Latest news of the domain name industry


No SSAD before 2028? ICANN publishes its brutal review of Whois policy

Kevin Murphy, January 25, 2022, Domain Policy

Emergency measures introduced by ICANN to reform Whois in light of new privacy laws could wind up taking a full decade, or even longer, to bear dead-on-the-vine fruit.

That’s arguably the humiliating key takeaway from ICANN’s review of community-created policy recommendations to create a Standardized System for Access and Disclosure (SSAD), published this evening.

The Org has released its Operational Design Assessment (pdf) of SSAD, the first-ever ODA, almost nine months after the Operational Design Phase was launched last April.

It’s a 122-page document, about half of which is appendices, that goes into some detail about how SSAD and its myriad components would be built and by whom, how long it would take and how much it would cost.

It’s going to take a while for the community (and me) to digest, and while it generally veers away from editorializing it does gift opponents of SSAD (which may include ICANN itself) with plenty of ammunition, in the form of enumerated risk factors and generally impenetrable descriptions of complex systems, to strangle the project in the crib.

Today I’m just going to look at the timing.

Regular DI readers will find little to surprise them among the headline cost and timeline predictions — they’ve been heavily teased by ICANN in webinars for over a month — but the ODA goes into a much more detailed breakdown.

SSAD, ICANN predicts, could cost as much as $27 million to build and over $100 million a year to operate, depending on adoption, the ODA says. We knew this already.

But the ODA contains a more detailed breakdown of the timeline to launch, and it reveals that SSAD, at the most-optimistic projections, would be unlikely to see the light of day until 2028.

That’s a decade after the European Union introduced the GDPR privacy law in May 2018.

Simply stated, the GDPR told registries and registrars that the days of unfettered access to Whois records were over — the records contain personal information that should be treated with respect. Abusers could be fined big.

ICANN had been taken off-guard by the law. GDPR wasn’t really designed for Whois and ICANN had not been consulted during its drafting. The Org started to plan for its impact on Whois barely a year before it became effective.

It used the unprecedented top-down emergency measure of the Temporary Specification to force contracted parties to start to redact Whois data, and the GNSO Council approved an equally unprecedented Expedited Policy Development Process, so the community could create some bottom-up policy.

The EPDP was essentially tasked with creating a way for the people who found Old Whois made their jobs easier, such as intellectual property lawyers and the police, to request access to the now-private personal data.

It came up with SSAD, which would be a system where approved, accredited users could funnel their data requests through a centralized gateway and have some measure of assurance that they would at least be looked at in a standardized way.

But, considering the fact that they would not be guaranteed to have their requests approved, the system would be wildly complex, potentially very expensive, and easily circumvented, the ODP found.

It’s so complex that ICANN reckons it will take between 31.5 and 42 months for an outsourced vendor to build, and that’s after the Org has spent two years on its Implementation Review Team activities.

[Figure: SSAD timeline]

That’s up to almost six years from the moment ICANN’s board of directors approves the GNSO’s SSAD recommendations. That could come as early as next month (but as I reported earlier today, that seems increasingly unlikely).

The ODA points out that this timetable could be extended due to factors such as new legislation being introduced around the world that would affect the underlying privacy assumptions with which SSAD was conceived.

And this is an “expedited” process, remember?

Ten years ago, under different management and a different set of bylaws, ICANN published some research into the average duration of a Policy Development Process.

The average PDP took 620 days back then, from the GNSO Council kicking off the process to the ICANN board voting to approve or reject the policy. I compared it to an elephant pregnancy, the longest gestation period of all the mammals, to emphasize how slow ICANN had become.

Slow-forward to today, when the “expedited” PDP leading to SSAD has so far lasted 1,059 days, if we’re counting from when Phase 2 began in March 2019. It’s taken 1,287 days if we’re being less generous and counting from the original EPDP kicking off.

Nelly could have squeezed out two ankle-nibblers in that time. Two little elephants, one of which would most assuredly be white.


ICANN board not happy with $100 million Whois reform proposals

Kevin Murphy, January 25, 2022, Domain Policy

ICANN’s board of directors has given its clearest indication yet that it’s likely to shoot down community proposals for a new system for handling requests for private Whois data.

Referring to the proposed System for Standardized Access and Disclosure, ICANN chair Maarten Botterman said “the Board has indicated it may not be able to support the SSAD recommendations as a whole”.

In a letter (pdf) to the GNSO Council last night, Botterman wrote:

the complexity and resources required to implement all or some of the recommendations may outweigh the benefits of an SSAD, and thus may not be in the best interests of ICANN nor the ICANN community.

The SSAD would be a centralized way for accredited users such as trademark lawyers, security researchers and law enforcement officers to request access to Whois data that is currently redacted due to privacy laws such as GDPR.

The system was the key recommendation of a GNSO Expedited Policy Development Process working group, but an ICANN staff analysis last year, the Operational Design Phase, concluded that it could be incredibly expensive to build and operate while not providing the functionality the trademark lawyers et al require of it.

ICANN was unable to predict with any accuracy how many people would likely use SSAD. It will this week present its final ODP findings, estimating running costs of between $27 million and $107 million per year and a user base of 25,000 to three million.

At the same time, ICANN has pointed out that its own policies cannot overrule GDPR. Registries and registrars still would bear the legal responsibility to decide whether to supply private data to requestors, and requestors could go to them directly to bypass the cost of SSAD altogether. Botterman wrote:

This significant investment in time and resources would not fundamentally change what many in the community see as the underlying problem with the current process for requesting non-public gTLD registration data: There is no guarantee that SSAD users would receive the registration data they request via this system.

ICANN management and board seem to be teasing the GNSO towards revising and scaling back its recommendations to make SSAD simpler and less costly, perhaps by eliminating some of its more expensive elements.

This moves ICANN into the perennially tricky territory of opening itself up to allegations of top-down policy-making.

Botterman wrote:

Previously, the Board highlighted its perspective on the importance of a single, unified model to ensure a common framework for requesting non-public gTLD registration data. However, in light of what we’ve learned to date from the ODP, the Board has indicated it may not be able to support the SSAD recommendations as a whole as envisioned by the EPDP. The Board is eager to discuss next steps with the Council, as well as possible alternatives to design a system that meets the benefits envisioned by the EPDP

The board wants to know whether the GNSO Council shares its concerns. The two parties will meet via teleconference on Thursday to discuss the matter. The ODP’s final report may be published before then.


Over 6,000 Brexit domains snapped up after mass delete

Kevin Murphy, January 21, 2022, Domain Registries

EURid saw about 6,000 .eu domain names that formerly belonged to Brits re-registered in the first day after a mass delete at the start of the month.

“Around 6000 Brexit-related domain names were re-registered during the first day, and around 6500 as of today,” a registry spokesperson said.

EURid had released around 48,000 domains in batches on January 3, so the portion of domains considered valuable enough to snap up was about 13.5%.

The domains had belonged to UK citizens who no longer qualify for .eu after Brexit came into effect a year ago.

Registrants had been given many chances to retain their names by transferring them to an entity in the remaining EU and EEA states, or to an EU/EEA citizen residing in the UK.

There were almost 300,000 .eu domains registered in the UK at the time of the Brexit referendum in 2016.


Verisign saw MASSIVE query spike during Facebook outage

Kevin Murphy, January 21, 2022, Domain Tech

Verisign’s .com and .net name servers saw a huge spike in queries when Facebook went offline for hours last October, Verisign said this week.

Queries for facebook.com, instagram.com, and whatsapp.net peaked at over 900,000 per second during the outage, up from a normal rate of 7,000 per second, a more than 100x increase, the company said in a blog post.

The widely publicized Facebook outage was caused by its IP addresses, including the IP addresses of its DNS servers, being accidentally withdrawn from routing tables. At first it looked to outside observers like a DNS failure.

When computers worldwide failed to find Facebook on their recursive name servers, they went up the hierarchy to Verisign’s .com and .net servers to find out where they’d gone, which led to the spike in traffic to those zones.

Traffic from DNS resolver networks run by Google and Cloudflare grew by 7,000x and 2,000x respectively during the outage, Verisign said.

The company also revealed that the failure of .club and .hsbc TLDs a few days later had a similar effect on the DNS root servers that Verisign operates.

Queries for the two TLDs at the root went up 45x, from 80 to 3,700 queries per second, Verisign said.

While the company said its systems were not overloaded, it subtly criticized DNS resolver networks such as Google and Cloudflare for “unnecessarily aggressive” query-spamming, writing:

We believe it is important for the security, stability and resiliency of the internet’s DNS infrastructure that the implementers of recursive resolvers and public DNS services carefully consider how their systems behave in circumstances where none of a domain name’s authoritative name servers are providing responses, yet the parent zones are providing proper referrals. We feel it is difficult to rationalize the patterns that we are currently observing, such as hundreds of queries per second from individual recursive resolver sources. The global DNS would be better served by more appropriate rate limiting, and algorithms such as exponential backoff, to address these types of cases

Verisign said it is proposing updates to internet standards to address this problem.


.xxx shows up in botnet top-five TLDs for the first time

Kevin Murphy, January 21, 2022, Domain Registries

It is a truth universally acknowledged that the cheaper a TLD, the more likely it is to be abused by bad actors, and that may be what happened to .xxx in the fourth quarter.

SpamHaus listed .xxx as its fourth most-abused TLD for botnet command and control domains in its newly published Q4 statistics, a new entry on the top 20 table that raised researchers’ eyebrows.

From zero, .xxx went up to 223 C&C domains in the period, sandwiched between .ga’s 143 and .xyz’s 396, SpamHaus said. It worked out to 2.4% of .xxx’s active domains, the company said.

.com was of course still the runaway leader, with 3,719 C&C domains. .top came in second, with 715 domains.

SpamHaus said:

We don’t often see new TLD entries within the top five of this Botnet C&C Top 20; however, .xxx, an adult TLD, run by registry ICM, has entered at #4. With less than 10,000 active domains but a total of 223 domains associated with botnet C&C activity in Q4 we can only assume that there are problems.

It’s noteworthy because .xxx is not a cheap TLD. With wholesale prices around $60, they usually sell for around $100 a year. Botnet operators, like other types of malefactor, usually choose cheap domains for their activities.

But in 2021 .xxx was celebrating its 10th anniversary, and at least one company was offering names at a .com-equivalent $10 a year, starting in the middle of the year and extending into Q4.

While .xxx registry ICM is now owned by GoDaddy, it was still part of MMX at the time the pricing promotion began.


ICANN splits $9 million new gTLD ODP into nine tracks

Kevin Murphy, January 20, 2022, Domain Policy

ICANN has added a little more detail to its plans for the Operational Design Phase for the next round of the new gTLD program.

VP and ODP manager Karen Lentz last night blogged that the project is being split into nine work tracks, each addressing a different aspect of the work.

She also clarified that the ODP officially kicked off January 3, meaning the deadline for completion, barring unforeseen issues, is November 3. The specific dates hadn’t been clear in previous communications.

The nine work tracks are “Project Governance”, “Policy Development and Implementation Materials”, “Operational Readiness”, “Systems and Tools”, “Vendors”, “Communications and Outreach”, “Resources, Staffing, and Logistics”, “Finance”, and “Overarching”.

Thankfully, ICANN has not created nine new acronyms to keep track of. Yet.

Pro-new-gTLD community members observing how ICANN’s first ODP, which addressed Whois reform, seemed to result in ICANN attempting to kill off community recommendations may be worried by how Lentz described the new ODP:

The purpose of this ODP, which began on 3 January, is to inform the ICANN Board’s determination on whether the recommendations are in the best interests of ICANN and the community.

I’d be hesitant to read too much into this, but it’s one of the clearest public indications yet that subsequent application rounds are not necessarily a fait accompli — the ICANN board could still decide to force the community to go back to the drawing board if it decides the current recommendations are harmful or too expensive.

I don’t think that’s a likely outcome, but the thought that it was a possibility hadn’t seriously crossed my mind until quite recently.

Lentz also refers to “the work required to prepare for the next round and subsequent rounds”, which implies ICANN is still working on the assumption that the new gTLD program will go ahead.

The ICANN board has given Org 10 months and a $9 million budget, paid out of 2012-round application fee leftovers, to complete the ODP. The output will be an Operational Design Assessment, likely to be an enormous document, that the board will consider, probably in the first half of next year, before implementation begins.


“We fell short” — Tucows says sorry for Enom downtime

Kevin Murphy, January 19, 2022, Domain Registrars

Tucows has apologized to thousands of Enom customers who suffered days of downtime after a planned data center migration went badly wrong.

Showing true Canadian humility, the registrar posted the following statement this evening:

Beginning Saturday, January 15, 2022, Enom experienced a series of complications with a planned data center migration that caused significant disruptions for a subset of our customers.

We sincerely apologize to all of those impacted. We pride ourselves on being a reliable domain registration platform, and this weekend we fell short. We are committed to regaining your trust and to serving you better.

A full internal audit is underway and an incident report is forthcoming. This will include a summary of events and scope, learnings, and policy and process changes to mitigate future issues.

We reported on the downtime on Monday, as some customers were entering their third day of non-resolving DNS, which led to broken web sites and email.

At the time, Enom was saying it was tracking a “few hundred” affected domains. As customers suspected, that turned out to be a huge underestimate. The true number was closer to 350,000 domains, Tucows is now saying.

The company had been warning its customers about the planned maintenance for weeks, but it did not anticipate “a bug in the new DNS provisioning system” that stopped customers’ domains resolving.

The migration started Saturday January 15 at 1400 UTC and was expected to last 12 hours. In the end, the DNS issue was not fully fixed until Monday January 17 at about 1845 UTC.


Crain named ICANN CTO

Kevin Murphy, January 19, 2022, Domain Policy

ICANN veteran John Crain has been named the Org’s new chief technology officer.

He’s replacing David Conrad, who he’s been subbing in for since Conrad left at the end of September.

Crain has been with ICANN for 20 years and was most recently chief security, stability, and resiliency officer.


Bank spends $800,000 to move from a .bank to the exact-match .com

Kevin Murphy, January 19, 2022, Domain Sales

A small Wisconsin bank has acquired the exact-match .com for its brand for $800,000.

Bank First currently uses a .bank domain, bankfirstwi.bank, but has decided to rebrand to bankfirst.com, CFO Kevin LeMahieu told DI today.

In what many domainers will consider an “upgrade”, the .com was purchased during the fourth quarter from another financial institution.

Its new domain currently redirects to the old .bank domain.

The exact-match .bank domain, bankfirst.bank, belongs to an unrelated Mississippi bank with a similar name. But that company doesn’t use it, preferring instead bankfirstfs.com.

.bank is a tightly restricted and secured gTLD launched in 2015 where domains cost about $1,000 a year. It currently has fewer than 5,000 domains under management.


Battle for .web “far from over”, says Afilias lawyer

Kevin Murphy, January 19, 2022, Domain Registries

Altanovo Domains’ fight with Verisign and ICANN for the .web gTLD is not over, despite an adverse ruling late last month, according to a top lawyer for the company.

Altanovo, the company previously known as Afilias Domains No 3, has not thrown in the towel and left the path clear for Verisign to launch .web, Arif Ali of the law firm Dechert told DI last night.

“Bottom line: this matter is far from over and no, Verisign doesn’t ‘get to run .web after all;’ certainly if the Board does its job objectively and fairly,” he said in an email.

He said this just hours before ICANN published its latest, but by no means final, board resolution on the .web case.

Ali represented Afilias in its Independent Review Process complaint against ICANN’s decision to award .web to Verisign following a 2016 auction, which was won by a company called Nu Dot Co, secretly backed by $135 million of Verisign’s money.

Afilias technically won its IRP, with the panel ruling last May that ICANN broke its bylaws by shirking its duty to address Afilias’ claim that NDC broke new gTLD program rules. Afilias said ICANN should have forced NDC to disclose itself as a Verisign pawn before the auction went ahead.

ICANN got close to signing a registry agreement for .web with NDC, despite it being an open question as to whether the auction was legit, the panel ruled. It ordered ICANN to pay Afilias its $450,000 in legal fees and $479,458 of IRP costs.

What the IRP did not do was void the Verisign/NDC bid, nor give Afilias rights to .web.

Instead, it instructed ICANN to stay the .web contract-signing until its board has formally “considered and pronounced upon the question of whether the [Verisign-NDC Domain Acquisition Agreement] complied with the New gTLD Program Rules”.

The board had held a secret, undocumented discussion about the case in November 2016 and decided to keep its mouth shut and just let the IRP play out, according to the IRP ruling, which essentially told the board to stop avoiding difficult questions and to actually make a call on the legitimacy of the Verisign play.

Before the board could do so, Afilias/Altanovo filed an unprecedented appeal with the IRP panel. Technically an “application for an additional decision and interpretation”, Afilias asked the IRP panel to definitively answer the question of whether Verisign broke the rules rather than merely passing the hot potato back to ICANN’s board.

But in a December 21 decision (pdf), the IRP panel denied Afilias’ request as “frivolous” in its entirety, writing:

The Panel has dismissed the [Afilias] Application in its entirety. In the opinion of the Panel, under the guise of seeking an additional decision, the Application is seeking reconsideration of core elements of the Final Decision. Likewise, under the guise of seeking interpretation, the Application is requesting additional declarations and advisory opinions on a number of questions, some of which had not been discussed in the proceedings leading to the Final Decision.

In such circumstances, the Panel cannot escape the conclusion that the Application is “frivolous” in the sense of it “having no sound basis (as in fact or law)”. This finding suffices to entitle the Respondent [ICANN] to the cost shifting decision it is seeking and obviates the necessity of determining whether the Application is also “abusive”.

The panel told Afilias to pay ICANN’s $236,884 legal fees and the panel’s costs of $140,335, leaving Afilias out of pocket and back to square one in terms of getting clarity on whether Verisign’s actions were kosher.

Afilias had basically accused the panel of shirking its duties and punting its decision on Verisign’s auction bid in much the same way as the panel decided that ICANN had shirked its duties and punted its decision on Verisign’s auction bid.

Nobody seems to want to make a call on whether the successful Verisign-NDC ploy to win the .web auction with a secretly bankrolled bid was legit.

On Sunday, the full ICANN board met to discuss the outcome of the IRP and — surprise surprise — it punted again, instructing a subcommittee to look more closely at the matter:

the Board asks the Board Accountability Mechanisms Committee (BAMC) to review, consider, and evaluate the IRP Panel’s Final Declaration and recommendation, and to provide the Board with its findings to consider and act upon before the organization takes any further action toward the processing of the .WEB application(s).

There’s not yet a publicly announced date for the next BAMC meeting. It tends to meet as and when needed, so we might not have too long to wait.

Once the committee has made a decision, it would be referred back to the full board for a final rubber stamp, and it seems that only after that would Afilias make its next move.

Ali, in an email sent to DI just a few hours before ICANN published its Sunday board resolution last night, said:

The [IRP] Panel also made it clear that the Board can’t just punt on the matter as it did previously, but must decide it, and that its decision is subject to review by a future IRP panel.

There’s nothing preventing Afilias filing another IRP to challenge the board’s ultimate decision, should it favor Verisign. Likewise, if it favors Afilias, Verisign could use IRP to appeal.

Verisign has been pursuing a counter-claim against Afilias, albeit so far only in the court of public opinion, accusing the company of breaking ICANN’s rules by trying to secretly “rig” the .web auction during a communications blackout period.

Ali calls this a “red herring”, among other things.

In my view, whichever way ICANN’s board goes, it’s going to wind up back in an IRP.

With IRP proceedings typically measured in years, and no indication that Afilias or Verisign are ready to back down, it seems the .web saga may still have some considerable time left on the clock.

If you’re desperate to register a .web domain, don’t hold your breath.

Note: most of Afilias was acquired by Donuts a year ago, but the .web application was not part of the deal. The IRP proceedings have continued to refer to “Afilias” interchangeably with “Altanovo”, and I’m doing the same in my coverage.
