Latest news of the domain name industry

Recent Posts

Cahn says .hiphop premiums could show up at auction next month

Kevin Murphy, January 26, 2022, Domain Sales

“Premium” .hiphop domains could show up at auction next month, according to RightOfTheDot.

The company is planning a “digital asset auction” for February 24 and boss Monte Cahn said in a press release “you may also see some .hiphop premium reserve names as well as some other premium TLDs.”

Cahn is a partner in Dot Hip Hop, along with JJN Consulting and DigitalAMN, the new company currently battling ICANN bureaucracy for the right to have UNR’s .hiphop registry contract reassigned.

Along with 22 other UNR buyers, DHH is waiting for ICANN approval of its purchase. ICANN is wary and/or confused by UNR’s representations about matching blockchain alt-root TLDs that accompanied the sales.

The company plans to lower the cost of .hiphop names to bring them to a wider audience.

DHH filed a Request for Reconsideration with ICANN recently, to speed up a process that has so far taken almost six months, but withdrew it when it became clear it had merely triggered another time-consuming bureaucratic process.

ROTD was formed to coordinate gTLD auctions, but is perhaps better known nowadays for selling left-of-the-dot domains, such as at its annual NamesCon conference live auctions.

The company is currently seeking lots for its February 24 auction, including high-value domains and NFTs. The deadline for submissions is February 17.

1 Comment Tagged: , , , , , ,

No SSAD before 2028? ICANN publishes its brutal review of Whois policy

Kevin Murphy, January 25, 2022, Domain Policy

Emergency measures introduced by ICANN to reform Whois in light of new privacy laws could wind up taking a full decade, or even longer, to bear dead-on-the-vine fruit.

That’s arguably the humiliating key takeaway from ICANN’s review of community-created policy recommendations to create a Standardized System for Access and Disclosure (SSAD), published this evening.

The Org has released its Operational Design Assessment (pdf) of SSAD, the first-ever ODA, almost nine months after the Operational Design Phase was launched last April.

It’s a 122-page document, about half of which is appendices, that goes into some detail about how SSAD and its myriad components would be built and by whom, how long it would take and how much it would cost.

It’s going to take a while for the community (and me) to digest, and while it generally veers away from editorializing it does gift opponents of SSAD (which may include ICANN itself) with plenty of ammunition, in the form of enumerated risk factors and generally impenetrable descriptions of complex systems, to strangle the project in the crib.

Today I’m just going to look at the timing.

Regular DI readers will find little to surprise them among the headline cost and timeline predictions — they’ve been heavily teased by ICANN in webinars for over a month — but the ODA goes into a much more detailed breakdown.

SSAD, ICANN predicts, could cost as much as $27 million to build and over $100 million a year to operate, depending on adoption, the ODA says. We knew this already.

But the ODA contains a more detailed breakdown of the timeline to launch, and it reveals that SSAD, at the most-optimistic projections, would be unlikely to see the light of day until 2028.

That’s a decade after the European Union introduced the GDPR privacy law in May 2018.

Simply stated, the GDPR told registries and registrars that the days of unfettered access to Whois records was over — the records contain personal information that should be treated with respect. Abusers could be fined big.

ICANN had been taken off-guard by the law. GDPR wasn’t really designed for Whois and ICANN had not been consulted during its drafting. The Org started to plan for its impact on Whois barely a year before it became effective.

It used the unprecedented top-down emergency measure of the Temporary Specification to force contracted parties to start to redact Whois data, and the GNSO Council approved an equally unprecedented Expedited Policy Development Process, so the community could create some bottom-up policy.

The EPDP was essentially tasked with creating a way for the people who found Old Whois made their jobs easier, such as intellectual property lawyers and the police, to request access to the now-private personal data.

It came up with SSAD, which would be a system where approved, accredited users could funnel their data requests through a centralized gateway and have some measure of assurance that they would at least be looked at in a standardized way.

But, considering the fact that they would not be guaranteed to have their requests approved, the system would be wildly complex, potentially very expensive, and easily circumvented, the ODP found.

It’s so complex that ICANN reckons it will take between 31.5 and 42 months for an outsourced vendor to build, and that’s after the Org has spent two years on its Implementation Review Team activities.

SSAD timeline

That’s up to almost six years from the moment ICANN’s board of directors approves the GNSO’s SSAD recommendations. That could come as early as next month (but as I reported earlier today, that seems increasingly unlikely).

The ODA points out that this timetable could be extended due to factors such as new legislation being introduced around the world that would affect the underlying privacy assumptions with which SSAD was conceived.

And this is an “expedited” process, remember?

Ten years ago, under different management and a different set of bylaws, ICANN published some research into the average duration of a Policy Development Process.

The average PDP took 620 days back then, from the GNSO Council kicking off the process to the ICANN board voting to approve or reject the policy. I compared it to an elephant pregnancy, the longest gestation period of all the mammals, to emphasize how slow ICANN had become.

Slow-forward to today, when the “expedited” PDP leading to SSAD has so far lasted 1,059 days, if we’re counting from when Phase 2 began in March 2019. It’s taken 1,287 days if we’re being less generous and counting from the original EPDP kicking off.

Nelly could have squeezed out two ankle-nibblers in that time. Two little elephants, one of which would most assuredly be white.

1 Comment Tagged: , , , , , , ,

ICANN board not happy with $100 million Whois reform proposals

Kevin Murphy, January 25, 2022, Domain Policy

ICANN’s board of directors has given its clearest indication yet that it’s likely to shoot down community proposals for a new system for handling requests for private Whois data.

Referring to the proposed System for Standardized Access and Disclosure, ICANN chair Maarten Botterman said “the Board has indicated it may not be able to support the SSAD recommendations as a whole”.

In a letter (pdf) to the GNSO Council last night, Botterman wrote:

the complexity and resources required to implement all or some of the recommendations may outweigh the benefits of an SSAD, and thus may not be in the best interests of ICANN nor the ICANN community.

The SSAD would be a centralized way for accredited users such as trademark lawyers, security researchers and law enforcement officers to request access to Whois data that is currently redacted due to privacy laws such as GDRP.

The system was the key recommendation of a GNSO Expedited Policy Development Process working group, but an ICANN staff analysis last year, the Operational Design Phase, concluded that it could be incredibly expensive to build and operate while not providing the functionality the trademark lawyers et al require of it.

ICANN was unable to predict with any accuracy how many people would likely use SSAD. It will this week present its final ODP findings, estimating running costs of between $14 million and $107 million per year and a user base of 25,000 to three million.

At the same time, ICANN has pointed out that its own policies cannot overrule GDPR. Registries and registrars still would bear the legal responsibility to decide whether to supply private data to requestors, and requestors could go to them directly to bypass the cost of SSAD altogether. Botterman wrote:

This significant investment in time and resources would not fundamentally change what many in the community see as the underlying problem with the current process for requesting non-public gTLD registration data: There is no guarantee that SSAD users would receive the registration data they request via this system.

ICANN management and board seem to be teasing the GNSO towards revising and scaling back its recommendations to make SSAD simpler and less costly, perhaps by eliminating some of its more expensive elements.

This moves ICANN into the perennially tricky territory of opening itself up to allegations of top-down policy-making.

Botterman wrote:

Previously, the Board highlighted its perspective on the importance of a single, unified model to ensure a common framework for requesting non-public gTLD registration data. However, in light of what we’ve learned to date from the ODP, the Board has indicated it may not be able to support the SSAD recommendations as a whole as envisioned by the EPDP. The Board is eager to discuss next steps with the Council, as well as possible alternatives to design a system that meets the benefits envisioned by the EPDP

The board wants to know whether the GNSO Council shares its concerns. The two parties will meet via teleconference on Thursday to discuss the matter. The ODP’s final report may be published before then.

Comment Tagged: , , , , , ,

Over 6,000 Brexit domains snapped up after mass delete

Kevin Murphy, January 21, 2022, Domain Registries

EURid saw about 6,000 .eu domain names that formerly belonged to Brits re-registered in the first day after a mass delete at the start of the month.

“Around 6000 Brexit-related domain names were re-registered during the first day, and around 6500 as of today,” a registry spokesperson said.

EURid had released around 48,000 domains in batches on January 3, so the portion of domains considered valuable enough to snap up was about 13.5%.

The domains had belonged to UK citizens who no longer qualify for .eu after Brexit came into effect a year ago.

Registrants had been given many chances to retain their names by transferring them to an entity in the remaining EU and EEA states, or to an EU/EEA citizen residing in the UK.

There were almost 300,000 .eu domains registered in the UK at the time of the Brexit referendum in 2016.

Comment Tagged: , ,

Verisign saw MASSIVE query spike during Facebook outage

Kevin Murphy, January 21, 2022, Domain Tech

Verisign’s .com and .net name servers saw a huge spike in queries when Facebook went offline for hours last October, Verisign said this week.

Queries for facebook.com, instagram.com, and whatsapp.net peaked at over 900,000 per second during the outage, up from a normal rate of 7,000 per second, a more than 100x increase, the company said in a blog post.

The widely publicized Facebook outage was caused by its IP addresses, including the IP addresses of its DNS servers, being accidentally withdrawn from routing tables. At first it looked to outside observers like a DNS failure.

When computers worldwide failed to find Facebook on their recursive name servers, they went up the hierarchy to Verisign’s .com and .net servers to find out where they’d gone, which led to the spike in traffic to those zones.

Traffic from DNS resolver networks run by Google and Cloudflare grew by 7,000x and 2,000x respectively during the outage, Verisign said.

The company also revealed that the failure of .club and .hsbc TLDs a few days later had a similar effect on the DNS root servers that Verisign operates.

Queries for the two TLDs at the root went up 45x, from 80 to 3,700 queries per second, Verisign said.

While the company said its systems were not overloaded, it subtly criticized DNS resolver networks such as Google and Cloudflare for “unnecessarily aggressive” query-spamming, writing:

We believe it is important for the security, stability and resiliency of the internet’s DNS infrastructure that the implementers of recursive resolvers and public DNS services carefully consider how their systems behave in circumstances where none of a domain name’s authoritative name servers are providing responses, yet the parent zones are providing proper referrals. We feel it is difficult to rationalize the patterns that we are currently observing, such as hundreds of queries per second from individual recursive resolver sources. The global DNS would be better served by more appropriate rate limiting, and algorithms such as exponential backoff, to address these types of cases

Verisign said it is proposing updates to internet standards to address this problem.

Comment Tagged: , , , , , , ,

.xxx shows up in botnet top-five TLDs for the first time

Kevin Murphy, January 21, 2022, Domain Registries

It is a truth universally acknowledged that the cheaper a TLD, the more likely it is to be abused by bad actors, and that may be what happened to .xxx in the fourth quarter.

SpamHaus listed .xxx as its fourth most-abused TLD for botnet command and control domains in its newly published Q4 statistics, a new entry on the top 20 table that raised researchers’ eyebrows.

From zero, .xxx went up to 223 C&C domains in the period, sandwiched between .ga’s 143 and .xyz’s 396, SpamHaus said. It worked out to 2.4% of .xxx’s active domains, the compamny said.

.com was of course still the runaway leader, with 3,719 C&C domains. .top came in second, with 715 domains.

SpamHaus said:

We don’t often see new TLD entries within the top five of this Botnet C&C Top 20; however, .xxx, an adult TLD, run by registry ICM, has entered at #4. With less than 10,000 active domains but a total of 223 domains associated with botnet C&C activity in Q4 we can only assume that there are problems.

It’s noteworthy because .xxx is not a cheap TLD. With wholesale prices around $60, they usually sell for around $100 a year. Botnet operators, like other types of malefactor, usually choose cheap domains for their activities.

But in 2021 .xxx was celebrating its 10th anniversary, and at least one company was offering names at a .com-equivalent $10 a year, starting in the middle of the year and extending into Q4.

While .xxx registry ICM is now owned by GoDaddy, it was still part of MMX at the time the pricing promotion began.

1 Comment Tagged: , , , , ,

ICANN splits $9 million new gTLD ODP into nine tracks

Kevin Murphy, January 20, 2022, Domain Policy

ICANN has added a little more detail to its plans for the Operational Design Phase for the next round of the new gTLD program.

VP and ODP manager Karen Lentz last night blogged that the project is being split into nine work tracks, each addressing a different aspect of the work.

She also clarified that the ODP officially kicked off January 3, meaning the deadline for completion, barring unforeseen issues, is November 3. The specific dates hadn’t been clear in previous communications.

The nine work tracks are “Project Governance”, “Policy Development and Implementation Materials”, “Operational Readiness”, “Systems and Tools”, “Vendors”, “Communications and Outreach”, “Resources, Staffing, and Logistics”, “Finance”, and “Overarching”.

Thankfully, ICANN has not created nine new acronyms to keep track of. Yet.

Pro-new-gTLD community members observing how ICANN’s first ODP, which addressed Whois reform, seemed to result in ICANN attempting to kill off community recommendations may be worried by how Lenzt described the new ODP:

The purpose of this ODP, which began on 3 January, is to inform the ICANN Board’s determination on whether the recommendations are in the best interests of ICANN and the community.

I’d be hesitant to read too much into this, but it’s one of the clearest public indications yet that subsequent application rounds are not necessarily a fait accompli — the ICANN board could still decide force the community to go back to the drawing board if it decides the current recommendations are harmful or too expensive.

I don’t think that’s a likely outcome, but the thought that it was a possibility hadn’t seriously crossed my mind until quite recently.

Lentz also refers to “the work required to prepare for the next round and subsequent rounds”, which implies ICANN is still working on the assumption that the new gTLD program will go ahead.

The ICANN board has give Org 10 months and a $9 million budget, paid out of 2012-round application fee leftovers, to complete the ODP. The output will be an Operational Design Assessment, likely to be an enormous document, that the board will consider, probably in the first half of next year, before implementation begins.

Comment Tagged: , , , ,

“We fell short” — Tucows says sorry for Enom downtime

Kevin Murphy, January 19, 2022, Domain Registrars

Tucows has apologized to thousands of Enom customers who suffered days of downtime after a planned data center migration went badly wrong.

Showing true Canadian humility, the registrar posted the following statement this evening:

Beginning Saturday, January 15, 2022, Enom experienced a series of complications with a planned data center migration that caused significant disruptions for a subset of our customers.

We sincerely apologize to all of those impacted. We pride ourselves on being a reliable domain registration platform, and this weekend we fell short. We are committed to regaining your trust and to serving you better.

A full internal audit is underway and an incident report is forthcoming. This will include a summary of events and scope, learnings, and policy and process changes to mitigate future issues.

We reported on the downtime on Monday, as some customers were entering their third day of non-resolving DNS, which led to broken web sites and email.

At the time, Enom was saying it was tracking a “few hundred” affected domains. As customers suspected, that turned out to be a huge underestimate. The true number was closer to 350,000 domains, Tucows is now saying.

The company had been warning its customers about the planned maintenance for weeks, but it did not anticipate a “a bug in the new DNS provisioning system” that stopped customers’ domains resolving.

The migration started Saturday January 15 at 1400 UTC and was expected to last 12 hours. In the end, the DNS issue was not fully fixed until Monday January 17 at about 1845 UTC.

Comment Tagged: , ,

Crain named ICANN CTO

Kevin Murphy, January 19, 2022, Domain Policy

ICANN veteran John Crain has been named the Org’s new chief technology officer.

He’s replacing David Conrad, who he’s been subbing in for since Conrad left at the end of September.

Crain has been with ICANN for 20 years and was most recently chief security, stability, and resiliency officer.

Comment Tagged:

Bank spends $800,000 to move from a .bank to the exact-match .com

Kevin Murphy, January 19, 2022, Domain Sales

A small Wisconsin bank has acquired the exact-match .com for its brand for $800,000.

Bank First currently uses a .bank domain, bankfirstwi.bank, but has decided to rebrand to bankfirst.com, CFO Kevin LeMahieu told DI today.

In what many domainers will consider an “upgrade”, the .com was purchased during the fourth quarter from another financial institution.

Its new domain currently redirects to the old .bank domain.

The exact-match .bank domain, bankfirst.bank, belongs to an unrelated Mississippi bank with a similar name. But that company doesn’t use it, preferring instead bankfirstfs.com.

.bank is a tightly restricted and secured gTLD launched in 2015 where domains cost about $1,000 a year. It currently has fewer than 5,000 domains under management.

Comment Tagged: ,