Glitch redux: ICANN screws up new gTLD security again

No lessons learned from 2012? ICANN admitted this morning that a glitch in its Registry Service Provider Evaluation Program exposed the identities of more than a dozen companies to their rivals.

The Org fessed up that some companies looking to get pre-approved as RSPs were able to see “identifiable organizational information” belonging to another user when using ICANN’s technical testing system.

“A total of 14 of 26 organizations using RST OT&E were affected. All affected organizations have been notified,” ICANN said. “No personal data was exposed, with the exception of a single minor and limited instance.”

It doesn’t sound like any gTLD application intentions were revealed — that part of the program doesn’t open until next year.

There were probably not too many surprises among the leaks. The landscape of the RSP market is well understood.

The only exceptions that spring to mind would be ccTLD registries that have not yet revealed their plans for the gTLD space, and completely new market entrants that have not yet tipped their hand.

The glitch sounds remarkably familiar for ICANN watchers with long memories. A bug discovered in 2015 exposed much more data, and about applicants themselves, but it was only exploited by one person on a handful of occasions.

That “glitch” led to allegations of hacking and trade secret theft and a long-running Independent Review Process case that wasn’t resolved until October 2023.

ICANN said it has taken down its testing environment to fix the bug and has hired an outside consultant to kick the tires.

This delay means testing will be offline for around two weeks, coming back November 12 at the earliest, and the reveal date for the list of participating RSPs has been pushed back from December 9 to an unspecified future date we realistically have to assume will be in the new year.

It’s not expected to delay the April 2026 opening of the next application round.

Comment Tagged: glitch, ICANN, new gTLDs, next round, rsp evaluation program, rsps, security

CentralNic claims second-largest TLD migration ever

CentralNic today boasted that it successfully completed the migration of the .co TLD from GoDaddy to its own servers earlier this month, claiming the number two spot in the record books.

The company, part of Team Internet, said it moved more than 3.3 million .co domains to its registry back-end on October 4. The process took 29 hours, it said in a press release.

The 3.3 million number confirms .co’s place as the second-largest TLD migration, ahead of the 3.1 million .au names moved from Neustar to Afilias in 2018, but behind the four million .in names moved from GoDaddy to Tucows completed this May.

2 Comments Tagged: .co, centralnic, migration, team internet

DNS issue at Amazon takes out major apps and sites

Amazon’s AWS cloud platform has been suffering major outages for the last few hours, taking huge chunks of the internet with it, and DNS resolution is being blamed.

Affected products and services reportedly include Snapchat, Roblox, Fortnite, Delta Air Lines, Duolingo, Signal, Reddit, Amazon’s own Ring doorbell cam service, as well as the UK tax authority and various UK banks.

Amazon first reported problems on its status page at 0711 UTC this morning. By 0901 UTC, the company had narrowed the problem down, saying it “appears to be related to DNS resolution of the DynamoDB API endpoint in US-EAST-1.”

DynamoDB is a cloud-based database service Amazon offers on AWS. US-EAST-1 is an Amazon regional data center cluster.

Twenty minutes later, Amazon began to report “early signs of recovery for some impacted AWS Services”. Not long after, it said the recovery signs were “significant”.

At 1035 UTC Amazon said: “The underlying DNS issue has been fully mitigated, and most AWS Service operations are succeeding normally now. Some requests may be throttled while we work toward full resolution.”

AWS underpins hundreds of top-level domains — notably, Identity Digital built its registry platform there — but there’s no word yet on any DNS or EPP issues from any registries.

Comment Tagged: amazon, aws, identity digital, outage

.io sales almost double over three years

The .io ccTLD continues to be a cash cow, with sales up 6.70% in 2024, according to the registry’s latest financial filing.

The company also faced its largest-ever UK tax bill last year, at a time when the future of .io came under sharp focus due to the imminent dissolution of the British Indian Ocean Territory to which .io is assigned.

UK-based Internet Computer Bureau last month reported revenue for 2024 of £31.6 million ($42.4 million), up from £29.6 million ($39.7 million) in 2023. Revenue has grown 93% since 2021, mostly due to a spike in 2022.

While ICB, an Identity Digital subsidiary, also runs .ac and .sh, the vast majority of its business is certainly in .io, a popular ccTLD with tech start-ups.

The company is essentially a single-employee shell, structured to pass the vast majority of its revenue to US-based parent Identity Digital. Its gross margins are barely 4%, an implausibly low number for a .com-comparable, high-volume registry business.

ICB reported operating profit for 2024 of £1.6 million ($2.1 million), reversing a loss of £1.7 million in 2023. But its bottom line was bolstered by £2 million of unspecified investment income, leading to profit after tax of £2.8 million ($3.7 million).

The UK tax bill was almost three times as large as any previous year at £807,000 ($1 million) seemingly due to this investment income.

The future of .io is still ambiguous, after the UK and Mauritius signed a treaty to transfer sovereignty over BIOT, which is also known as the Chagos Archipelago. Implementation of the treaty is currently being enacted by both countries’ legislatures.

A UK diplomatic team recently met with Mauritius’ prime minister to discuss the transfer of power, and the discussions reportedly touched on the “domaine Internet”.

A Mauritian newspaper reported that the discussions covered “l’avenir du domaine Internet, qui représente un enjeu économique intéressant pour Maurice”, which could translate as “the future of the Internet domain — which represents an interesting economic opportunity for Mauritius”.

The industry trend at the moment is for the governments of countries with popular ccTLDs to put the squeeze on their registry operators, but neither the UK nor Mauritius has a direct governance or contractual relationship with .io.

Comment Tagged: chagos, earnings, financials, icb, identity digital, internet computer bureau, io

Amazon delays book and fashion gTLDs

Two gTLD launches pencilled in for next month seem to have been delayed a year.

Amazon Registry has filed updated launch dates for two Japanese-language TLDs: .書籍 (.xn--rovu88b), meaning “book”, and .ファッション (.xn--bck1b9a5dre4c), meaning “fashion”.

Both had been previously scheduled to go to general availability in early November, but new dates published by ICANN have pushed both back to the same dates in 2026.

Both have already completed their mandatory sunrise periods, back in late 2016. If they do go GA next year, it will have been a full decade between trademark protection and free-for-all.

Amazon has been slowly releasing its long-dormant stockpile of gTLDs recently. Three — .you, .talk and .fast — went GA earlier this month. Three others — .free, .hot and .spot — launched in the first half of the year.

Comment Tagged: .xn--bck1b9a5dre4c, .xn--rovu88b, .ファッション, .書籍, amazon, new gTLDs

Lindqvist shuffles the exec deck

I’ve never really understood the logic of ICANN having contractual compliance and government relations under the same roof, but it’s an organizational strategy it’s doubled down on in its latest rejigger.

CEO Kurt Lindqvist said that he’s given Jamie Hedlund a new title and new department. He’s now senior VP of global government engagement and contractual compliance, which expands on his previous US-only remit.

The Org has hired long-time community participant Janis Karklins as head of government engagement, replacing interim head Veni Markovski. He will report to Hedlund.

Karklins’ biggest contribution in recent years was arguably chairing the group that advanced post-GDRP Whois policy, but he has also acted in multiple ambassadorial roles for Latvia.

Separately, Andre Abed has been promoted to CIO, a role he held on an interim basis since Ashwin Rangan quit almost two years ago. He will report to CTO John Crain.

1 Comment Tagged: ICANN

GoDaddy launches “ultra-premium” domain marketplace

If you’re going to launch a marketplace for “ultra-premium” domain names, you couldn’t pick a better domain to launch it on than DomainNames.com, and that’s what GoDaddy has done.

Via its Afternic secondary market business, the site was officially announced today. GoDaddy is reaching out to investors who own a “category-defining .com, a rare two-letter gem, a single-word .com or .ai, or a numeric masterpiece”.

While the company says it’s invitation-only, it it’s also asking investors to submit their names for consideration via a form on the new site, so that’s probably only half-accurate.

It’s looking for names it reckons could fetch six-figure asking prices and above.

If you want to know what GoDaddy thinks is “ultra-premium”, consider that the 110 domain names listed at launch are almost exclusively one–English-word or two-character .com names, with a handful of one-word .ai domains thrown in.

Domains will be actively marketed by the service and sellers have to sign an exclusivity agreement with GoDaddy.

That said, the domains don’t seem to have custom landers. Visitors to the listed names are greeted with a variety of Afternic/GoDaddy parking pages, some of which even have buy-it-now prices listed.

1 Comment Tagged: domainnames.com, godaddy

.mobi to get a new rival in .mobile

There’s a new registry player in town. Dish DBS is preparing to launch the .mobile gTLD, which has been dormant for almost a decade, according to notes on its web site.

The first phase of the launch — sunrise — has been pencilled in for 30 days from November 10. If ICANN’s been informed of the launch dates, it has not yet officially published them on its own web site.

The launch plan would see a limited registration period targeting mobile phone operators running until early February. That would be followed by a 12-day Early Access Period and a February 19 general availability launch.

The plan is to have .mobile a fully open unrestricted space positioned as a “modern, mobile-first domain extension designed for life in motion – perfect for creators, startups, professionals, and forward-thinking brands.”

I’m expecting this to be the first of several launches from Dish, which has been sitting on a portfolio of a dozen gTLDs — the others are .sling, .dish, .latino, .dot, .ott, .ollo, .blockbuster, .dtv, .dvr, .phone, and .data — from the 2012 round.

Dish seems to be deep in bed with Tucows, its back-end registry services partner, on the revitalized portfolio.

The launch of .mobile of course will be viewed in the context of .mobi almost two decades ago, which was hyped at a time of gTLD scarcity and heavily speculated.

Now under Identity Digital, .mobi peaked at over 1.2 million registered domains in 2013 but has been in a death spiral ever since as investors cut their losses. It now sits at around 265,000 domains.

The original plan for .mobi, which was applied for four years before the launch of the first iPhone, was to provide a namespace where phone users could be assured that a site would be compatible with their phones. It looks incredibly naive in hindsight.

Dish did not have the same idea for .mobile. It wanted .mobile as a single-registrant space where only itself and its affiliates could register names, but that plan was scuppered when ICANN retroactively banned such models.

3 Comments Tagged: .mobi, .mobile, dish dbs, launch, new gTLDs, sunrise, tucows

Bye-bye .boomer! Blockchain players abandon new gTLD plans

A dozen organizations that were planning to apply to ICANN for a new gTLD next year have abandoned their ambitions.

Unstoppable Domains said recently that 12 partners offering blockchain-based alt-TLDs have confirmed they no longer expect to apply for a matching gTLD when the Next Round opens next year.

The affected blockchain extensions are: .bald, .basenji (formerly .benji), .bay, .boomer, .calicoin, .caw, .cgai, .donut, .mery, .mumu, .nibi and .pendle.

Because some buyers may have hoped to grab the matching DNS domain if and when the matching gTLD got delegated, Unstoppable said it will offer refunds to anyone who registered a name in any of these extensions.

It’s also added “Applying to ICANN 2026” and “Not applying to ICANN 2026” tags to search results on its storefront.

The refunds don’t apply to alt-TLDs that could never have applied to ICANN because the string breaks the rules in some way (for example being numeric or too short).

Comment Tagged: blockchain, ICANN, new gTLDs, unstoppable

Decades-old US registrar gets a spanking

ICANN Compliance has filed a wide-ranging breach notice against an American registrar that’s been accredited for over 20 years.

Cincinnati-based Netdorm, which does business as DnsExit.com, has been handed a long list of alleged contract violations and an October 16 deadline to fix things or risk termination.

As we’ve seen regularly recently, the registrar’s apparent failures to carry out the technical migrations from Whois to RDAP and from NCC Group to DENIC for escrow services are the biggest of ICANN’s concerns.

Netdorm is also past-due on its fees and has a long checklist of administrative and transparency failures, according to the Compliance breach notice.

Despite being accredited since 2004, the company has been chugging along with fewer than 6,000 gTLD domains under management for many years. It gives away third-level subdomains for free and claims to run over a million of them.

Comment Tagged: breach, compliance, dnsexit, ICANN, netdorm