Latest news of the domain name industry

Recent Posts

.mail, .home, .corp hopefuls could get exit plan in January

Kevin Murphy, December 27, 2017, Domain Registries

The twenty remaining applicants for the gTLDs .corp, .home and .mail could get the option to bow out with a full refund as early as January.

The ICANN board of directors earlier this month discussed several options for how to treat the in-limbo applications, one of which was a refund.

According to minutes of its December 13 meeting:

Staff outlined some potential options for the Board to consider, which ranged from providing a full refund of the New gTLD Program application fee to the remaining .CORP, .HOME, and .MAIL applicants, to providing priority in subsequent rounds of the New gTLD Program if the applicants were to reapply for the same strings.

Applicants for these strings that already withdrew their applications for a partial refund were also discussed.

The three would-be gTLDs have been frozen for years, after a study showed that they receive vast amounts of error traffic already on a daily basis.

This means there would be likely a large number of name collisions with zones on private networks, should these strings be delegated to the authoritative root.

The ICANN board instructed the staff to draft some resolutions to be voted on at “a subsequent meeting”, suggesting directors are close to reaching a decision.

It seems possible a vote could even happen at a January meeting, given that the board typically meets up almost every month.

Refund “options” for in-limbo gTLD applicants?

Kevin Murphy, November 6, 2017, Domain Policy

ICANN may just be a matter of weeks away from giving applicants for the .mail, .corp and .home gTLDs an exit strategy from their four years in limbo.

Its board of directors on Thursday passed a resolution calling for staff to “provide options for the Board to consider to address the New gTLD Program applications for .CORP, .HOME, and .MAIL by the first available meeting of the Board following the ICANN60 meeting in Abu Dhabi”.

It’s possible this means the board could consider the matter before the end of the year.

Twenty remaining applications for the three strings have been on hold since they were identified as particularly risky in August 2013.

A study showed that all three — .home and .corp in particular — already experience vast amounts of erroneous DNS traffic on a daily basis.

This is due to so-called “name collisions”, which come about when a newly delegated TLD is actually already in use on corporate or public networks.

Many companies use .corp and .mail already behind their firewalls, a practice sometimes historically encouraged by commercial technical documentation, and .home is known to be used by some ISPs in residential and business routers.

Both of these scenarios and others can lead to DNS queries spilling out onto the public internet, which could cause breakage or data leakage.

The solution for all new gTLDs delegated to date has been to wildcard the entire zone with the message “Your DNS needs immediate attention” for a period before registrations are accepted.

This has led to some new gTLDs with far less collision traffic seeing small but notable pockets of outrage when delegated — Google’s .prod (used by some as an internal shorthand for “production”) in 2014.

Studies to date have concentrated on the volume of error traffic to applied-for gTLDs, but last Thursday the ICANN board kicked off a study that will look at what the real-world impact of name collisions in .mail, .corp and .home could be.

It’s tasked the Security and Stability Advisory Committee with carrying out the study in conjunction with related groups such as the IETF.

But this is likely to take quite a long time, so the board also resolved to think up “options” for the 20 affected applications.

Could the applicants be offered a full refund, as opposed to the partial one they currently qualify for? Could there be some kind of deferment option, such as that offered to unsuccessful 2000-round applicants? Either seems possible.

Security experts say ICANN should address collisions before approving more new TLDs

Kevin Murphy, January 2, 2017, Domain Tech

ICANN’s Security and Stability Advisory Committee has told ICANN it needs to do more to address the problem of name collisions before it approves any more new gTLDs.

In its latest advisory (pdf), published just before Christmas, SSAC says ICANN is not doing enough to coordinate with other technical bodies that are asserting authority over “special use” TlDs.

The SAC090 paper appears to be an attempt to get ICANN to further formalize its relationship with the Internet Engineering Task Force as it pertains to reserved TLDs:

The SSAC recommends that the ICANN Board of Directors take appropriate steps to establish definitive and unambiguous criteria for determining whether or not a syntactically valid domain name label could be a top-level domain name in the global DNS.

Pursuant to its finding that lack of adequate coordination among the activities of different groups contributes to domain namespace instability, the SSAC recommends that the ICANN Board of Directors establish effective means of collaboration on these issues with relevant groups outside of ICANN, including the IETF.

The paper speaks to at least two ongoing debates.

First, should ICANN approve .home and .corp?

These two would-be gTLDs were applied for by multiple parties in 2012 but have been on hold since August 2013 following an independent report into name collisions.

Names collisions are generally cases in which ICANN delegates a TLD to the public DNS that is already broadly used on private networks. This clash can result in the leakage of private data.

.home and .corp are by a considerable margin the two strings most likely to be affected by this problem, with .mail also seeing substantial volume.

But in recent months .home and .corp applicants have started to put pressure on ICANN to resolve the issue and release their applications from limbo.

The second incident the SSAC paper speaks to is the reservation in 2015 of .onion

If you’re using a browser on the privacy-enhancing Tor network, .onion domains appear to you to work exactly the same as domains in any other gTLDs, but under the hood they don’t use the public ICANN-overseen DNS.

The IETF gave .onion status as a “Special Use Domain“, in order to prevent future collisions, which caused ICANN to give it the same restricted status as .example, .localhost and .test.

But there was quite a lot of hand-wringing within the IETF before this status was granted, with some worrying that the organization was stepping on ICANN’s authority.

The SSAC paper appears to be designed at least partially to encourage ICANN to figure out how much it should take its lead from the IETF in this respect. It asks:

The IETF is an example of a group outside of ICANN that maintains a list of “special use” names. What should ICANN’s response be to groups outside of ICANN that assert standing for their list of special names?

For members of the new gTLD industry, the SSAC paper may be of particular importance because it raises the possibility of delays to subsequent rounds of the program if ICANN does not spell out more formally how it handles special use TLDs.

“The SSAC recommends that ICANN complete this work before making any decision to add new TLD names to the global DNS,” it says.

Verisign says new gTLDs put millions at risk

Kevin Murphy, May 26, 2016, Domain Tech

Verisign has revived its old name collisions security scare story, publishing this week a weighty research paper claiming millions are at risk of man-in-the-middle attacks.

It’s actually a study into how a well-known type of attack, first documented in the 1990s, might become easier due to the expansion of the DNS at the top level.

According to the paper there might be as many as 238,000 instances per day of query traffic intended for private networks leaking to the public DNS, where attackers could potentially exploit it to all manner of genuinely nasty things.

But Verisign has seen no evidence of the vulnerability being used by bad guys yet and it might not be as scary as it first appears.

You can read the paper here (pdf), but I’ll attempt to summarize.

The problem concerns a virtually ubiquitous protocol called WPAD, for Web Proxy Auto-Discovery.

It’s used by mostly by Windows clients to automatically download a web proxy configuration file that tells their browser how to connect to the web.

Organizations host these files on their local networks. The WPAD protocol tries to find the file using DHCP first, but fails over to DNS.

So, your browser might look for a wpad.dat file on wpad.example.com, depending on what domain your computer belongs to, using DNS.

The vulnerability arises because companies often use previously undelegated TLDs — such as .prod or .global — on their internal networks. Their PCs could belong to domains ending in .corp, even though .corp isn’t real TLD in the DNS root.

When these devices are roaming outside of their local network, they will still attempt to use the DNS to find their WPAD file. And if the TLD their company uses internally has actually been delegated by ICANN, their WPAD requests “leak” to registry or registrant.

A malicious attacker could register a domain name in a TLD that matches the domain the target company uses internally, allowing him to intercept and respond to the WPAD request and setting himself up as the roaming laptop’s web proxy.

That would basically allow the attacker to do pretty much whatever he wanted to the victim’s browsing experience.

Verisign says it saw 20 million WPAD leaks hit its two root servers every single day when it collected its data, and estimates that 6.6 million users are affected.

The paper says that of the 738 new gTLDs it looked at, 65.7% of them saw some degree of WPAD query leakage.

The ones with the most leaks, in order, were .global, .ads, .group, .network, .dev, .office, .prod, .hsbc, .win, .world, .one, .sap and .site.

It’s potentially quite scary, but there are some mitigating factors.

First, the problem is not limited to new gTLDs.

Yesterday I talked to Matt Larson, ICANN’s new vice president of research (who held the same post at Verisign’s until a few years ago).

He said ICANN has seen the same problem with .int, which was delegated in 1988. ICANN runs one of .int’s authoritative name servers.

“We did a really quick look at 24 hours of traffic and saw a million and a half queries for domain names of the form wpad.something.int, and that’s just one name server out of several in a 24-hour period,” he said.

“This is not a new problem, and it’s not a problem that’s specific to new gTLDs,” he said.

According to Verisign’s paper, only 2.3% of the WPAD query leaks hitting its root servers were related to new gTLDs. That’s about 238,000 queries every day.

With such a small percentage, you might wonder why new gTLDs are being highlighted as a problem.

I think it’s because organizations typically won’t own the new gTLD domain name that matches their internal domain, something that would eliminate the risk of an attacker exploiting a leak.

Verisign’s report also has limited visibility into the actual degree of risk organizations are experiencing today.

Its research methodology by necessity was limited to observing leaked WPAD queries hitting its two root servers before the new gTLDs in question were delegated.

The company only collected relevant NXDOMAIN traffic to its two root servers — DNS queries with answers typically get resolved closer to the user in the DNS hierarchy — so it has no visibility to whether the same level of leaks happen post-delegation.

Well aware of the name collisions problem, largely due to Verisign’s 11th-hour epiphany on the subject, ICANN forces all new gTLD registries to wildcard their zones for 90 days after they go live.

All collision names are pointed to 127.0.53.53, a reserved IP address picked in order to catch the attention of network administrators (DNS uses TCP/IP port 53).

Potentially, at-risk organizations could have fixed their collision problems shortly after the colliding gTLD was delegated, reducing the global impact of the vulnerability.

There’s no good data showing how many networks were reconfigured due to name collisions in the new gTLD program, but some anecdotal evidence of admins telling Google to go fuck itself when .prod got delegated.

A December 2015 report from JAS Advisors, which came up with the 127.0.53.53 idea, said the effects of name collisions have been rather limited.

ICANN’s Larson echoed the advice put out by security watchdog US-CERT this week, which among other things urges admins to use proper domain names that they actually control on their internal networks.

It’s official: new gTLDs didn’t kill anyone

Kevin Murphy, December 2, 2015, Domain Tech

The introduction of new gTLDs posed no risk to human life.

That’s the conclusion of JAS Advisors, the consulting company that has been working with ICANN on the issue of DNS name collisions.

It is final report “Mitigating the Risk of DNS Namespace Collisions”, published last night, JAS described the response to the “controlled interruption” mechanism it designed as “annoyed but understanding and generally positive”.

New text added since the July first draft says: “ICANN has received fewer than 30 reports of disruptive collisions since the first delegation in October of 2013. None of these reports have reached the threshold of presenting a danger to human life.”

That’s a reference to Verisign’s June 2013 claim that name collisions could disrupt “life-supporting” systems such as those used by emergency response services.

Names collisions, you will recall, are scenarios in which a newly delegated TLD matches a string that it is already used widely on internal networks.

Such scenarios could (and have) led to problems such as system failure and DNS queries leaking on to the internet.

The applied-for gTLDs .corp and .home have been effectively banned, due to the vast numbers of organizations already using them.

All other gTLDs were obliged, following JAS recommendations, to redirect all non-existent domains to 127.0.53.53, an IP address chosen to put network administrators in mind of port 53, which is used by the DNS protocol.

As we reported a little over a year ago, many administrators responded swearily to some of the first collisions.

JAS says in its final report:

Over the past year, JAS has monitored technical support/discussion fora in search of posts related to controlled interruption and DNS namespace collisions. As expected, controlled interruption caused some instances of limited operational issues as collision circumstances were encountered with new gTLD delegations. While some system administrators expressed frustration at the difficulties, overall it appears that controlled interruption in many cases is having the hoped-for outcome. Additionally, in private communication with a number of firms impacted by controlled interruption, JAS would characterize the overall response as “annoyed but understanding and generally positive” – some even expressed appreciation as issues unknown to them were brought to their attention.

There are a number of other substantial additions to the report, largely focusing on types of use cases JAS believes are responsible for most name collision traffic.

Oftentimes, such as the random 10-character domains Google’s Chrome browser uses for configuration purposes, the collision has no ill effect. In other cases, the local system administrators were forced to remedy their software to avoid the collision.

The report also reveals that the domain name corp.com, which is owned by long-time ICANN volunteer Mikey O’Connor, receives a “staggering” 30 DNS queries every second.

That works out to almost a billion (946,728,000) queries per year, coming when a misconfigured system or inexperienced user attempts to visit a .corp domain name.

ICANN Compliance probing Hunger Games domain

ICANN’s Compliance department is looking into whether Donuts broke the rules by activating a domain name for the forthcoming The Hunger Games movie.

Following up from the story we posted earlier today, ICANN sent DI the following statement:

We are well aware of this issue and are addressing it through our normal compliance resolution process. We attempt to resolve compliance matters through a collaborative informal resolution process, and we do not comment on what happens during the informal resolution phase.

At issue is whether Donuts allowed the movie’s marketers to launch thehungergames.movie before the new gTLD’s mandatory 90-day “controlled interruption” phase was over.

Under a strict reading of the CI rules, there’s something like 10 to 12 days left before Donuts is supposed to be allowed to activate any .movie domain except nic.movie.

Donuts provided the following statement:

This is a significant step forward in the mainstream usage of new domains. One of the core values of the new gTLD program is the promotion of consumer choice and competition, and Donuts welcomes this contribution to the program’s success, and to the promotion of the film. We don’t publicly discuss specific matters related to ICANN compliance.

I imagine what happened here is that Donuts got an opportunity to score an anchor tenant with huge visibility and decided to grasp it with both hands, even though distributor Lion’s Gate Entertainment’s (likely immovable) launch campaign schedule did not exactly chime with its own.

It may be a technical breach of the ICANN rules on name collisions — which many regard as over-cautious and largely unnecessary — but it’s not a security or stability risk.

Of course, some would say it also sets a precedent for other registries to bend the rules if they score big-brand backing in future.

Is The Hunger Games’ new .movie domain illegal?

Donuts may have launched its best new gTLD anchor tenant in violation of ICANN rules.

The company revealed earlier this week that The Hunger Games movies are using thehungergames.movie to promote the fourth and final installment of the wildly successful “trilogy”.

The domain name even features in the trailer for the film, which currently has over 1.7 million YouTube views.

But it has been claimed that Donuts activated the domain in the DNS two weeks before it was allowed to under its ICANN registry contract.

It boils down to “controlled interruption”, the controversial mechanism by which registries mitigate the risk of potentially harmful name collisions in the DNS.

Under ICANN’s rules for CI, for 90 days registries have to implement a wildcard in their zone file that redirects all domains other than nic.[tld] to 127.0.53.53 and your-dns-needs-immediate-attention.[tld].

“The Registry Operator must not activate any other names under the TLD until after the 90-day controlled interruption period has been completed,” the rules say, in bold text.

Donuts’ .movie was delegated on or around March 26, which means when thehungergames.movie was activated there were still about two weeks left on the .movie CI clock.

As far as I can tell from reading ICANN documentation on CI, there are no carve-outs for anchor tenants.

The .movie zone file has five other domains related to The Hunger Games in it — the only names other than nic.movie — but they don’t seem to resolve.

There’s no actual security or stability risk here, of course.

If .movie had used the old method of blocking a predefined list of identified name collisions, thehungergames.movie would not have even been affected — it’s not on .movie’s list of collisions.

However, if ICANN decides rules have been broken and Donuts is forced to deactivate the domain, it would be a painfully embarrassing moment for the new gTLD industry.

It can perhaps be hoped that ICANN’s process of investigating such things takes about two weeks to carry out.

I’ve contacted Donuts for comment and will provide an update if and when I receive any additional information.

New gTLD extortion? Registry asks Facebook for $35,000 to register its brand

Kevin Murphy, January 16, 2015, Domain Registries

More Chinese weirdness, or just plain old trademark owner extortion?

The registry for the new gTLD .top is asking Facebook to cough up $35,000 in order to defensively register one of its trademarks as a .top domain — probably facebook.top — according to a Facebook executive.

The registry’s demand — which some are cautiously likening to “extortion” — is linked to the release of name collision domains in .top, which is due to start happening today.

Nanjing, China-based registry Jiangsu Bangning Science & Technology runs the .top gTLD.

It has been in general availability since November 18 and currently has just shy of 40,000 names in its zone file, making it the 16th-largest new gTLD.

I haven’t checked whether they’re all legitimate buyer registrations, but given the shape the new gTLD industry is in right now I have my doubts.

From today, Jiangsu Bangning is running a month-long “Exclusive Registration Period”, according to ICANN records.

But Facebook domain manager Susan Kawaguchi today complained on an ICANN GNSO Council call that the registry had asked for $4,500 for a Sunrise period registration and now wants an extra RMB 180,000 ($30,000) because the desired domain is on its collisions block-list.

UPDATE: The registry says the price is just RMB 18,000. It blames a typo for the error.

I don’t know for sure what domain Facebook wants — I’ve reached out to Kawaguchi for clarification — but I rather suspect it’s facebook.top, which appeared on the list of 30,205 name collisions that Jiangsu Bangning was obliged by ICANN to block.

Name collisions are domains that were already receiving traffic prior to the launch of the new gTLD program. ICANN forces registries to block them for a minimum of 90 days in order to mitigate potential security risks.

According to the registry’s web site, Sunrise registrations cost RMB 18,000 per name per year. That’s about $3,000 a year for a defensive registration, a ridiculously high sum when compared to most new gTLDs.

There’s no mention on its site that I can find of the additional RMB 180,000 collision release fee, but Kawaguchi forwarded an email to the GNSO Council that strongly suggests that trademark owners with brands on the .top collisions list face the inexplicable extra $30,000.

Sunrise prices, just like regular general availability prices, are not controlled by ICANN in new gTLDs.

There are no rules I’m aware of governing pricing for collision names, nor am I aware of any registry costs that could justify a $30,000 fee to register one. A premium generic string may be worth that much, but asking that amount for a trademark smacks of extortion.

So, assuming this isn’t just a breakdown of communication, is the registry trying to screw Facebook in a targeted fashion, knowing it has deep pockets and a cybersquatting target painted on its back, or is it applying a $30,000 fee to every domain coming off its collisions list this week?

Facebook isn’t the only big tech company with its primary trademark on the list — Microsoft, Google, Twitter and Amazon also appear on it, along with many other famous brands.

Kawaguchi said she’s taken her complaint to ICANN Compliance.

Where to find new gTLD dropping domain lists

Kevin Murphy, November 20, 2014, Domain Registries

With hundreds of thousands of currently blocked new gTLD domain names about to hit the market, many without premium pricing, some domain investors have been wondering where they can get hold of the lists of soon-to-be available names.

Fortunately, ICANN freely publishes several lists that could prove useful.

As we’ve been reporting this week, names that were previously reserved by new gTLD registries due to name collisions have started to become unblocked, as mandatory 90-day “controlled interruption” phases start to expire.

By definition, a name collision domain has received traffic in the past.

A CSV file containing a list of all domain names currently subject to CI can be downloaded from ICANN here.

Be warned, it’s a 68MB file with millions and millions of lines — your spreadsheet software may not be able to open it. It also changes regularly, so it could get bigger as more new gTLDs begin their CI programs.

The file shows the TLD, the second-level string, the date it went into CI and the number of days it has remained in that status. When the last number hits 90, the block is due to be lifted.

A second CSV file contains all the domains that have completed CI. Find it here. It’s currently almost 7MB, but it’s going to get a lot bigger rather quickly as domains move from one list to the other.

That file shows the TLD, the SLD, the date CI started and the day it ended.

Every domain name in that list is no longer subject to a mandatory ICANN block, but that doesn’t necessarily mean that the registry has unblocked it in practice. Some registries are planning to keep hold of the newly available domains and release them in batches at a later date.

Some gTLDs have chosen to wildcard their zones rather than implement a CI response on each individual name collision. In those cases, individual domain names will not show up in the current collisions file. Instead, you’ll see an asterisk.

In those cases, you can find a list of all of each gTLD’s name collisions in separate CSV files accompanying each TLD’s ICANN contract. The contracts can be found here. Click through to the TLD you’re interested in and download the “List of SLDs to Block” file.

Note that there’s a lot of absolute garbage domains in these files. The name collisions program ain’t pretty.

Over 180,000 blocked new gTLD names to drop next week

Kevin Murphy, November 20, 2014, Domain Registries

Several new gTLD registries will release hundreds of thousands of currently blocked domain names — some of them quite nice-looking — next Wednesday.

It’s one of the first big batches of name collisions to be released to market.

The companies behind .xyz, .website, .press, .host, .ink, .wiki, .rest and .bar will release most of their blocked names at 1400 UTC on November 26. These registries all use CentralNic as their back-end.

The gTLD with the biggest “drop” is .host, with over 100,000 names. .wiki, .website and .xyz all have 10,000 to 20,000 releasing names apiece.

According to Radix business head Sandeep Ramchamdani, A smallish number — measured in the hundreds — of the .host, .press and .website names are on the company’s premium domain lists and will carry a higher price.

He gave the following sample of .website domains that will become available at the baseline, non-premium, registry fee:

analyze.website, anti.website, april.website, bookmark.website, challenge.website, classics.website, consumer.website, definitions.website, ginger.website, graffiti.website, inspired.website, jobportal.website, lenders.website, malibu.website, marvelous.website, ola.website, clients.website, commercial.website, comparison.website

Drop-catching services such as Pool.com are taking pre-orders on names set to be released.

Other registries have already released their name collisions domains.

I gather that .archi, .bio, .wien and .quebec have already unblocked their collisions this week.

Donuts tells us it has no current plan for its first drops. Rightside, which runs Donuts’ back-end, is reportedly planning to drop names in a couple dozen gTLDs on the same date in January.

As we reported earlier this week, millions of names are due to be released over the coming months, due to the expiration of the 90-day “controlled interruption” phase that ICANN forced all new gTLD registries to implement.

By definition, name collision names already have seen traffic in the past and may do so again.