Recent Posts
- Domain world growth despite .com slide
- Verisign predicts more gloom as registrars shun .com growth
- Republicans quiz NTIA on Verisign .com renewal
- Smaller, more intense ICANN meetings with no free cocktails?
- Private auctions to be banned in next new gTLD round
- .au prices going up
- Nominet names director hopefuls
- Crowdstrike screw-up took down ICANN’s email
- We grassed up .TOP, says free abuse outfit
- ICANN to earmark $10 million for new gTLD subsidies
- TV network rebrands on single-letter domain
- First registry gets breach notice over new abuse rules
- Americans and ICANNers avoid Kigali in droves
- RDRS stats improve a little in June
- Unstoppable Domains goes down after domain hijack
- Four more gTLDs in emergency measures
- New gTLDs and ccTLDs drive domain universe growth
- Eight interesting recent dot-brand registrations
- .me premium sales down
- Pride fails to reverse gay domains decline
- Unstoppable announces another new gTLD bid
- Blockchain naming firm gets ICANN accreditation
- ICANN takes over gTLD after Whois failures
- Verisign: would-be .com contract killers are “wrong”
- Five gTLDs at risk as registry goes AWOL
- Groups make flawed case that .com is a cartel
- RDRS usage hits all-time low
- A dot-brand so unloved they killed it twice
- PorkBun hits two million domain milestone
- Crawford returns to industry to head up Com Laude
- ICANN financial data dump a damp squib?
- Unstoppable plotting manga-themed gTLDs
- Governments call for new gTLD auctions ban
- ICANN names new CEO, and it isn’t Costerton
- ICANN: We will NOT police content
- More sticker shock as new gTLD fees could top $300,000
- ICANN slashes staff and domain prices could rise
- Secret new gTLD application revealed
- WhatsApp now linkifying new gTLDs, but…
- Outrage over ICANN’s new gTLD fees
- Barrett gets second term on ICANN board
- DotMusic delays gTLD launch again
- .tm prices to skyrocket next week
- Bitcoin gTLD gets launch dates
- First metaverse gTLD is announced
- Alibaba off the naughty step
- ICANN to kill auction fund bylaws change
- The people have spoken on RDRS and they said “Meh”
- ICANN restarts work on controversial Whois privacy rules
- GNSO mulls lawyering up over auction fund dispute
- Jury still out on ICANN’s content policing powers
- It now takes TWO WEEKS to get a Whois record with RDRS
- Travel expenses push ICANN into the red again
- ICANN preparing for ONE HUNDRED registry back-ends
- DNS Abuse Institute changes name
- A new way to game the new gTLD program
- .home, .mail and .corp could get unbanned
- Unstoppable to apply for Women in Tech gTLD
- Bob Parsons publishes autobiography
- GoDaddy getting a free pass from porn jail?
- Correction: Sinha’s seat is safe
- Chinese domains plummet again in 2023
- GoDaddy price increases lead to revenue growth
- D3 announces seventh blockchain gTLD client
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- .my domains to be sold globally next month
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
InternetNZ loses two of its three CEOs as it simplifies
InternetNZ has announced the results of a consultation into a restructuring of the organization.
The .nz ccTLD manager is to cut one of its three operating companies and reduce the number of CEOs from three to one.
NZRS, which actually runs the registry, will be folded into InternetNZ, while policy-setting body Domain Name Commission Ltd will remain a separate company in the same group.
Jordan Carter, CEO of the company since 2013, has been picked to carry on leading InternetNZ and to chair the board of DNCL, which is losing three of its 12 seats.
The company threw open the idea of a restructuring back in June, noting that it had 20 governors, three CEOs and 10 senior executives for the 35 full time employees across the three organisations
InternetNZ leadership said in a statement that they hope the changes will help the registry become more effective as it simplifies.
China and cheapo TLDs drag down industry growth — CENTR
The growth of the worldwide domain industry continued to slow in the third quarter, according to data out today from CENTR.
There were 311.1 million registered domains across over 1,500 TLDs at the end of September, according to the report, 0.7% year-over-year growth.
The new gTLD segment, which experienced a 7.2% decline to 20.6 million names, was the biggest drag.
But that decline is largely due to just two high-volume, low-price gTLDs — .xyz and .top — which lost millions of names that had been registered for pennies apiece.
Excluding these TLDs, year-over-year growth for the whole industry would have been 2.5%, CENTR said. The report states:
Over the past 2 years, quarterly growth rates have been decreasing since peaks in early 2016. The slowdown is the result of deletes after a period of increased investment from Chinese registrants. Other explanations to the slowdown are specific TLDs, such as .xyz and .top, which have contracted significantly.
The legacy gTLDs inched up by 0.2%, largely driven by almost two million net new names in .com. In fact, only five of the 17 legacy gTLDs experienced any growth at all, CENTR said.
In the world of European ccTLDs, the average (median) growth rate has been flat, but CENTR says it sees signs of a turnaround.
CENTR is the Council of European National Top-Level Domain Registries. Its Q3 report can be downloaded here (pdf).
Over 750 domains hijacked in attack on Gandi
Gandi saw 751 domains belonging to its customers hijacked and redirected to malware delivery sites, the French registrar reported earlier this month.
The attack saw the perpetrators obtain Gandi’s password for a gateway provider, which it did not name, that acts as an intermediary to 34 ccTLD registries including .ch, .se and .es.
The registrar suspects that the password was obtained by the attacker exploiting the fact that the gateway provider does not enforce HTTPS on its login pages.
During the incident, the name servers for up up to 751 domains were altered such that they directed visitors to sites designed to compromise unpatched computers.
The redirects started at 0804 UTC July 7, and while Gandi’s geeks had reversed the changes by 1615 it was several more hours before the changes propagated throughout the DNS for all affected domains.
About the theft of its password, Gandi wrote:
These credentials were likewise not obtained by a breach of our systems and we strongly suspect they were obtained from an insecure connection to our technical partner’s web portal (the web platform in question allows access via http).
It’s not clear why a phishing attack, which would seem the more obvious way to obtain a password, was ruled out.
Gandi posted a detailed timeline here, while Swiss registry Switch also posted an incident report from its perspective here. An effected customer, which just happened to be a security researcher, posted his account here.
Gandi says it manages over 2.1 million domains across 730 TLDs.
ICANN finds no conflict of interest in .sport decision
ICANN has rejected claims that the .sport gTLD contention set was settled by an arbitrator who had undisclosed conflicts of interest with the winning applicant.
Its Board Governance Committee last week decided that Community Objection arbitrator Guido Tawil had no duty to disclose his law firm’s ties to major sports broadcasters when he effectively eliminated Famous Four Media from its fight with SportAccord.
Back in 2013, SportAccord — an applicant backed by pretty much all of the world’s major sporting organizations — won the objection when Tawil ruled that FFM’s fully commercial, open-registration bid could harms its members interests.
FFM complained with Requests for Reconsideration, Ombudsman complaints and then an Independent Review Process complaint.
It discovered, among other things, that Tawil’s law firm was helping broadcaster DirecTV negotiate with the International Olympic Committee (one of SportAccord’s backers) for Olympics broadcasting rights at the time of the Community Objection.
The IRP panel ruled in February this year that the BGC had failed to take FFM’s allegations of Tawil’s “apparent bias” into account when it processed Reconsideration requests back in 2013 and 2014.
So the BGC reopened the two Reconsideration decisions, looking at whether Tawil was required by International Bar Association guidelines to disclosed his firm’s client’s interests.
In a single decision (pdf) late last week, the BGC said that he was not required to make these disclosures.
In each of the three claims of bias, the BGC found that the connections between Tawil and the alleged conflict were too tenuous to have required disclosure under the IBA rules.
It found that the IOC and SportAccord are not “affiliates” under the IBA definition, which requires some kind of cross-ownership interests, even though the IOC is, judging by the .sport application, SportAccord’s most valued supporter.
The BGC also found that because Tawil’s firm was representing DirecTV, rather than the IOC, the relationship did not technically fall within the disclosure guidelines.
For these and other reasons, the BGC rejected FFM’s Reconsideration requests for a second time.
The decision, and the fact that FFM seems to have exhausted ICANN’s appeals mechanisms, means it is now more likely that SportAccord’s application will be allowed to continue negotiating its .sport Registry Agreement with ICANN, where it has been frozen for years.
Emoji domains get a 👎 from security panel
The use of emojis in domain names has been discouraged by ICANN’s Security and Stability Advisory Committee.
In a paper late last week, SSAC told ICANN that emojis — aka emoticons or smileys — lack standardization, are barred by the relevant domain name technical standards, and could cause user confusion.
Emoji domains, while technically possible, are not particularly prevalent on the internet right now.
They’re implicitly banned in gTLDs due to the contractual requirement to adhere to the IDNA2008 standard, which restricts internationalized domain names to actual spoken human languages, and the only ccTLD I’m aware of actively marketing the names is Samoa’s .ws.
There was a notable example of Coca Cola registering 😀.ws (xn--h28h.ws) for a billboard marketing campaign in Puerto Rico a couple of years ago, but that name has since expired and been registered by an Australian photographer.
The SSAC said that emoji use should be banned in TLDs and discouraged at the second level for several reasons.
Mainly, the problem is that while emojis are described in the Unicode standards, there’s no standardization across devices and applications as to how they are displayed.
A certain degree of creative flair is permitted, meaning a smiling face in one app may look unlike the technically same emoji in another app. On smaller screens and with smaller fonts, technically different emojis may look alike.
This could lead to confusion, which could lead to security problems, SSAC warns:
It is generally difficult for people to figure out how to specify exactly what happy face they are trying to produce, and different systems represent the same emoji with different code points. The shape and color of emoji can change while a user is viewing them, and the user has no way of knowing whether what they are seeing is what the sender intended. As a result, the user is less likely to reach the intended resource and may instead be tricked by a phishing site or other intentional misrepresentation.
SSAC added that it:
strongly discourages the registration of any domain name that includes emoji in any of its labels. The SSAC also advises registrants of domain names with emoji that such domains may not function consistently or may not be universally accessible as expected
The brief paper can be read here (pdf).
After price hike, now Tucows drops support for Uniregistry TLDs
Tucows is to drop OpenSRS support for nine Uniregistry gTLDs after the registry announced severe price increases.
The registrar told OpenSRS resellers that it will no longer support .audio, .juegos, .diet, .hiphop, .flowers, .guitars, .hosting, .property and .blackfriday from September 8, the date the increases kick in.
It’s the second major registrar, after GoDaddy, to drop support for Uniregistry TLDs in the wake of the pricing news.
“The decision to discontinue support for these select TLDs was made to protect you and your customers from unknowingly overpaying in a price range well beyond $100 per year,” OpenSRS told its resellers.
It will continue to support seven other Uniregistry gTLDs, including .click and .link, which are seeing more modest price increases and will remain at $50 and under.
While Tucows is a top 10 registrar in most affected TLDs, its domains under management across the nine appears to be under 3,000.
These domains will expire at their scheduled expiry date and OpenSRS will not allow their renewal after the September 8 cut-off. Customers will be able to renew at current prices for one to 10 years, however.
Tucows encouraged its roughly 40,000 resellers to offer to migrate their customers to other TLDs.
Uniregistry revealed its price increases in March, saying moving to a premium-pricing model was necessary to make the gTLDs profitable given the lack of volume.
Pricing for .juegos and .hosting is to go up from under $20 retail to $300. The other seven affected gTLDs will increase from the $10 to $25 range to $100 per year.
After GoDaddy pulled support for Uniregistry TLDs, the registry modified its plan to enable all existing registrations to renew at current prices.
That clearly was not enough for Tucows, which has sent a pretty clear message that it’s not prepared to be the public face of such significant price hikes.
Massive ransomware attack hits 150 countries, brought down by a domain reg
A massive outbreak of malware on Friday hit thousands of organizations in an estimated 150 countries and had a big impact on the UK National Health Service before being temporarily thwarted by a single domain name registration.
WannaCry, as the malware has been called, targets Windows boxes that have not installed a March security patch. It encrypts files on the hosts it infects and demands money for the decryption key.
The attack is Big News for several reasons.
First, it spread ransomware over the network using a remotely exploitable vulnerability that required no user error or social engineering to install itself.
Second, it hit an estimated quarter-million machines, including thousands at big organizations such as Telefonica, the NHS, Deutsche Bahn and FedEx.
Third, it posed a real risk to human life. A reported 70,000 NHS machines, including medical devices, were said to be infected. Reportedly, some non-critical patients had to be turned away from UK hospitals and operations were cancelled due to the inability of doctors to access medical records.
Fourth, WannaCry appears to have been based on code developed by the US National Security Agency and leaked last month.
All in all, it was an attack the scale of which we have not seen for many years.
But it seems to have been “accidentally” prevented from propagating further on Friday, at least temporarily, with the simple act of registering a domain name.
A young British security researcher who goes by the online handle MalwareTech said he was poring over the WannaCry code on Friday afternoon when he came across an unregistered domain name.
On the assumption that the malware author perhaps planned to use the domain as a command and control center, MalwareTech spent the ten bucks to register it.
MalwareTech discovered that after the domain was registered, the malware stopped encrypting the hard drives it infected.
He first thought it was a fail-safe or kill-switch, but he later came to the conclusion that the author had included the domain lookup as a way to thwart security researchers such as himself, who run malware code in protected sandbox environments.
MalwareTech wrote:
In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as [if] it were registered
Once the domain was registered, WannaCry iterations on newly infected machines assume they were running in sandboxes and turned themselves off before causing additional damage.
MalwareTech was naturally enough proclaimed the hero of the day by many news outlets, but it appears that versions of the malware without the DNS query kill-switch already started circulating over the weekend.
Many are warning that the start of the work week today may see a new rash of infections.
The researcher’s account of the incident can be read in full here.
Uniregistry to grandfather existing domains before big price increases
Uniregistry has backtracked on its plan to hike renewal fees on thousands of domain name registrations.
CEO Frank Schilling described the U-turn, which followed a ferocious backlash from domain investors, as “the right thing to do”.
The company had announced price increases across 16 of its 27 gTLDs that in one case exceeded 3,000% but in many more cases represented increases in the hundreds of percent.
The increases were to apply to new and renewing registrations, and Schilling had said that they were necessary to keep the affected TLDs afloat.
But domainers were furious, taking to blogs and message boards to announce and decry the death of all new gTLDs.
Leading registrar Go Daddy soon said that it would no longer sell Uniregistry TLDs, at least temporarily.
But yesterday Uniregistry announced a change of heart, providing an unusually detailed account of the thought process leading to the price increases that’s worth quoting at length.
“The registration providers we consulted reported that differentiating prices based on the time of the registration was technically difficult and confusing for customers,” said Bret Fausett, head of the Registry Services Team. “Based on that feedback, and considering the small number of registrants affected, we made the difficult decision to raise prices for all registrants.”
“After the announcement, however, we, and our registration partners, have heard clearly from our end users that the ability to register ten-years at the existing price does not ameliorate the pain of subsequent price increases for registrants facing substantial price increases,” said Mr. Fausett. “So, for the names in our highest-priced tiers, the price changes will affect only new registrations. We are asking our registration partners to do whatever is necessary to enable this approach.”
“Creating a legacy tier of prices for inaugural registrants in our niche, premium top-level domains is technically more difficult,” said Frank Schilling, Managing Director of Uniregistry, “but it’s the right thing to do for those pioneering individuals and companies who have staked their claims in the new Internet real estate.”
In other words, if you register a name in the affected gTLDs before September 8, your renewal fee will be at the current lower level.
Whether this will be enough to mitigate Uniregistry’s reputational damage in the domainer community remains to be seen.
But the company also said it plans to overhaul its premium names pricing by the end of the second quarter, scrapping the multi-tier pricing approach in favor of a one-size-fits-all menu.
Schilling said that price reductions will affect “millions” of reserved names and mean “hundreds of millions” of dollars of hypothetical value have been wiped from the portfolio.
In rare public session, ICANN approves sexual harassment policy
ICANN’s board of directors this afternoon approved an anti-harassment policy designed to protect community members from unwanted sexual attention.
It’s the policy inspired by the now infamous Cheesesandwichgate incident at the Marrakech meeting a year ago.
But general counsel John Jeffrey noted that there have been multiple similar complaints to the Ombudsman over the last year or so, possibly as a result of increased awareness that such complaints are possible.
While the text of the resolution has not yet been published, I believe it’s approving a lightly modified version of the policy draft outlined here.
That draft sought to ban activities such as “sexually suggestive touching” and “lewd jokes” at ICANN meetings. A laundry list of characteristics (such as race, gender, disability) were also given special protection.
What’s possibly more interesting than the new policy itself is the manner in which the policy was approved.
It was the first time in goodness knows how many years — definitely over 10, and I’m tempted to say over 15, but nobody seems to know for sure — that the ICANN board has deliberated on a resolution in public.
By “in public” I mean the 30-minute session was live-streamed via Adobe Connect from an undisclosed location somewhere at ICANN 58, here in Copenhagen. An in-person live audience was not possible for logistical reasons, I’m told.
Apart from the first few years of ICANN’s existence, its public board meetings have usually been rubber-stamping sessions at the end of the week-long meeting, based on discussions that had gone on behind closed doors days earlier.
So today’s session was a significant attempt to increase transparency that is likely to be welcomed by many.
Unfortunately, its existence could have been communicated better.
For the first 15 minutes, there were no more than 19 people in the Adobe room, and I believe I may have been the only one who was not ICANN staff or board.
After I tweeted about it, another 10 or so people showed up to listen.
The ICANN board is deliberating in public on a resolution and nobody is listening. https://t.co/N59BLW4n20 #icann58 #icann
— Kevin Murphy (@DomainIncite) March 11, 2017
Given that increased board transparency is something many sections of the community have been clamoring for for years, one might have expected a bigger turnout.
While the meeting had been prominently announced, it was not listed on the official ICANN 58 schedule, so had failed to make it onto the to-do lists of any of the iCal slaves pottering around the venue.
The session itself came across to me as a genuine discussion — not stage-managed or rehearsed as some had feared.
Directors raised issues such as the possible increased workload on the Ombudsman, the fact that the current Ombudsman (or Ombudsperson, as some directors referred to him) is male, and the availability of female staff members to receive “sensitive” complaints.
Today’s open session is part of a “pilot” and is due to be followed up on Sunday with another, which will discuss ICANN’s fiscal 2018 operating plan and budget.
Again, turning up to watch in person will not be possible, but the 90-minute session will be streamed live at 0745 UTC here.
The first in the pilot program, which even I missed, was in Brussels in September.
Thick Whois policy for .com is now live
The domain name industry is kicking off one of its most fundamental shifts in its plumbing this week.
Over the next two years, Verisign and every registrar that sells .com domains will have to rejigger their systems to convert .com from a “thin” to “thick” Whois.
This means that by February 1, 2019, Verisign will for the first time control the master database of all Whois records for .com domains, rather than it being spread piecemeal across all registrars.
The switch comes as a result of a years-in-the-making ICANN policy that officially came into force yesterday. It also applies to .com stablemates .net and .jobs.
The first big change will come August 1 this year, the deadline by which Verisign has to give all of its registrars the ability to submit thick Whois records both live (for new regs) and in bulk (for existing ones).
May 1, 2018 is the deadline for all registrars to start submitting thick Whois for new regs to Verisign, but they can start doing so as early as August this year if they want to.
Registrars have until February 1, 2019 to supply Verisign with thick Whois for all their existing registrations.
There’s a process for registrars who believe they would be violating local privacy laws by transferring this data to US-based Verisign to request an exemption, which may prevent the transition going perfectly uniformly.
Some say that the implementation of this policy may allow Verisign to ask for the ability to ask a for an increase in .com registry fees — currently frozen at the command of the US government — due to its inevitably increased costs.
Personally, I think the added costs will likely be chickenfeed compared to the cash-printing machine that is .com, so I think it’s far from a slam-dunk that such fee increases would be approved.
Recent Comments