Donuts loses to ICANN in $135 million .web auction appeal

Kevin Murphy, October 16, 2018, Domain Registries

Donuts has lost a legal appeal against ICANN in its fight to prevent Verisign running the .web gTLD.

A California court ruled yesterday that a lower court was correct when it ruled almost two years ago that Donuts had signed away its right to sue ICANN, like all gTLD applicants.

The judges ruled that the lower District Court had “properly dismissed” Donuts’ complaint, and that the covenant not to sue in the Applicant Guidebook is not “unconscionable”.

Key in their thinking was the fact that ICANN has an Independent Review Process in place that Donuts could use to continue its fight against the .web outcome.

The lawsuit was filed by Donuts subsidiary Ruby Glen in July 2016, shortly before .web was due to go to an ICANN-managed last-resort auction.

Donuts and many others believed at the time that one applicant, Nu Dot Co, was being secretly bankrolled by a player with much deeper pockets, and it wanted the auction postponed and ICANN to reveal the identity of this backer.

Donuts lost its request for a restraining order.

The auction went ahead, and NDC won with a bid of $135 million, which subsequently was confirmed to have been covertly funded by Verisign.

Donuts then quickly amended its complaint to include claims of negligence, breach of contract and other violations, as it sought $22.5 million from ICANN.

That’s roughly how much it would have received as a losing bidder had the .web contention set been settled privately and NDC still submitted a $135 million bid.

As it stands, ICANN has the $135 million.

That complaint was also rejected, with the District Court disagreeing with earlier precedent in the .africa case and saying that the covenant not to sue is enforceable.

The Appeals Court has now agreed, so unless Donuts has other legal appeals open to it, the .web fight will be settled using ICANN mechanisms.

The ruling does not mean ICANN can go ahead and delegate .web to Verisign.

The .web contention set is currently “on-hold” because Afilias, the second-place bidder in the auction, has since June been in a so-called Cooperative Engagement Process with ICANN.

CEP is a semi-formal negotiation-phase precursor to a full-blown IRP filing, which now seems much more likely to go ahead following the court’s ruling.

The appeals court ruling has not yet been published by ICANN, but it can be viewed here (pdf).

The court heard arguments from Donuts and ICANN lawyers on October 9, the same day that DI revealed that ICANN Global Domains Division president Akram Atallah had been hired by Donuts as its new CEO.

A recording of the 32-minute hearing can be viewed on YouTube here.

KSK vote was NOT unanimous

Kevin Murphy, September 18, 2018, Domain Policy

ICANN’s board of directors on Sunday voted to approve the forthcoming security key change at the DNS root, but there was some dissent.

Director Avri Doria, a Nominating Committee appointee, said today that she provided the lone vote against the DNSSEC KSK rollover, which is expected to cause temporary internet access problems for potentially a couple million people next month.

I understand there was also a single abstention to Sunday’s vote.

Doria has released a dissenting statement, in which she said the absence of an external, peer-reviewed study of the risks could prove a problem.

The greatest risk is that out of the millions that will fail after the roll over, some that are serious and may even be critical, may occur; if this happens the lack of peer reviewed studies may be a liability for ICANN, perhaps not legal, but in terms of our reputation as protectors of the stability & security of internet system of names.

She added that she was concerned about the extent that the public has been notified of the rollover plan, and questioned whether the current risk mitigation plan is sufficient.

Doria said she found comments filed by Verisign (pdf) particularly informative to her eventual vote, as well as comments from the At-Large Advisory Committee (pdf), Business Constituency (pdf) and Registries Stakeholder Group (pdf).

These groups had called for more study and data, better outreach, more clearly defined success/failure benchmarks, and more delay.

Doria noted in her dissenting statement that the ICANN board did not have a chance to quiz any of the minority of the members of the Security and Stability Advisory Committee who had called for further delay.

The board’s resolution, apparently arrived at after two hours of formal in-person discussions in Brussels at the weekend, is expected to be published shortly.

The rollover, which has already been delayed a year, is now scheduled to go ahead October 11.

Any impact is expected to be felt within a couple of days, as the change ripples out across the DNS.

ICANN says that any network operator impacted by the change has a simple fix: turn off DNSSEC. Then, if they want, they can update their keys and turn it back on again.

ICANN faces critical choice as security experts warn against key rollover

Kevin Murphy, August 23, 2018, Domain Tech

Members of ICANN’s top security body have advised the organization to further delay plans to change the domain name system’s top cryptographic key.

Five dissenting members of the influential, 22-member Security and Stability Advisory Committee said they believe “the risks of rolling in accordance with the current schedule are larger than the risks of postponing”.

Their comments relate to the so-called KSK rollover, which would see ICANN for the first time ever change the key-signing key that acts as the trust anchor for all DNSSEC queries on the internet.

ICANN is fairly certain rolling the key will cause DNS resolution problems for some — possibly as much as 0.05% of the internet or a couple million people — but it currently lacks the data to be absolutely certain of the scale of the impact.

What it does know — explained fairly succinctly in this newly published guide (pdf) — is that within 48 hours of the roll, a certain small percentage of internet users will start to see DNS resolution fail.

But there’s a prevailing school of thought that believes the longer the rollover is postponed, the bigger that number of affected users will become.

The rollover is currently penciled in for October 11, but the ultimate decision on whether to go ahead rests with the ICANN board of directors.

David Conrad, the organization’s CTO, told us last week that his office has already decided to recommend that the roll should proceed as planned. At the time, he noted that SSAC was a few days late in delivering its own verdict.

Now, after some apparently divisive discussions, that verdict is in (pdf).

SSAC’s majority consensus is that it “has not identified any reason within the SSAC’s scope why the rollover should not proceed as currently planned.”

That’s in line with what Conrad and the Root Server System Advisory Committee have said. But SSAC noted:

The assessment of risk in this particular area has some uncertainty and therefore includes a component of subjective judgement. Individuals (including some members of the SSAC) have different assessments of the overall balance of risk of the resumption of this plan.

It added that it’s up to the ICANN board (comprised largely of non-security people) to make the final call on what the acceptable level of risk is.

The minority, dissenting opinion gets into slightly more detail:

The decision to proceed with the keyroll is a complex tradeoff of technical and non-technical risks. While there is risk in proceeding with the currently planned roll, we understand that there is also risk in further delay, including loss of confidence in DNSSEC operational planning, potential for more at-risk users as more DNSSEC validation is deployed, etc.

While evaluating these risks, the consensus within the SSAC is that proceeding is preferable to delay. We personally evaluate the tradeoffs differently, and we believe that the risks of rolling in accordance with the current schedule are larger than the risks of postponing and focusing heavily on additional research and outreach, and in particular leveraging newly developed techniques that provide better signal and fidelity into potentially impacted parties.

We would like to reiterate that we understand our colleagues’ position, but evaluate the risks and associated mitigation prospects differently. We believe that the ultimate decision lies with the ICANN Board, and do not envy them with this decision.

SSAC members are no slouches when it comes to security expertise, and the dissenting members are no exception. They are:

  • Lyman Chapin, co-owner of Interisle Consulting, a regular ICANN contractor perhaps best-known to DI readers for carrying out a study into new gTLD name collisions five years ago.
  • Kimberly “kc claffy” Claffy, head of the Center for Applied Internet Data Analysis at the University of California in San Diego. CAIDA does nothing but map and measure the internet.
  • Jay Daley, a registry executive with a technical background whose career includes senior stints at .uk and .nz. He’s currently keeping the CEO’s chair warm at .org manager Public Interest Registry.
  • Warren Kumari, a senior network security engineer at Google, which is probably the largest early adopter of DNSSEC on the resolution side.
  • Danny McPherson, Verisign’s chief security officer. As well as .com, Verisign runs two of the 13 root servers, including the master A-root. It’s running the boxes that sit at the top of the DNSSEC hierarchy.

It may be the first time SSAC has failed to reach a full-consensus opinion on a security matter. If it has ever published a dissenting opinion before, I certainly cannot recall it.

The big decision about whether to proceed or delay is expected to be made by the ICANN board during its retreat in Brussels, a three-day meeting that starts September 14.

Given that ICANN’s primary mission is “to ensure the stable and secure operation of the Internet’s unique identifier systems”, it could turn out to be one of ICANN’s biggest decisions to date.

New gTLDs rebound in Q2

Kevin Murphy, August 21, 2018, Domain Registries

New gTLD registration volumes reversed a long trend of decline in the second quarter, according to Verisign’s latest Domain Name Industry Brief.

The DNIB (pdf), published late last week, shows new gTLD domains up by 1.6 million sequentially to 21.8 million at the end of June, a 7.8% increase.

That’s the first time Verisign’s numbers have shown quarterly growth for new gTLDs since December 2016, five quarters of shrinkage ago.

Quarter    Domains (millions)
Q3 2016    23.4
Q4 2016    25.6
Q1 2017    25.4
Q2 2017    24.3
Q3 2017    21.1
Q4 2017    20.6
Q1 2018    20.1
Q2 2018    21.8

The best-performing new gTLD across Q2 was .top according to my zone file records, adding about 600,000 names.

.top plays almost exclusively into the sub-$1 Chinese market and is regularly singled out as a spam-friendly zone. Spamhaus currently ranks it as almost 45% “bad”.

Overall, the domain universe saw growth of six million names, or 1.8%, finishing the quarter at 339.8 million names, according to Verisign.

Verisign’s own .com ended Q2 with 135.6 million domains, up from 133.9 million at the end of March.

That’s a sequential increase of 1.7 million, only 100,000 more than the total net increase from the new gTLD industry.

.net is still suffering, however, flat in the period with 14.1 million names.

ccTLDs saw an increase of 3.5 million names, up 2.4%, to end June at 149.7 million, the DNIB states.

But that’s mainly as a result of free TLD .tk, which never deletes names. Stripping its growth out (Verisign and partner ZookNic evidently have access to .tk data now) total ccTLD growth would only have been 1.9 million names.

Have your say on single-character .com domains

ICANN wants your opinion on its plan to allow Verisign to auction off o.com, with a potential impact on the future release of other single-character .com domain names.

The organization has published a proposed amendment to the .com registry contract and opened it for public comment.

The changes would enable Verisign to sell o.com, while keeping all other currently unallocated single-character names on its reserved list.

The company would not be able to benefit financially from the auction beyond its standard $7.85 reg fee — all funds would be held by an independent third-party entity and distributed to undisclosed non-profit causes.

The arrangement would also see the buyer pay a premium renewal fee of 5% of the initial outlay, doubling the purchase price over the course of 25 years.

They would not be able to resell the domain without selling the registrant company itself.

It’s a pretty convoluted system being proposed, given that there may well end up only being one bidder.

Overstock.com, the online retailer, has been pressuring ICANN and Verisign to release o.com for well over a decade, and the proposed auction seems to be a way to finally shut it up.

The company has a US trademark on O.com, so any other bidder for the name would probably be buying themselves a lawsuit.

The proposed auction system does not address trademark issues — there’s no sunrise period or trademark claims period.

One party already known to be upset about lack of rights protection is First Place Internet, a search engine company that has a US trademark on the number 1.

It told ICANN (pdf) back in January that the o.com deal would “set a dangerous precedent” for future single-character name releases.

The ICANN public comment period, which comes after ICANN received the all-clear from US competition regulators, closes June 20.

As a matter of disclosure, several years ago I briefly acted as a consultant to a third party in support of the Verisign and Overstock positions, but I have no current interest in the situation one way or the other.