GoDaddy could lose out as NIXI brings .in in-house

Indian ccTLD registry NIXI wants to become a back-end registry services provider for its own .in and other TLDs, and seems set to push GoDaddy out of its current role as it looks for a company to build its new infrastructure.

The company is looking to expand its current role as .in overseer and take over day-to-day operational management of the EPP registry, DNS, Whois, etc, from its current back-end. That’s been Neustar, now GoDaddy Registry, since 2019.

By the time the transition takes place, it could be the largest TLD migration in history.

NIXI currently says it has over three million domains under management. The previous biggest move was .au from Neustar to Afilias in 2018, at 3.1 million names. The .org migration from Verisign to PIR in 2003 was for 2.7 million names.

NIXI basically wants a company to come in to design and build a registry system, run it for a year, and then hand over operations, and maybe staff, to NIXI before retreating into a maintenance role for seven years.

The selected provider must be established in India and preference will be given to “companies whose parent / holding company is registered in India having subsidiaries in other developing countries.”

If NIXI already has a preferred provider in mind, it certainly isn’t GoDaddy, judging by this criterion.

“This is as part of future expansion plan / business plan of NIXI,” the tender (pdf), which says several times that NIXI wants to become the back-end for ccTLDs in other developing countries, notes.

After a number of extensions, NIXI’s tender is due to expire next Monday.

New ICANN boss makes encouraging noises on new gTLDs

ICANN’s new interim CEO Sally Costerton addressed the community in her new role for what I believe was the first time last Thursday, in a call with the GNSO Council.

The hour-long call was meant to discuss the outcomes of the Council’s Strategic Planning Session a month ago, but it also served as a Q&A between councilors and Costerton.

The last 15 minutes are of particular interest, especially if you’re one of the people concerned about ICANN’s devolution into a “do-nothing” organization over the last several years.

At that mark, Thomas Rickert of the trade group eco addressed the issue in a lengthy comment in which he pointed out that ICANN has been moving so slowly of late that even lumbering governmental institutions such as the European Union have come to realize that it’s faster to legislate on issues such as Whois than to wait for ICANN to sort it out.

He also pointed to the community’s pain of waiting a year for the recent Operational Design Assessment for the next round of new gTLDs, and its shock that the ODA pointed to an even more-expensive round that could take five years or more to come to fruition.

“I’ve heard many in the community say that the operational design reports come up with a level of complexity and diligence that stands in the way of being efficient,” he said. “So maybe the perfect is the enemy of the good.”

ICANN should be brave, dig its heels in, and get stuff done, he remarked.

Costerton seemed to enjoy the critique, suggesting that the recording of Rickert’s comments should be circulated to other ICANN staff.

She described herself as a “pragmatist rather than an ideologue”.

“I so want to say you’re absolutely right, Thomas, I completely agree with you 100%, we should just get it done,” she said. “Good is good enough. Perfect is the enemy of the good — I like that expression, I think it very often is.”

But.

Costerton said she has to balance getting stuff done with threats from governments and the risk of being “overwhelmed by aggressive litigation”. She said that ICANN needs “a framework around us that protects us”.

Getting that balance right is the tricky bit, she indicated.

Costerton, who took her new role at the end of last year following Göran Marby’s unexpected resignation, did not tip her hand on whether she plans to apply to have the “interim” removed from her job title. It is known that she has applied at least once before.

Verisign loses prestige .gov contract to Cloudflare

Cloudflare is to take over registry services for the US government’s .gov domain, ending Verisign’s 12-year run.

It seems .gov manager CISA, the Cybersecurity and Infrastructure Security Agency, opened the contract up for bidding last August and awarded it to Cloudflare in mid-December.

The deal is worth $7.2 million, Cloudflare said in a press release on Friday, which is more than twice as much as Verisign charged when it took over the .gov back-end in 2011.

But it seems the deal includes Cloudflare providing authoritative DNS for .gov domains, something Verisign does not currently provide the TLD, in addition to managing the zone file, registry, Whois, etc.

It’s not clear who’s running the exclusive .gov registrar, but CISA appears to be building a new one.

.gov domains are only available to US federal, state, tribal and local government organizations, and there was a $400-a-year fee until April 2021, when CISA made them free to register.

There are about 8,600 .gov domains today. Not a lot, but the deal comes with bragging rights.

CISA took over .gov from the General Services Administration in March 2021 and dropped the fees a month later.

It’s not clear whether Verisign had bid for a renewed contract or simply walked away, as it did when it conceded .tv to GoDaddy last year. I’ve asked the company for comment.

The loss of .gov is obviously a drop in the ocean compared to .com, which continues to make Verisign one of world’s most-profitable companies.

While it’s an ICANN-accredited registrar, I believe this is Cloudflare’s first foray into registry services. Might we see the company as an emergent threat to the established players in the next new gTLD round? It’s certainly looking that way.

Identity Digital sees abuse up a bit in Q3

Identity Digital has published its second quarterly abuse review, showing abuse reports up slightly overall.

The report, which covers the third quarter 2022, also shows that the registry only released the private Whois information for a single domain during the period.

ID said it closed 3,225 abuse cases in Q3, up from 3,007 in Q2, covering 4,615 domains, up from 3,816. The vast majority — almost 93% — related to phishing. That’s in line with the previous quarter.

In about 1,500 cases, the domains in question where suspended by the registry or registrar in the first 24 hours, the report says. In 630 cases, the registry took action after the registrar failed to act within 72 hours.

The company received five complaints about child sexual abuse material from the Internet Watch Foundation during the period, up a couple on Q2, but all were remediated by the registrars in question.

It received four takedown notices from the Motion Picture Association under the registry’s Trusted Notifier Program, all of which resulted in suspended domains.

There were requests for private Whois information for 20 domains, three of which were intellectual property related, but only one resulted in disclosure. In 12 cases ID took the decision not to disclose.

The company has over 260 gTLDs in its stable and over 5.5 million registered domains.

The full slide deck can be viewed here (pdf).

Abuse crackdown likely in next gTLD registrar contract

ICANN and its accredited registries and registrars have formally kicked off contract renegotiations designed to better tackle DNS abuse.

The aim is to create a “baseline obligation” for contracted parties to “take reasonable and appropriate action to mitigate or disrupt malicious registrations engaged in DNS Abuse”, according to recent correspondence.

This may close the loophole in the contracts identified this year that hinder ICANN Compliance’s ability to take action against registrars that turn a blind eye to abuse.

The current contracts require registrars to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse”, which lacks clarity because there’s no agreement on what an appropriate response is.

The registries and registrars stakeholder groups (RySG and RrSG) note that there won’t be an expansion of the term “DNS abuse” to expand into web site content, nor will the talks cover Whois policy.

As is the norm for contract negotiations, they’ll be bilateral between ICANN and a select group of representative contracted parties, and conducted in private.

Talks are expected to take three to six months and the resulting amendments to the Registrar Accreditation Agreement and base Registry Agreement will be published for 30 days of public comment.

It’s been almost 10 years since the RAA was last updated.

ICANN expects to approve Whois Disclosure System next month

ICANN could be offering a centralized system for requesting private domain registration data as early as a year from now, a mere five and a half years after GDPR ruined the global Whois system for many.

The Org recently alluded to its “board’s anticipated January 2023 vote to move forward in implementing the new system to streamline the intake and routing of requests for access to nonpublic gTLD registration data” in a blog post.

It has previously stated that it will take nine months to develop and roll out the system, along with a three-month “ramp-up period”, but that preparatory work may have already started.

The system will be based on CZDS, the service that currently allows people to request zone file data from registries, and cost $3.3 million to develop and run for its anticipated two-year trial period.

Don’t expect it to be called the Whois Disclosure System though. Community feedback has been pretty clear that “disclosure” is an inappropriate word because the system merely manages requests and does not actually disclose anything.

It’s also going to be voluntary for both requesters and registrars/registries for now.

The system was previously known as SSAD Lite, a cut-down version of the community-recommended System for Standardized Access and Disclosure, which ICANN estimated would have cost infinity dollars and take a century to implement.

New gTLD applications to cost about $250,000

Getting hold of a new gTLD could cost applicants well north of a quarter million dollars in base application fees alone in the next round, according to ICANN.

Presenting the results of its year-long Operational Design Phase to the GNSO Council via Zoom last night, staffers said application fees are likely to be either around $240,600 or $270,000 next time, higher than the $185,000 it charged in 2012.

Those would be the base fees, not including any additional evaluations or contention-related fees.

The Org next week is set to present its board and the community with a stark choice — one big expensive round along the lines of 2012, with a potential five-year wait for the next application window to open, or a cheaper, staggered four-stage round with maybe only 18 months of development time.

The Operational Design Assessment — a 400-page tome the Org has spent the last 14 months developing — is set to be published early next week, outlining two options for how ICANN should proceed on the next round.

One option is to build a highly automated system that fully implements all of the GNSO’s policy recommendations but costs up to $125 million up-front to build and roll out over five years. Application fees would be about $270,000.

The other would cut some bells and whistles and require more human intervention, but would be cheaper at up to $67 million up-front and could be rolled out within 18 months. Application fees would be about $240,600.

ICANN CFO Xavier Calvez, responding to exclamations of surprise via Zoom chat, said that a decade of inflation alone would lead to a 28% price increase to $237,000 if the next round were opened today, but in two or three years the price could be even higher if current economic trends continue.

While many expected the fact that technical evaluations will be conducted on a registry service provider basis rather than a per-application basis would wipe tens of thousands from the application fee, ICANN pointed out that building and executing this RSP pre-evaluation process will also cost it money.

ICANN wants to operate the program on a “cost-recovery basis”, so it neither makes a profit nor has to dig into its operational budget. It expects “more than three dozen vendors will be required” to help run the round.

It seems that the portion of the fee set aside to deal with “risks” — basically, anticipated litigation — is expected to be around a fifth of the total, compared to about a third in the 2012 round.

ICANN is asking its board and the community to decide between what it calls “Option 1 — One Big Round” and “Option 2 — Four Annual Cycles”.

Option 1 would essentially be a replay of 2012, where there’s a single unlimited application window, maybe a couple thousand applications, and then ICANN processes them all in a highly automated fashion using custom-built software.

Option 2 would allow unlimited applications once a year for four years, but it would cap the number processed per year at 450 and there’d be a greater degree of manual processing, which ICANN, apparently unfamiliar with its own history of software development, thinks poses additional risk.

My hot take is that the Org is presenting a false choice here, much like it did in January with its ODA on Whois reform, where one option was so unpalatably time-consuming and expensive that it had most of the community retching into their soy-based lattes.

There’s also an implicit criticism in both ODAs that the community-driven policy-making process has a tendency to make big asks without adequately considering the resources required to actually get them done.

I might be wrong, but I can’t at this early stage see much support emerging for the “One Big Round” option, except perhaps from the most ardent opponents of the new gTLD program.

ICANN expects to deliver the ODA — 100 pages with 300 pages of appendices — to its board on Monday, with wider publication not long after that. It will hold two webinars for the community to discuss the document on Wednesday.

Registrars CAN charge for Whois, ICANN grudgingly admits

ICANN is powerless to prevent registrars from charging for access to non-public Whois data, the Org has reluctantly admitted.

In a recent advisory, ICANN said it is “concerned” that registrars including Tucows have been charging fees to process requests for data that would otherwise be redacted in the free public Whois.

But it said there’s nothing in the Registrar Accreditation Agreement, specifically the Temporary Specification governing Whois in the post-GDPR world, that bans such services:

While the RAA explicitly requires access to public registration data directory services to be provided free of charge, the Temporary Specification does not specifically address the issue of whether or not a registrar may charge a fee for considering requests for access to redacted registration data.

So basic Whois results, with all the juicy info redacted, has to be free, but registrars can bill organizations who ask for the veil to be lifted. ICANN wrote:

ICANN org is concerned that registrars’ imposition of fees for consideration of requests for access to nonpublic gTLD registration data may pose an access barrier. Access to registration data serves the public interest and contributes to the security and stability of the Internet

The advisory calls out Tucows’ Tiered Access Compliance and Operations system, TACO, as the primary example of a registrar charging for data, but notes that others are too.

Not long after the advisory was published, Tucows posted an article in which it explained that the fees are necessary to cover the cost of the “thousands” of automated requests it has received in the last four years.

Charging fees for compliance with other forms of legal process is not uncommon in the industry, and the vast majority of requests for registration data (approximately 90%) continue to come from commercial litigation interests and relate to suspected intellectual property infringement.

Facebook, now Meta, was at first, and may still well be, a frequent bulk filer.

Tucows said that it “frequently” waives its fees upon request for “single-use requestors and private parties”.

Identity Digital publishes treasure trove of abuse data

Identity Digital, the old Donuts, has started publishing quarterly reports containing a wealth of data on reported abuse and the actions it takes in response.

The data for the second quarter, released (pdf) at the weekend, shows that the registry receives thousands of reports and suspends hundreds of domains for DNS abuse, but the number of domains it takes down for copyright infringement is quite small.

ID said that it received 3,007 reports covering 3,816 unique domains in the quarter, almost 93% of which related to phishing. The company said the complaints amounted to 0.024% of its total registered domains.

Most cases were resolved by third parties such as the registrar, hosting provider, or registrant, but ID said it suspended (put on “protective hold”) 746 domains during the period. In only 11% of cases was no action taken.

The company’s hitherto opaque “Trusted Notifier” program, which allows the Motion Picture Association and Recording Industry Association of America to request takedowns of prolific piracy sites resulted in six domain suspensions, all as a result of MPA requests.

The Internet Watch Foundation, which has similar privileges, resulted in 26 domains being reported for child sexual abuse material. Three of these were suspended, and the remainder were “remediated” by the associated registrar, according to ID.

The report also breaks down how many requests for private Whois data the company received, and how it processed them. Again, the numbers are quite low. Of requests for data on 44 domains, 18 were tossed for incompleteness, 23 were refused, and only three resulted in data being handed over.

Perhaps surprisingly, only two of the requests related to intellectual property. The biggest category was people trying to buy the domain in question.

This is a pretty cool level of transparency from ID and it’ll be interesting to see if its rivals follow suit.

Whois Disclosure System to cost up to $3.3 million, run for one year

ICANN has published its game plan for rolling out a Whois Disclosure System ahead of next week’s ICANN 75 public meeting in Kuala Lumpur.

The Org reckons the system will take nine months to build and will cost up to $3.3 million to develop and run for two years, although it might wind up getting shut down after just one year.

The Whois Disclosure System, previously known as SSAD Light, is a mechanism whereby anyone with an ICANN account — probably mainly IP lawyers in practice — can request unredacted private Whois data from registrars.

The system is to be built using retooled software from the current Centralized Zone Data Service, which acts as a hub for researchers who want to request zone files from gTLD registry operators.

ICANN’s design paper (pdf), which contains many mock-ups of the likely user interface, describes the new system like this:

Just as in CZDS, a requestor navigates to the WHOIS Disclosure System web page, logs into their ICANN Account, and is presented with a user experience much like the current CZDS. In this experience, requestors can see pending and past requests as well as metadata (timestamps, status, etc.) associated with those requests. For a requestor’s pending requests, they can see all the information related to that request.

Requests filed with the system will be routed to the relevant registrar via the Naming Services Portal, whereupon the registrar can choose how to deal with it. The system doesn’t change the fact that registrars have this discretion.

But the system will be voluntary for not only the requesters — who can still contact the registrar directly if they wish — but also the registrars. One can imagine smaller and frequently abused registrars won’t want the hassle.

The cost of this system will be $2.7 million in staffing costs, with $90,000 in external licensing costs and another $500,000 in contingency costs. Because ICANN has not budgeted for this, it will come from the Supplemental Fund for Implementation of Community Recommendations, which I believe currently has about $20 million in it.

This is far and away cheaper than the full-fat SSAD originally proposed by the GNSO, which ICANN in January estimated could cost up to $27 million to build over five years.

While cheaper, there are still substantial questions remaining about whether it will be popularly used, and whether it will be useful in getting private Whois data into the hands of the people who say they need it.

ICANN is saying that the Whois Disclosure System will run for one year “at which point the data sets collected will be analyzed and presented for further discussion between the GNSO Council and Board”.

The design paper will be discussed at multiple ICANN 75 sessions, starting this weekend.