On day one, Donuts in breach of new gTLD contract

Ooops! Donuts accidentally broke the terms of its first new gTLD Registry Agreement last night, just hours after its first string, .游戏, was delegated to the DNS root.
If you’ve been following the name collisions debate closely, you’ll recall that all new gTLD registries are banned from activating any second-level domains for 120 days after they sign their contracts:

Registry Operator shall not activate any names in the DNS zone for the Registry TLD (except for “NIC”) until at least 120 calendar days after the effective date of this agreement.

For the first four gTLDs to go live, that clock doesn’t stop ticking until November 12.
And yet, last night, Donuts activated donuts.游戏, apparently in violation of its new contractual obligations with ICANN.
The name was live and resolving for at least an hour. Donuts pulled it after we asked a company executive whether it might be a breach of contract.
I don’t think it’s a big deal, and I doubt ICANN needs to take any action.
Chalk it down to the understandable ebullience that naturally accompanies finally getting delegated to the root after such a long and painful evaluation process.
The 120-day rule was also a late amendment to Specification 6 of the RA, added by ICANN just seven days before .游戏 was delegated and over three months after Donuts signed the original contract.
It’s designed to address the potential for collisions between second-level domains in new gTLDs and names used on internal networks that already have working SSL certificates.
The no-activation window was chosen to match the 120-day period that the CA/Browser Forum gives its certificate authority members to revoke clashing certificates.
It seems unlikely donuts.游戏 will have caused any security issues during the brief period it was alive.

First new gTLDs delegated (really!)

ICANN has delegated the first new gTLDs to the DNS root.
All four of the first batch of internationalized domain names appear to be present right now in root zone file:

• .xn--ngbc5azd (شبكة.) — means “.web” in Arabic. Operated by dotShabaka Registry.
• .xn--unup4y (.游戏) — means “.games” in Chinese. Operated by Donuts.
• .xn--80aswg (.сайт) — means “.site” in several Cyrillic languages. Operated by CORE Association.
• .xn--80asehdb (.онлайн) — means “.online” in several Cyrillic languages. Also operated by CORE Association.

Infuriatingly, and appropriately given the glitches that have plagued the program for the last 18 months, the news seems to have been announced unexpectedly by ICANN VP Christine Willett during a webinar that most listeners had been kicked out of due to a technical problem.
The race is now one to see which of the four will be the first to go live with a resolving web site.

Directi’s Radix wins .website gTLD auction

Directi-affiliated TLD registry Radix, has won the private auction for the .website gTLD, according to Radix.
The company beat rival portfolio applicants Donuts and Top Level Domain Holdings to the string, in an auction that was managed by Innovative Auctions, likely one of several going on this week.
There’s no outstanding Governmental Advisory Committee advice or objections to the Radix application, so its path to contracting and eventual delegation should be relatively uncontroversial now.
The price was undisclosed, Innovative’s standard terms.
Directi is in the process of being acquired by Endurance International, owner of Domain.com, which promised Radix up to $62 million to help with its gTLD auctions.

Let’s Learn IDNs!

The eagle-eyed regular DI reader will have noticed earlier today that I published an article claiming the first new gTLD had already gone live. Not only that, it already had a resolving web site!
That was dead wrong. The story lasted about a minute before I yanked it.
I won’t go into all the details, but suffice it to say that the confusion arose because I don’t read a word of Arabic.
I don’t read a character of Arabic either. I don’t even know where one character ends and the next begins. Or, given the way the script functions, where one begins and the next ends.
So I thought today would be an excellent time to launch Let’s Learn IDNs!, an irregular series of posts in which I, with a significant amount of help from new gTLD registries, attempt to explain IDN strings.
I’m guessing there are a large number of readers out there whose eyes, like mine, glaze over whenever they see an IDN.
We can’t tell one Chinese (or Arabic, Cyrillic, Hebrew…) TLD from another, but it would probably make our professional lives a fair bit easier if we could.
Let’s Learn IDNs! will therefore contain just enough information to help DI’s largely Latin-script-using readers recognize an IDN when they see one.
I’m not going to attempt to teach anyone Greek, but hopefully you’ll be able to come away from the series with a better chance of telling the difference between .新闻 and .八卦.
Which is obviously hugely, hugely important.
(That’s DI’s first joke in Chinese. Thanks.)
The first post, coming later today or tomorrow, will focus on TLD Registry’s .中文网 (“.chinesewebsite”).
If you’re an IDN gTLD registry and I’ve not reached out to you already, feel free to get in touch to find out how to get a Let’s Learn IDNs! post for your own string.

First new gTLDs to go live “in the next few hours”

The first four new gTLDs are expected to go live in the next few hours.
That’s according to the registries themselves, and reports out of the Internet Governance Forum in Bali, where ICANN division president Akram Atallah was speaking on a panel earlier today.
The gTLDs are: .сайт (Russian “.site”) and .онлайн (Russian “.online”) from CORE Association, شبكة. (Arabic “.web”) from dotShabaka Registry and .游戏 (Chinese “.games”) from Donuts.
By “go live” I mean of course that the ASCII versions of these strings (for example, .xn--ngbc5azd for شبكة.) will be entered into the DNS root.
It may take a short while for the registries to activate second-level domains (such as nic.) under their new TLDs, and nothing will actually go on sale for weeks.
They’re all of course internationalized domain names, given ICANN’s decision almost a year ago to prioritize IDNs at all stages of the evaluation and delegation process.
All four received their block-lists of “collision risk” second-level domains on Friday and elected to implement the blocks to get to delegation faster.
The three registries signed their contracts on stage at the ICANN meeting in Durban July 15.
This is a pretty big day for ICANN and its community. After many years and countless arguments and delays, new gTLDs are actually about to go live!

Live new gTLDs this month? First four pass to delegation

New gTLDs are on the home stretch, after ICANN sent the first four applications to the final delegation stage of the process.
The four are: .сайт (Russian “.site”) and .онлайн (Russian “.online”) from Core Association, شبكة. (Arabic “.web”) from dotShabaka Registry and .游戏 (Chinese “.games”) from Donuts.
These were also the first four to sign their registry contracts with ICANN — over three months ago — and the first to be given their name collisions mitigation plan, just a few days ago.
Proceeding to delegation means the applications are now in the hands of IANA, the ICANN department with responsibility over changes to the DNS root system.
IANA has its own set of procedures to follow before delegating, which have historically taken a couple of weeks to process. If I recall correctly, .xxx was with IANA for about 10 days before it went live.
It seems possible that the first new gTLDs could be live this month, meaning the first sunrise periods could kick off in early December, with general availability following a month later.
However, the Christmas and New Year holiday period may wind up forcing some registrars to stagger their dates in order to benefit from the best publicity window when they finally go on sale.

First collision block-lists out now. How painful will they be for new gTLDs?

ICANN has published the name collision block-lists for the first four new gTLDs, and they making pretty interesting reading.
The four registries in question will be required to block between 104 and 680 unique second-level domains from their gTLDs if they want to use the fastest path to delegation on offer.
The four gTLDs with lists published this morning are: .сайт (Russian “.site”), .онлайн (Russian “.online”), شبكة. (Arabic “.web”) and .游戏 (Chinese “.games”).
These were the first four new gTLDs with signed Registry Agreements. ICANN seems to be following the order contracts were signed, rather than the official prioritization number.
So what’s on the lists?
Gibberish
The first thing to note is that, as expected, ICANN has helpfully removed invalid strings (such as those with underscores) and gibberish Google Chrome strings from the lists, greatly reducing their size.
The block-lists are based on Day In The Life Of The Internet data, which recorded DNS root queries for applied-for gTLDs over 48-hour periods between 2006 and 2013.
According to ICANN, “a significant proportion” of the DITL queries were for the nonsense 10-character strings that Chrome generates and sometimes accidentally sends to the public DNS.
Because these “appear to present minimal risk if filtered from the block lists”, ICANN has made an effort to automatically remove as many as possible, while acknowledging it may not have caught them all. The human eye is good at spotting meaningless strings, software is not so adept.
All four lists still contain plenty of gibberish strings, according to this human eye, but mostly they’re not of 10 characters in length.
IDNs
All four lists published today are for non-Latin domain names and are presumably expecting their registries to be mostly populated with IDN.IDN domain names.
As such, the impact of their mostly Latin block-lists may be even smaller than it first appears.
For example, if we look at the list for .сайт, which has 680 strings to block, we discover that only 80 of them are IDNs (beginning with xn--). I assume they’re all, like the gTLD, in Cyrillic script.
I haven’t decoded all of these strings from Punycode and translated them from Russian, but the fact is there’s only 80 of them, which may not be unduly punitive on CORE Association’s launch plan.
At the other end of the spectrum, Donuts will only have to block 13 IDN strings from its .游戏 (Chinese .games) gTLD, and the ASCII strings on its list are mostly numeric or gibberish.
There’s very probably some potentially valuable generic strings on these lists, of course, which could impact the landrush purse, but it’s beyond this monoglot’s expertise to pick them out.
Trademarks
A small number of Latin-script brands appear on all four lists.
Donuts will have to block nokia.游戏, htc.游戏 and ipad.游戏 in its Chinese “.games”, for example. CORE will have to block iphone.сайт and brazzersnetwork.онлайн. DotShabaka Registry will have to block شبكة.redbull.
The impact of this on the registries could be minimal — a few fewer sunrise sales, assuming the brand owner intended to defensively register.
If the blocked brand was a potential launch partner it could be much more annoying and even a launch-delaying factor. It’s not yet clear how registries and brand owners will be able to get these names unblocked.
Bear in mind that registries are not allowed to activate these domains in any sense for any use — they must continue to return NXDOMAIN error responses as they do today.
I’m sure ipad.游戏 (“ipad.games”) could have some value to Apple — and to Donuts, in the unlikely event it managed to persuade Apple to be an anchor tenant — but it’s no longer available.
ICANN will deliver full mitigation plans for each gTLD, which may often include releasing blocked names to their ‘rightful’ owner, but that’s not expected for some months.
Generic terms
A number of generic dictionary terms are getting blocked, which may prove irksome for those registries with long lists. For example, CORE will have to block photo.сайт and forum.сайт.
So far, .онлайн has by far the longest list of ASCII generics to block — stuff like “football”, “drinks”, “poker” and “sex”. Even weirdness like “herpesdating” and “musclefood”.
As it’s an IDN, this might not be too painful, but once ICANN starts publishing lists for Latin gTLDs we might start seeing some serious impact on registries’ ability to sell and market premium domains.
Shurely shome mishtake
There are a few strings on these lists that are just weird, or are likely to prove annoying to registries.
All four of these gTLDs are going to have to block “www” at the second level, for example, which could impact their registry marketing — www.tld is regularly used by TLD registries.
It is going to be really problematic if “www” shows up on the block-lists for dot-brand registries — many applicants say “www.” is likely to be the default landing page for their dot-brand.
The only string that ICANN says it won’t put on any block-list is “nic”, which was once the standard second-level for every TLD’s registry web site but doesn’t really have mass recognition nowadays.
The block-lists also include two-letter strings, most of which correspond to ccTLDs and all of which are already banned by the base Registry Agreement for precisely that reason.
There’s no reason for these two-letter names to be on the lists, but I don’t see their presence causing any major additional heartaches for registries.
So is this good news or what?
As the four block-lists to be released so far are for IDN gTLDs, and because I don’t speak Chinese, Arabic or Russian, it’s a difficult call today to say how painful this is going to be.
There are plenty of reasons to be worried if you’re a new gTLD applicant, certainly.
Premium names will be taken out of play.
You may lose possible anchor tenants.
Your planned registry-use domain names may be banned.
If you’re a dot-brand, you’d better start thinking of alternatives to “www.”.
But the block-lists are expected to be temporary, pending permanent mitigation, and they’re so far quite small in terms of meaningful strings, so on balance I’d say so far it’s not looking too bad.
On the other hand, nothing on the published lists jumps out at me like a massive security risk, so the whole exercise might be completely pointless and futile anyway.

Donuts and Uniregistry sign more new gTLD contracts

ICANN has signed eight more Registry Agreements with new gTLD applicants, six of them with Donuts.
Donuts’ newly contracted gTLDs are .photos, .recipes, .limo, .domains, .coffee and .viajes (.travel in Spanish).
Uniregistry, meanwhile, signed an RA for .gift and Luxury Partners signed for .luxury.
As you might expect from these portfolio applicants, they’re all expected to be open, unrestricted registries.

It’s official: Verisign has balls of steel

Verisign has spent the last six months telling anyone who will listen that new gTLDs will kill Japanese people and cause electricity grids to fail, so you’d expect the company to be a little coy about its own activities that (applying Verisign logic) endanger life and the global economy.
But apparently not.
Verisign today decided to use the same blog it has been using to play up the risks indicated by NXDOMAIN traffic in new gTLDs to plug its own service that actively encourages people to register error-traffic domains.
The company has launched DomainScope, which combines several older “domain discovery” tools — DomainFinder, DomainScore and DomainCountdown — under one roof.
According to an unsigned corporate blog post, with my emphasis:

DomainScope enables users to discover domain name registration opportunities through learning about the recent history of a domain name, understanding a domain name’s DNS traffic patterns, and knowing which domains are available that are receiving traffic.

That’s right, Verisign is giving malicious hackers the ability, for free, to find out which .com, .net and .tv domains currently receive NXDOMAIN traffic, so that the hackers can pay Verisign to register them and cause mayhem.
I used the service today see what mischief might be possible, and hit paydirt on my first query.
Typing in “mail” as the search query, ordering the results by “Traffic Score” — a 1 to 10 measure of how much error traffic a domain already gets — I got these results:

You’ll notice (click to enlarge if you don’t) that the third result, with a 9.9 out of 10 score, is netsoolmail.net.
That caught my attention for obvious reasons, and a little Googling seems to confirm that it’s a typo of netsolmail.net, a domain Network Solutions uses for its mail servers (or possibly a spam filter).
Network Solutions is of course a top-ten registrar with millions of mostly high-end customers.
So what?
Well, if Verisign’s arguments are to be believed, this poses a huge risk of information leakage — something that should be avoided at all costs in new gTLDs but which is apparently just fine in .com and .net.
Emails set to go to netsoolmail.net will fail today due to an NXDOMAIN response. But what happens when somebody registers that domain (which is likely to happen about 10 minutes after this post is published)?
Do they suddenly start receiving thousands of sensitive emails intended for NetSol’s customers?
Could NetSol’s spam filters all start to fail, causing SOMEBODY TO DIE! from a dodgy Viagra?
I don’t know. No clue. Probably not.
But there’s a risk, right? Even if it’s a very small risk (as Verisign argues), shouldn’t ICANN be preventing Verisign from promoting these domains, maybe using some kind of massive block-list?
Data leakage is important enough to Versign that it was the headline risk it posed in a recent report aimed at getting new gTLDs delayed.
In an August “technical report” entitled “New gTLD Security, Stability, Resiliency Update: Exploratory Consumer Impact Analysis”, somebody from Verisign wrote (pdf):

once delegated, the registrants under new gTLDs have the ability to register specific domains for targeted collisions
…
This form of information leakage can violate privacy of users, provide a competitive advantage between business rivals, expose details of corporate network infrastructures, or even be used to infer details about geographical locations of network assets or users

What the report fails to mention is that registrants today have this ability, and that Verisign is actively encouraging the practice.
In Yiddish they call what Verisign has done today chutzpah.
In British English, we call it taking the piss.

dotShabaka Diary — Day 20, Positive signs?

The twentieth installment of dotShabaka Registry’s journal, charting its progress towards becoming one of the first new gTLDs to go live, written by general manager Yasmin Omer.

Friday 18 October 2013
Maybe we are starting to see some positive steps from ICANN towards delegation:
We received a revised Registry Agreement, Specification six that includes the requirements for Name Collision Occurrence Management and Report Handling.
ICANN made an announcement that included the statement that collision “…assessments and SLD lists will be posted to the specific TLD’s registry agreement page on the ICANN website. The first of these will be available before the end of this week.”
ICANN reached out this week and requested a detailed list of contacts for legal, media, financial, emergency, CZDS, TMDB, abuse, URS and compliance.
We are still waiting for ICANN to comment on the TMCH launch issues highlighted in our 12 October 12 journal.
Oh, and we are still waiting for the Welcome Pack!

Read previous and future diary entries here.