Recent Posts
- Americans and ICANNers avoid Kigali in droves
- RDRS stats improve a little in June
- Unstoppable Domains goes down after domain hijack
- Four more gTLDs in emergency measures
- New gTLDs and ccTLDs drive domain universe growth
- Eight interesting recent dot-brand registrations
- .me premium sales down
- Pride fails to reverse gay domains decline
- Unstoppable announces another new gTLD bid
- Blockchain naming firm gets ICANN accreditation
- ICANN takes over gTLD after Whois failures
- Verisign: would-be .com contract killers are “wrong”
- Five gTLDs at risk as registry goes AWOL
- Groups make flawed case that .com is a cartel
- RDRS usage hits all-time low
- A dot-brand so unloved they killed it twice
- PorkBun hits two million domain milestone
- Crawford returns to industry to head up Com Laude
- ICANN financial data dump a damp squib?
- Unstoppable plotting manga-themed gTLDs
- Governments call for new gTLD auctions ban
- ICANN names new CEO, and it isn’t Costerton
- ICANN: We will NOT police content
- More sticker shock as new gTLD fees could top $300,000
- ICANN slashes staff and domain prices could rise
- Secret new gTLD application revealed
- WhatsApp now linkifying new gTLDs, but…
- Outrage over ICANN’s new gTLD fees
- Barrett gets second term on ICANN board
- DotMusic delays gTLD launch again
- .tm prices to skyrocket next week
- Bitcoin gTLD gets launch dates
- First metaverse gTLD is announced
- Alibaba off the naughty step
- ICANN to kill auction fund bylaws change
- The people have spoken on RDRS and they said “Meh”
- ICANN restarts work on controversial Whois privacy rules
- GNSO mulls lawyering up over auction fund dispute
- Jury still out on ICANN’s content policing powers
- It now takes TWO WEEKS to get a Whois record with RDRS
- Travel expenses push ICANN into the red again
- ICANN preparing for ONE HUNDRED registry back-ends
- DNS Abuse Institute changes name
- A new way to game the new gTLD program
- .home, .mail and .corp could get unbanned
- Unstoppable to apply for Women in Tech gTLD
- Bob Parsons publishes autobiography
- GoDaddy getting a free pass from porn jail?
- Correction: Sinha’s seat is safe
- Chinese domains plummet again in 2023
- GoDaddy price increases lead to revenue growth
- D3 announces seventh blockchain gTLD client
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- .my domains to be sold globally next month
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
More consolidation? Endurance said to be up for sale
Endurance International Group is reportedly up for sale, perhaps the next piece of consolidation or privatization in a rapidly changing domain name market.
Bloomberg, citing unnamed sources, reports today that EIG is “is considering strategic options, including a possible sale”.
EIG owns domain brands Domain.com, BigRock, BuyDomains and ResellerClub, along with a bunch of hosting properties such as HostGator.
Bloomberg’s sources stressed that no final decision has been made, and that the company could remain public.
It’s currently listed on Nasdaq where it has a market cap today of almost $1.38 billion .
The company would be far from the first to change ownership in the last couple of years.
Most recently, Web.com (Network Solutions et al) announced a plan to go private in a $2 billion deal.
A year ago, Neustar went private in a $2.9 billion deal.
In terms of industry consolidation, we’ve more recently seen KeyDrive reverse into CentralNic and MMX buy ICM Registry.
ICANN faces critical choice as security experts warn against key rollover
Members of ICANN’s top security body have advised the organization to further delay plans to change the domain name system’s top cryptographic key.
Five dissenting members of the influential, 22-member Security and Stability Advisory Committee said they believe “the risks of rolling in accordance with the current schedule are larger than the risks of postponing”.
Their comments relate to the so-called KSK rollover, which would see ICANN for the first time ever change the key-signing key that acts as the trust anchor for all DNSSEC queries on the internet.
ICANN is fairly certain rolling the key will cause DNS resolution problems for some — possibly as much as 0.05% of the internet or a couple million people — but it currently lacks the data to be absolutely certain of the scale of the impact.
What it does know — explained fairly succinctly in this newly published guide (pdf) — is that within 48 hours of the roll, a certain small percentage of internet users will start to see DNS resolution fail.
But there’s a prevailing school of thought that believes the longer the rollover is postponed, the bigger that number of affected users will become.
The rollover is currently penciled in for October 11, but the ultimate decision on whether to go ahead rests with the ICANN board of directors.
David Conrad, the organization’s CTO, told us last week that his office has already decided to recommend that the roll should proceed as planned. At the time, he noted that SSAC was a few days late in delivering its own verdict.
Now, after some apparently divisive discussions, that verdict is in (pdf).
SSAC’s majority consensus is that it “has not identified any reason within the SSAC’s scope why the rollover should not proceed as currently planned.”
That’s in line with what Conrad, and the Root Server System Advisory Committee have said. But SSAC noted:
The assessment of risk in this particular area has some uncertainty and therefore includes a component of subjective judgement. Individuals (including some members of the SSAC) have different assessments of the overall balance of risk of the resumption of this plan.
It added that it’s up to the ICANN board (comprised largely of non-security people) to make the final call on what the acceptable level of risk is.
The minority, dissenting opinion gets into slightly more detail:
The decision to proceed with the keyroll is a complex tradeoff of technical and non-technical risks. While there is risk in proceeding with the currently planned roll, we understand that there is also risk in further delay, including loss of confidence in DNSSEC operational planning, potential for more at-risk users as more DNSSEC validation is deployed, etc.
While evaluating these risks, the consensus within the SSAC is that proceeding is preferable to delay. We personally evaluate the tradeoffs differently, and we believe that the risks of rolling in accordance with the current schedule are larger than the risks of postponing and focusing heavily on additional research and outreach, and in particular leveraging newly developed techniques that provide better signal and fidelity into potentially impacted parties.
We would like to reiterate that we understand our colleagues’ position, but evaluate the risks and associated mitigation prospects differently. We believe that the ultimate decision lies with the ICANN Board, and do not envy them with this decision.
SSAC members are no slouches when it comes to security expertise, and the dissenting members are no exception. They are:
- Lyman Chapin, co-owner of Interisle Consulting, a regular ICANN contractor perhaps best-known to DI readers for carrying out a study into new gTLD name collisions five years ago.
- Kimberly “kc claffy” Claffy, head of the Center for Applied Internet Data Analysis at the University of California in San Diego. CAIDA does nothing but map and measure the internet.
- Jay Daley, a registry executive with a technical background whose career includes senior stints at .uk and .nz. He’s currently keeping the CEO’s chair warm at .org manager Public Interest Registry.
- Warren Kumari, a senior network security engineer at Google, which is probably the largest early adopter of DNSSEC on the resolution side.
- Danny McPherson, Verisign’s chief security officer. As well as .com, Verisign runs the two of the 13 root servers, including the master A-root. It’s running the boxes that sit at the top of the DNSSEC hierarchy.
It may be the first time SSAC has failed to reach a full-consensus opinion on a security matter. If it has ever published a dissenting opinion before, I certainly cannot recall it.
The big decision about whether to proceed or delay is expected to be made by the ICANN board during its retreat in Brussels, a three-day meeting that starts September 14.
Given that ICANN’s primary mission is “to ensure the stable and secure operation of the Internet’s unique identifier systems”, it could turn out to be one of ICANN’s biggest decisions to date.
.CLUB revenue not all that
.CLUB Domains may be one of the 5000 fastest-growing companies in the US, according to Inc magazine, but it’s returning the majority of its revenue back to its registrars.
CEO Colin Campbell revealed this week that the company returns almost 70% of its gross revenue in the form of rebates.
The revelation came in an interview with Domain Name Wire on its latest podcast.
Campbell told Andrew Allemann that in 2017 .CLUB had $9.3 million in what he called “cash flow” or “gross revenue”.
But “net cash” or “net revenue”, after rebates was just $2.8 million, meaning $6.5 million was returned to registrars via promotions.
The interview came a few days after Inc named the company 1164th in its 2018 list of fastest-growing US companies.
Inc had .CLUB’s revenue at $7.2 million, but that appears to have been calculated using the usual accounting standards of deferring revenue into future periods over the lifetime of the domain subscription.
.club has something like 1.4 million names under management.
Campbell said that the company is “adding about a million dollars of net revenue per year” and he predicted 2018 gross cash to come in at $10.5 million and net to come in at $3.7 million.
That’s a net revenue figure, remember, not a profit or net income line. Campbell said he’s more interested in growing the business rather than paying taxes on profits.
The aggressive rebating seems to have a focus in China, where it has regular deals with the likes of Alibaba (which was .club’s biggest registrar with 20% of the market at the last count) and West.cn.
While .CLUB is private, Campbell has been frank about its performance in the past.
The DNW interview follows DI’s interview with Campbell on more or less the same topic last September, and DNW’s in 2016.
It’s a good podcast, you should have a listen.
Microsoft seizes “Russian election hacking” domains
Microsoft has taken control of six domains associated with a hacker group believed to be a part of Russian military intelligence, according to the company.
Company president Brad Smith blogged yesterday that Microsoft obtained a court order allowing it to seize the names, which it believes were to be used to attack institutions including the US Senate.
The domains in question look like they could be used in spear-phishing attacks. The are: my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com.
Historical Whois records archived by DomainTools show they were registered last year behind WhoisGuard, the Panama-based privacy service. Now, of course, the Whois records are all redacted due to GDPR.
Smith said that Microsoft believes intended targets besides the Senate also include the International Republican Institute and the Hudson Institute, two conservative think-tanks.
The company believes, though it did not show evidence, that the domains were created by the group it calls “Strontium”.
Strontium is also known as “Fancy Bear”, among other names. It’s believed to be backed by the GRU, Russia’s intelligence agency.
It’s the same group alleged members of which Special Counsel Robert Mueller recently indicted as part of his investigation into Russian meddling in the 2016 US presidential election.
“We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group,” Smith said in his blog post.
He added that Microsoft does not know whether the domains have been used in an attack yet.
New gTLDs rebound in Q2
New gTLD registration volumes reversed a long trend of decline in the second quarter, according to Verisign’s latest Domain Name Industry Brief.
The DNIB (pdf), published late last week, shows new gTLD domains up by 1.6 million sequentially to 21.8 million at the end of June, a 7.8% increase.
That’s the first time Verisign’s numbers have shown quarterly growth for new gTLDs since December 2016, five quarters of shrinkage ago.
[table id=51 /]
The best-performing new gTLD across Q2 was .top according to my zone file records, adding about 600,000 names.
.top plays almost exclusively into the sub-$1 Chinese market and is regularly singled out as a spam-friendly zone. SpamHaus currently ranks it as almost 45% “bad”.
Overall, the domain universe saw growth of six million names, or 1.8%, finishing the quarter at 339.8 million names, according to Verisign.
Verisign’s own .com ended Q2 with 135.6 million domains, up from 133.9 million at the end of March.
That’s a sequential increase of 1.7 millions, only 100,000 more than the total net increase from the new gTLD industry.
.net is still suffering, however, flat in the period with 14.1 million names.
ccTLDs saw an increase of 3.5 million names, up 2.4%, to end June at 149.7 million, the DNIB states.
But that’s mainly as a result of free TLD .tk, which never deletes names. Stripping its growth out (Verisign and partner ZookNic evidently have access to .tk data now) total ccTLD growth would only have been 1.9 million names.
.CLUB revenue reportedly $7.2 million
.CLUB Domains had $7.2 million of revenue in 2017.
That’s according to Inc magazine, which ranked the company at 1164th in its 2018 Inc 5000 list of the fastest-growing US-based companies.
Growth over three years for .CLUB, which is listed as having 17 employees, was 419%, according to the profile.
.club is one of the best-performing new gTLDs in terms of volume, with over 1.3 million domains under management, according to the company.
While it has generally steered away from deep discounting, it has in recent weeks benefited from a huge increase in sales — adding over 100,000 names to its zone file in just a few days earlier this month — as a result of a sale at the Chinese registrar Alibaba, which sold .club names for the RNB equivalent of $0.44.
That had the effect of diverting .club from a decline that looked like it would shortly have seen it dip below one million zone names for the first time in over a year.
How a single Whois complaint got this registrar shitcanned
A British registrar has had its ICANN contract terminated after a lengthy, unprecedented fight instigated by a single complaint about the accuracy of a single domain’s Whois.
Astutium, based in London and with about 5,000 gTLD domains under management, finally lost its right to sell gTLD domains last week, after an angry battle with ICANN Compliance, the Ombudsman, and the board of directors.
While the company is small, it does not appear to be of the shady, fly-by-night type sometimes terminated by ICANN. Director Rob Golding has been an active face at ICANN for many years and Astutium has, with ICANN approval, taken over portfolios from other de-accredited registrars in the past.
Nevertheless, its Registrar Accreditation Agreement has been torn up, as a result of a complaint about the Whois for the domain name tomzink.com last December.
Golding told DI today that he considers the process that led to his de-accreditation broken and that he’s considering legal action.
The owner of tomzink.com and associated web site appears to be a Los Angeles-based music producer called Tom Zink. The web site seems legit and there’s no suggestion anywhere that Zink has done anything wrong, other than possibly filling out an incomplete Whois record.
The person who complained about the Whois accuracy, whose identity has been redacted from the public record and whose motives are still unclear, had claimed that the domain’s Whois record lacked a phone and fax number and that the registrant and admin contacts contained “made-up” names.
Historical Whois records archived by DomainTools show that in October last year the registrant name was “NA NA”.
The registrant organization was “Astutium Limited” and the registrant email was an @astutium.com address. The registrant mailing address was in Long Beach, California (the same as Zink). There were no phone/fax numbers in the record.
Golding told DI that some of these details were present when the domain was transferred in from another registrar. Others seem to have been added because the registrar was looking after the name on behalf of its client.
The admin and technical records both contained Astutium’s full contact information.
Following the December complaint, the record was cleaned up to remove all references to Astutium and replace them with Zink’s contact data. Judging by DomainTools’ records, this seems to have happened the same day as ICANN forwarded the complaint to Astutium, December 20.
So far, so normal. This kind of Whois cleanup happens many times across the industry every day.
But this is where relations between Astutium and ICANN began to break down, badly.
Even though the Whois record had been cleaned up already, Golding responded to Compliance, via the ICANN complaints ticketing system:
Please dont forward bigus/meaningless whois complaints which are clearly themselves totally inaccurate… No action is necessary or will be taken on bogus/incomplete/rubbish reports. [sic]
Golding agreed with me today that his tone was fairly belligerent from the outset, but noted that it was far from the first time he’d received a compliance complaint he considered bogus.
In the tomzink.com case, he took issue with the fact that the complainant had said that the admin/tech records contained no fax number. Not only was this not true (it was Astutium’s own fax number), but fax numbers are optional under ICANN’s Whois policy.
He today acknowledges that some parts of the complaint were not bogus, but notes that the Whois record had been quickly updated with the correct information.
But simply changing the Whois record is not sufficient for ICANN. It wants you to show evidence of how you resolved the problem in the form of copies of or evidence of communications with the registered name holder.
The Whois Accuracy Program Specification, which is part of the RAA, requires registrars to verify and validate changes to the registered name holder either automated by phone or email, or manually.
Golding told DI that in this case he had called the client to advise him to update his contact information, which he did, so the paper trail only comprises records of the client logging in and changing his contact information.
What he told ICANN in January was:
If ICANN compliance are unable to do the simple job they have been tasked with (to correctly vet and format the queries before sending them on, as they have repeatedly agreed they will do *on record* at meetings) then Registrars have zero obligations to even look at them. Any ‘lack of compliance’ is firmly at your end and not ours in this respect.
However in this specific case we chose to look, contacted the registrant, and had them update/correct/check the records, as can easily be checked by doing a whois
ICANN then explained that “NA NA” and the lack of a phone number were legitimate reasons that the complaint was not wholly bogus, and again asked Golding to provide evidence of Astutium’s correspondence with Zink.
After ignoring a further round or two of communication via the ticketing system, Golding responded: “No, we don’t provide details of private communications to 3rd parties”.
He reiterated this point a couple more times throughout February, eventually saying that nothing in WAPS requires Astutium to “demonstrate compliance” by providing such communications to ICANN, and threatening to escalate the grievance to the Ombudsman.
(That may be strictly true, but the RAA elsewhere does require registrars to keep records and allow ICANN to inspect them on demand.)
It was around the same time that Compliance started trying to get in touch with Golding via phone. While it was able to get through to the Astutium office landline, Compliance evidently had the wrong mobile phone number for Golding himself.
Golding told DI the number ICANN was trying to use (according to ICANN it’s the one listed in RADAR, the official little black book for registrars) had two digits transposed compared to his actual number, but he did not know why that was. Several other members of ICANN staff have his correct number and call him regularly, he said.
By February 27, Compliance had had enough, and issued Astutium with its first public breach notice (pdf)
Allowing a compliance proceeding to get to this stage is always bad news for a registrar — when ICANN hits the public breach notice phase, staff go out and actively search for other areas of potential non-compliance.
Golding reckons Compliance staff are financially incentivized, or “get paid by the bullet point”, at this stage, but I have no evidence that is the case.
Whatever the reason, Compliance in February added on claims:
- that Astutium was failing to output Whois records in the tightly specified format called for by the RAA (Golding blames typos and missed memos for this and says the errors have been corrected),
- that Astutium’s registration agreement failed to include renewal and post-renewal fees (Golding said every single page of the Astution web site, including the registration agreement page, carries a link to its price list. While he admitted the text of the agreement does not include these prices, he claimed the same could be said of some of the biggest registrars),
- that the registration agreement does not specify how expiration notices are delivered (according to Golding, the web site explains that it’s delivered via email)
- that the address published on the Astutium web site does not match the one provided via the Registrar Information Specification, another way ICANN internally tracks contact info for its registrars (Golding said that his company’s address is published on every single page of its site)
A final bullet point asked the company to implement corrective measures to ensure it “will respond to ICANN compliance matters timely, completely and in line with ICANN’s Expected Standards of Behavior”.
The reference to the Expected Standards of Behavior — ICANN’s code of politeness for the community — is a curious one, not typically seen in breach notices. Unless I’m reading too much into it, it suggests that somebody at ICANN wasn’t happy with Golding’s confrontational, sometimes arguably condescending, attitude.
Golding claims that some of ICANN’s allegations in this breach notice are “provably false”.
He told us he still hasn’t ruled out legal action for defamation against ICANN or its staff as a result of the publication of the notice.
“I’ll be in California, serving the paperwork myself,” he said.
Astutium did not respond to the breach notice, according to ICANN documents, and it was escalated to full-blown termination March 21.
On March 30, the registrar filed a Request for Reconsideration (pdf) with ICANN. That’s one of the “unprecedented” things I referred to at the top of this article — I don’t believe a registrar termination has been challenged through the RfR process before.
The second unprecedented thing was that the RfR was referred to Ombudsman Herb Waye, under ICANN’s relatively new, post-transition, October 2016 bylaws.
Waye’s evaluation of the RfR (pdf), concluded that Astutium was treated fairly. He noted multiple times that the company had apparently made no effort to come into compliance between the breach notice and the termination notice.
Golding was not impressed with the Ombudsman’s report.
“The Ombudsman is totally useless,” he said.
“The entire system of the Ombudsman is designed to make sure nobody has to look into anything,” he said. “He’s not allowed to talk to experts, he’s not actually allowed to talk to the person who made the complaint [Astutium], his only job is to ask ICANN if they did the right thing… That’s their accountability process.”
The Board Accountability Mechanisms Committee, which handles reconsideration requests, in June found against Astutium, based partly on the Ombudsman’s evaluation.
BAMC then gave Golding a chance to respond to its decision, before it was sent to the ICANN board, something I believe may be another first.
He did, with a distinctly more conciliatory tone, writing in an email (pdf):
Ultimately my aim has always been to have the ‘final decision’ questioned as completely disproportionate to the issue raised… and the process that led to the decisions looked into so that improvements can be made, and should there still be unresolved issues, opportunity to work in a collaborative method to solve them, without the need to involve courts, lawyers, further complaints/challenge processes and so on.
And then the ICANN board voted to terminate the company, in line with BAMC’s recommendation.
That vote happened almost a month ago, but Astutium did not lose its IANA number until a week ago.
According to Golding, the company is still managing almost all of its gTLD domains as usual.
One registry, CentralNic, turned it off almost immediately, so Astutium customers are not currently able to manage domains in TLDs such as .host, he said. The other registries still recognize it, he said. (CentralNic says only new registrations and transfers are affected, existing registrants can manage their domains.)
After a registrar termination, ICANN usually transfers the affected domains to another accredited registrar, but this has not happened yet in Astutium’s case.
Golding said that he has a deal with fellow UK registrar Netistrar to have the domains moved to its care, on the understanding that they can be transferred back should Astutium become re-accredited.
He added that he’s looking into acquiring three other registrar accreditations, which he may merge.
So, what is to be learned from all this?
It seems to me that we may be looking at a case of a nose being cut off to spite a face, somebody talking themselves into a termination. This is a compliance issue that probably could have been resolved fairly quickly and quietly many months ago.
Another takeaway might be that, if the simple act of making a phone call to a registrar presents difficulties, ICANN’s Compliance procedures may need a bit of work.
A third takeaway might be that ICANN Compliance is very capable of disrupting registrars’ businesses if they fail to meet the letter of the law, so doing what you’re told is probably the safest way to go.
Or, as Golding put it today: “The lesson to be learned is: if you don’t want them fucking with your business, bend over, grab your ankles, and get ready.”
38th dot-brand bows out after acquisition
Telecity Group, which used to be a major London-based internet collocation facilities operator, has told ICANN it no longer wishes to run its dot-brand gTLD.
.telecity will become the 38th dot-brand gTLD to terminate its registry agreement.
The company, which had close to £350 million ($445 million) revenue in 2014, was acquired by US-based rival Equinix for £2.35 billion ($3 billion) in early 2016.
Equinix has since started to transition away from the Telecity brand. Its old .com home page now instructs visitors to visit the Equinix site instead.
Like most of the other dead dot-brands, .telecity was never used.
ICANN CTO: no reason to delay KSK rollover
ICANN’s board of directors will be advised to go ahead with a key security change at the DNS root — “the so-called KSK rollover” — this October, according to the organization’s CTO.
“We don’t see any reason to postpone again,” David Conrad told DI on Monday.
If it does go ahead as planned, the rollover will see ICANN change the key-signing key that acts as the trust anchor for the whole DNSSEC-using internet, for the first time since DNSSEC came online in 2010.
It’s been delayed since last October after it emerged that misconfigurations elsewhere in the DNS cloud could see potentially millions of internet users see glitches when the key is rolled.
Ever since then, ICANN and others have been trying to figure out how many people could be adversely affected by the change, and to reduce that number to the greatest extent possible.
The impact has been tricky to estimate due to patchy data.
While it’s been possible to determine a number of resolvers — about 8,000 — that definitely are poorly configured, that only represents a subset of the total number. It’s also been hard to map that to endpoints due to “resolvers behind resolvers behind resolvers”, Conrad said.
“The problem here is that it’s sort of a subjective evaluation,” he said. “We can’t rely on the data were seeing. We’re seeing the resolvers but we’re not seeing the users behind the resolvers.”
Some say that the roll is still too risky to carry out without better visibility into the potential impact, but others say that more delays would lead to more networks and devices becoming DNSSEC-compatible, potentially leading to even greater problems after the eventual rollover.
ICANN knows of about 8,000 resolver IP addresses that are likely to stop working properly after the rollover, because they only support the current KSK, but that’s only counting resolvers that automatically report their status to the root using a relatively new internet standard. There’s a blind spot concerning resolvers that do not have that feature turned on.
ICANN has also had difficulty reaching out to the network operators behind these resolvers, with good contact information apparently only available for about a quarter of the affected IP addresses, Conrad said.
Right now, the best data available suggests that 0.05% of the internet’s population could see access issues after the October 11 rollover, according to Conrad.
That’s about two million people, but it’s 10 times fewer people than the 0.5% acceptable collateral damage threshold outlined in ICANN’s rollover plan.
The 0.05% number comes from research by APNIC, which used Google’s advertising system to place “zero-pixel ads” to check whether individual user endpoints were using compatible resolvers or not.
If problems do emerge October 11 the temporary solution is apparently quite quick to implement — network operators can simply turn off DNSSEC, assuming they know that’s what they’re supposed to do.
But still, if a million or two internet users could have their day ruined by the rollover, why do it at all?
It’s not as if the KSK is in any danger of being cracked any time soon. Conrad explained that a successful brute-force attack on the 2048-bit RSA key would take longer than the lifetime of the universe using current technology.
Rather, the practice of rolling the key every five years is to get network operators and developers accustomed to the idea that the KSK is not a permanent fixture that can be hard-coded into their systems, Conrad said.
It’s a problem comparable to new gTLD name collisions or the Y2K problem, instances where developers respectively hard-coded assumptions about valid TLDs or the century into their software.
ICANN has already been reaching out to the managers of open-source projects on repositories such as Github that have been seen to hard-code the current KSK into their software, Conrad said.
Separately, Wes Hardaker at the University of Southern California Information Sciences Institute discovered that a popular VPN client was misconfigured. Outreach to the developer saw the problem fixed, reducing the number of users who will be affected by the roll.
“What we’re trying to avoid is having these keys hardwired into firmware, so that that it would never be changeable,” he said. “The idea is if you exercise the infrastructure frequently enough, people will know the that the key is not permanent configuration, it’s not something embedded in concrete.”
One change that ICANN may want to make in future is to change the algorithm used to generate the KSK.
Right now it’s using RSA, but Conrad said it has downsides such as rather large signature size, which leads to heavier DNSSEC traffic. By switching to elliptical curve cryptography, signatures could be reduced by “orders of magnitude”, leading to a more efficient and slimline DNS infrastructure, Conrad said.
Last week, ICANN’s Root Server Stability Advisory Committee issued an advisory (pdf) that essentially gave ICANN the all-clear to go ahead with the roll.
The influential Security and Stability Advisory Committee has yet to issue its own advisory, however, despite being asked to do so by August 10.
Could SSAC be more cautious in its advice? We’ll have to wait and see, but perhaps not too long; the current plan is for the ICANN board to consider whether to go ahead with the roll during its three-day Brussels retreat, which starts September 14.
DomainTools tracks its one billionth domain
DomainTools now has records of over a billion domain names in its database, according to the company.
The billionth name was added last month, according to a blog post.
The company notes that there are only about 350 million domains in existence today, meaning that twice as many domains have been deleted and never re-registered as are currently online.
For .com, DomainTools knows of 434 million domains that no longer exist, compared to the over 130 million registered today.
Even DomainTools, which has been collecting data for 17 years, knows its records are incomplete, but it reckons its number is probably within 10% of the total number of domains ever registered.
For new gTLDs, the one with the most deleted names is .realty (97% deleted) and the best is .boston (0.3% deleted), the company said.
More data here.
Recent Comments