Straggler gTLD signs first ICANN contract for years

One of the outstanding contested gTLDs from the 2012 application round looks set to be delegated finally, after the winning bidder signed its Registry Agreement with ICANN.

Merck Registry Holdings Inc is now the officially contracted registry for .merck, and it appears the intent is to be a dot-brand jointly controlled by two unaffiliated chemical companies of the same name.

An American company and a German company, both called Merck and with common roots that were severed during World War I, now seem set to have equal ownership rights to .merck, after over a decade of legal wrangling.

Both companies applied for .merck, and according to the ICANN process the American one won because the German one withdrew its application.

However, the winning application was amended in 2021 to say that the registry intends to transfer its contract to a newly formed UK company called MM Domain Holdco Ltd.

Company records indicate that this shell firm is a 50:50 joint venture of the two Mercks, with over a million dollars cash in the bank.

It seems that the two firms intend to share the gTLD, and run it as a dot-brand for both of their benefit, which is pretty rare.

GoDaddy likely to win relaxed .xxx deal

GoDaddy seems set to get a renewed and relaxed .xxx registry contract, after ICANN dismissed the concerns of critics of the deal.

In a much-delayed analysis of submissions to a recent public comment period, Org indicated that it is in favor of GoDaddy, via subsidiary ICM Registry, migrating to a Registry Agreement much more in line with sister gTLDs .porn, .adult and .sex.

That would mean an end to the “sponsored” status of .xxx, removing the largely pointless restrictions and streamlining the registration process, and the dissolution of IFFOR, the nominal sponsor, which was criticized by one commenter as a toothless “gravy train”.

Only nine comments were received, and views were mixed, but where commenters were critical of the proposed deal ICANN has stood firm.

Notably, Org dismissed the idea that a public comment period on a Registry Agreement renewal is an appropriate forum to question whether a signatory to that Registry Agreement has historically complied with its terms.

At least two commenters had raised issues, some of which I have reported, about whether ICM had stuck to promises related to funding IFFOR and whether IFFOR had stuck to promises to issue cash grants to worthy causes.

Commenters also said that ICM has already stopped verifying the identities of registrants in its made-up “sponsored community”, which would have enabled it to more easily tackle repeatedly abusive registrants.

But ICANN doesn’t think that kind of thing — which it files under “Misconceptions, assumptions, and allegations and claims” — is suitable for discussion in Public Comments.

“If there are concerns regarding ICM’s compliance with the .XXX RA, such concerns (if any) should be raised with ICANN Compliance for investigation and are considered outside of the scope of this Public Comment proceeding,” the analysis reads.

There’s also no need to replace ICM’s sponsorship commitments with Public Interest Commitments along the lines of those found in most post-2012 gTLDs, according to the Org analysis.

“ICANN has not identified a need to add further, new obligations for the operation of .XXX or to treat .XXX differently than other adult-themed gTLDs, particularly in light of the similar PICs that the .ADULT, .PORN, and .SEX gTLDs have utilized for approximately the last decade,” it reads.

The .xxx agreement was due to expire in early 2021, but its term has been repeatedly extended as negotiations continued behind the scenes. Likewise, the public comment analysis was originally due to be published in late May but was repeatedly delayed.

It’s now up to ICANN’s board of directors, which has already been briefed on the analysis contents, to approve the renegotiated deal.

Tonkin promoted to CEO at auDA

Australian ccTLD overseer auDA has appointed industry veteran Bruce Tonkin to CEO.

It’s an internal promotion; Tonkin has been chief operating officer at auDA since 2018.

He’s replacing Rosemary Sinclair, who intends to leave at the end of the year.

Tonkin was formerly chief strategy officer of Melbourne IT, one of the very first batch of registrars accredited by ICANN a quarter-century ago. It’s now part of Webcentral, though the brand was resurrected a couple years ago.

He also spent nine years on the ICANN board of directors.

.my global relaunch starts slowly despite cheapo prices

Malaysia’s .my ccTLD has so far failed to attract the hoped-for thousands of new registrations since it relaunched to a global audience a few months ago, according to registry statistics.

MYNIC puts the total number of .my domains, including third-levels under the likes of .com.my and .biz.my, at 313,588 at the end of August, barely 3,500 above the end of May number.

Second-level domains directly under .my grew by about 3,000 over the same period to end August at 149,273.

June was when .my was due to go to general availability with scrapped local presence restrictions and a worldwide registrar channel under partnership with Internet Naming Co and Tucows.

Previously, .my domains were only available to Malaysia-based entities. Third-level domains continue to be available only to Malaysians.

MYNIC told the local Malaysian press in April, before the global launch was announced, that it hoped to hit the 400,000-domains mark by the end of the year. Its best monthly number so far was about 341,000, back in June 2018.

There’s not a great deal of retail registrar coverage outside of Asia right now, judging by the registry’s web site, but those registrars actually selling it are selling it cheap — around the $2 mark for the first year at Spaceship and Namecheap.

Hackers break .mobi after Whois domain expires

It’s probably a bad idea to let a critical infrastructure domain expire, even if you don’t use it any more, as Identity Digital seems to be discovering this week.

White-hat hackers at WatchTowr today published research showing how they managed to undermine SSL security in the entire .mobi TLD, by registering an expired domain previously used as the registry’s Whois server.

Identity Digital, which now runs .mobi after a series of acquisitions, originally used whois.dotmobiregistry.net for its Whois server, but this later changed to whois.nic.mobi and the original domain expired last December.

WatchTowr spotted this, registered the name, and set up a Whois server there, which went on to receive 2.5 million queries from 135,000 systems in less than a week.

Sources of the queries included security tools such as VirusTotal and URLSCAN, which apparently hadn’t updated the hard-coded Whois URL list in their software, the researchers said.

GoDaddy and Domain.com were among the registrars whose Whois tools were sending queries to the outdated URL, WatchTowr found.

Incredibly, so was Name.com, which is owned by Identity Digital, the actual .mobi registry.

More worryingly, it seems some Certificate Authorities, responsible for issuing the digital certificates that make SSL work, were also using the old Whois address to verify domain ownership.

WatchTowr says it was possible to obtain a cert for microsoft.mobi by providing its own email address in a phony Whois record served up by its bogus Whois server.

“Effectively, we had inadvertently undermined the CA process for the entire .mobi TLD,” the researchers wrote.

They said they would have also been able to send malicious code payloads to vulnerable Whois clients.

While WatchTowr’s research doesn’t mention ICANN, it might be worth noting that the change from whois.dotmobiregistry.net to whois.nic.mobi is very probably a result of .mobi’s transition to a standardized gTLD registry contract, which requires all registries to use the whois.nic.[TLD] format for their Whois servers.

As a pre-2012 gTLD, .mobi did not have this requirement until it signed a new Registry Agreement in 2017. There are still some legacy gTLDs, such as .post, that have not migrated to the new standard URL format.

The WatchTowr research, with a plentiful side order of cockiness, can be read in full here.

China loses over half a million domains

The Chinese ccTLD .cn shrunk by over half a million domains in the first half of the year, according to the latest semiannual report from the local registry.

There were 19,562,007 registered .cn names at the end of June, down from 20,125,764 at the end of 2023, a decline of 563,757 domains, according to the CNNIC report.

Despite the decline, .cn is still the largest ccTLD, ahead of the 17,703,602 that Germany’s DENIC (.de) reported June 30.

The dip is not surprising. Verisign has pointed to weakness in China as a reason .com’s volume has been tumbling in recent quarters.

The fact that .cn is going down too suggests the negative growth is in fact due to macroeconomic factors rather that Chinese .com registrants migrating to their local ccTLD.

Microsoft switches two gTLDs from GoDaddy to Nominet

Microsoft has moved two of its branded gTLDs from GoDaddy’s registry back-end to Nominet’s.

Records show that .skype and .office both recently made the switch.

Microsoft had already moved six TLDs — .azure, .bing, .hotmail, .microsoft, .windows and .xbox — from Verisign to Nominet about a year ago, and .skype and .office mean its whole collection is now on Nominet’s service.

While .office isn’t technically a dot-brand because it does not have a Spec13 exemption in its ICANN contract, it is in use — you can log in to your email and other services, at least for now, via www.office.

.skype, meanwhile, has a handful of domains that work as redirects to skype.com.

ICANN homes in on new gTLD application fee

ICANN has narrowed down the expected application fee for the next round of new gTLDs, and while it’s towards the lower end of previous guidelines, it’s still much higher than in 2012.

The bog-standard base application fee is now expected to be $220,000, according to a draft document circulated by ICANN.

That’s up on the $185,000 applicants paid in 2012, but it’s at the less-pricey end of the $208,000 to $293,000 range ICANN outlined at its meeting in Rwanda this June.

But the base fee is simply to get your foot in the door. It’s accompanied by an à la carte menu of additional services incurring additional fees, some of which were part of the base fee in 2012.

Because the new gTLD program is being run on a cost-recovery basis, the fee is set according to how many applications ICANN expects to receive, which is rather speculative and based largely on anecdotal evidence.

That predicted number is now 1,500, down on the 1,930 actual applications received in 2012.

The $220,000 fee is the lowest up-front fee that applicants would have to pay, and does not include extra payments they would have to make in the event of contention, additional evaluations or objections.

There are 10 different additional fees that could be incurred by applicants, including one that’s new to me — an “Occupancy fee” which the document says is “for lingering applications”.

I can’t help but think that this is an attempt to avoid a repeat of Nameshop, which applied for the banned string .idn in 2012 and continues to refuse to admit defeat, withdraw its application, and get its refund.

The new ICANN document notes that this proposed squatters’ rent is still open to discussion, but other fees, while not given a price tag yet, appear more likely to become a reality.

It seems dot-brand applicants will have to pay extra fees for their Spec9 and Spec13 exemptions, which allow them to work outside the usual registrar channel and allocate names only to themselves.

Applicants for community gTLDs and geographic strings would also pay extra fees.

There’s also the chance that the base fee could go up before the application window opens, depending on the outcome of some still-unconfirmed parts of the application process, such as the mechanism to address name collision risk. This alone could add thousands to each applicant’s bill.

The good news is that if the next round is significantly over-subscribed and ICANN makes back the $70 million it reckons the program cost, it plans to offer rebates to applicants dependent on how much extra cash it has received.

The draft document also includes estimates for the cost of the Registry Service Provider Evaluation Program, which enables RSPs to get the ICANN seal of approval before pitching their services to new gTLD applicants.

Also priced on a cost-recovery basis, this program is still expected to cost a maximum of $92,000 per RSP, with the costs potentially falling if more than 50 RSPs apply to be accredited.

ICANN has a pretty good idea that the roughly 45 companies currently providing back-end registry services for gTLDs will probably use the RSP program. If a large number of startups or ccTLD registries want to get involved too, that would bring the price down.

Four more dot-brands switch back-ends

Four dot-brand gTLDs have recently changed their back-end providers, according to the latest records, three moving away from Verisign.

US insurance company American Family Insurance has moved its .americanfamily and .amfam from Verisign to GoDaddy, as has AARP, a US interest group representing retired people, with .aarp.

Aquarelle.com Group, a French flower delivery company, has meanwhile switched from French ccTLD operator Afnic to London-based CentralNic (which is still Team Internet’s registry brand).

The AmFam moves are notable because while Verisign has for some time been getting out of the dot-brand back-end business, most of its clients have been migrating to Identity Digital.

I count seven gTLDs making the Verisign-GoDaddy switch, compared to 60 going Verisign-Identity Digital over the last couple years. Verisign is now down to a few dozen dot-brands.

The Aquarelle.com move is notable because it’s rare for a dot-brand to use a back-end in a different time zone that predominantly uses a different language, but Team Internet does have a footprint in France and other Francophone countries so it’s perhaps not wholly weird.

Three of the dot-brands are not heavily used — .aarp has three resolving domains that redirect to aarp.org, while .amfam has about 10 names in its zone that do not publicly resolve and .americanfamily has none.

You might infer from the name “Aquarelle.com” that the company is not a big believer in the dot-brand concept, but you’d be surprisingly wrong — .aquarelle has more than 50 domains that resolve to web sites without redirecting to traditional TLDs.

Almost 100,000 .tr domains registered in one day

Türkiye’s ccTLD has seen a massive spike in registrations, experiencing instant growth of about 8%, at the end of its year-long second-level liberalization process.

The .tr space had 1,187,324 domains at the end of yesterday, according to stats published by government-run registry Trabis, up about 91,000 on the previous day.

That’s more that four time’s .com’s daily growth over the same period.

The sudden growth spurt came due to the registry’s allocation of second-level domains that match previously registered third-level domains under several extensions including .com.tr, .org,tr and .info.tr.

The multi-stage grandfathering process latterly prioritized registrants based on which extension their domain was in and ran from February to early August. The registry decided which registrants had made the cut August 27.

The liberalization came about after Trabis took over from previous registry Nic.tr in 2022. The number of .tr domains has almost doubled since then, crossing on million late last year.

Trabis intends to open up the .tr second level to all comers, full general availability, next Wednesday, September 4.

Türkiye follows the likes of the UK, New Zealand and Australia in opening up the second level of their traditionally three-level spaces.