Latest news of the domain name industry

More than 1,000 new gTLDs a year? Sure!

Kevin Murphy, September 5, 2019, Domain Tech

There’s no particular reason ICANN shouldn’t be able to add more than 1,000 new gTLDs to the DNS every year, according to security experts.

The Security and Stability Advisory Committee has informed ICANN (pdf) that the cap, which was in place for the 2012 application round, “has no relevance for the security of the root zone”.

Back then, ICANN had picked the 1,000-a-year upper limit for delegations more or less out of thin air, as a straw man for SSAC, the root server operators, and those who were opposed to new gTLDs in general to shake their sticks at. It was concluded that 1,000 should present no issues.

As it turned out, it took two and a half years for ICANN to add the first 1,000 new gTLDs, largely due to the manual elements of the application process.

SSAC is now reiterating its previous advice that monitoring the rate of change at the root is more important than how many TLDs are added, and that there needs to be a way to slam the brakes on delegations if things go titsup.

The committee is also far more concerned that some of the 2012 new gTLDs are being quite badly abused by spammers and the like, and that ICANN is not doing enough to address this problem.

.gay gets rooted

Kevin Murphy, August 12, 2019, Domain Registries

The new gTLD .gay, which was often used as an example of a controversial TLD that could be blocked from the DNS, has finally made it to the DNS.

While no .gay domains are currently resolving, the TLD itself was added to the root zone over the weekend.

Its registry is Top Level Design, which currently also runs .design, .ink and .wiki.

The company won the string in February, after an auction with three other applicants.

Top Level Design had planned to launch .gay this October on National Coming Out Day in the US, but had to postpone the release so as not to rush things.

It’s now eyeing a second-quarter 2020 launch, possibly timed to coincide with a major Pride event.

The registry is currently hiring marketing staff to assist in the launch.

It’s the first new TLD to hit the internet since February, when South Sudan acquired .ss.

But it’s been over a year since the last 2012-round new gTLD appeared, when .inc was delegated in July 2018.

There are currently 1,528 TLDs in the root. That’s actually down a bit compared to a year ago, due to the removal of several delegated dot-brands.

.gay was, prior to 2012, often used as an example of a string that could have been blocked by governments or others on “morality and public order” grounds.

But that never transpired. The protracted time it’s taken to get .gay into the root has been more a result of seemingly endless procedural reviews of ICANN decision-making.

Root servers whacked after crypto change

Kevin Murphy, March 27, 2019, Domain Tech

The DNS root servers came under accidental attack from name servers across the internet following ICANN’s recent changes to their cryptographic master keys, according to Verisign.

The company, which runs the A and J root servers, said it saw requests for DNSSEC data at the root increase from 15 million a day in October to 1.15 billion a day a week ago.

The cause was the October 11 root Key Signing Key rollover, the first change ICANN had made to the “trust anchor” of DNSSEC since it came online at the root in 2010.

The KSK rollover saw ICANN change the cryptographic keys that rest at the very top of the DNSSEC hierarchy.

The move was controversial. ICANN delayed it for a year after learning about possible disruption at internet endpoints. Its Security and Stability Advisory Committee and even its own board were not unanimous that the roll should go ahead.

But the warnings were largely about the impact on internet users, rather than on the root servers themselves, and the impact was minimal.

Verisign is now saying that requests to its roots for DNSSEC key data increased from 15 million per day to 75 million per day, a five-fold increase, almost overnight.

It was not until January, when the old KSK was marked as “revoked”, that the seriously mahooosive traffic growth began, however. Verisign’s distinguished engineer Duane Wessels wrote:

Everyone involved expected this to be a non-event. However, we instead saw an even bigger increase in DNSKEY queries coming from a population of root server clients. As of March 21, 2019, Verisign’s root name servers receive about 1.15 billion DNSKEY queries per day, which is 75 times higher than pre-rollover levels and nearly 7 percent of our total steady state query traffic.

Worryingly, the traffic only seemed to be increasing, until March 22, when the revoked key was removed from the root entirely.

Wessels wrote that while the root operators are still investigating, “it would seem that the presence of the revoked key in the zone triggered some unexpected behavior in a population of validating resolvers.”

The root operators hope to have answers in the coming weeks, he wrote.

The next KSK rollover is not expected for years, and the root traffic is now returning to normal levels, so there’s no urgency.

Nazis rejoice! A TLD for you could be coming soon

Kevin Murphy, January 21, 2019, Domain Registries

The domain name system could soon get its first new standard country-code domain for eight years.

This weekend, ICANN’s board of directors is set to vote on whether to allow the delegation of a ccTLD for the relatively new nation of South Sudan.

The string would be .ss.

It would be the first Latin-script ccTLD added to the root since 2010, when .cw and .sx were delegated for Curaçao and Sint Maarten, two of the countries formed by the breakup of the Netherlands Antilles.

Dozens of internationalized domain name ccTLDs — those in non-Latin scripts — have been delegated in the meantime.

But South Sudan is the world’s newest country. It formed in 2011 following an independence referendum that saw it break away from Sudan.

It was recognized by the UN as a sovereign nation in July that year and was given the SS delegation by the International Standards Organization on the ISO 3166-2 list a month later.

The country has been wracked by civil war for almost all of its existence, which may well be a reason why it’s taken so long for a delegation request to come up for an ICANN vote. The warring sides agreed to a peace treaty last year.

South Sudan is among the world’s poorest and least-developed nations, with shocking levels of infant and maternal mortality. Having an unfortunate ccTLD is the very least of its problems.

The choice of .ss was made in 2011 by the new South Sudan government in the full knowledge that it has an uncomfortable alternate meaning in the global north, where the string denotes the Schutzstaffel, the properly evil, black-uniformed bastards in every World War II movie you’ve ever seen.

The Anti-Defamation League classifies “SS” as a “hate symbol” that has been “adopted by white supremacists and neo-Nazis worldwide”.

When South Sudan went to ISO for the SS delegation, then-secretary of telecommunications Stephen Lugga told Reuters:

We want our domain name to be ‘SS’ for ‘South Sudan’, but people are telling us ‘SS’ has an association in Europe with Nazis… Some might prefer us to have a different one. We have applied for it anyway, SS, and we are waiting for a reply.

To be fair, it would have been pretty dumb to have applied for a different string, when SS, clearly the obvious choice, was available.

There’s nothing ICANN can do about the string. It takes its lead from the ISO 3166 list. Nor does it have the authority to impose any content-regulation rules on the new registry.

Unless the new South Sudan registry takes a hard line voluntarily, I think it’s a near-certainty that .ss will be used by neo-Nazis who have been turfed out of their regular domains.

The vote of ICANN’s board is scheduled to be part of its main agenda, rather than its consent agenda, so it’s not yet 100% certain that the delegation will be approved.

KSK vote was NOT unanimous

Kevin Murphy, September 18, 2018, Domain Policy

ICANN’s board of directors on Sunday voted to approve the forthcoming security key change at the DNS root, but there was some dissent.

Director Avri Doria, a Nominating Committee appointee, said today that she provided the lone vote against the DNSSEC KSK rollover, which is expected to cause temporary internet access problems for potentially a couple million people next month.

I understand there was also a single abstention to Sunday’s vote.

Doria has released a dissenting statement, in which she said the absence of an external, peer-reviewed study of the risks could prove a problem.

The greatest risk is that out of the millions that will fail after the roll over, some that are serious and may even be critical, may occur; if this happens the lack of peer reviewed studies may be a liability for ICANN, perhaps not legal, but in terms of our reputation as protectors of the stability & security of internet system of names.

She added that she was concerned about the extent that the public has been notified of the rollover plan, and questioned whether the current risk mitigation plan is sufficient.

Doria said she found comments filed by Verisign (pdf) particularly informative to her eventual vote, as well as comments from the At-Large Advisory Committee (pdf), Business Constituency (pdf) and Registries Stakeholder Group (pdf).

These groups had called for more study and data, better outreach, more clearly defined success/failure benchmarks, and more delay.

Doria noted in her dissenting statement that the ICANN board did not have a chance to quiz any of the minority of the members of the Security and Stability Advisory Committee who had called for further delay.

The board’s resolution, apparently arrived at after two hours of formal in-person discussions in Brussels at the weekend, is expected to be published shortly.

The rollover, which has already been delayed a year, is now scheduled to go ahead October 11.

Any impact is expected to be felt within a couple of days, as the change ripples out across the DNS.

ICANN says that any network operator impacted by the change has a simple fix: turn off DNSSEC. Then, if they want, they can update their keys and turn it back on again.