Alibaba, Name.com among new RDRS opt-ins

Eleven registrars representing millions of domain names signed up to support ICANN’s Registration Data Request Service last month. One registrar dropped out.

One of Chinese tech giant Alibaba’s registrars was among the additions. Alibaba Cloud Computing (Beijing), which has 2.6 million names under management, is a notable addition given that one of its sister registrars was recently hit with an ICANN Compliance action due to alleged abuse inaction.

Also opting in to the Whois band-aid service were Identity Digital’s Name.com (2.2 million names), three of its sister companies, and Newfold Digital’s Register.com (1.5 million names). Nominalia, P.A Vietnam, and Ubilibet also signed up.

Realtime Register dropped out of the voluntary service, the third registrar to opt out since RDRS launched in Novemeber.

ICANN says its coverage is now 57% of the total gTLD domains out there, up from 55% in February. It has 86 registrars on-board in total, including most of the largest.

RDRS is a two-year pilot that offers people who want access to private Whois records, largely intellectual property interests and law enforcement, a simpler way to connect with the registrars holding that data.

Some registrars have already quit ICANN’s Whois experiment

ICANN’s two-year experiment in helping connect Whois users with registrars has grown its pool of participating registrars over the last few months, but it has lost a couple of not-insignificant companies along the way.

The Registration Data Request Service launched in November, promising to provide a hub for people to request the private data in Whois records, which is usually redacted. Monthly usage reports, first published in January, showed 72 registrars had joined the scheme at launch.

That number was up to 77, covering about 55% of all registered gTLD domain names, at the end of February, the latest report shows. Seven more registrars have signed up and two have dropped out.

The newbies include WordPress creator Automattic, which has 1.1 million names, PublicDomainRegistry, which has 4.4 million, Register.it, which has 666,000, and Turkiye’s METUnic, which has 235,000.

The two registrars quitting the project, apparently in January, are Combell (formerly Register.eu), which has 1.3 million domains, and Hong Kong’s Kouming.com, which has 57,000.

The latest data shows that RDRS returns a “registrar not supported” error 32.7% of the time.

The running total of requesters was up by 607 to 2937 in February, ICANN’s data shows. They filed 246 requests in the month for an RDRS total of 754 so far. Intellectual property owners were the main users, followed by law enforcement and security researchers.

There were 64 approved requests — where the registrar handed over the Whois data — to make a to-date total of 133. On 50 occasions requests were turned down because the registrar decided it could not turn over the data due to privacy law. These stats break down to 20% approval and 70% denial.

It took an average of 6.92 days to approve a given request — a steep incline from the 3.89 days in January — and 2.92 to deny one.

The full report, containing much more data, can be read as a PDF here.

.ai registry fights deadbeats with tweaked auction rules

With too many auction winners failing to hand over the loot, the .ai registry has changed its auction terms to make being a deadbeat more expensive.

The registry has increased its deposit requirement from 2% to 5% for bidders considered “high risk”, which basically means new customers, or $100, whichever is higher. The deposit is forfeit if the buyer fails to pay.

The move comes because too many winners are currently failing to pay. On Twitter, registry manager Vince Cate wrote yesterday:

On http://auction.whois.ai we have had too many cases of people not paying for domains they bid for so we are increasing the deposit requirement to 5% and the non-payment fee to 5% effective immediately.

The registry conducts monthly auctions of expired inventory on its own platform using park.io software and is mirrored at Dynadot. The highest-interest names regularly attract five-figure bids, due to the increasing popularity of artificial intelligence.

Sometimes, the same names show up in consecutive auctions because the previous winner didn’t pay up. In January, for example, dog.ai and insure.ai, which had both attracted bids over $20,000, returned to auction.

.ai registry advises buyers not to use GoDaddy

The manager of the increasingly popular .ai ccTLD has seemingly escalated his beef with GoDaddy, now advising registrants to not transfer their .ai domains to the market-leading registrar due to technical and operational issues.

The list of approved registrars on the .ai registry web site has contained a warning about problems transferring domains into GoDaddy for many months, but now it explicitly advises against such transfers. The site reads:

We have had several problems with transfers into GoDaddy. First, you have to use auth codes of 32 characters or less. Second they can take weeks and many email and phone calls to actually do the transfer. Anyplace else the transfer is nearly instant once the receiving party does the transfer with the auth code and the domain is unlocked. With GoDaddy the auth code is just the start of a long process. For years GoDaddy could not transer .ai domains at all. We do not advise transfering to go GoDaddy and if you do don’t ask us for help, the problem is all GoDaddy.

GoDaddy has also been removed from .ai’s list of supported registrars, but registry manager Vince Cate tells me he did this at the request of GoDaddy, which he said is a reseller of Team Internet’s 1API. He declined to comment further.

I asked GoDaddy for comment a few weeks ago but did not receive one.

An earlier version of Cate’s warning, from about a year ago as .ai domains started to fly off the shelf, read:

The company Godaddy will say “domains with this extension are not transferable” when someone tries to transfer a “.ai” domain to them when a more correct error message would be “Godaddy does not know how to transfer .ai domains even though it is done using the industry standard EPP transfer command”.

It was later updated to read:

The company Godaddy will say “domains with this extension are not transferable” when someone tries to transfer a “.ai” domain to them when a more correct error message would be “Godaddy does not know how to transfer .ai domains even though it is done using the industry standard EPP transfer command”. They will also say, “Technically .ai domains are not transferable between most registrars, but we have a dedicated team that transfers them manually.” This is so wrong. All other registrars have no trouble doing them automatically. The only technical failure is at Godaddy. Because of they way Godaddy is doing this, I get many people asking me, “Vince, why don’t you let people transfer .ai domains?”, as if I was doing something wrong and not Godaddy. I do let people transfer .ai domains. All of the above registrars can do it automatically without any trouble. Really.

While the .ai domain is managed by the Government of Anguilla, Cate seems to have substantial autonomy over the registry. Much of its bare-bones web site is written in the first person.

Whois policy published without life-saving disclosure rule

ICANN has updated its Registration Data Policy, the rules that govern what data registries and registrars need to collect from registrants and when to publish or supply it through Whois lookups or disclosure requests.

When it becomes enforceable in August next year, the new RDP will make full-fat ICANN Whois policy compliant with EU privacy law for the first time since the General Data Protection Regulation came into effect in May 2018.

But the new policy, which replaces a functionally very similar temporary policy, is notable not only for the extraordinary amount of time it took to produce, but also for not containing a disputed requirement for registrars and registries to quickly turn over private Whois data when human life is at risk.

The policy dictates what contact information registrars must collect from their customers, what they must share with their registries, escrow agents and others, and what they must redact in the public Whois (or Registration Data Directory Services, as it will become known when Whois is retired next January).

It also says that registries and registrars must acknowledge private data disclosure requests no more than two business days after receipt and respond to the requests in full less than 30 calendar days after that, barring delays caused by “exceptional circumstances”.

But, due purely to ICANN community politicking, the policy for now omits previously considered language on “urgent” disclosure requests for use in “circumstances that pose an imminent threat to life, of serious bodily injury, to critical infrastructure, or of child exploitation”.

I’d like to think such circumstances are incredibly rare, but if there’s a situation where a Whois disclosure could help prevent a bomb going off at a major internet exchange, a trans rights activist being hounded into suicide, or a little kid getting raped on a livestream, the new ICANN policy does not account for that.

The version of the policy published in July last year (pdf) did include an urgent requests provision, requiring contracted parties to either turn over the data or tell the requester to get lost within 24 hours of receipt.

But it also contained a bunch of exceptions that could allow registrars to extend that deadline by up to three business days. When weekends and public holidays are taken into account, this could mean as much as a full calendar week to process an “urgent”, potentially life-saving request.

For that reason, the Governmental Advisory Committee wrote to ICANN (pdf) last August to ask it to revisit the policy language, chuck out the reference to “business” days, and stick to a 24-hour response window

The original Expedited Policy Development Process Working Group that came up with the policy recommendations had not specified how long registrars and registries should have to respond to urgent disclosure requests, punting that decision to the Implementation Review Team that drafted the final language.

An August 2022 draft (pdf) put out for public comment made the response window two business days, with a possible one-day extension, but this was reduced to 24 hours last year in what registrars describe as a “significant compromise” given the operational reality of responding to disclosure requests.

In August last year, the Registrars Stakeholder Group told ICANN (pdf) that its members “are committed to responding to Urgent requests in the most swift and expeditious manner possible” but said it objected to the GAC’s last-minute demands for the urgent disclosures policy to be rewritten.

From the registrars’ perspective, handling disclosure requests for personal data is not a simple ask. It’s a legal decision, balancing the privacy rights of the registrant with the rights of others to access that information.

Get it wrong, and you’re open to litigation and fines substantial enough to be expressed as a percentage of your revenue. And, money aside, who wants to be the guy who, for example, accidentally helps the Iranian morality police murder a bunch of schoolgirls for wearing the wrong type of hat?

But the argument between the registrars and the governments comes down to issues of ICANN process. Both the GAC and the RrSG claimed the urgent disclosures bunfight highlights deficiencies in ICANN multistakeholderism, but for different reasons.

ICANN’s response to this disagreement was to remove the urgent requests clauses from the policy altogether, in the hope that further talks can find a solution. Chair Tripti Sinha wrote to the RrSG and GAC a couple weeks ago to tell them:

the Board concluded that it is necessary to revisit Policy Recommendation 18 concerning urgent requests in the context of situations that pose an imminent threat to life, serious bodily harm, infrastructure, or child exploitation, and the manner in which such emergencies are currently handled. For this, we believe that consultation with the GNSO Council is required.

ICANN has essentially kicked the can, which was what the GAC had asked for. The RrSG wanted the July 2023 language (one-plus-three days) or August 2022 language (two-plus-one days) published in the final policy.

It’s stuff like this that makes one scratch one’s head, stroke one’s chin, and wonder whether ICANN really is fit for purpose.

There were 2,312 days between the day the European Commission first proposed the GDPR to the day it became effective in all EU member states.

But 2,590 days will have passed between the day the GNSO Council initiated the EPDP and the day the new Registration Data Policy will become effective on all contracted parties, next August.

The lumbering, then-28-state European Union was faster at passing policy than ICANN, even when ICANN was using an “expedited” process.

And what ICANN eventually came up with couldn’t even agree on ways to help tackle murder, economic catastrophes, and the rape of kids.

Nominet to overhaul .uk registry, turn off some services

Nominet has opened a public consultation on its plans to modernize the .uk domain registry, which will involve increased standardization around international norms and turning off some older services.

It’s an extensive consultation — 37 proposals and 92 questions spread over more than 50 pages — aimed mainly at the registrars that will have to update their systems to integrate with the new registry. But registrants will also be affected.

The plans would see changes to Nominet’s underlying registry platform that would alter how renewals, proxy registrations, grace periods and transfers between registrants and registrars are handled, and the retirement of the current Whois system, among many other items.

Nominet reckons its proposals will help it save money on ongoing maintenance and software licensing as well as eventually simplifying things for its member registrars.

The company currently runs two registry platforms in parallel: the old UK registry and the newer EPP registry, which is based on the latest technical standards and compliant with ICANN requirements.

It runs its gTLDs, such as .wales and .cymru, as well as its dozens of back-end clients, on the newer system. The plan is to shift .uk over to the newer RSP platform too.

The proposal also calls for Nominet to align with ICANN’s plans to stop requiring registrars to operate Whois services a year from now, replacing them with the newer RDAP standard, which provides the same functionality.

Other older, less-used services, such as the Domain Availability Checker, would either be retired or replaced with EPP-based equivalents.

There’s a lot to absorb in the consultation documents, but at first glance it strikes me that large international registrars that already integrate with dozens of registries probably don’t have much to worry about; smaller, .uk-focused registrars with fewer resources may show some resistance due to the amount of development work likely to be required.

But Nominet says that it is taking this into account with its timetable, saying: “If the changes go ahead, we will give considerable advance notice to Registrars to allow time for development activities”.

The consultation is open for the next three months, punctuated by five explanatory webinars.

Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction

The Government of Anguilla has put its latest batch of expired .ai domains up for auction, including a handful of single-word names and a great many three-character strings. There are 1,878 domains on the list.

At least two of the domains being auctioned off were reported sold earlier this month at the last .ai expired names auction — insure.ai, which fetched a winning bid of $24,700, and dog.ai, which reached $21,311.

They were the third and fourth most-expensive domains in the earlier auction. The domains’ Whois show the registry is still the current registrant, so the winning bidder(s) presumably didn’t pay up.

Other English dictionary-word domains that caught my eye include technological.ai, bucharest.ai, fulfilled.ai, annotated.ai, sponsorship.ai, forged.ai, crowded.ai, springboard.ai and queer.ai.

The list is notable for the number of times the word “meta” appears — well over 100 times. This is presumably due to these three facts: 1) .ai has a two-year minimum registration term, 2) it takes 90 days for expired names to make it to auction, and 3) Facebook rebranded itself as Meta in October 2021.

For any masochists among you, some obvious cybersquats are also listed for sale, including facebookmeta.ai, facebookmetaverse.ai and facebook-metaverse.ai. Remember, .ai uses the UDRP too.

The auction ends February 5.

Weak demand for private Whois data, ICANN data shows

There were fewer than six requests for private Whois data per day in December, and most of those were denied, according to newly published ICANN data.

The disappointing numbers, which also show that only about 2.5% of accredited registrars are participating, show that ICANN’s new Registration Data Request Service is certainly off to a slow start.

RDRS launched in November. It’s a ticketing system that enables people to request unredacted private Whois data, with no guarantee the requests will be granted, from registrars via an ICANN portal.

As it’s a two-year trial, ICANN promised to publish usage data every month. The first such report was published today (pdf).

The report shows that 1,481 requester accounts have been created so far, but that just 174 requests were made in December — about 5.6 per day on average.

Almost a third of requesters were intellectual property interests, with domain investors at 4.5% and law enforcement at 8%. Security researchers accounted for 15% of requests.

The data shows that most requests — 80.47% — were marked as “Denied” by registrars, largely because the registrar needed more information from the requester before it could process their request. ICANN said RDRS has no visibility into whether data was ultimately handed over outside of the system.

The supply-side data isn’t particularly encouraging either. Only 72 registrars were participating in RDRS at the end of the year.

That’s 2.5% of the 2,814 registrar entities ICANN contracts with, but if we exclude the 2,000+ drop-catching shell registrars owned by the likes of TurnCommerce, Newfold Digital and Gname, participation might be more fairly said to be closer to 10%.

ICANN said that the 72 registrars, which include many of the largest, account for 53% of all registered gTLD domain names, so you might think requesters have a better-than-even chance of being able to use the system for any given domain.

That’s not the case. RDRS data requesters are finding that the domain they are querying belongs to a non-participating registrar far more often than not — 80% of queries through the system were for domains not in the system, the report shows.

And when the registrar is participating, chances are that the data request will be denied — 80% were denied versus just 11.72% approved and 1.56% partially approved.

It takes on average two days for a request to be denied and four days for a request to be approved, the report shows.

While the results to date are arguably disappointing, given the years of effort the ICANN community and staff put in to build this thing, it’s still early days.

I also think it quite likely some of the numbers have been skewed by both the Christmas and New Year holiday period and early-adopter requesters kicking the tires with spurious requests.

Dev releases free open-source TLD registry platform

A Ukrainian developer has released a free, open-source domain registry management platform that he says is compliant with ICANN standards and should be suitable for organizations that want to self-host ccTLDs or new gTLDs they apply for in the next round.

Named Namingo, lead dev Taras Kondratyuk says the software incorporates EPP, Whois and RDAP and can interface with the popular DNS servers and database management systems.

The software has been released under a standard MIT open-source license, which basically means you can do whatever you want with it with very few limitations. Kondratyuk describes the current release as a beta but said he hopes a stable version will emerge before the end of the month.

“So far, no registry or registrar has used Namingo. However, there’s interest from one ccTLD and two regional second-level domains, which plan to conduct tests soon,” he said in an email interview.

“ccTLDs can currently run Namingo without any issue, with all components being complete,” he said. “We’re just ironing out a few details for the first stable release, like making parts of panel more ‘beautiful’ or easier to work with.”

It sounds like a labor of love. Kondratyuk said he has no background in the domain industry, no plans to commercialize the software or offer paid support services. The software was scratch-built in PHP with the help of ChatGPT.

“Having worked with small hosting providers, I noticed a gap in free and open tools for managing registries or ICANN accredited registrars,” he said. “Existing solutions were either complex, infrastructure-specific, not fully supportive of gTLDs, or not genuinely free. Namingo aims to address these gaps.”

“It was developed as a community contribution,” he said. “If a company wishes to adopt it for registry services, they’re welcome to, thanks to the permissive MIT license. My role is more in line with offering guidance rather than fully engaging in a commercial venture.”

“While I’m open to providing installation support, my capacity for hosting or round-the-clock support is limited. I just hope that a company might show interest in the future and offer this service,” he said.

After the registry platform is finished, Namingo will finish off its platform for ICANN-accredited registrars too, he said.

ICANN begs people to use its new Whois service

ICANN’s CEO has published an open letter encouraging the community to spread the word about its new Registration Data Request Service.

Sally Costerton explained (pdf) that RDRS is a “free, global, one-stop shop ticketing system” that hooks up people seeking private Whois data with the relevant registrar.

“I appreciate your attention to this new service and ask that you share this information with the relevant stakeholders in your organization,” she concludes.

The plea comes after the late-November launch of the system and the revelation that the system currently has far from blanket coverage from registrars.

“Use of the RDRS is voluntary, but I’m pleased to let you know that we have strong participation from registrars already,” Costerton wrote.

Since I published a blog post three weeks ago naming 25 large registrars not participating in RDRS, only Markmonitor has chosen to sign up, adding another one million domains to RDRS’s footprint.

But it turns out Chinese registrar Alibaba, which I was unable to check due to a bug or downtime somewhere, definitely is not participating, so there are still 25 out of the 40 registrars with over a million domains that are not participating.

Usage on the demand side is not known, but ICANN says it will publish regular monthly progress reports.

The RDRS is considered a pilot. It will run for at least two years before ICANN figures out whether it’s worth keeping.