Latest news of the domain name industry

Recent Posts

Cloudflare “bug” reveals hundreds of secret domain prices

The secret wholesale prices for hundreds of TLDs have been leaked, due to an alleged “bug” at a registrar.
The registry fees for some 259 TLDs, including those managed by Donuts, Verisign and Afilias, are currently publicly available online, after a programmer used what they called a “bug” in Cloudflare’s API to scrape together price lists without actually buying anything.
Cloudflare famously busted into the domain registrar market last September by announcing that it would sell domains at cost, thumbing its nose at other registrars by suggesting that all they’re doing is “pinging an API”.
But because most TLD registries have confidentiality clauses in their Registry-Registrar Agreements, accredited registrars are not actually allowed to reveal the wholesale prices.
That’s kind of a problem if you’re a registrar that has announced that you will never charge a markup, ever.
Cloudflare has tried to get around this by not listing its prices publicly.
Currently, it does not sell new registrations, instead only accepting inbound transfers from other registrars. Registry transaction reports reveal that it has had tens of thousands of names transferred in, but has not created a significant number of new domains.
(As an aside, it’s difficult to see how it could ever sell a new reg without first revealing its price and therefore breaking its NDAs.).
It appears that the only way to manually ascertain the wholesale prices of all of the TLDs it supports would be to buy one of each at a different registrar, then transfer them to Cloudflare, thereby revealing the “at cost” price.
This would cost over $9,500, at Cloudflare’s prices, and it’s difficult to see what the ROI would be.
However, one enterprising individual discovered via the Cloudflare API that the registrar was not actually checking whether they owned a domain before revealing its price.
They were therefore able to compile a list of Cloudflare’s prices and therefore the wholesale prices registries charge.
The list, and the script used to compile it, are both currently available on code repository Github.
The bulk of the list comprises Donuts’ vast portfolio, but most TLDs belonging to Afilias (including the ccTLD .io), XYZ.com and Radix are also on there.
It’s not possible for me to verify that all of the prices are correct, but the ones that are comparable to already public information (such as .com and .net) match, and the rest are all in the ballpark of what I’ve always assumed or have been privately told they were.
The data was last refreshed in April, so without updates its shelf life is likely limited. Donuts, for example, is introducing price increases across most of its portfolio this year.

Afilias buys the other half of .global

Afilias has acquired one of its new gTLD back-end customers, Dot Global Domain Registry Limited, the registry for .global.
It immediately makes .global Afilias’ best-performing 2012-round new gTLD.
The price of the deal, between two private companies, was undisclosed.
As DI reported last November, Afilias already owned 45% of the company, which had 2017 revenue of $1.9 million and a $320,000 loss.
.global is a relatively good new gTLD business, as new gTLDs go.
We’re looking at a business with probably still low-seven-digit annual revenue, with annual adds and renewals trending upwards.
It had over 48,000 domain under management at the last count, with about about 22,500 annual renews.
The names renew at $100 at GoDaddy, which with 30% of .global regs is the largest .global registrar.
NameCheap, the second-largest registrar (with 11%), renews at about $65.
Anecdotally, it’s a new gTLD that I regularly come across in the wild, which is still relatively noteworthy. It’s often used by multinational companies for global gateway sites.
Afilias said that because .global already runs on its back-end, there won’t be any burdensome migration work for registrars, just some “paperwork will need to be updated”.
In terms of domains under management, .global immediately becomes Afilias’ highest-volume new gTLD (excluding pre-2012 .info, .pro and .mobi).
Its biggest 2012-round TLD, from the about 20 it owns, was .red, with around 34,000 DUM.

Time for some more ICANN salary porn

Kevin Murphy, June 3, 2019, Domain Policy

ICANN has filed its tax return for its fiscal 2018, so it’s once again that time of the year in which the community gets to salivate over how much its top staffers get paid.
The latest form 990, covering the 12 months to June 30, 2018, shows that the top 21 ICANN employees were compensated to the tune of $10.3 million, an average of $492,718 each.
That’s up about 4% from $9.9 million in the previous year, an average across the top 21 staffers of $474,396 apiece.
These numbers include base salary, bonuses, and benefits such as pension contributions.
Employee compensation overall increased from $60 million to $73.1 million.
The biggest earner was of course CEO Göran Marby, who is now earning more than his immediate predecessor Fadi Chehadé but a bit less than last-but-one boss Rod Beckstrom.
Marby’s total compensation was $936,585, having received a bonus of almost $200,000 during the year. His base salary was $673,133.
The number of staffers receiving six-figure salaries increased from 159 in fiscal 2017 to 183 — about 44% of its estimated end-of-year headcount.
Towards the end of the reported year, as ICANN faced a budget crunch, many members of the ICANN community had called on the organization to rein in its spending on staff.
ICANN says it targets compensation in the 50th to 75th percentile range for the relevant industry.
The top five outside contractors in the year were:

  • Jones Day, ICANN’s go-to law firm. It received $5.4 million, down from $8.7 million in 2017.
  • Zensar Technologies, the IT consultancy that develops and supports ICANN software. It received $3.7 million.
  • IIS, the Swedish ccTLD registry, which does pre-delegation testing for new gTLDs. It received $1.3 million.
  • Iron Mountain, the data escrow provider. It received $1.1 million.
  • Infovity, which provides Oracle software support. It received $1 million.

The return shows that ICANN made a loss of $23.9 million in the year, on revenue that was down from $302.6 million to $136.7 million.
The primary reason for this massive decrease in revenue was the $135 million Verisign paid for the rights to run .web, at an ICANN last-resort auction, in ICANN’s fiscal 2017.
The tax form for 2018 can be found here (pdf) and 2017’s can be found here (pdf).

GRS has lost three million domains since Famous Four died

The old Famous Four Media gTLD portfolio has shrunk by roughly 60% since old management were kicked out.
At the same time, the new registry is selling less than one percent of the domains it used to add each month.
The 16 TLDs, now managed by GRS Domains, have a total of approximately 2 million domains in their zone files today, compared to about 5 million at the end of August 2018.
Last August was when GRS, which seems to have taken over the portfolio about a year ago, announced that it was introducing “much more transparent and sensible pricing strategy” of $9.98 per domain per year across the board.
Its 16 TLDs include the likes of .loan, .win and .bid. Many had been offered in the sub-$1 range, largely via former affiliate AlpNames, attracting huge volumes of registrations but low renewals and a lot of spammers.
I compared the zone file counts at the end of August 2018 to yesterday’s numbers, rounding to the nearest thousand, and came up with this:
[table “55” not found /]

Don’t think for a second that the correction is over. The story of the old FFM portfolio’s decline will roll for many more months. Each TLD is still seeing monthly deletes in the thousands.
The number of new regs across the portfolio every month has dropped off a cliff — a big cliff with jagged rocks and sharks circling at the bottom — since the August price changes.
Whereas in January 2018 the 16 gTLDs saw a combined total of over 400,000 adds, by January 2019 this had dropped to fewer than 1,700, a 99.59% decline.
[table “56” not found /]

In each case, the drop-off in adds started in August last year. Each TLD went almost immediately from thousands of new regs per month, to under 100.
I compared Januaries because January 2019 is the date of the most-recent registry transaction data. January 2018 was not an atypically strong month for sales for any of the TLDs; for many, it was on the slow side.
Famous Four was replaced by GRS about a year ago after investors in Domain Venture Partners, the ultimate owner of the portfolio, fell out with FFM management.
The registrar AlpNames, which was responsible for a huge share of FFM’s sales and was managed by the same people, has also since gone out of business.

CENTR: domain growth now slowest EVER

The number of registered domain names in the world is growing at its slowest rate ever, according to CENTR.
Its latest CENTRstats Global TLD Report, covering the first quarter of 2019, shows median domain growth of 3.4% year-over-year, a “record low”.
That stat peaked at 29.8% in the third quarter of 2015, according to the report. That was when the first significant wave of new gTLDs were hitting the market.
The 3.4% figure is the median growth rate across the top 500 TLDs CENTR tracks.
The group tracks 1,486 TLDs in total, a little under the 1,531 currently in the root, ignoring TLDs that are too small or have unreliable data.
The report says that growth rates are similar across ccTLDs and gTLDs, though gTLDs seem to be faring slightly better.
The median growth rate of the top 300 gTLDs was 4.1%.
For ccTLDs, the percentage growth varied between regions, from 1.4% in the Americas to 6.3% in the still much smaller African markets.
CENTR estimates that there were 351 million registered domains at the end of the quarter.

Brand-blocking service plotted for porn gTLDs

MMX wants to offer a new service for trademark owners worried about cybersquatting in its four porn-themed gTLDs.
The proposed Adult Block Services would be similar to Donuts’ groundbreaking Domain Protected Marks List and the recent Trademark Sentry offering from .CLUB Domains.
The service would enable big brands to block their marks from registration across all four TLDs for less than the price of individual defensive registrations.
Prices have not been disclosed, but a more-expensive “Plus” version would also allow the blocking of variants such as typos. The registry told ICANN:

The Adult Block Services will be offered as a chance for trademark owners to quickly and easily make labels unavailable for registration in our TLDs. For those trademark owners registering domain names as a defensive measure only, the Adult Block Services offer an easy, definitive, and cost-effective method for achieving their goals by offering at-a-stroke protection for TLDs included in the program. The Adult Block Services are similar to the Donuts’ DPML, Uniregistry’s EP and EP Plus and the .Club UNBS and should be immediately understood and accepted by the trademark community.
The Adult Block will allow trademark owners to block unregistered labels in our TLDs that directly match their trademarks. The Adult Block Plus will allow trademark owners to block unregistered, confusingly similar variations of their trademarks in our TLDs.

It seems more akin to DPML, and Uniregistry’s recently launched clone, than to .CLUB’s forthcoming single-TLD offering.
The Registry Service Evaluation Process request was filed by ICM Registry, which was acquired by MMX last year.
It only covers the four porn gTLDs that ICM originally ran, and not any of the other 22 gTLDs managed by MMX (aka Minds + Machines).
This will certainly make the service appear less attractive to the IP community than something like DPML, which covers Donuts stable of 242 TLDs.
While there’s no public data about how successful blocking services have been, anecdotally I’m told they’re quite popular.
What we do have data on is how popular the ICM gTLDs have been in sunrise periods, where trademark owners showed up in higher-than-usual numbers to defensively register their marks.
.porn, .adult and .sex garnered about 2,000 sunrise regs each, more than 20 times the average for a new gTLD, making them three of the top four most-subscribed sunrise periods.
Almost one in five of the currently registered domains in each of these TLDs is likely to be a sunrise defensive.
Now that sunrise is long gone, there may be an appetite in the trademark community for less-expensive blocks.
But there have been calls for the industry to unify and offer blocking services to cover all gTLDs.
The brand-protection registrar Com Laude recently wrote:

What brands really need is for registry operators to come together and offer a universal, truly global block that applies across all the open registries and at a reasonable price that a trademark owner with multiple brands can afford.

Quite how that would happen across over 1,200 gTLDs is a bit of a mystery, unless ICANN forced such a service upon them.

These five TLDs contain 80% of all child abuse images

Online child abuse watchdog the Internet Watch Foundation has released its 2018 annual report, and it fingers the five TLDs that host four in five cases of child sexual abuse images and videos.
The TLDs in question are Verisign’s .com and .net, Neustar’s repurposed Colombian ccTLD .co, Russia’s .ru and Tonga’s .to.
IWF found the illegal content in 3,899 unique domains, up 3% from 2017’s 3,791 domains, in 151 different TLDs.
Despite the apparent concentration of illegal web pages in just five TLDs, it appears that this is largely due to the prevalence of image-hosting and file-sharing “cyberlocker” sites in these TLDs.
These are sites abused by the purveyors of this content, rather than being specifically dedicated to abuse.
It would be tricky for a registry to take action against such sites, as they have substantial non-abusive uses. It would be like taking down twitter.com whenever somebody tweets something illegal.
In terms of domains being registered specifically for the purpose of distributing child abuse material, the new gTLDs created since 2012 come off looking much worse.
IWF said that last year it found this material on 1,638 domains across 62 new gTLDs. That’s 42% of the total number of domains used to host such content, compared to new gTLDs’ single-figures overall market share.
The number of URLs (as opposed to domains) taken down in new gTLD web sites was up 17% to 5,847.
IWF has a service that alerts registries when child abuse material is found in their TLDs.
Its 2018 report can be found here (pdf).

.CLUB to let brands block “trillions” of domains for $2,000

.CLUB Domains has launched a service for trademark owners that will enable them to block an essentially infinite number of potential cybersquats for a $2,000 payment every three years.
But the restrictions in place to avoid false positives mean that some of the world’s most recognizable brands would not be eligible to use it.
The service is called Trademark Sentry. In February, .CLUB asked ICANN for approval to launch it under the name Unlimited Name Blocking Service.
It’s cast by the registry roughly as a kind of clone of Donuts’ five-year-old Domain Protected Marks List, which enables brands to block their marks across Donuts’ entire portfolio of 242 gTLDs for far less than they would pay defensively registering 242 domains individually.
But while Donuts has a massive stable of TLDs, .CLUB is a one-horse town, so what’s going on?
Based on promotional materials .CLUB sent me, it appears that Trademark Sentry is primarily a way to reduce not defensive registration costs but rather UDRP costs.
Instead of blocking a single trademarked string across a broad portfolio of TLDs — for example google.ninja, google.bike, google.guru, google.charity… — the .CLUB service allows brands to block any domain that contains that string in a single TLD.
For example, Google could pay .CLUB $2,000, and for the next three years it would be impossible for anyone to register any .club domain that contained the substring “google”.
Any potential cybersquatter who went to a registrar and tried to register domains such as “mygooglesearch.club” or “googlefootball.club” or “bestgoogle.club” or “xreegtegooglefwrreed.club” would be told by the registrar that the domain was unavailable.
It would be blocked at the registry level, because it contained the blocked string “google”.
Customers will be able to add typos to the blocklist for a 50% discount.
To the best of my knowledge, this is not a service currently offered by any other gTLD registry.
It’s precisely the kind of thing that the IP lobby at ICANN was crying out for — albeit without the obligation to pay for it — prior to the 2012 application round.
.CLUB reckons it’s a money-saver for brand owners who find themselves filing lots of UDRP complaints.
UDRP complaints cost at least $1,500, just for the filing fees with outfits such as WIPO. They can cost many hundreds more in lawyers fees.
Basically, if you expect your brand will be hit by at least one UDRP in .club in the next three years, $2,000 might look like a decent investment.
.club domains have been subject to 279 UDRP complaints over the last five years, according to UDRPSearch.com.
But .CLUB has put in place a number of restrictions that are likely to seriously restrict its potential customer base.
First, the trademark will have to be “fanciful”. The registry says:

To qualify for Unlimited Name Blocking a trademark must be fanciful as defined by the USPTO and meet the .CLUB Registry’s additional requirements and subject to the .CLUB Registry’s discretion. Marks that are not fanciful but when combined with another word become sufficiently unique may be allowed.

“Apple” would not be permitted, but “AppleComputer” might be.
.CLUB told me that any trademark that, if blocked, would prevent non-infringing uses of the string would also not qualify for the service.
If you look at a UDRP-happy brand like Lego, which has already filed several complaints about alleged cybersquats in .club, it would certainly not qualify. Too many words end in “le” and begin with “go” for .CLUB to block every domain containing “lego”.
Similarly, Facebook would likely not qualify because one can imagine non-infringing uses such as facetofacebookmakers.club. Twitter is a dictionary word, as is Coke. Pepsi is a substring of dyspepsia. Amazon is primarily a geographic term. McDonald’s is derived from a common surname, as are Cartier and Heinz.
For at least half of the famous brands that pop into my head, I can think of a reason they will probably not be allowed to use this service.
.CLUB also won’t allow trademarks shorter than five characters.
Still, for those brands that do qualify, and do have an aggressive UDRP-based enforcement policy, the service seems to be priced at a point where an ROI case can be made.
Like Donuts’ DPML domains, anything blocked under Trademark Sentry is not going to show up in zone files, so we’re not going to have any objective data with which to monitor its success.

Governments demand Whois reopened within a year

Kevin Murphy, April 29, 2019, Domain Policy

ICANN’s government advisers wants cops, trademark owners and others to get access to private Whois data in under a year from now.
The Governmental Advisory Committee wants to see “considerable and demonstrable progress, if not completion” of the so-called “unified access model” for Whois by ICANN66 in Montreal, a meeting due to kick off November 4 this year.
The demand came in a letter (pdf) last week from GAC chair Manal Ismail to her ICANN board counterpart Cherine Chalaby.
She wrote that the GAC wants “phase 2” of the ongoing Expedited Policy Development Process on Whois not only concluded but also implemented “within 12 months or less” of now.
It’s a more specific version of the generic “hurry up” advice delivered formally in last month’s Kobe GAC communique.
It strikes me as a ludicrously ambitious deadline.
Phase 2 of the EPDP’s work involves deciding what “legitimate interests” should be able to request access to unredacted private Whois data, and how such requests should be handled.
The GAC believes “legitimate interests include civil, administrative and criminal law enforcement, cybersecurity, consumer protection and IP rights protection”.
IP interests including Facebook want to be able to vacuum up as much data as they want more or less on demand, but they face resistance from privacy advocates in the non-commercial sector (which want to make access as restrictive as possible) and to a lesser extent registries and registrars (which want something as cheap and easy as possible to implement and operate that does not open them up to legal liability).
Ismail’s letter suggests that work could be sped up by starting the implementation of stuff the EPDP group agrees to as it agrees to it, rather than waiting for its full workload to be complete.
Given the likelihood that there will be a great many dependencies between the various recommendations the group will come up with, this suggestion also comes across as ambitious.
The EPDP group is currently in a bit of a lull, following the delivery of its phase 1 report to ICANN, which is expected to approve its recommendations next month.
Since the phase 1 work finished in late February, there’s been a change of leadership of the group, and bunch of its volunteer members have been swapped out.
Volunteers have also complained about burnout, and there’s been some pressure for the pace of work — which included four to five hours of teleconferences per week for six months — to be scaled back for the second phase.
The group’s leadership has discussed 12 to 18 months as a “realistic and desirable” timeframe for it to reach its Initial Report stage on the phase 2 work.
For comparison, it published its Initial Report for phase 1 after only six stressful months on the job, and not only have its recommendations not been implemented, they’ve not even been approved by ICANN’s board of directors yet. That’s expected to happen this Friday, at the board’s retreat in Istanbul.
With this previous experience in mind, the chances of the GAC getting a unified Whois access service implemented within a year seem very remote.

Oh, the irony! Banned anti-Islam activist shows up on “Turkish” new gTLD domain

Kevin Murphy, April 23, 2019, Domain Policy

Tommy Robinson, who has been banned from most major social media platforms due to his anti-Islam “hate speech”, is now conducting business via a domain name that some believe rightfully belongs to the Muslim-majority nation of Turkey.
The registration could add fuel to the fight between ICANN and its governmental advisers over whether certain domains should be blocked or restricted.
Robinson, the nom de guerre of the man born Stephen Yaxley-Lennon, is the founder and former leader of the far-right English Defence League and known primarily for stirring up anti-Muslim sentiment in the UK for the last decade.
He’s currently, controversially, an adviser to the UK Independence Party. Former UKIP leader Nigel Farage, also a thoroughly unpleasant bloke, considers Robinson so far to the right he quit the party in response to the appointment.
Over the last year, Robinson has been banned from Twitter, Facebook and Instagram, and had his YouTube account placed under serious restrictions. This month, he was also banned from SnapChat, and the EDL he used to lead was among a handful of far-right groups banned from Facebook.
Since his personal Facebook page went dark in February, he’s been promoting his new web site as the primary destination for his supporters.
It features news about his activities — mainly his ongoing fights against social media platforms and an overturned contempt of court conviction in the UK — as well as summaries of basically any sufficiently divisive anti-Islam, anti-immigration, or pro-Brexit stories his writers come across.
The domain he’s using is tr.news, a new gTLD domain in a Donuts-owned registry. It was registered in December via GoDaddy.
Given it’s a two-character domain, it will have been registry-reserved and would have commanded a premium price. Other two-character .news domains are currently available on GoDaddy for between $200 and $10,000 for the first year.
It will come as no surprise at all for you to learn that the domain was transferred out of GoDaddy, which occasionally kicks out customers with distasteful views, to Epik, now de facto home of those with far-right views, a couple of weeks after the web site launched.
The irony of the choice of domain is that many governments would claim that tr.news — indeed any two-character domain, in any gTLD, which matches any country-code — rightfully belongs to Turkey, a nation of about 80 million nominal Muslims.
TR is the ISO 3166-1 two-character code for Turkey, and until a couple of years ago new gTLD registries were banned from selling any of these ccTLD-match two-letter domains, due to complaints from ICANN’s Governmental Advisory Committee.
Many governments, including the UK and US, couldn’t care less who registers their matching domain. Others, such as France, Italy and Israel, want bans on specific domains such as it.pizza and il.army. Other countries have asked for blanket bans on their ccTLD-match being used at all, in any gTLD.
When new gTLDs initially launched in 2012, all ccTLD matches were banned by ICANN contract. In 2014, ICANN introduced a cumbersome government-approval system under which governments had to be consulted before their matches were released for registration.
Since December 2016, the policy (pdf) has been that registries can release any two-letter domains, subject to a provision that they not be used by registrants to falsely imply an affiliation with the country or registry with the matching ccTLD.
Robinson is certainly not making such an implication. I imagine he’d be as surprised as his readers to learn that his new domain has a Turkish connection. It’s likely the only people who noticed are ICANN nerds and the Turkish themselves.
Would the Turkish people look at tr.news and assume, from the domain alone, that it had some connection to Turkey? I think many would, though I have no idea whether they would assume it was endorsed by the government or the ccTLD registry.
Would Turkey — a government whose censorship regime makes Robinson’s social media plight look like unbounded liberalism — be happy to learn the domain matching its country code is being used primarily to deliver divisive content about the coreligionists of the vast majority of its citizens? Probably not.
But under current ICANN policy it does not appear there’s much that can be done about it. If Robinson is not attempting to pass himself of as an affiliate of the Turkish government or ccTLD registry, there’s no avenue for complaint.
However, after taking the cuffs off registries with its December 2016 pronouncement, allowing them to sell two-letter domains with barely any restrictions, ICANN has faced continued complaints from the GAC — complaints that have yet to be resolved.
The GAC has been telling ICANN for the last two years that some of its members believe the decision to release two-character names went against previous GAC advice, and ICANN has been patiently explaining the process it went through to arrive at the current policy, which included taking GAC advice and government comments into account.
In what appears to be a kind of peace offering, ICANN recently told the GAC (pdf) that it is developing an online tool that “will provide awareness of the registration of two-character domains and allow for governments to report concerns”.
The GAC, in its most-recent communique, told ICANN its members would test the tool and report back at the public meeting in Montreal this November.
The tool was not available in December, when tr.news was registered, so it’s not clear whether Turkey will have received a formal notification that its ccTLD-match domain is now registered, live, and being used to whip up mistrust of Muslims.
Update April 30: ICANN informs me that the tool has been available since February, but that it does not push notifications to governments. Rather, governments can search to see if their two-letter codes have been registered in which gTLDs.