Dirty tricks claimed in .music fight

A .music hopeful has tried to add over 300 pages of documents to its new gTLD application, apparently in an effort to leapfrog competitors, and its rival community applicant is far from happy.
DotMusic Limited submitted the change request (pdf) in order to add some Public Interest Commitments to its .music bid.
Rival .Music LLC now claims that it is “outrageous and unfair for ICANN to allow this applicant to abuse the PIC process in this way” and has filed a Request for Reconsideration.
Of the eight .music bidders, these two companies are the only formal “community” applicants.
Under the rules of the new gTLD program, community applicants can avoid having to fight an auction if they win a strict Community Priority Evaluation.
To avoid confusion: DotMusic Limited is the applicant led by Constantine Roussos; .Music LLC (aka Far Further) is led by John Styll.
Far Further fought a CPE last year but lost in spectacular fashion, scoring just 3 out of the 16 available points, a long way shy of the 14 points required for a pass.
The Roussos applicant has now submitted eight new proposed Public Interest Commitments — things it promises to do to protect registrants and rights holders — as an addendum to its application.
That’s pretty standard stuff.
What’s unusual are the 308 pages of additional “clarifications” that seek to explain how the proposed PICs relate to its original application.
They’re not changes to the application, technically speaking, but they are a way to get hundreds of extra pages of content into the public record ahead of DotMusic’s own CPE.
According to Styll, this latest gambit is nothing more than an attempt to score more CPE points. He told ICANN:

the 308 additional pages of “clarifications” contain wording that clearly utilizes learnings from previous CPE results (including our own), in violation of ICANN policy

Complicating matters, it turns out that Far Further tried to make some substantive changes to its application back in May 2014, but had the request declined by ICANN “in order to be fair to other applicants”.
That was prior to ICANN’s publication of guidelines governing change request, Styll says.
Because of this alleged discrepancy between how the two competing change requests were handled, Far Further wants a second crack at the CPE for its own application.
Its RfR (pdf) asks ICANN to reverse its May 2014 decision, allow its change request, throw out the original results of its CPE and refer the CPE to a new Economist Intelligence Unit panel for a full reevaluation.
Failing that, it wants ICANN to throw out the 308 pages of “clarifications” submitted by DotMusic.
Both applicants have the written support of dozens of music industry groups.
There’s some crossover, but Far Further’s backers appear to me to be a little more “establishment” than DotMusic’s, including the likes of the Recording Industry Association of America.
The other, non-community applicants are Amazon, Google, Donuts, Radix, Famous Four Media and Entertainment Names.
With Google and Amazon in the mix, if it goes to auction, .music could easily be an eight-figure auction along the lines of .app, which sold to Google for $25 million.
In my view, winning a CPE is the only way DotMusic has a chance of getting its hands on .music, short of combining with another applicant.

Site names and shames shoddy TLD support

A self-professed geek from Australia is running a campaign to raise awareness of new gTLDs by naming and shaming big companies that don’t provide comprehensive TLD support on their web sites.
SupportTheNew.domains, run by university coder Stuart Ryan, has been around since last June and currently indexes support problems at dozens of web sites.
The likes of Facebook, Amazon, Adobe and Apple are among those whose sites are said to offer incomplete support for new gTLDs.
It’s the first attempt I’m aware of to list “universal acceptance” failures in any kind of structured way.
Ryan says on the site that he set up the campaign after running into problems signing up for services using his new .email email address.
The site relies on submissions from users and seems to be updated whenever named companies respond to support tickets.
Universal acceptance is a hot topic in the new gTLD space, with ICANN recently creating a steering group to promote blanket TLD support across the internet.
Often, sites rely on outdated lists of TLDs or regular expressions that think TLDs are limited to three characters when they attempt to verify domains in email addresses or URLs.

All eyes on Donuts as first new gTLD renewal figures roll in

Donuts is about to give the world the clearest picture yet of the ongoing demand for new gTLD domain names.
The company has taken the unprecedented decision to disclose its renewal figures on a pretty much live basis.
COO Richard Tindal has been blogging renewal stats for .bike, .clothing, .guru, .ventures, .holdings, .plumbing and .singles for the last few days.
Those were the first seven of its gTLDs to hit general availability.
To Saturday, the renewal status of 6,352 names in these gTLDs was known and the renewal rate was 85.3%.
However, that rate is boosted by the relatively high proportion of the names that were registered during sunrise periods.
Donuts said that “two thirds” of the 6,352 reported domains were registered after sunrise.
That doesn’t make a whole lot of sense to me, given that Donuts has previously put the total number of sunrise regs across the seven TLDs at just 1,404, which would work out at about 22%, not 33%.
On Friday, the company had said that the status of 4,534 names was known and the renewal rate was 91.6%.
If you deduct the Friday numbers from the Saturday numbers, you get to 1,265 renewals and 553 drops, a renewal rate of almost 69.6% for that particular day.
That number, which is a few percentage points off what a gTLD such as .com regularly reports, could of course fluctuate.
The full-year renewal rate, which would factor out much of the domainer activity, of course won’t be known for another year.
Donuts said it expects its renewal rate to drop to the mid-70s in its next daily report, expected today, which will cover an additional 22,910 domains.
The company’s decision to blog its numbers comes a day or two after we reported that ICANN is only budgeting for renewals of 50%.
The 14.6% of names not renewed works out to about 933 domains.
“We believe most of those names will be re-registered by another party within the next 35 days,” Tindal wrote.
As they were all registered in the early days of GA, one might expect them to be of a reasonably high quality.
While GA began at the end of January 2014, renewal rates are not known until the Auto-Renew Grace Period, which can be as long as 45 days, has expired.

Group forms to stop new gTLDs breaking stuff

A little over a year into the live phase of the new gTLD program, a group of domain industry companies are getting together to make sure the expansion is supported across the whole internet.
A new Universal Acceptance Steering Group has formed, with the support of ICANN and the Domain Name Association, to help fix many of the compatibility problems facing new gTLD registrants today.
“The basic problem is that these new types of domains and email addresses just break stuff,” Google’s Brent London said during a UASG meeting at the ICANN meeting in Singapore last week.
“You try to use an internationalized domain or a long new gTLD, or even a short new gTLD, or certainly an internationalized email address and you’re likely to run into problems,” he said. “What we’re doing is going around asking developers to make their products work.”
Universal acceptance is a long-understood problem. Even 15 years after the approval of .info there are still web sites that validate email addresses by ensuring the TLD is no longer than three characters in length.
But the 2012 new gTLD round has brought the issue into sharper focus, particularly given the introduction of internationalized domain names, IDNs, which use non-Latin scripts.
Over the last year we’ve seen scattered examples of popular software — including browsers, instant messaging and social media apps — not recognizing new gTLD domains as domains. The problems I’ve seen are usually fixed quite quickly.
While I’ve not seen any deal-breakers that would prevent me registering a new gTLD domain, I gather that IDN email addresses are often basically unusable, due to the chain of dependencies involved in sending an email.
In my experience as a programmer, supporting all TLDs is not a particularly challenging problem when you’re coding something afresh.
However, when bad practices have been coded in to large, sprawling, interdependent systems over decades, it could be likened to the Y2K problem — the so-called Millennium Bug that caused developer headaches worldwide at the end of the last century.
There’s also a tonne of bad advice on the web, with coders telling other coders to validate domains in ways that do not support an expanding root.
UASG members think the problem is large-scale and that it’s a long-term project — 10 years or more — to fix it satisfactorily.
Members include Donuts, Google, Microsoft, Go Daddy and Afilias.
The DNA has started creating a repository of information for developers, with the aim of describing the problem in plain English and providing code samples. Along with other UASG members, there’s a plan to conduct outreach to make more people aware of the acceptance issue.
You can check out the repository in its unfinished state here.
ICANN is getting involved in a coordination role. After the UASG’s inaugural meeting in Washington DC a few weeks ago, ICANN hosted a session during ICANN 52.
It’s also hosting a mailing list and the group’s first conference call, which will take place tomorrow at 1600 UTC.

Dot Vegas sells $2m of premiums

New gTLD registry operator Dot Vegas says it has sold over $2 million worth of “premium” .vegas domain names to date.
The registry, which went to general availability in September, has also registered 1,000 additional premiums to itself in an effort to drum up more sales.
The list is available at the registry’s web site (pdf).
As you might expect, gambling and tourism related keywords feature heavily, but there are also names geared towards locals.
The names don’t appear to have buy-now prices. Rather, Dot Vegas is soliciting interested potential buyers via the reserved sites.
.vegas zone files show just over 12,000 names currently. That number will include the registry-reserved ones. According to DomainTools, Dot Vegas owns about 2,200 names across all TLDs.

Domain hijacking bug found in Go Daddy

Go Daddy has rushed out a fix to a security bug in its web site that could have allowed attackers to steal valuable domain names.
Security engineer Dylan Saccomanni found several “cross site request forgery” holes January 17, which he said could be used to “edit nameservers, change auto-renew settings and edit the zone file entirely”.
He reported it to Go Daddy (evidently with some difficulty) and blogged it up, with attack code samples, January 18. Go Daddy reportedly patched its site the following day.
A CSRF vulnerability is where a web site fails to adequately validate data submitted via HTTP POST. Basically, in this case Go Daddy apparently wasn’t checking whether commands to edit name servers, for example, were being submitted via the correct web site.
Mitigating the risk substantially, attackers would have to trick the would-be victim domain owner into filling out a web form on a different site, while they were simultaneously logged into their Go Daddy accounts, in order to exploit the vulnerability, however.
In my experience, Go Daddy times out logged-in sessions after a period, reducing the potential attack window.
Being phishing-aware would also reduce your chance of being a victim.
I’m not aware of any reports of domains being lost to this attack.

.uk suspension problems worse than I thought

Problems validating the addresses of .uk domain registrants, which caused one registrar to dump the TLD entirely, are broader than I reported yesterday.
Cronon, which does business as Strato, announced last week that it has stopped selling .uk domain names because in more than a third of cases Nominet, the registry, is unable to validate the Whois data.
In many cases the domain is subsequently suspended, causing customer support headaches.
It now transpires that the problems are not limited to .uk second-level names, are not limited to UK registrants, and are not caused primarily by mailing address validation failures.
Michael Shohat, head of registrar services at Cronon, got in touch last night to clarify that most of its affected customers are in fact from its native Germany or from the Netherlands.
All of the affected names are .co.uk names, not .uk SLDs, he added.
And the validation is failing in the large majority of cases not due to Nominet’s inability to validate a mailing address, but rather its inability to validate the identity of the registrant.
“This is where the verification is failing. The database they are using can’t find many of our registrants’ company names,” Shohat said.
“So 30% of our registrations were being put on hold, almost all of them from [Germany] and [the Netherlands], and 90% of them because of the company name. We checked lots of them and in every single case the name of the company was correct, and the address as well,” he said.
Michele Neylon of the ICANN Registrar Stakeholders Group said that Cronon is not the only registrar to have been affected by these issues. Blacknight Solutions, the registrar Neylon runs, has been complaining about the problem since May.
According to Neylon, the Nominet policy causing the issue is its data quality policy, which covers all .uk and .co.uk (etc) names.
The policy itself is pretty vague — Nominet basically says it will work with each individual registrar to determine a baseline of what can be considered a “minimum proportion of valid data”, given the geographic makeup of the registrar’s customer base.
Domains that fail to meet these criteria have a “Data Quality Lock” imposed — essentially a suspension of the domain’s ability to resolve.
Earlier this year, Nominet did backtrack on plans to implement an automatic cancellation of the names after 30 days of non-compliance, following feedback from its registrars.
“It’s disappointing that Cronon have taken this step; we hope they will consider working with us to find a way to move forward,” a Nominet spokesperson added.
She said that the registry has over recent years moved to “more proactive enforcement” of Whois accuracy. She pointed out that Nominet takes on the “lion’s share of the work”, reducing the burden on registrars.
“However, our solution does not include non-UK data sets to cross-reference with, so it is possible that some false positives occur,” she said. “Registrars with a large non-UK registrant bases, who are not accredited channel partners, would be affected more than others.”
An Accredited Channel Partner is the top tier of the three Nominet offers to registrars. It has additional data validation requirements but additional benefits.
While .co.uk domains are not limited to UK-based registrants, all .uk SLD registrants do need to have a UK mailing address in their Whois for legal service.
The company’s inability to validate many non-UK business identities seems to mean .co.uk could also slowly become a UK-only space by the back door.

Big registrar dumps .uk — a glimpse of Christmas future?

German registrar Cronon, which retails domains under the Strato brand, has stopped carrying .uk domains due to what it says are onerous Whois validation rules.
In a blog post, company spokesperson Christina Witt said that over one third of all .uk sales the registrar has been making are failing Nominet’s registry-end validation checks, which she said are “buggy”.
With the introduction of direct second-level registration under .uk, Nominet introduced a new requirement that all new domains must have a UK address in the Whois for legal service, even if the registrant is based overseas.
According to its web site, Nominet checks registrant addresses against the Royal Mail Postcode Address file, which contains over 29 million UK addresses, and does a confidence-based match.
If attempts to match the supplied address with a UK address in this file prove fruitless, and after outreach to the registrant, Nominet suspends the domain 30 days after registration and eventually deletes it.
It’s this policy of terminating domains that has caused Strato to despair and stop accepting new .uk registrations.
“Databases of street directories or company registers are often inaccurate and out of date,” Witt wrote (translated from the original German). “The result: addresses that are not wrong, in fact, are be found to be invalid.”
Nominet is throwing back over a third of all .uk names registered via Strato, according to the blog post, creating a customer support nightmare.
Its affected registrants are also confused about the verification emails they receive from Nominet, a foreign company of which they have often never heard, Witt wrote.
I don’t know how many .uk names the registrar has under management, but it’s reasonably large in the gTLD space, with roughly 650,000 domains under management at the last count.
If Strato’s claim that Nominet is rejecting a third of valid addresses (and how Strato could know they’re valid is open to question), that’s quite a scary statistic.
Nominet seems to be using an address database, from the Royal Mail, which is about as close to definitive as it gets. And it’s only verifying addresses from a single country.
I shudder to imagine what the false negative rate would be like for a gTLD registrar compelled to validate addresses across 200-odd countries and territories.
The latest version of the ICANN Registrar Accreditation Agreement requires registrars to partially validate addresses, such as checking whether the street and postal code exist in the given city, but there’s no requirement for domains to be suspended if these checks fail.
[UPDATE: Thanks to Michele Neylon of the Registrars Stakeholder Group for the reminder that this RAA requirement hasn’t actually come into force yet, and won’t until the RrSG and ICANN come to terms on its technical and commercial feasibility.]
Where the 2013 RAA does require suspension is when the registrant fails to verify their email address (or, less commonly, phone number), which as we’ve seen over the last year leads to hundreds of thousands of names being yanked for no good reason.
If Strato’s story about .uk is correct and its experience shared by other registrars, I expect that will become and important data point the next time law enforcement or other interests push for even stricter Whois rules in the ICANN world.

Community proposes way to replace US oversight of ICANN

The process of removing the US government from management of the DNS root system took a significant step forward today, with the publication of a community proposal for a transition.
The Cross Community Working Group, which convened itself earlier this year, has published a proposal to replace the US with a new contracting company and a bunch of committees.
The DNS community has been tasked with coming up with a way to transition stewardship of the IANA functions from the US National Telecommunications and Information administration, which said in March this year that it intends to relinquish its historic, but largely symbolic, Damoclean role.
After discussions which by any measure of ICANN policy-making have been forcibly swift, the 119-member CWG has now presented two broad options.
The first, a description of which forms the bulk of its report, would see ICANN overseen by a new, lightweight non-profit company managed by multi-stakeholder committees.
The other, which doesn’t get much airplay in the document, would see ICANN simply take over the NTIA’s responsibilities entirely. Accountability would be provided by enhanced accountability processes within the existing ICANN structure.
Under the primary proposal, the CWG was keen to avoid creating something ICANN-like to oversee ICANN, due to the complexity and cost, but it also decided that ICANN remains the best place to house the IANA function for the foreseeable future.
It’s proposed a new company, known currently as “Contract Co”, that would be replace the NTIA as the party that contracts with ICANN to run IANA. It would have “little or no staff”.
The contract itself would be developed and overseen by a Multistakeholder Review Team, comprising people drawn from each area of the ICANN community.
The precise make-up of this MRT is still open to discussion and will be, I suspect, the subject of some pretty fierce debate as the various competing interest groups wrestle to have themselves with the strongest possible representation.
Like the NTIA, the MRT would have the power to pick another entity to run IANA in future, should ICANN screw up.
A new Customer Standing Panel would comprise executives from gTLD and ccTLD registries — the “customers” of IANA’s naming functions — and would have the job of relaying the concerns of registries to the MRT, keeping ICANN accountable to its primary users.
Finally, there’d be an Independent Appeals Panel. Any IANA decision — presumably including the delegation or redelegation of a TLD — could be appealed to this IAP. This function would very probably be outsourced on a case-by-case basis to an existing arbitration body.
Is this worrying? Arbitration panels handling new gTLD disputes haven’t exactly inspired confidence in their ability to provide consistent — or even rational — decisions over the last year or so. Should the last word on what goes into or stays out of the DNS root really go to the same folk who think .通販 and .shop are too confusingly similar to coexist on the internet?
There doesn’t appear to be anything massively surprising in the proposal. When ICANN or its community try to solve a problem the answer is usually a new committee, and the ideas of MRTs, CSPs and IAPs do seem to mirror existing structures to an extent.
The whole thing can be downloaded and read over here.
There’s a December 22 deadline for comment. It will be submitted to the IANA Stewardship Transition Coordination Group by the end of January, with a view to getting a final proposal to the US government next summer in time for the hoped-for September 30 handover date.

“Cyberflight” rules coming to UDRP next July

It will soon be much harder for cybersquatters to take flight to another registrar when they’re hit with a UDRP complaint.
From July 31 next year, all ICANN-accredited registrars will be contractually obliged to lock domain names that are subject to a UDRP and trademark owners will no longer have to tip off the registrant they’re targeting.
Many major registrars lock domain names under UDRP review already, but there’s no uniformity across the industry, either in terms of what a lock entails or when it is implemented. Under the amended UDRP policy, a “lock” is now defined as:

a set of measures that a registrar applies to a domain name, which prevents at a minimum any modification to the registrant and registrar information by the Respondent, but does not affect the resolution of the domain name or the renewal of the domain name.

Registrars will have two business days from the time they’re notified about the UDRP to put the lock in place.
Before the lock is active, the registrants themselves will not be aware they’ve been targeted by a complaint — registrars are banned from telling them and complainants no longer have to send them a copy of the complaint.
If the complaint is dismissed or withdrawn, registrars have one business day to remove the lock.
Because these change reduce the 20-day response window, registrants will be able to request an additional four calendar days (to account for weekends, I assume) to file their responses and the request will be automatically granted by the UDRP provider.
The new policy was brought in to stop “cyberflight”, a relatively rare tactic whereby cybersquatters transfer their domains to a new registrar to avoid losing their domains.
The policy was approved by the Generic Names Supporting Organization in August last year and approved by the ICANN board a month later. Since then, ICANN staff has been working on implementation.
The time from the first GNSO preliminary issue report (May 27, 2011) to full implementation of the policy (July 31, 2015) will be 1,526 days.
You can read a redlined version of the UDRP rules here (pdf).