Recent Posts
- Americans and ICANNers avoid Kigali in droves
- RDRS stats improve a little in June
- Unstoppable Domains goes down after domain hijack
- Four more gTLDs in emergency measures
- New gTLDs and ccTLDs drive domain universe growth
- Eight interesting recent dot-brand registrations
- .me premium sales down
- Pride fails to reverse gay domains decline
- Unstoppable announces another new gTLD bid
- Blockchain naming firm gets ICANN accreditation
- ICANN takes over gTLD after Whois failures
- Verisign: would-be .com contract killers are “wrong”
- Five gTLDs at risk as registry goes AWOL
- Groups make flawed case that .com is a cartel
- RDRS usage hits all-time low
- A dot-brand so unloved they killed it twice
- PorkBun hits two million domain milestone
- Crawford returns to industry to head up Com Laude
- ICANN financial data dump a damp squib?
- Unstoppable plotting manga-themed gTLDs
- Governments call for new gTLD auctions ban
- ICANN names new CEO, and it isn’t Costerton
- ICANN: We will NOT police content
- More sticker shock as new gTLD fees could top $300,000
- ICANN slashes staff and domain prices could rise
- Secret new gTLD application revealed
- WhatsApp now linkifying new gTLDs, but…
- Outrage over ICANN’s new gTLD fees
- Barrett gets second term on ICANN board
- DotMusic delays gTLD launch again
- .tm prices to skyrocket next week
- Bitcoin gTLD gets launch dates
- First metaverse gTLD is announced
- Alibaba off the naughty step
- ICANN to kill auction fund bylaws change
- The people have spoken on RDRS and they said “Meh”
- ICANN restarts work on controversial Whois privacy rules
- GNSO mulls lawyering up over auction fund dispute
- Jury still out on ICANN’s content policing powers
- It now takes TWO WEEKS to get a Whois record with RDRS
- Travel expenses push ICANN into the red again
- ICANN preparing for ONE HUNDRED registry back-ends
- DNS Abuse Institute changes name
- A new way to game the new gTLD program
- .home, .mail and .corp could get unbanned
- Unstoppable to apply for Women in Tech gTLD
- Bob Parsons publishes autobiography
- GoDaddy getting a free pass from porn jail?
- Correction: Sinha’s seat is safe
- Chinese domains plummet again in 2023
- GoDaddy price increases lead to revenue growth
- D3 announces seventh blockchain gTLD client
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- .my domains to be sold globally next month
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
.xxx reveals new gTLD support problems
It’s late 2012. You’ve spent your $185,000, fought your way through objections, won your contention set, and proved to ICANN that you’re technically and financially capable of running a new generic top-level domain.
The registry contracts have been signed. But will your gTLD actually work?
The experiences of .xxx manager ICM Registry lately suggest that a certain amount of outreach will be needed before new gTLDs receive universal support in applications.
I’ve encountered three examples over the last few days of .xxx domain names not functioning as expected in certain apps. I expect there will be many more.
Skype. Type http://casting.com into a chat window and Skype will automatically make the link clickable. Do the same for the .xxx equivalent, and it does not.
Android, the Google mobile platform. I haven’t tested this, but according to Francesco Cetaro on Twitter, unless you manually type the http:// the domain doesn’t resolve.
TweetDeck, now owned by Twitter. It doesn’t auto-link or auto-shorten .xxx domains either, not even if you include the http:// prefix.
This problem is well known from previous new gTLD rounds. ICANN even warns applicants about it in the Applicant Guidebook, stating:
All applicants should be aware that approval of an application and entry into a registry agreement with ICANN do not guarantee that a new gTLD will immediately function throughout the Internet. Past experience indicates that network operators may not immediately fully support new top-level domains, even when these domains have been delegated in the DNS root zone, since third-party software modification may be required and may not happen immediately.
Similarly, software applications sometimes attempt to validate domain names and may not recognize new or unknown top-level domains.
As a 10-year .info registrant, I can confirm that some web sites will still sometimes reject email addresses at .info domains.
Sometimes this is due to outdated validation scripts assuming no TLD is longer than three characters. Sometimes, it’s because the webmaster sees so much spam from .info he bans the whole TLD.
This is far less of an issue that it was five or six years ago, due in part to Afilias’s outreach, but just this week I found myself unable to sign up at a certain phpBB forum using my .info address.
I understand ICM has also been reaching out to affected app developers recently to make them aware that .xxx now exists in the root and has resolvable domains.
ICANN also has released code in C#, Java, Perl, and Python (though not, annoyingly, PHP) that it says can be easily dropped into source in order to validate TLDs against the live root.
The last beta was released in 2007. I’m not sure whether it’s still under development.
(UPDATE: CentralNic CTO Gavin Brown has knocked up a PHP implementation here.)
Bit-squatting – the latest risk to domain name owners
Forget phishing, forget cybersquatting, forget typosquatting, high-value domain name owners may have a whole new threat to worry about – “bit-squatting”.
This appears to be the conclusion of fascinating new research to be presented by Artem Dinaburg at the Black Hat and DEF CON hacker conferences in Las Vegas next week.
Defective internet hardware, it turns out, may be enabling a whole new category of typosquatting that could prove worrying for companies already prone to domain name abuse.
According to a summary of Dinaburg’s research, RAM chips can sometimes malfunction due to heat or radiation, resulting in “flipped bits”, where a 1 turns into a 0 or vice-versa.
Because the DNS uses ASCII encoding, a query containing a single flipped bit could actually send the user to a completely different domain name to the one they intended to visit.
To test the theory, Dinaburg appears to have registered the typo domain name mic2osoft.com. While it’s not visually confusing or a likely typo, in binary it is only one bit different to microsoft.com.
The ASCII binary code for the digit 2 is 00110010, which is only one bit different to the lower-case letter r, 01110010.
The binary for the string “microsoft” is:
011011010110100101100011011100100110111101110011011011110110011001110100
and the binary encoding for “mic2osoft” is (with the single changed bit highlighted):
011011010110100101100011001100100110111101110011011011110110011001110100
Therefore, if that one bit were to be accidentally flipped by a dodgy chip, the user could find themselves sending data to the bit-squatter’s domain rather than Microsoft’s official home.
I would assume that this is statistically only a concern for very high-traffic domains, and only if the bit-flipping malfunction is quite widespread.
But Dinaburg, who works for the defense contractor Raytheon, seems to think that it’s serious enough to pay attention to. He wrote:
To verify the seriousness of the issue, I bit-squatted several popular domains, and logged all HTTP and DNS traffic. The results were shocking and surprising, ranging from misdirected DNS queries to requests for Windows updates.
…
I hope to convince the audience that bit-squatting and other attacks enabled by bit-flip errors are practical, serious, and should be addressed by software and hardware vendors.
His conference presentations will also discuss possible hardware and software solutions.
For large companies particularly at risk of typosquatting, the research may also present a good reason to conduct a review of their trademark enforcement strategies.
I’m not going to be in Vegas this year, but I’m looking forward to reading more about Dinaburg’s findings.
The annual Black Hat and DEF CON conferences are frequently the venues where some of the most beautifully creative DNS hacks are first revealed, usually by Dan Kaminsky.
Kaminsky is not discussing DNS this year, judging by the agendas.
The conferences were founded by Jeff Moss, aka The Dark Tangent, who joined ICANN as its chief security officer earlier this year.
Why we won’t see dotless domain names
Will http://google ever work?
Will any of the hundreds of .brand gTLDs expected to be approved by ICANN in its first round of new top-level domains resolve without dots?
Will users be able to simply type in the name of the brand they’re looking for into their browser’s address bar and have it resolve to the company’s official site?
Probably not, according to the experts.
ICANN’s Applicant Guidebook answers this question, but you need to know where to look, and to know a little about DNS records, to figure it out what it actually says.
Section 2.2.3.3 of the Guidebook (page 75 of the May 30 PDF) provides a list of the permissible contents of a new gTLD zone.
Specifically not allowed are A and AAAA records, which browsers need in order to find web sites using IPv4 and IPv6 respectively.
“To facilitate a dotless domain, you would need to place an A or a AAAA record in the zone, and these are not on the list of permitted record types,” said Kim Davies, root zone manager at IANA. “The net result is a default prohibition on dotless domains.”
Applicants may be able to obtain A/AAAA records if they specifically ask for them, but this is very likely to trigger an Extended Evaluation and a Registry Services Review, according to Davies and the Guidebook.
There’s an additional $50,000 fee for a Registry Services Review, with no guarantee of success. It will also add potentially months to the application’s processing time.
(Incidentally, ICANN has also banned DNS “wildcards”. You cannot have an infinite SiteFinder-style catch-all at the second level, you need to allocate domain names individually.)
Applicants that successfully obtain A/AAAA records, enabling dotless domains, would face a far greater problem than ICANN’s rules – endpoint software probably won’t support them.
“As it stands, most common software does not support the concept,” Davies said. “There is a common assumption that fully qualified domain names will have at least one dot in them.”
You can type IP addresses, host names, domain names or search terms into browser address bars, and dots are one of the ways the software figures out you’re looking for a domain.
You can test this today. There are already a handful of top-level domains, probably fewer than 20 and all ccTLDs, that have implemented an A record at the TLD level.
On some platforms, you may be able to get URLs such as http://io and http://ac to work.
They don’t revolve on any Windows 7 browser I’ve tested (Firefox/IE/Chrome), but I’d be interested in hearing your experiences, if you’d be so good as to leave a comment below.
Given the lack of software support, it may be a poor use of time and resources to fight ICANN for a dotless gTLD that most internet users won’t even be able to resolve.
According to a recent CircleID article by Paul Vixie, chairman of the Internet Systems Consortium, many browsers treat domains without dots as local resources.
Only if the browser’s “DNS search list” cannot find a local resource matching the dotless TLD will it then go out to the internet to look for it.
In some organizations, a local resource may have been configured which matches a new gTLD. There may be a local server called “mail” for example, which could clash with a .mail gTLD.
A recent article in The Register quoted security people fretting about what would happen if a malicious hacker somehow persuaded ICANN to approve a string such as .localhost or .lan.
These worries appear to be largely reliant on an erroneous belief that getting your hands on a gTLD is going to be as simple as registering a domain name.
In reality, there’s going to be months of technical evaluation – conducted in a fish-bowl, subject to public comment, applicant background checks and, in the case of a request for A records, the aforementioned Registry Services Review – before a gTLD is approved.
If everything works according to plan, security problems will be highlighted by this process and any gTLDs that would break the internet will be caught and rejected.
So it seems very unlikely that we’re going to see domains without dots hitting the web any time soon.
Domain names are designed to help people find you. Dotless domains today will not do that, even if ICANN does approve them.
Firm offers .xxx trademark checks
We’ve seen domain “reservation” services and “preregistration” services, now the soon-to-launch .xxx top-level domain is getting a pre-sunrise trademark verification service.
Trademark Fact Check is a new offering from EnCirca president Tom Barrett and Mark Kudlacik, formerly of NetNames and now president of Checkmark Network.
It’s an automated tool for checking whether a trademark will qualify for the .xxx sunrise period – and the sunrise periods of other new gTLDs – according to the service’s web site.
The output, among other things, consists of a list of domain names you qualify to register in the sunrise.
It supports about 30 national jurisdictions.
Checks will cost $10 a pop, but Barrett and Kudlacik think they can save applicants money.
If a sunrise application is rejected due to a filing error, the only option is to pay again to file again, which for .xxx is likely to cost at least $200 with the cheapest registrars.
There’s a money back guarantee if Trademark Fact Check says an application will pass and it does not.
I’m not sure how much of a market there will be for this kind of thing when the new gTLDs start to launch in 2013 and sunrise trademark validation will be largely handled by the Trademark Clearinghouse.
Firefox gives greater visibility to domains
Mozilla has reportedly dropped the http:// from the address bar in the latest pre-release version of the Firefox browser, in order to make the domain more prominent.
The changes, spotted over at ConceivablyTech, would also remove the trailing slash from URLs and present everything other than the top and second level of the domain in gray text.
So instead of
http://www.example.com/
you’d see something like
www.example.com
Google Chrome already does something similar, although it presents the lower levels of the domain in the same shade text as the top two.
The blog reported that the https:// will continue to be displayed for encrypted pages.
Earlier this year, Google was reported to be working on a Chrome UI that dropped the address bar altogether, which struck me as one of the more idiotic ideas — from a choice of many — to come out of the company.
Find domain keywords with new VeriSign apps
VeriSign has released a suite of cute applications for visualizing keywords mined from newly registered domain names.
DomainView has been around for a few months as a tag cloud on the VeriSign web site, but it’s now also an embeddable web widget and a scrolling ticker plug-in for Firefox and Chrome browsers.
The service samples recently registered .com and .net domains for recurring keywords, and spits those keywords back out, along with a short list of related domains that are available to register.
The company is planning to release an iPhone app in the near future, and there’s an API for developers to use today.
I’ve installed the ticker. It’s a nice idea, but it does get a bit distracting after a few minutes. Thankfully, it can be hidden through the options menu.
You can find the new applications here.
IPv6 addresses are the new domain hacks
It’s World IPv6 Day today, and a number of companies have decided to get a little playful with their new IP addresses, using them to spell out their brands.
IPv6 uses hexadecimal notation – the 10 digits and the letters A through F – so it’s possible to use them as “vanity” addresses using something like h4x0r-speak or license plate hacks.
Here’s a few IPv6 “hacks” I’ve found in AAAA records so far today:
BBC – bbc.net.uk – 2001:4b10:bbc::1
Facebook – facebook.com – 2620:0:1c18:0:face:b00c:0:3
Cisco – cisco.com – 2001:420:80:1:c:15c0:d06:f00d (Cisco dog food)
F5 Networks – f5.com – 2001:19b8:101:2::f5f5:1d
US Department of Commerce – commerce.gov – 2610:20:0:20:5ec:d0c:d0c:d0c
A few more, such as Daily Kos’ 2001:48c8:1:c::feeb:beef, seem deliberate but don’t seem to pertain particularly to the site’s brand.
I don’t think anybody’s going to use these addresses to navigate, but I suppose they make prove useful mnemonics for address administrators within those companies.
Experts say piracy law will break the internet
Five of the world’s leading DNS experts have come together to draft a report slamming America’s proposed PROTECT IP Act, comparing it to the Great Firewall of China.
In a technical analysis of the bill’s provisions, the authors conclude that it threatens to weaken the security and stability of the internet, putting it at risk of fragmentation.
The bill (pdf), proposed by Senator Leahy, would force DNS server operators, such as ISPs, to intercept and redirect traffic destined for domains identified as hosting pirated content.
The new paper (pdf) says this behavior is easily circumvented, incompatible with DNS security, and would cause more problems than it solves.
The paper was written by: Steve Crocker, Shinkuro; David Dagon, Georgia Tech; Dan Kaminsky, DKH; Danny McPherson, Verisign and Paul Vixie of the Internet Systems Consortium.
These are some of the brightest guys in the DNS business. Three sit on ICANN’s Security and Stability Advisory Committee and Crocker is vice-chairman of ICANN’s board of directors.
One of their major concerns is that PROTECT IP’s filtering would be “fundamentally incompatible” with DNSSEC, the new security protocol that has been strongly embraced by the US government.
The authors note that any attempts to redirect domains at the DNS level would be interpreted as precisely the kind of man-in-the-middle attack that DNSSEC was designed to prevent.
They also point out that working around these filters would be easy – changing user DNS server settings to an overseas provider would be a trivial matter.
PROTECT IP’s DNS filtering will be evaded through trivial and often automated changes through easily accessible and installed software plugins. Given this strong potential for evasion, the long-term benefits of using mandated DNS filtering to combat infringement seem modest at best.
If bootleggers start using dodgy DNS servers in order to find file-sharing sites, they put themselves at risk of other types of criminal activity, the paper warns.
If piracy sites start running their own DNS boxes and end users start subscribing to them, what’s to stop them pharming users by capturing their bank or Paypal traffic, for example?
The paper also expresses concern that a US move to legitimize filtering could cause other nations to follow suit, fragmenting the mostly universal internet.
If the Internet moves towards a world in which every country is picking and choosing which domains to resolve and which to filter, the ability of American technology innovators to offer products and services around the world will decrease.
This, incidentally, is pretty much the same argument used to push for the rejection of the .xxx top-level domain (which Crocker voted for).
ICANN hires hacker Dark Tangent as security chief
Noted white-hat hacker Jeff “Dark Tangent” Moss is to join ICANN as its new chief security officer.
Moss founded the Black Hat and Def Con hacker conferences (which I highly recommend), and was once a director of firewall vendor Secure Computing.
If you’re not familiar with security lingo, “hacker” in this context means he’s one of the good guys. He’s also one of a couple dozen members of the US Department of Homeland Security’s Advisory Council.
The ICANN press release announcing the appointment (pdf) is filled with plaudits from some of the industry’s top DNS security geeks.
Paul Vixie, chairman and chief scientist of the Internet Systems Consortium is quoted as saying:
This is a great hire for ICANN. Jeff’s been in the infosec community since the dawn of time and not only knows where the weak spots are but also how they got that way, and what needs to be done and by whom. He’s the ideal person to drive ICANN’s security agenda.
He’s also been named vice-president. He starts work at the ICANN Washington DC office tomorrow.
Plug-in works around seized domains
Disgruntled coders have come up with a new Firefox plug-in to help people find piracy web sites after their domain names are seized by the authorities.
MAFIAA-Fire hooks into the browser, checking DNS queries against a list supplied by the developers, to see if the name corresponds to a seized domain.
If it does, the browser is redirected to an approved mirror. If it does not, the DNS query is handled as normal through the browser’s regular resolvers.
The plug-in was created in response to the seizure of domain names alleged to be involved in distributing bootleg movies, music and software.
The US Immigration and Customs Enforcement agency has been sending court-ordered take-down notices to US-based registry operators such as VeriSign for the last several months.
Some sites immediately relocate to top-level domains outside of US jurisdiction. MAFIAA-Fire is designed to make the process of finding these new sites easier.
As the plug-in site acknowledges, if any fraudulent data were to make its way onto its manually-authenticated list of domains, it could cause a security problem for end users.
MAFIAA stands for “Music and Film Industry Association of America”, a corruption of RIAA and MPAA. The “Fire” suffix comes from the fact that fire melts ICE.
The plug-in, which was first reported by TorrentFreak, is hosted at a .com address.
Recent Comments