Latest news of the domain name industry

Recent Posts

Six more gTLDs shown the door, five may be auctioned

Kevin Murphy, January 30, 2025, Domain Registries

There are to be six fewer gTLDs on the internet, after ICANN terminated its registry contracts with two companies.

Asia Green IT System’s agreements for .pars, .shia, .tci, .nowruz and .همراه (.xn--mgbt3dhd) have been cancelled, after a lengthy compliance process, while Kerry Trading Co self-terminated .kerrylogistics.

Despite being contracted for a decade, none of AGIT’s TLDs had ever meaningfully launched. The Iranian new-year-themed .nowruz had a handful of registrations.

The registry had stopped paying CoCCA, its back-end provider, bringing it into serious breach of its Registry Agreements. It had also failed to pay its ICANN fees.

According to ICANN correspondence, after it entered into mediation with AGIT last August it came up with a secret term sheet to give the company a way out, but it breached the terms of that deal too.

All five were terminated over the Christmas period, but they could return if ICANN decides to sell them off to the highest bidder.

ICANN told the company it “will conduct an assessment and make its determination whether to transition operation of the .nowruz gTLD to a successor registry operator.”

But they all look like poison chalices. They’re all related in some way to Iran, and could raise cultural or legal sensitivities.

.shia is related to the branch of Islam, .pars is related to the language and culture of Iran and .nowruz is the Persian new year holiday.

.tci, which I can easily imagine being picked up and repurposed by a discount-names portfolio registry, was supposed to be a dot-brand for the Telecommunication Company of Iran and همراه. is the brand of its mobile phone subsidiary, meaning something like “companion”.

Neither was technically a Spec 13 dot-brand, which is usually enough to for ICANN to rule out a redelegation.

But even if ICANN decides to sell off these five dead strings to another registry under the Registry Transition Process, there’s no guarantee that will ever actually happen.

Org decided to auction failed gTLD .wed almost five years ago and there’s been no movement on that ever since. Failed .desi is in a similar situation.

.kerrylogistics was a Spec 13, and will not be transitioned, after Hong Kong based delivery company Kerry unilaterally told ICANN it no longer wished to run the TLD.

Kerry has five remaining dot-brands, including .kerryhotels and .kerryproperties, that it does not use but does not seem to want to kill off just yet.

1 Comment Tagged: , , , ,

Registrar terminated after ignoring Whois transition

Kevin Murphy, January 30, 2025, Domain Registrars

A registrar has lost its right to sell gTLD domains in part due to its failure to migrate from Whois to RDAP.

Spain-based Abansys & Hostytec has had its ICANN registrar contract terminated over a litany of alleged breaches dating back to 2023, and its meager collection of domains will now be given to another registrar.

ICANN said in its termination notice that the company had failed to implement the Registration Data Access Protocol, the successor to Whois that this week became the new industry standard for domain ownership lookups.

The registrar was also past due on its fees, hadn’t given ICANN evidence the was still in good standing, hadn’t had an employee attend compliance training and was not publishing masked contact addresses in Whois results, among other things.

While its accreditation dates back to the noughties, Abansys has never had more than 600 gTLD domains under management and it seems very unlikely that it was making enough money from those domains to cover the cost of compliance.

ICANN said the termination became effective January 26, but it still wants its past-due fees paid.

Separately, Compliance has also sent breach notices to four other registrars — US-based Zoo Hosting, UK-based Nerd Origins, and China-based Mixun and Mixun Network Technology — that cite RDAP failures as an area of non-compliance but appear to be primarily based on non-payment of fees.

All four registrars appear to have got accredited between 2019 and 2021 and stopped paying their fees not long afterwards. None of them has sold a single gTLD domain, ever, and two of their web sites suggest the companies are no longer around.

They’ve all got until February 12 to magically rectify their compliance problems or face execution.

Comment Tagged: , , , , , , ,

$10 million ICANN giveaway winners picked

Kevin Murphy, January 30, 2025, Domain Policy

ICANN has picked the beneficiaries of up to $10 million it plans to give away in the first year of its Grant Program.

The board of directors approved the final slate of applicants, which will now have to sign contracts with ICANN, at its retreat this weekend.

While the recipients will not be publicly named until March at the earliest, ICANN has previously said it expects to give an average of $200,000 to about 50 applicants.

The applications — there were 247 in this round — were all expected to be funding requests for projects that align with ICANN’s technical stability and internet governance missions.

The Grant Program is funded by the proceeds of auctions for contested new gTLDs, notably .web, up to a decade ago. The fiscal 2025 budget sees the fund start with $217 million in the bank.

The program is expected to cost $2 million to administer this year, with the cost covered by expected investment gains on the principle sum.

Comment Tagged: ,

Whois officially died today

Kevin Murphy, January 28, 2025, Domain Tech

Domain registries and registrars are no longer obliged to offer Whois services as of today, the deadline ICANN set for formally sunsetting the protocol.

It’s been replaced by RDAP, the newer Registration Data Access Protocol, which offers a more structured way to deliver domain ownership information.

Under ICANN’s standard Registry Agreement and Registrar Accreditation Agreement, January 28 marks the end of the RDAP “ramp up period” and the moment Whois becomes purely optional.

I expect many registrars will offer Whois and RDAP in parallel for a while, so ingrained in internet architecture is the older protocol. Likewise, the term “Whois” will likely be used colloquially to refer to RDAP for some time.

The data delivered by RDAP is not substantially different to that delivered by Whois, and those who access Whois via a web interface, such as ICANN’s lookup.icann.org, probably won’t notice any difference.

The main headaches will likely be experienced by those using custom software to access Whois over port 43, who may find they have to tweak their code to parse incoming RDAP responses instead.

Importantly, the switch to RDAP does not mean users will get data that was already redacted in Whois. Privacy laws such as GDPR apply equally to RDAP.

The only way to obtain private data is contacting the relevant registrar, directly or via ICANN’s Registration Data Request Service, and crossing your fingers.

Comment Tagged: , ,

Typo left MasterCard open to hackers for years

Kevin Murphy, January 23, 2025, Domain Tech

A typo in MasterCard’s DNS configuration left the company open to hackers for years, it has emerged.

As first reported by Krebs On Security, from June 2020 until this month one of az.mastercard.com’s nameservers was set as akam.ne rather that akam.net, a domain used by DNS resolution provider Akamai.

The .ne version, in Niger’s ccTLD, was unregistered until security researcher Philippe Caturegli discovered the typo and spent $300 to secure the domain and check to see how much traffic it was getting, before handing it to MasterCard.

Had Caturegli been a bad actor, he could have used the domain to set up a man-in-the-middle attack, diverting a big chunk of traffic intended for mastercard.com to the server of his choosing.

MasterCard said its systems were not at risk and the typo has been corrected, Krebs reports.

4 Comments Tagged: , , ,

Could ICANN approve an R-word gTLD?

Kevin Murphy, January 22, 2025, Domain Policy

ICANN could be faced with the headache of approving or rejecting a new gTLD containing a term broadly considered a slur for the first time.

Unstoppable Domains has revealed that it is working with a client on an application for .retardio, which is linked to a memecoin cryptocurrency of the same name.

Unstoppable says the domain “symbolizes pride and a blend of brilliance with eccentricity”.

But the application could come up against significant challenges if it goes ahead, due to the various reviews and objection procedures all applications face.

The word “retard”, originally a medical term for people with mental disabilities, over the years morphed into a fun playground insult but is now considered offensive enough that, unless you’re Elon Musk, it’s often referred to as the “R-word”.

(I’m only typing it out in full here for the benefit of people who are reading this in their second language, who otherwise might not know what I’m talking about.)

Since 2009, the Special Olympics has held an annual Spread the Word to End the Word awareness day, which seeks to reduce usage of the word, which it describes as a form of “bullying”.

The British comedian Rosie Jones, who has cerebral palsy, faced a barrage of criticism from her own community when she provacatively titled her 2023 documentary about online ableist bullying “Am I a R*tard?” (asterisk in original).

There can be little doubt that it’s an offensive term in most of the Anglophone world, but does that mean it cannot be included in a gTLD string?

The current draft of ICANN’s Applicant Guidebook says that applicants “should be mindful of limitations to free expression” and there are multiple avenues through which a .retardio application could be killed off.

The most obvious way would be via the Governmental Advisory Committee, which has broad powers to instruct ICANN to reject applications on public policy grounds.

The AGB says the GAC Advice objection is for applications that are “problematic” or “potentially violate national law or raise sensitivities”, but that’s a pretty wide net.

If a couple of governments decided to champion an objection to .retardio, it’s easy to imagine they’d be able to rustle up enough support to meet the “consensus” threshold for formal GAC Advice.

ICANN’s board of directors is able to reject such advice, but in the 2012 application round it pretty much did what it was told.

Another way .retardio could fail is through the Limited Public Interest Objection, which can be filed against strings that are “contrary to generally accepted legal norms of morality and public order that are recognized under principles of international law”, such as:

Incitement to or promotion of discrimination based upon race, color, gender, ethnicity, religion or national origin, or other similar types of discrimination that violate generally accepted legal norms recognized under principles of international law

Literally anybody can file a LPI Objection, and they presumably could use the UN Convention on the Rights of Persons with Disabilities to tick the “principles of international law” box.

If successful, such objections force the applicant to withdraw.

The International Olympic Committee has never been shy about participating in ICANN, so if the affiliated Special Olympics, or the IOC, or indeed any disability rights advocacy groups, wanted to make a point by objecting to .retardio, the LPI Objection would be the way to do it.

2 Comments Tagged: , , , , ,

These are the TLD growers and shrinkers of 2024 (part two)

Kevin Murphy, January 20, 2025, Domain Registries

Following on from the annual ccTLD growth statistics DI published last week, today we’ll look at the gTLDs, where .shop was by far the biggest volume winner and .com was by far the biggest loser.

GMO Registry’s .shop added 1,315,000 names to its zone file in 2024, ending the year with 3,470,000 domains. It’s now the second-largest of the 2012 batch of gTLDs, after .xyz.

The growth seems to have been pretty consistent across the year and is presumably due to the low first-year prices offered by many registrars. At least 10 registrars offer .shop for under a dollar currently, one as low as $0.27, though around $25 appears to be the floor for renewals.

.xyz, .lol, .bond and .sbs recorded similar growth stats, up 495,000, 487,000, 468,000 and 459,000 domains to end the year with 3,801,000, 601,000, 710,000 and 824,000 respectively.

Of the 750-odd gTLDs (excluding dot-brands) for which I have stats, only about 200 grew by more than one domain per day. About 60 grew by five-figure amounts. About 280 shrank. The rest were either still unlaunched or recorded negligible growth.

Only about 80 currently have over 50,000 names in the zones which, if the number matched domains under management, would be the threshold for triggering ICANN’s per-transaction fees.

At the other end of the table, .com was by far the biggest volume loser, down 3,769,000 zone file domains to end the period at 153,856,000. Verisign has blamed economic factors in China and price increases at American registrars for the decline. Verisign’s .net lost 424,000 names to end with 12,485,000.

ShortDot’s .cfd, a stable sister to .sbs and .bond at the top end of the table, lost over three quarters of its domains over the course of the year, ending December down 782,000 at 238,000 names, showing that domains sold for pennies tend not to stick around very long.

The next five shrinkers were .click, .space, .buzz, .live and .bio, which were down 94,000, 72,000, 43,000, 41,000 and 30,000 to end the year with 471,000, 310,000, 316,000, 545,000 and 48,000 domains respectively.

.social, .gay, .win, .mobi, .monster, .website and .biz all saw declines in the low five figures in the period.

Figures in this article are sourced from domain counts in zone files collected on January 1 2024 and 2025, rounded to the nearest thousand.

Comment Tagged: ,

GoDaddy ordered to stop lying about crappy security

Kevin Murphy, January 16, 2025, Domain Registrars

GoDaddy has agreed to roll out some pretty basic security measures and has been told to stop lying about how secure its hosting is, under an agreement with US regulators.

It turns out that the company, while claiming that security “was at the core of everything we do”, was failing to do some pretty basic stuff like installing software patches, retiring end-of-life servers, or securing internet-facing APIs.

Its settlement with the Federal Trade Commission finds that GoDaddy engaged in “false or misleading” advertising and orders that it “must not misrepresent in any manner” its security profile in future.

The FTC complaint (pdf), filed in 2023 after reports of mass hacking incidents, states:

Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment. Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats.

The complaint says that GoDaddy had a slack patching regime that was left up to individual product teams to execute, with no centralized management.

This meant thousands of boxes in its Shared Hosting environment were subject to critical vulnerabilities that allowed bad guys to get in and steal data such as user credentials and credit card info for months.

The complaint also describes a custom internet-facing API designed to enable customer support staff to access details about managed WordPress users, such as login credentials.

This API was apparently open to the internet, unfirewalled, used plaintext for credentials, and had no multi-factor authentication in place, again enabling hackers to steal data.

One or more “threat actors” abused this lax security to pwn tens of thousands of servers between October 2019 and December 2022, according to the complaint.

The settlement (pdf), in which GoDaddy does not admit or deny any wrongdoing, does not come with an associated fine.

Instead, GoDaddy has agreed to a fairly extensive list of requirements designed to increase the security of its hosting services.

Comment Tagged: , ,

These are the TLD growers and shrinkers of 2024 (part one)

Kevin Murphy, January 14, 2025, Domain Registries

With all the excitement and concern surrounding the rise of artificial intelligence, the smart money might have been on .ai being the fastest-growing ccTLD in 2024. It wasn’t.

That honor instead goes to Russia’s .ru, which grew by the largest number of domains last year of any of the ccTLDs that have so far published statistics.

.ru grew by almost 388,000 domains to end the year at around 5,817,000, according to the registry. The matching Cyrillic ccTLD, .РФ, declined a little from 768,000 domains to 760,000.

Anguilla’s .ai, currently being re-homed on an Identity Digital back-end grew by just over 244,000 domains between late December 2023 and January 2 2025, according to registry stats.

After Russia, Indonesian ccTLD .id added the most domains in 2024, growing by almost 289,000 and breaking into seven figures in November to end the year with about 1,215,000 names.

Turkiye’s .tr is next on the list. Its second-level liberalization saw a sharp increase in registrations mid-year, and it ended the year with 1.283.000 names, up 271,000 over the period.

Portugal and Brazil (.pt and .br) are the only other two ccTLDs to report six-figure increases so far, with growth of 149,000 and 134,000 to 1,930,000 and 5,372,000 domains respectively.

.fr (France), .ir (Iran), .pl (Poland), .de (Germany), .my (Malaysia), .ca (Canada), .vn (Vietnam), .jp (Japan), .cz (Czechia) and .hu (Hungary) all reported growth measured in the five digits for the year.

At the other end of the table, the UK saw the biggest shrinkage in terms of registered domains in 2024, with .uk (second and third levels combined) down about 472,000 to end December at 10,261,000 domains.

The decline was primarily at the third level (such as the popular .co.uk), which lost 371,000 names compared to 100,000 at the second level. The third-level total is now 8,967,852 — below nine million for the first time in 15 years.

The ccTLD reporting the second-biggest loss was .nl, which lost 106,000 names to end the year with 6,192,000. The TLD has been on a downwards trajectory since its peak of 6.3 million domains in mid-2023.

Ukraine’s up next, reporting a 57,000-name decline to 458,000 at the end of December. Much as it’s hard to not speculate that international sanctions are behind the rise of .ru, one wonders whether the ongoing Russian invasion is not behind the decline of .ua. Entrepreneurial-aged men have more existential concerns right now.

.ar (Argentina), .dk (Denmark), .kr (South Korea), .at (Austria), .se (Sweden), .eu (European Union), .be (Belgium) and .nu (Niue, mainly sold in Sweden) all saw five-figure declines in their reg totals over the year.

.hk (Hong Kong), .cl (Chile), .it (Italy), .il (Israel), .mx (Mexico) and .ie (Ireland) all also saw modest dips in their totals.

About three quarters of the ccTLDs for which I have data were up in the year, with the rest going down.

I should note that this prose league table cannot be considered comprehensive. Many ccTLD registries with substantial DUM (eg China, the US) will not report their year-end numbers for months and others (eg .tv, .co, .in, .me) typically do not report numbers at all.

In addition, strict apples-to-apples comparisons between ccTLDs may not be fair, given the differing ways registries calculate their totals.

1 Comment Tagged:

Dead terrorist domains for sale, just without the hyphens

Kevin Murphy, January 2, 2025, Gossip

People are trying to make a quick buck flogging domains matching the names of suspects in recent terrorist atrocities, but they’re stopping short of including the hyphens.

The 2024 Christmas-New Year period was marked by two vehicular terrorist incidents on either side of the Atlantic: the Christmas market attack in Magdeburg, Germany on December 20 and the Bourbon Street attack in New Orleans, Louisiana in the early hours of January 1.

In both cases, domains (almost) matching the names of the alleged attackers were registered within minutes of their identities being revealed.

The suspect in the New Orleans ramming attack, who was shot dead by police, has been named by authorities as Shamsud-Din Jabbar, and the .com matching his name was registered even before it was officially announced.

It seems reporters at NOLA.com were the first to reveal his identity, at around 1700 UTC yesterday, and shamsuddinjabbar.com was registered at 1720 UTC, some time before the news conference where he was officially named.

The more correct spelling, shamsud-dinjabbar.com, has not been registered. Apparently, attempting to make money from an attack that killed 15 people is okay, but registering a domain containing a hyphen is a step too far.

The domain that was registered leads to a Dynadot sales lander with a $7,038.94 buy-it-now price. This converts to a round €6,800, suggesting the owner is based in the Eurozone.

The matching .net has also been registered and currently leads to a GoDaddy parking page.

The suspect in the Magdeburg attack , currently in police custody and charged with five counts of murder, was named by German authorities as Taleb A., abbreviated due to German privacy laws, just a few hours after the fact, but his full name has been widely reported as Taleb Al-Abdulmohsen.

The .com matching (almost) his name, talebalabdulmohsen.com, was registered shortly before 0500 UTC on December 21, hours before it had been reported by major news outlets’ live blogs. It’s currently parked with GoDaddy.

Again, the hyphenated version was not registered and is still available. The matching .de has not been registered.

Professional domain investors consider registering such domains for profit not only pointless but unethical. The Internet Commerce Association, which represents domainers, has in its code of conduct:

Respect for Human Suffering and Victims of Tragedy. A [ICA] member shall be respectful of persons and communities involved in tragedy. A member shall not register domains with the intent to profit from a recent tragedy.

The ICA has no policy on hyphens, to my knowledge.

Comment Tagged: