Latest news of the domain name industry

Recent Posts

Cloudflare “bug” reveals hundreds of secret domain prices

The secret wholesale prices for hundreds of TLDs have been leaked, due to an alleged “bug” at a registrar.

The registry fees for some 259 TLDs, including those managed by Donuts, Verisign and Afilias, are currently publicly available online, after a programmer used what they called a “bug” in Cloudflare’s API to scrape together price lists without actually buying anything.

Cloudflare famously busted into the domain registrar market last September by announcing that it would sell domains at cost, thumbing its nose at other registrars by suggesting that all they’re doing is “pinging an API”.

But because most TLD registries have confidentiality clauses in their Registry-Registrar Agreements, accredited registrars are not actually allowed to reveal the wholesale prices.

That’s kind of a problem if you’re a registrar that has announced that you will never charge a markup, ever.

Cloudflare has tried to get around this by not listing its prices publicly.

Currently, it does not sell new registrations, instead only accepting inbound transfers from other registrars. Registry transaction reports reveal that it has had tens of thousands of names transferred in, but has not created a significant number of new domains.

(As an aside, it’s difficult to see how it could ever sell a new reg without first revealing its price and therefore breaking its NDAs.).

It appears that the only way to manually ascertain the wholesale prices of all of the TLDs it supports would be to buy one of each at a different registrar, then transfer them to Cloudflare, thereby revealing the “at cost” price.

This would cost over $9,500, at Cloudflare’s prices, and it’s difficult to see what the ROI would be.

However, one enterprising individual discovered via the Cloudflare API that the registrar was not actually checking whether they owned a domain before revealing its price.

They were therefore able to compile a list of Cloudflare’s prices and therefore the wholesale prices registries charge.

The list, and the script used to compile it, are both currently available on code repository Github.

The bulk of the list comprises Donuts’ vast portfolio, but most TLDs belonging to Afilias (including the ccTLD .io), XYZ.com and Radix are also on there.

It’s not possible for me to verify that all of the prices are correct, but the ones that are comparable to already public information (such as .com and .net) match, and the rest are all in the ballpark of what I’ve always assumed or have been privately told they were.

The data was last refreshed in April, so without updates its shelf life is likely limited. Donuts, for example, is introducing price increases across most of its portfolio this year.

DI implicated in .sucks “gag order” fight

Vox Populi, the .sucks registry, terminated Com Laude’s accreditation last week due to its belief that the brand protection registrar had leaked a “confidential” document to Domain Incite.

Vox Pop CEO John Berard tonight denied that the company he works for was carrying out a “grudge” against Com Laude, which in January led a charge against a Vox “gag order” on registrars.

As we reported on Friday, Vox terminated Com Laude‘s ability to sell .sucks domains directly, due to a then-unspecified alleged breach of the Registry-Registrar Agreement that binds all .sucks domain registrars.

It now turns out the “breach” was of the part of the .sucks RRA that states that Vox registrars “shall make no disclosures whatsoever” of “confidential informational”, where such confidential information is marked as such.

Berard told DI of the termination: “It was a specific act, violating a specific clause of the contract that had to do with breaching confidentiality, and that’s why the action was taken.”

The specific act was Com Laude allegedly sending DI — me, for avoidance of doubt — a confidential document.

“They have not said they didn’t do it,” Berard said.

He said that, given the amount of scrutiny Vox is under (due to the controversy it has created with its pricing and policies), “it would be crazy of us to ignore a contract breach”.

He declined to identify the document in question.

He said that Vox Pop deployed “forensic research” to discover the identity of the alleged leak.

“It was clear that something that was confidential was distributed, we wanted to know who distributed it,” he said. “We wanted to know who breached confidentiality.”

DI has only published one third-party document related to .sucks this year.

This is it (pdf). It’s a letter drafted by the Registrars Stakeholder Group and sent to ICANN. Here it is (pdf) as published on the ICANN web site.

DI has received other documents related to Vox Pop and .sucks from various parties that I have not published, but I’ve been unable to find any that contained the word “confidential” or that were marked as “confidential”.

According to the .sucks RRA (pdf), “confidential information” is documentation marked or identified “confidential”.

Everything I’ve ever written about .sucks can be found with this search.

.sucks terminates Com Laude as “gag order” row escalates

Vox Populi, the .sucks gTLD registry, has terminated the accreditation of brand protection registrar Com Laude as part of an ongoing dispute between the two companies.

Com Laude won’t be able to sell defensive .sucks registrations to its clients any more, at least not on its own accreditation, in other words.

The London-based registrar is transferring all of its .sucks domains to EnCirca as a result of the termination and says it is considering its options in how to proceed.

The shock move, which I believe to be unprecedented, is being linked to Com Laude’s long-time criticisms of Vox Populi’s pricing and policies.

The registrar today had some rather stern words for Vox Pop. Managing director Nick Wood said in a statement:

We have always been critical of this registry and particularly its sunrise pricing model which we regard as predatory. We have advised clients where possible to consider not registering such names. We hope that all brand owners will think twice before buying or renewing a .sucks domain. After all, it is not possible to block out every variation of a trademark under .sucks. In our view, fair criticism is preferable to dealing with Vox Populi.

Ouch!

The termination is believed to be linked to controversial changes to the .sucks Registry-Registrar Agreement, which Vox Pop managed to sneak past ICANN over Christmas.

One of the changes, some registrars believed, would prevent brand protection registrars from openly criticizing .sucks pricing and policies. They called it a “gag order”.

Com Laude SVP Jeff Neuman was one of the strongest critics. I believe he was a key influence on a Registrar Stakeholder Group letter (pdf) in January which essentially said registrars would boycott the new RRA.

That letter said:

It’s ironic for a Registry whose slogan is “Foster debate, Share opinions” has now essentially proposed implementing a gag order on the registrars that sell the .sucks TLD by preventing them from doing just that

While the RRA dispute was resolved more or less amicably following ICANN mediation, with Vox Pop backpedaling somewhat on its proposed changes, Com Laude now believes the registry has held a grudge.

Its statement does not say what part of the .sucks RRA it is alleged to have breached.

Vox Pop has not yet returned a request for comment. I’ll provide an update should I receive further information.

Com Laude said in a statement today:

Jeff Neuman, our SVP of our North American business, Com Laude USA, led the effort in the Registrar Stakeholder Group to quash proposed changes to Vox Populi’s registry-registrar agreement, in order to protect the interests of brand owners and the registrars who work with them. Since then, Vox Populi has accused Com Laude of breaching the terms of the registry-registrar agreement, a claim we take seriously and refute in its entirety. We are now considering our further options.

Wood added:

We have informed our clients of the action being taken and all have expressed their support for the manner in which we have handled it. We are pleased to have received messages of support from across the ICANN community including other registry operators. Clearly there is strong distaste at the practices of Vox Populi.

Strong stuff.

.sucks “gag order” dropped, approved

Kevin Murphy, April 19, 2016, Domain Registries

Vox Populi, the .sucks registry, has had controversial changes to its registrar contract approved after it softened language some had compared to a “gag order”.

ICANN approved changes to the .suck Registry-Registrar Agreement last week, after receiving no further complaints from registrar stakeholders.

Registrars had been upset by a proposed change that they said would prevent brand-protection registrars from publicly criticizing .sucks:

The purpose of this Agreement is to permit and promote the registration of domain names in the Vox Populi TLDs and to allow Registrar to offer the registration of the Vox Populi TLDs in partnership with Vox Populi. Neither party shall take action to frustrate or impair the purpose of this Agreement.

But Vox has now “clarified” the language to remove the requirement that registrars “promote” .sucks names. The new RRA will say “offer” instead.

Registrars had also complained that the new RRA would have allowed Vox to unilaterally impose new contractual terms with only 15 days notice.

Vox has amended that proposal too, to clarify that changes would come into effect 15 days after ICANN has given its approval.

Vox CEO John Berard told ICANN in a March 18 letter:

VoxPop’s intent was never to alter any material aspect of the Registry Registrar Agreement. Our intent was to clarify legal obligations that already exist in the Agreement, and conform the timeframes for any future amendments with those specified in our ICANN registry contract.

Registrars object to “unreasonable” .bank demands

Registrars are upset with fTLD Registry Services for trying to impose new rules on selling .bank domains that they say are “unreasonable”.

The Registrar Stakeholder Group formally relayed its concerns about a proposed revision of the .bank Registry-Registrar Agreement to ICANN at the weekend.

A key sticking point is fTLD’s demand that each registrar selling .bank domains have a dedicated .bank-branded web page.

Some registrars are not happy about this, saying it will “require extensive changes to the normal operation of the registrar.”

“Registrars should not be required to establish or maintain a “branded webpage” for any extension in order to offer said extension to its clients,” they told ICANN.

i gather that registrars without a full retail presence, such as corporate registrars that sell mainly offline, have a problem with this.

There’s also a slippery slope argument — if every gTLD required a branded web page, registrars would have hundreds of new storefronts to develop and maintain.

fTLD also wants registrars to more closely align their sales practices with its own, by submitting all registration requests from a single client in a single day via a bulk registration form, rather than live, or pay an extra $125 per-name fee.

This is to cut down on duplicate verification work at the registry, but registrars say it would put a “severe operational strain” on them.

There’s also a worry about a proposed change that would make registrars police the .bank namespace.

The new RRA says: “Registrar shall not enable, contribute to or willing aid any third party in violating Registry Operator’s standards, policies, procedures, or practices, and shall notify Registry Operator immediately upon becoming aware of any such violation.”

But registrars say this “will create a high liability risk for registrars” due to the possibility of accidentally overlooking abuse reports they receive.

The registrars’ complaints have been submitted to ICANN, which will have to decide whether fTLD is allowed to impose its new RRA or not.

The RrSG’s submission is not unanimously backed, however. One niche-specializing registrar, EnCirca, expressed strong support for the changes.

In a letter also sent to ICANN, it said that none of the proposed changes are “burdensome”, writing:

EnCirca fully supports the .BANK Registry’s efforts to ensure potential registrants are fully informed by Registrars of their obligations and limitations for .BANK.  This helps avoid confusion and mis‐use by registrants, which can cause a loss of trust in the Registry’s stated mission and commitments to the banking community.

fTLD says the proposed changes would bring the .bank RRA in line with the RRA for .insurance, which it also operates.

The .insurance contract has already been signed by several registrars, it told ICANN.

  • Page 1 of 2
  • 1
  • 2
  • >