Latest news of the domain name industry

Second DNSSEC screw-up takes down Aussie web sites

Kevin Murphy, September 20, 2023, Domain Tech

.au domains failed to resolve for many internet users for almost an hour on Monday, after the registry operator messed up a DNSSEC update.

ccTLD overseer auDA said the issue was caused by a “key re-signing process that generated an incorrect record”. Users on ISPs that strictly enforce DNSSEC would have received not-found errors for .au domains during the outage.

.au’s technical back-end is managed by Identity Digital, which reportedly said that the outage lasted from 0005 UTC until 0052 UTC.

With over four million domains, .au is, I believe, the largest TLD zone to fall victim to DNSSEC-related downtime, but it’s not the first time it has happened to the domain.

In March 2022, thousands of .au domains were affected by a DNSSEC snafu that lasted a few hours.

DNSSEC is meant to make the DNS more secure by reducing the risk of man-in-the-middle attacks, but it appears to be easy to screw up, judging by a list of TLD outages. Just this year, Mexico, New Zealand and Venezuela have also suffered downtime.

Is this why WhatsApp hates some TLDs but not others?

Kevin Murphy, September 11, 2023, Domain Tech

Developers of major pieces of internet software, including the world’s most-popular messaging app, may be relying on seriously outdated lists of top-level domains.

That’s the picture that seems to be emerging from one new gTLD operator’s quest to discover why WhatsApp doesn’t recognize its TLD, and many others including major dot-brands, as valid.

And ICANN isn’t interested in helping, despite its declared focus on Universal Acceptance, the CEO of this registry claims.

When most social media apps detect the user has inputted a URL or domain name, they automatically “linkify” it so it can be easily clicked or tapped without the need for copy/paste.

But when Rami Schwartz of new gTLD .tube discovered that .tube URLs sent via WhatsApp, said to have two billion users, were not being linkified, despite the TLD being delegated by ICANN almost eight years ago, he set out to find out why.

Schwartz compiled a spreadsheet (.xlsx) listing which gTLDs are recognized by WhatsApp and which are not and discovered a rough cut-off point in November 2015. TLDs delegated before then are linkified; those delegated after are not.

According to my database, 468 TLDs have been delegated since December 2015, though not all are still in the root. That’s about a third of all TLDs.

This means that, for example, .microsoft domains linkify but .amazon and .apple domains do not; .asia domains linkify but .africa and .arab domains do not; .london works but .abudhabi doesn’t. Even .verisign missed the cut-off.

If WhatsApp users include a “www.” or “http://” then the app will linkify the domain, even if the specified TLD does not exist.

During the course of a discussion on the web site of the Public Suffix List — which maintains an open-source list of all TLDs and the levels at which names may be registered — it was discovered that the problem may be deeper rooted than the WhatsApp app.

It turns out a library in the Android operating system contains a hard-coded list of valid TLDs which hasn’t been updated since November 24, 2015.

Any app relying on Android to validate TLDs may therefore be susceptible to the same problem — any TLD younger than seven years won’t validate. Schwartz tells us he’s experienced the same issues with the Facebook app on Android devices.
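The behaviour described above can be modelled and audited in a few lines. This is an added example, not code from WhatsApp, Android or the article; `FROZEN_TLDS`, `linkifies` and `audit` are hypothetical names, and the list excerpt is constructed in the one-TLD-per-line layout of IANA's `tlds-alpha-by-domain.txt`.

```python
import re

# Constructed excerpt in the layout of IANA's tlds-alpha-by-domain.txt:
# a '#' header line, then one upper-case TLD per line (not real IANA data).
ROOT_LIST_EXCERPT = """# Version 0000000000 (constructed sample)
ABUDHABI
AFRICA
AMAZON
APPLE
ARAB
ASIA
LONDON
MICROSOFT
TUBE
VERISIGN
"""

# Stand-in for a list frozen in November 2015: only the TLDs the article
# reports as being linkified.
FROZEN_TLDS = frozenset({"asia", "london", "microsoft"})

TOKEN = re.compile(
    r"(?P<prefix>https?://|www\.)?(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?",
    re.I,
)

def parse_tld_list(text):
    """Parse the one-TLD-per-line format, skipping comment and blank lines."""
    return frozenset(
        line.strip().lower()
        for line in text.splitlines()
        if line.strip() and not line.startswith("#")
    )

def linkifies(token, known_tlds):
    """Model of the reported behaviour: a prefix skips the TLD check entirely."""
    m = TOKEN.fullmatch(token)
    if m is None:
        return False
    if m.group("prefix"):
        return True
    return m.group("host").rsplit(".", 1)[1].lower() in known_tlds

def audit(known_tlds, root_tlds):
    """Return delegated TLDs whose bare domains the linkifier would ignore."""
    return sorted(t for t in root_tlds if not linkifies(f"example.{t}", known_tlds))

if __name__ == "__main__":
    print(audit(FROZEN_TLDS, parse_tld_list(ROOT_LIST_EXCERPT)))
    print(linkifies("www.example.invalid", FROZEN_TLDS))
```

Running `audit` against a freshly fetched list in a release pipeline turns a stale embedded list into a failing test rather than a user-visible bug.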

The problem is of particular concern to Schwartz because he’s been planning to market .tube as a form of link-shortening service, and without full support among the most popular messaging apps such a service would be much less attractive.

“I can’t launch this now if it’s not going to work in WhatsApp, if it’s not going to work in Facebook,” he said.

While engineers from Facebook/WhatsApp parent Meta now seem to be looking into the problem, Schwartz says his complaints fell on deaf ears for a long time.

He additionally claims that “ICANN doesn’t really care about universal acceptance” and his attempts to get the Org to pay attention to the problem have been brushed off, despite ICANN making Universal Acceptance one of its key priorities.

Schwartz says ICANN is much more interested in UA when it comes to internationalized domain names (those in non-Latin scripts, such as Arabic or Chinese) and not the technical issues that underpin the functionality of all TLDs.

“I’ve no idea why ICANN makes the decisions it makes, but I think it has to do with inclusion, I think it has to do with diversity, I think it has to do with a lot of things — not technical,” he said. “But this is a technical issue.”

ICANN maintains a set of UA technical resources on its web site and supports the work of the independent Universal Acceptance Steering Group.

Whois disclosure system coming this year?

Kevin Murphy, March 2, 2023, Domain Tech

ICANN has approved the creation of a Whois Disclosure System, almost six years after Europe’s GDPR rules tore up the rule book on Whois access.

The system is likely to face a name change before going live, due to the fact that it does not guarantee, nor process, the disclosure of private Whois data.

The board of directors passed a resolution February 27, a month later than expected, “to develop and launch the WHOIS Disclosure System (System) as requested by the GNSO Council within 11 months from the date of this resolution.”

That’s two months longer than earlier anticipated, but we’re still looking potentially at a live system that people can sign up for and use a year from now.

The system is expected to be based on the Centralized Zone Data Service that many of us have been using to request and download gTLD zone files for the last decade. While not perfect, CZDS gets the job done and has improved over the years.

The technology will be adapted to create what essentially amounts to a ticketing system, allowing the likes of IP lawyers to request unredacted Whois records. The requests would then be forwarded to the relevant registrar.

It’s an incredibly trimmed-down version of what Whois users had been asking for. Participation is voluntary on both sides of the transaction, and registrars are under no new obligations to approve requests.

If nobody uses the system, it could be turned off. ICANN Org has only been directed to run it “for up to two years”. ICANN will collect and publish usage data to figure out whether it’s worth the quite substantial number of hours and dollars that have already gone into its development.

The actual cost of development and operation had been pegged at $3.3 million, but the board’s resolution states that most of the cost will be existing staff and excess costs will come from the Supplemental Fund for Implementation of Community Recommendations (SFICR).

ICANN puts blockchain on the agenda for good

Kevin Murphy, June 23, 2022, Domain Tech

ICANN’s board of directors is apparently worried about the rise of blockchain-based alt-roots.

Its Board Technical Committee voted in May to make blockchain a permanent agenda item going forward, according to just-published minutes.

“After discussion, the Committee decided to have a standing topic on the agenda to address Blockchain Names,” the minutes read.

The minutes don’t record the content of the discussion, but the alt-root topic has been addressed at every one of the committee’s meetings since last July and resulted in the CTO’s office putting together a briefing paper I blogged about last month.

Blockchain alt-roots include the likes of ENS, Handshake and Unstoppable. They are likely to present legal challenges and interoperability problems when ICANN finally opens up the next round of new gTLDs in a couple years.

Unstoppable targets another city gTLD with free domains

Kevin Murphy, June 21, 2022, Domain Tech

Alt-root provider Unstoppable Domains has inked another partnership with a city that already has its own gTLD in the authoritative root.

The blockchain domains company said it has linked up with the City of Miami’s Venture Miami project, which encourages tech investment in Miami, to offer $50 in Unstoppable’s alternative domains to anyone attending Miami Dade College or showing up at an event there over the weekend.

For nine out of 10 of Unstoppable’s extensions, that’s enough to buy at least one domain. The company does not charge renewal fees.

It’s the second city recently that Unstoppable has partnered with, following its offer of free domains to all female residents of Abu Dhabi a couple of weeks ago.

In both of these cases, the cities in question already have their own gTLD in the authoritative, functioning, ICANN root. Unstoppable’s extensions, which are largely themed around cryptocurrency, mostly do not function without browser plug-ins.

While .abudhabi has only about a thousand registered domains, .miami, which was acquired from MMX by GoDaddy last year and has the city as a partner, has been more popular, with close to 16,000 names in its zone file currently.

Whether this can be dismissed as more “web3” hype or alt-root snake oil or not, Unstoppable seems to have secured a couple of pretty interesting marketing coups, and it will be interesting to see which city gets targeted next.

NetBeacon goes live for DNS abuse reporting

Kevin Murphy, June 10, 2022, Domain Tech

The DNS Abuse Institute has gone live with its new clearinghouse for DNS abuse reports, NetBeacon.

The service allows anyone to report any domain for four types of abuse — malware, phishing, botnets and spam — and any registry or registrar can sign up to receive the reports in a normalized feed via email or API.

The idea is to make it easier for domain companies to act on reports of abusive customers, as DNSAI director Graeme Bunton told us a few months ago.

NetBeacon is free for both reporters and registrars and is being funded by .org manager Public Interest Registry.

Some of the technology underpinning the service is being provided by CleanDNS.

Crypto domains: a feminist issue?

Kevin Murphy, June 6, 2022, Domain Tech

Unstoppable Domains has found a novel way to market its alt-root domains service — give away hundreds of thousands of free domains to female entrepreneurs and women in general.

In two separate announcements over the last few days, partners committed to give away well over a million domains, part of Unstoppable’s push to persuade women that alt-roots and “Web3” are good ideas.

First, Access Abu Dhabi, a project of the Abu Dhabi Investment Office, said it will give a domain for free to “all women residing in the UAE capital”, which is believed to be about one million people.

Abu Dhabi is an overwhelmingly immigrant and overwhelmingly male city. Men are believed to outnumber women 2:1 in the UAE, a nation where until this year women could be jailed or flogged for the crime of extramarital sex.

It’s also one of a handful of cities in the world to have its own gTLDs in the authoritative root — .abudhabi and the Arabic-script equivalent — but while fees are not too high (about $40) registration restrictions are pretty strict, requiring among other things a passport scan.

The announcement by Access Abu Dhabi was made in conjunction with Unstoppable Women of Web3, an Unstoppable spin-off project set up a few months ago to pitch alt-root crypto domains to women.

Unstoppable Women is also behind a separate announcement from The Female Quotient, an equality services company, which is promising to give away up to 600,000 domains to women at its “Equality Lounge” events at various tech conferences over the coming months.

Unstoppable’s alt-root TLDs include .x, .crypto, .bitcoin, .coin and .wallet. Prices usually range from $20 to $100, but there are no renewal fees.

Female entrepreneurs obtaining these domains will quickly realize that they don’t work for the vast majority of internet users and are probably not a sound foundation for building a business.

Blockchain domains pose “significant risks” to internet, says ICANN

Kevin Murphy, May 10, 2022, Domain Tech

The internet could be fragmented and made less secure by the proliferation of blockchain-based naming systems, according to a recent position statement from ICANN’s chief technology officer.

The report, “Challenges with Alternative Name Systems” (pdf) worries aloud about systems such as Namecoin, Ethereum Naming Service, Unstoppable Domains, and Handshake.

It says: “the creation of new namespaces without any coordination (either among themselves nor with the DNS) will necessarily lead to name collisions, unexpected behaviors, and user frustration.”

“The end result might very well be completely separate ecosystems, one for each naming system, further fragmenting the Internet,” it concludes.

It’s a pretty brisk, high-level, 15-page summary of the various alt-root naming systems grouped around the “Web3” meme that have been gaining various levels of popularity over the last few years.

It doesn’t drill too far down into any of them and doesn’t really say much that we haven’t heard from ICANN before about blockchain naming, but it does broadly cover what’s out there, how these systems are used, and why they pose risks.

Opposition to alt-roots is an almost foundational principle of ICANN, documented in ICP-3, a 21-year-old document that dates from a time when alt-roots used standard DNS but with different root servers.

ICANN has in the last year pushed back against the newer blockchain-based alts, most prominently by delaying the sale of some gTLD contracts and forcing registries to renounce their ownership rights to gTLD strings.

One new addition to the debate that caught my eye was OCTO noting that a lack of coordination between the various alt-roots in operation today presents similar kinds of interoperability risks as does the lack of coordination between the alts and the authoritative root.

It notes that “at least four blockchain-based naming systems are competing today” and as a result “when developing an application, one must decide which blockchain-based naming system to use.”

“As there is no namespace coordination mechanism between those alternative naming systems, name collisions must be expected,” it says.

UPDATE: This story was updated at 2232 UTC to change the headline from “Blockchain poses ‘significant risks’ to internet, says ICANN” to “Blockchain domains pose ‘significant risks’ to internet, says ICANN”

ICANN reports shocking increase in pandemic scams

Kevin Murphy, May 6, 2022, Domain Tech

The number of gTLD domains being used for malware and phishing related to the Covid-19 pandemic has increased markedly in the last eight months, according to data released by ICANN this week.

The Org revealed that since it started tracking this kind of thing in May 2020 it has flagged 23,452 domains as “potentially active and malicious”.

The data is collected by checking zone files against a list of 579 keywords and running the results through third-party abuse blocklists. Blocked domains are referred to the corresponding registrars for action.

I’m not sure you could technically call these “takedown requests”, but there’s a pretty strong implication that registrars should do the right thing when they receive such a report.

The 23,452 notices represent a sharp rise from both the 12,860 potentially abusive flagged names and 3,791 “high confidence” reports ICANN has previously said it found from the start of the project until August 2021.

It’s not clear whether the rise is primarily due to an increase in abusive practices or ICANN’s improved ability to detect scams as it adds additional keywords to its watch-list.

ICANN said in March that it is now also tracking keywords related to the Russian invasion of Ukraine.

It’s also asking organizations in frequently targeted sectors to supply keyword suggestions for languages or scripts that might be under-represented.

The data was processed by ICANN’s Domain Name Security Threat Information Collection and Reporting (DNSTICR or “DNS Ticker”), which Org management previously discussed at ICANN 73.

DNSSEC claims another victim as entire TLD disappears

Kevin Murphy, March 9, 2022, Domain Tech

A country’s top-level domain disappeared from the internet for many people yesterday, apparently due to a DNSSEC key rollover gone wrong.

All domains in Fiji’s ccTLD, .fj, stopped resolving for anyone behind a strict DNSSEC resolver in the early hours of the morning UTC, afternoon local time, and stayed down for over 12 hours.

Some domains may still be affected due to caching, according to the registry and others.

The University of the South Pacific, which runs the domain, said that it had to contact ICANN’s IANA people to get the problem fixed, which took a while because it had to wait for IANA’s US-based support desk to wake up.

IANA head Kim Davies said that in fact its support runs 24/7 and in this case IANA took Fiji’s call at 2.47am local time.

Analyses on mailing lists and by Cloudflare immediately pointed to a misconfiguration in the country’s DNSSEC.

It seems Fiji rolled one of its keys for the first time and messed it up, meaning its zone was signed with a non-existent key.

Resolvers that implement DNSSEC strictly view such misconfigurations as a potential attack and nix the entire affected zone.
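The failure described here, and the “incorrect record” behind the .au outage, is the kind of inconsistency a pre-publication check can catch. The following is an added example, not the registry's or any vendor's tooling: it computes DNSKEY key tags (RFC 4034 Appendix B) and SHA-256 DS digests and flags signatures or DS records that point at keys not in the published set. It checks references only, not the signatures themselves; the `example.` zone and all key bytes are constructed placeholders.

```python
import hashlib
import struct

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def wire_name(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata):
    """SHA-256 DS digest (digest type 2): hash of owner name plus DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def check_zone(owner, dnskeys, rrsig_tags, ds_records):
    """List the inconsistencies that would make a strict validator reject the zone."""
    published = {key_tag(k): k for k in dnskeys}
    problems = [f"{rrset}: RRSIG key tag {tag} has no matching DNSKEY"
                for rrset, tag in rrsig_tags if tag not in published]
    if not any(tag in published and ds_digest(owner, published[tag]) == digest
               for tag, digest in ds_records):
        problems.append("no DS at the parent matches a published DNSKEY")
    return problems

# Constructed sample: key bytes are placeholders, not real keys (algorithm 13).
KSK = dnskey_rdata(257, 13, bytes(range(0, 64)))
OLD_ZSK = dnskey_rdata(256, 13, bytes(range(64, 128)))
NEW_ZSK = dnskey_rdata(256, 13, bytes(range(128, 192)))
DS_AT_PARENT = [(key_tag(KSK), ds_digest("example.", KSK))]

# Botched rollover: records are signed with NEW_ZSK, which was never published.
SIGS = [("example. DNSKEY", key_tag(KSK)), ("example. SOA", key_tag(NEW_ZSK))]
BROKEN = check_zone("example.", [KSK, OLD_ZSK], SIGS, DS_AT_PARENT)
# Corrected: the new key is in the DNSKEY RRset before anything is signed with it.
FIXED = check_zone("example.", [KSK, OLD_ZSK, NEW_ZSK], SIGS, DS_AT_PARENT)

if __name__ == "__main__":
    print(BROKEN or "consistent")
    print(FIXED or "consistent")
```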

It happens surprisingly often, though not usually at the TLD level. That said, a similar problem hit thousands of Sweden’s .se domains last month, despite the registry having a decade’s more DNSSEC experience than Fiji.

Domain Incite had a similar problem recently when its registrar carried on publishing DNSSEC information for the domain long after I’d stopped paying for it.

UPDATE: This post was updated with comment from IANA.