.org back-end deal will come up for re-bid, PIR says as it acquires four new gTLDs

Kevin Murphy, December 8, 2021, Domain Registries

The industry’s most lucrative back-end registry services contract will be rebid, Public Interest Registry said today.

The deal, which sees PIR pay Afilias $18.3 million a year to run .org, according to tax records, will see a request for proposals issued in the back half of 2023, according to PIR.

Given that’s two years away, it’s strange timing for the announcement, which came at the bottom of a press release and blog post announcing that the company is acquiring four new gTLDs, three of which belong to Afilias’ new owner, Donuts.

PIR said Donuts is to transfer control of .charity, .foundation and .gives, which will be “reintroduced” to the market. .foundation currently has about 20,000 registered domains; the other two have a few thousand each.

It’s also acquiring the unlaunched gTLD .giving from a company called Giving Ltd.

All four are on-message for PIR’s not-for-profit portfolio, which also includes the barely-used .ngo and .ong for non-governmental organizations.

Those two gTLDs are getting decoupled, allowing registrants to register one without having to buy the other, PIR also said today.

The last time the PIR back-end contract came up for renewal, in 2015, Afilias was also the incumbent but increased competition — it was up against 20 rivals — meant that its slice of .org revenue was cut in half.


ICANN budget: staff bloat making a comeback

Kevin Murphy, December 8, 2021, Domain Policy

ICANN plans to ramp up its headcount starting next year to support the development of the new gTLD program.

Newly published budgeting documents show that average headcount is expected to rise to 406 for the year ending June 30, 2022, from 395 at the end of this June, with an even steeper increase to 448 a year later.

That’s after several years in which staffing levels have been fairly stable, even sometimes declining a little.

The main culprit is the Operational Design Phase for the next new gTLD round(s), which is expected to kick off soon.

ICANN expects to hire or assign nine people to manage the ODP before the end of June 2022, ramping that up to an average of 22 over the following year. The amount of non-ODP operational staff is expected to rise by 28 over the same period.

ICANN currently advertises 31 open positions on its web site, having added eight listings just this week.

This chart shows the expected growth:

[Figure: ICANN headcount chart]

At the time of the last new gTLD application round, in 2012, ICANN had 152 staffers, nine of whom were assigned to the new gTLD project — and that was after the program’s rules had already been developed and implemented, and the application window had opened and closed.


ICANN budget: no more new gTLDs before 2028

Kevin Murphy, December 8, 2021, Domain Policy

ICANN is not accounting for any revenue from a future round of new gTLDs in its just-published budget, which plots out the Org’s finances all the way through 2028.

The budget, which I gave a high-level summary of here, even predicts that dozens of 2012-round new gTLDs will disappear over the next six years.

The Org is predicting that there will be 1,091 gTLDs on the internet by the end of its fiscal 2027 (that is, June 30, 2028) down by 58 or 5% from July 2022.

Given that it’s only expecting to lose four gTLDs in FY23, this projection implies a speeding up of the rate at which gTLDs start cancelling their contracts or going out of business in the later part of the five-year budget.

The forecast comes with a big asterisk, however. A footnote reads:

These scenarios do not assume any further TLD delegations arising from the resumption of the New gTLD Program. While there is ongoing work and an intent to launch a subsequent round, the timing of its release remains unclear and potential impact(s) on funding indeterminate. Given this, ICANN org has deemed it prudent not to assume any prospective impacts from a subsequent round across the described scenarios.

In other words, ICANN is not yet ready to commit to a runway for the next application round, subsequent delegations and eventual revenue.

As I reported Monday, the next round is unlikely to be approved until the fourth quarter of next year at the earliest, and my view is that 2024 is the soonest the next application window could open.

I don’t think we can read too much into the fact that ICANN isn’t budgeting for any next-round impact on funding until after 2027.

If you’re pessimistic, you could infer that ICANN believes it’s at least a possibility that the next round could take that long, or not be approved at all, but the safer bet is probably that it merely lacks visibility and is acting in its usual risk-averse manner.


ICANN budget: mild optimism amid maturing industry

Kevin Murphy, December 8, 2021, Domain Policy

ICANN thinks the domain industry, including the new gTLD industry, is maturing and will continue to grow, in its just-published draft budget for fiscal 2023.

The Org is predicting growing transactions across the board, as well as an increase in the number of accredited registrars and a slowing decline in the number of contracted gTLDs.

ICANN is expecting funding of $152 million for FY23, which includes the $4 million bung it negotiated with Verisign as part of the deal to allow the company to raise .com prices.

That’s up from the $149.1 million it expects to receive in the current fiscal year.

As usual, the bulk of the funding comes from gTLD transaction fees — the taxes registrants pay through their registrars and registries whenever they register, renew or transfer a domain name.

Legacy gTLD transaction fees are expected to amount to $93.1 million, up 3% on a forecast of $90.1 million in the current year, while new gTLD transaction fees are expected to rise modestly from $9.5 million to $9.9 million, a 4% increase.

Transactions in legacy gTLDs are expected to be 201.2 million, versus 193.6 million in the current year.

New, post-2012 gTLDs are expected to process 25.8 million transactions, up from 24.8 million, of which 21.1 million will be billable, up from 20.3 million. New gTLDs only pay transaction fees after 50,000 domains under management.

ICANN is expecting to lose four registries in FY23 — this almost always means dot-brands that cancel their contracts — with the total declining from a June 2022 total of 1,149 to 1,145 a year later. This will have a modest impact on fixed registry fees.

But the Org is once again expecting to see an increase in the number of registrars paying fixed accreditation fees, up by 28 to 2,447 at the end of FY23.

Accompanying the budget, ICANN has published some industry trend analysis (pdf) outlining some of the assumptions behind the budget forecasts.

Basically, the document describes what regular readers already know — many domain companies benefited from pandemic-related lockdowns driving small businesses online, but overall industry volumes were driven down by low-cost new gTLDs experiencing huge junk drops.

For ICANN’s purposes, factors such as customer quality and pricing are irrelevant. A spammer registering 1,000 domains in bulk pays ICANN the same amount in fees as 1,000 small businesses building their first web sites.

The document reads:

Taken as a whole, DUMs failed to expand in the past twelve months ending in mid-2021. While this decline is at least partly attributable to lower promotional activity among some of the largest new gTLDs which could be reinitiated in the future, it nonetheless points to an industry that has shifted from a period of rapid expansion to one that is now witnessing steady maturation.

The draft ICANN budget covers the 12 months beginning July 1, 2023, and is now open for public comment before possible revisions and final approval.


ICANN says ODP will speed up new gTLDs in the long run

Kevin Murphy, December 6, 2021, Domain Policy

A time-consuming process to spec-out the next new gTLD application round before it is even formally approved will actually speed up the program over the long run, an ICANN veep has said.

The so-called Operational Design Phase is a bunch of planning, on issues such as cost and feasibility, that ICANN says it needs to do before the community’s policy recommendations can be put before the board of directors.

The board approved the ODP in September, giving the Org a $9 million budget and a 10-month deadline to complete the project, but the clock doesn’t start ticking until CEO Göran Marby formally starts the process.

Three months later, that still hasn’t happened. ICANN is still “organizing the resources needed and developing the roadmap for the work ahead”, according to a blog post from Karen Lentz, VP of policy research and stakeholder programs.

The Org is doing the preparation for the preparation for the preparation for the next round, in other words.

But Lentz says this will speed up the new gTLD program over the longer term.

We believe the ODP will actually streamline future work. It will have a positive impact on the duration of the implementation process by making the assumptions explicit, answering key questions, and considering how the recommendations on different topics work together in addition to providing a detailed timeline and visibility to the timing of implementation activities. If the Board approves the recommendations, the org and the Implementation Review team would be able to leverage a good amount of work already completed during the ODP. Future rounds would not be possible without the foundational work of an ODP. It’s important to note that without an ODP, this work would still be taking place, but without the structure and transparency that the ODP provides.

Another important consideration to note here is that we are not simply organizing only the next round. We are building a foundational structure for all of the work that the org, the community, and the Board will do over the coming years to continue to evolve the namespace along with the necessary procedures and tools. So the work from this ODP is not only for a single round — this is targeting a long-term plan and for multiple rounds.

If Marby were to start the ODP tomorrow, and ICANN managed to hit its deadline, October 2022 would be the absolute earliest the ICANN board would get the chance to approve the next round.

It’s possible, though not very likely given how intrinsic to ICANN’s mission the opening up of gTLD competition is, that the board could instead decide not to approve the next round.

After the next round gets the thumbs-up, there’s still a whole lot of extra work to do — the aforementioned Implementation Review, hiring contractors, a months-long marketing campaign — before companies would actually get to file their applications.

We’re still looking at 2024 at the earliest for that, in my view, but if there’s one thing we can rely on from ICANN, it’s delay.


Be the next “face” of dot-brands

Kevin Murphy, December 6, 2021, Domain Policy

The Brand Registry Group is seeking a new executive director, after incumbent Martin Sutton decided he’s to leave the group next year.

Sutton, who’s been in the role since 2015, said the BRG is looking for somebody to be the new “face of the dotBrand community”.

Arguably the group’s biggest issue right now is the next new gTLD application round, which still appears to be years away after a decade’s worth of navel-gazing by ICANN.

If BRG members are to be believed, a whole lot of companies that missed out on the 2012 round or have been founded since then are champing at the bit for the chance to get their own dot-brands.

It’s pretty clear from Sutton’s job posting that a long-time ICANN community member is being sought, and I can think of maybe two or three people who would make perfect candidates.

The BRG is not a formal ICANN structure, but it gets time on the agenda at ICANN meetings and has some political clout. Its members include the likes of Apple, Amazon, Fox, Honda and JP Morgan & Chase.

The executive director is its only full-time employee role.


CentralNic makes another registrar acquisition

Kevin Murphy, December 6, 2021, Domain Registrars

CentralNic said today it has bought another registrar, Chile-based NameAction, in a $1 million deal.

NameAction has been around since the late 1990s and specializes in ccTLDs in the Latin American region, including offering local presence services for foreign registrants.

It sells gTLD domains too, acting primarily in the brand protection space, but does not appear to be ICANN-accredited in its own right.

CentralNic said the deal will immediately add $2 million to its top line and $200,000 to profits.

CEO Ben Crawford said in a press release that the deal is small but of strategic importance, giving the company a beachhead from which to expand into Latin America.

It’s the fourth acquisition announcement from CentralNic, which describes itself as an industry consolidator, this year.


ICANN takes the lamest swipe at Namecheap et al over blockchain domains

Kevin Murphy, November 24, 2021, Domain Tech

ICANN has come out swinging against blockchain domains and the registrars that sell them. And by “come out” I mean it’s published a blog post. And by “swinging” I mean “offered the weakest criticism imaginable”.

The post starts off well enough, observing that services marketed as “domain names” that are not automatically compatible with the global DNS are probably not a great purchase, because they don’t work like regular domains.

Using these alternatives requires something like a browser plug-in or reconfiguring your device to use a specialist DNS resolver network, the post notes, before concluding with a brief caveat emptor message.

All good stuff. ICANN has been opposed to alt-root domain efforts for at least 20 years, and the policy is even enshrined in so-called ICP-3, which nobody really talks about any more but appears to still be the law of ICANN Land.

So, which domain-alternatives is ICANN referring to here, and which registrars are selling them? The post states:

Name resolution systems outside the DNS have existed for a long time. One could mention the Sun Microsystem Network Information Service (NIS), the Digital Object Architecture (DOA), or even the Ethereum Name Service (ENS)…

With some ICANN-accredited registrars now selling NIS, DOA, or other similar domains alongside standard domain names, the potential for confusion among unsuspecting customers seems high.

You may be asking: what the heck (or, if you’re like me, fuck) are NIS and DOA domains, and which registrars are selling them?

Great questions.

NIS is an authentication protocol (a bit like LDAP) for Unix networks developed in 1985 (the same year the original DNS standard was finalized) by Sun Microsystems, a company that hasn’t existed in over a decade.

To the best of my knowledge they’ve never been marketed as an alternative to regular domain names. Nobody’s ever used them to address a publicly available web site. Nobody sells them.

DOA, also known as the Handle System, is a more recent idea, first implemented in 1994, before some of you were born. Handles are mostly numeric strings used to address digital objects such as documents. Libraries use them.

The main thing to know about Handles for the purposes of this article is that they’re specifically designed to convey no semantic information whatsoever. They’re not designed to look like domain names and they’re not used that way.

So how many registrars are selling NIS/DOA domains? I haven’t checked them all, but I’m going to go out on a pretty sturdy limb and guess the answer is “none”, which is a lot less than the “some” that ICANN asserts.

But ICANN also mentions the Ethereum Name Service, a much newer and sexier way of cybersquatting, based on the Ethereum cryptocurrency blockchain.

ENS allows people to buy .eth domain names (which do not function in the consensus DNS) for the Ethereum equivalent of about $5. As far as I can tell, you can only buy them through ens.domains, and no ICANN-accredited registrar is functionally capable of selling them.

The ICANN post also contains a brief mention of “Handshake”, and this appears to be what ICANN is actually worried about.

Handshake domains, also known as HNS, look like regular domain names and a handful of ICANN-accredited registrars are actually selling them.

Handshake is also based on blockchain technology, but unlike ENS it also allows people to create their own TLDs (which, again, do not function without special adaptations). Registrars including Namecheap, 101domain and EnCirca sell them.

It’s Namecheap’s storefront hover text, warning that HNS domains don’t work in the regular DNS, that ICANN appears to be paraphrasing in its blog post.

The registrar has a lengthy support article explaining some of the ways you can try to make a Handshake domain work, including an interactive comment thread in which a Namecheap employee suggests that DNS resolvers may choose to resolve HNS TLDs instead of conflicting TLDs that ICANN approves in future.

That’s the kind of thing that should worry ICANN, but it’s got a funny way of expressing that concern. Sun Microsystems? Digital Object Architecture? What’s the message here?

Twenty years ago, I interviewed an ICANN bigwig about New.net, one of the companies attempting to sell alt-root domains at the time. He told me bluntly the company was “breaking the internet” and “selling snake oil”, earning ICANN a snotty lawyer’s letter.

Today’s ICANN post was ostensibly authored by principal technologist Alain Durand, but I’m going to give him the benefit of the doubt and assume comms and legal took their knives to it before it was published.

While some things haven’t changed in the last two decades, others have.


GoDaddy hack exposed a million customer passwords

Kevin Murphy, November 24, 2021, Domain Registrars

GoDaddy’s systems got hacked recently, exposing up to 1.2 million customer emails and passwords.

The attack started on September 6 and targeted Managed WordPress users, the company’s chief information security officer Demetrius Comes disclosed in a blog post and regulatory filing this week.

The compromised data included email addresses and customer numbers, the original WordPress admin password, the FTP and database user names and passwords, and some SSL private keys.

In cases where the compromised passwords were still in use, the company said it has reset those passwords and informed its customers. The breached SSL certs are being replaced.

GoDaddy discovered the hack November 17 and disclosed it November 22.

It sounds rather like the attack may have been a result of a phishing attack against a GoDaddy employee. The company said the attacker used a “compromised password” to infiltrate its WordPress provisioning system.

Comes wrote in his blog post:

We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection

You may recall that GoDaddy came under fire last December for punking its employees with a fake email promising an end-of-year bonus, which turned out to be an “insensitive” component of an anti-phishing training program.

About 500 staff reportedly failed the test.


EURid to drop 48,000 Brexit domains in one day

Kevin Murphy, November 23, 2021, Domain Registries

All the .eu domain names formerly belonging to Brits and UK residents will be released for registration on a first-come, first-served basis in one day, EURid announced today.

There are about 48,000 of them, and they’ll be released in batches starting at 0900 UTC on January 3, two days later than the previously announced date, the registry said.

The names all belonged to UK registrants that lost their eligibility when the country left the EU in January last year.

There were almost 300,000 .eu domains registered in the UK at the time of the Brexit referendum in 2016. Most have since dropped or been transferred to EU-based entities or EU citizens that still qualify.
