years ago, ICANN specifically said that spam is “outside of ICANN’s scope and authority”.

Under the RA, registries have to oblige their registrars to ban registrants from “distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law”.

They also have to maintain statistical reports on the amount of “pharming, phishing, malware, and botnets” in their zones, and provide those reports to ICANN upon demand. A recent audit found that 5% of registries, mainly dot-brands, were not doing this.

However, ICANN’s Domain Abuse Activity Reporting system, an effort to provide some transparency into how gTLDs are being abused, does in fact track spam. It does not track pharming, which is a fairly obscure and little-used form of DNS attack.

The DAAR report for September shows that spam constituted 73% of all tracked abuse.

The ICANN board of directors today identified DAAR as one of a few dozen priorities for the coming year.

Similarly, the cross-community working group known as the CCT Review Team, which was tasked with looking into how the new gTLD program has impacted competition and consumer trust, had harsh words for spam-friendly registries, and provided a definition of “DNS Security Abuse” that specifically included “high volume spam”.

The review recommended that ICANN introduce more measures to force contracted parties to deal with this type of abuse. This could include incentives for registries to clean up their zones and abuse volume thresholds that would automatically trigger compliance actions.

The new framework document comes in the context of an ongoing debate within the ICANN community about what “DNS abuse” is.

Two partners at Interisle, a security consultancy that often works for ICANN, recently guest-posted on DI to say that this term has become meaningless and should be abandoned in favor of “security threat”.

They argued that the definition should include not only spam, but also stuff like IP infringement, election interference, and terrorism.

But the main threat to contracted parties probably comes from the Governmental Advisory Committee, backed by law enforcement, which is pushing for stronger rules covering abusive content.

During a webinar last week, the US Federal Trade Commission, the FBI, and Europol argued that registries and registrars should be obliged to do more to combat abuse, specifically including spam.

“Whether or not you call it phishing or spam or whether it has a malware payload or not, ultimately it’s all email, and email remains the most common tool of cybercriminals to ensnare their victims, and that’s why we in law enforcement care about the domains used to send emails,” said Gabriel Andrews of the FBI’s Cyber Initiative Resource Fusion Unit, on the call.

Registries and registrars countered, using the same language found in the new framework, that generic spam is a content issue, and outside of their remit.

The two sides are set to clash again at ICANN’s annual general meeting in Montreal next month, in a November 6 face-to-face session.

While 11 entities signed the new framework, it’s arguably only nine companies. Name.com is owned by Donuts and both Amazon firms obviously have the same parent.

But it does include the two largest registrars, and registries responsible for running several hundred commercial gTLDs, dot-brands and ccTLDs.

While none of the signatories of the framework have a particular reputation for being spam-friendly, other companies in the industry — particularly some of the newest and cheapest new gTLDs — tend to attract spammers like flies to a turd.

Some of the signatories are perhaps surprising, given their past or ongoing behavior to tackle content-based abuse in their own zones.

Nominet, notably, takes down tens of thousands of domains ever year based on little more than police assurances that the domains are being used to sell counterfeit merchandise or infringe copyright.

The .uk registry also preemptively suspends domains based on algorithms that guess whether they’re likely to be seen as encouraging sexual violence or could be used in phishing attacks.

Donuts also has a trusted notifier relationship with the movie and music industries that has seen it take down dozens of names being used for mass copyright infringement.

PIR has previous endorsed, then unendorsed, the principal of a “UDRP for copyright”, a method of giving Big Content a way of going through due process to have domains taken or suspended.

Outside the spam issue, while the new registry-registrar framework says that registries and registrars should not get involved in matters related to web site content, it also says they nevertheless “should” (as opposed, one assumes based on the jargon usually found in internet standards, to “must”) suspend domains when they’re being used to distribute:

(1) child sexual abuse materials (“CSAM”); (2) illegal distribution of opioids online; (3) human trafficking; and (4) specific and credible incitements to violence.

These are exceptions because they constitute “the physical and often irreversible threat to human life”, the framework says.

Ultimately, this all boils down to a religious debate about where the line is drawn between “DNS” and “content”, it seems to me.

The contracted parties draw the line at threats to human life, whereas others want action on other forms of abuse largely because registries and registrars are in the best position to help.

Crunch time, again, for Whois access policy

Kevin Murphy, October 14, 2019, Domain Policy

Talks seeking to craft a new policy for allowing access to private Whois data have hit another nodal point, with the community now pressuring the ICANN board of directors for action.

The Whois working group has more or less decided that a centralized model for data access, with ICANN perhaps acting as a clearinghouse, is the best way forward, but it needs to know whether ICANN is prepared to take on this role and all the potential liabilities that come with it.

Acronym time! The group is known as the Whois EPDP WG (for Expedited Policy Development Process Working Group) and it’s come up with a rough Whois access framework it’s decided to call the Standardized System for Access and Disclosure (SSAD).

Its goal is to figure out a way to minimize the harms that Europe’s General Data Protection Regulation allegedly caused to law enforcement, IP owners, security researchers and others by hiding basically all gTLD registration data by default.

The SSAD, which is intended to be as automated as possible, is the working group’s proposed way of handling this.

The “hamburger model” the EPDP has come up with sees registries/registrars and data requestors as the top and bottom of the sandwich (or vice versa) with some yet-to-be-decided organizational patty filling acting as an interface between the two.

The patty would handle access control for the data requests and be responsible for credentialing requestors. It could either be ICANN acting alone, or ICANN coordinating several different interface bodies (the likes of WIPO have been suggested).

Should the burger be made only of mashed-up cow eyelids, or should it incorporate the eyelids of other species too? That’s now the question that ICANN’s board is essentially being posed.

Since this “phase two” work kicked off, it’s taken about five months, 24 two-hour teleconferences, and a three-day face-to-face meeting to get to this still pretty raw, uncooked state.

The problem the working group is facing now is that everyone wants ICANN to play a hands-on role in running a centralized SSAD system, but it has little idea just how much ICANN is prepared to get involved.

The cost of running such a system aside, legislation such as GDPR allows for pretty hefty fines in cases of privacy breaches, so there’s potentially a big liability ask of notoriously risk-averse ICANN.

So the WG has written to ICANN’s board of directors in an attempt to get a firm answer one way or the other.

If the board decided ICANN should steer clear, the WG may have to go back more or less to square one and focus on adapting the current Whois model, which is distributed among registrars and registries, for the post-GDPR world.

How much risk and responsibility ICANN is willing to absorb could also dictate which specific SSAD models the WG pursues in future.

There’s also a view that, with no clarity from ICANN, the chance of the WG reaching consensus is unlikely.

This will be a hot topic at ICANN 66 in Montreal next month.

Expect the Governmental Advisory Committee, which had asked for “considerable and demonstrable progress, if not completion” of the access model by Montreal, to be disappointed.

ICANN’s babysitting fund goes live

Kevin Murphy, October 1, 2019, Domain Policy

ICANN has started accepting applications for its childcare grants program.

As previously reported, ICANN plans to offer up to $750 per family to community members who have no choice but to show up to its meetings with their offspring in tow.

The money is designed to cover childcare costs while the parent attends sessions at ICANN’s thrice-yearly public meetings.

ICANN will not be providing any on-site childcare itself, nor will it approve any providers.

The program is in a pilot, covering the next three meetings.

The current application period, for ICANN 67 in Cancun, Mexico next March, runs until November 20. The application form wouldn’t open for me.

Full details can be found here.

ICANN names new directors, replaces Facebook exec

Kevin Murphy, August 20, 2019, Domain Policy

ICANN’s Nominating Committee has picked two new directors to join the board of directors this November.

They are: Mandla Msimang, a South African technology policy consultant, and Ihab Osman, a serial director who ran Sudan’s ccTLD two decades ago but whose main current gig appears to be managing a Saudi Arabian dairy company.

Dutch domain industry figure Maarten Botterman, who had a stint heading Public Interest Registry, has been reappointed for his second three-year term.

But Tunisian Khaled Koubaa, head of public policy for North Africa at Facebook, who joined the board with Botterman in 2016 and also previously worked for PIR, is not being asked to return.

Msimang and Osman replace Koubaa and Cherine Chalaby, the current Egyptian-born chair, who after nine years on the board is term-limited.

Basically, it’s two Africans out, two Africans in.

In a statement, NomCom chair Damon Ashcraft noted that the committee had received 56 applications from Africa, more than any other region. Only two applications were received from North Americans.

This is perhaps unsurprising. NomCom had been duty-bound to pick at least one African, in order to maintain ICANN’s bylaws-mandated geographic balance, but there were no spots available for North Americans.

Replacing one male director with one female may also go some way to appease critics — including the ICANN board itself — who have claimed that the board needs to be more gender balanced.

The switch means that, after November, the eight NomCom appointees on the board will be evenly split in terms of gender. However, only seven out of the total 20 directors will be women.

The other directors are selected by ICANN’s various supporting organizations and advisory committees.

NomCom received applications from 42 women and 85 men this year.

ICANN has not yet published the official bios for the two new directors, but here’s what the internets has to say about about them.

Mandla Msimang. Msimang’s career appears to show her playing both hunter and gamekeeper in the South African telecommunications market, first working for the national regulator, and later for leading mobile phone operator Cell C. In 2007 she founded Pygma Consulting, a boutique IT consultancy, which she still runs.

Ihab Osman. Osman’s day job appears to be general manager of NADEC New Businesses, a unit of Nadec, a foods company partly owned by the Saudi government. He’s also president of the US-Sudan Business Council, which seeks to promote trade between the two countries. He has a long career in telecommunications, and from 1997 until 2002 was in charge of Sudan’s .sd ccTLD.

Both new directors will take their seats at the end of ICANN’s annual general meeting in Montreal this November.

There’s no word yet on who’s taking over as chair.

  • Page 1 of 2
  • 1
  • 2
  • >