Latest news of the domain name industry

Recent Posts

UK gov takes its lead from ICANN on DNS abuse

Kevin Murphy, February 23, 2024, Domain Registries

The UK government has set out how it intends to regulate UK-related top-level domain registries, and it’s taken its lead mostly from existing ICANN policies.

The Department for Science, Innovation and Technology said last year that it was to activate the parts of the Digital Economy Act of 2010 that allow it to seize control of TLDs such as .uk, .london, .scot, .wales and .cymru, should those registries fail to tackle abuse in future.

It ran a public consultation that attracted a few dozen responses, but has seemingly decided to stick to its original definitions of abuse and cybersquatting, which were cooked up with .uk registry Nominet and others and closely align to industry norms.

DSIT plans to define abuse in the same five categories as ICANN does — phishing, pharming, botnets, malware and vector spam (spam that is used to serve up the first four types of attack) — in its response to the consultation, published yesterday (pdf).

But it’s stronger on child sexual abuse material than ICANN. While registries and registrars have developed a “Framework to Address Abuse” that says they “should” take down domains publishing CSAM, ICANN itself has no contractual prohibitions on such content.

DSIT said it will require UK-related registries to have “adequate policies and procedures” to combat CSAM in their zones. The definition of CSAM follows existing UK law in being broader than elsewhere in the world, including artworks such as cartoons and manga where no real children are harmed.

DSIT said it will define cybersquatting as “the pre-emptive, bad faith registration of trade marks as domain names by third parties who do not possess rights in such names”. The definition omits the “and is being used in bad faith” terminology used in ICANN’s UDRP. DSIT’s definition includes typosquatting.

In response to the new document, Nominet tweeted:

DSIT said it will draft its regulations “over the coming months”.

Registries and registrars vote ‘Yes’ to new DNS abuse rules

Kevin Murphy, December 14, 2023, Domain Registrars

ICANN’s contracted registries and registrars have voted to accept new rules requiring them to take action on DNS abuse.

The new rules come after a vote lasting a few months with some quite high thresholds for success.

The current Registrar Accreditation Agreement merely requires registrars to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse”, which is pretty vague and barely enforceable.

The amendments, which still need to be rubber-stamped by the ICANN board, make it much clearer what registrars are expected to do in which circumstances. A new paragraph is added that reads:

3.18.2 When Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, Registrar must promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse. Action(s) may vary depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage.

For registries, the new text for the base gTLD Registry Agreement is similar, but with a little more wiggle-room:

Where a Registry Operator reasonably determines, based on actionable evidence, that a registered domain name in the TLD is being used for DNS Abuse, Registry Operator must promptly take the appropriate mitigation action(s) that are reasonably necessary to contribute to stopping, or otherwise disrupting, the domain name from being used for DNS Abuse. Such action(s) shall, at a minimum, include: (i)the referral of the domains being used for the DNS Abuse, along with relevant evidence, to the sponsoring registrar; or (ii) the taking of direct action, by the Registry Operator, where the Registry Operator deems appropriate. Action(s) may vary depending on the circumstances of each case, taking into account the severity of the harm from the DNS Abuse and the possibility of associated collateral damage.

In both cases, DNS abuse is defined by the now industry standard line: “malware, botnets, phishing, pharming, and spam (when spam serves as a delivery mechanism for the other forms of DNS Abuse listed in this Section)”.

There are a few other quality of life updates, such as the requirement for registrars to acknowledge receipt of abuse reports and to have their abuse reporting mechanism “conspicuously and readily accessible from” their home pages.

ICANN needed registrars representing over 90% of registered gTLD domains (adjusted slightly to make GoDaddy’s voice less powerful). That threshold was passed last week, with 94% of domains voting in favor of the amendments.

For registries, ICANN required a simple majority of registries (counted by contract rather than company) and for all registries voting in favor to have been responsible for two thirds of all registry fees paid last year.

Judging by the financial thresholds, .com and .net, which are not on the base RA, were not involved.

ICANN rejects a whole bunch of new gTLD policy stuff

Kevin Murphy, September 14, 2023, Domain Policy

ICANN has delivered some bad news for dot-brands, applicants from poorer countries, and others, at the weekend rejecting several items of new gTLD policy advice that the community spent years cooking up.

The board of directors on Sunday approved a scorecard of determinations, including the rejection (or non-adoption) of seven GNSO recommendations that it deems “would not be in the best interests of the ICANN community or ICANN”.

In reality, it’s the latter that seems to have been foremost in the board’s mind; most of the rejections appear to be geared toward reducing ICANN Org’s legal or financial exposure.

Notably, dot-brands are denied some of the relief from cumbersome or expensive requirements that the GNSO had wanted rid of.

The board rejected a recommendation that would exempt them from the Continued Operations Instrument — a financial bond used to pay an Emergency Back-End Registry Operator should the applicant go out of business.

“[T]he Board is concerned that an exemption from an COI for Spec 9 applications would have financial impact on ICANN since there would be no fund to draw from if such a registry went into EBERO,” the board wrote.

It also rejected a request to exempt dot-brands from rules requiring them to contractually ban and monitor abuse in their TLDs. The GNSO had argued that single-registrant TLDs do not suffer abuse, but the board said this could lead to abuse from compromised domains going unaddressed.

“The Board concludes that Recommendation 9.2, if implemented, could lead to DNS abuse for second-level registrations in a single-registrant TLD going unaddressed, unobserved, and unmitigated,” it said.

Applicants hoping to benefit from the Applicant Support Program — which in 2012 offered heavily discounted application fees to poorer applicants — also got some bad news.

The GNSO wants the support to extend to other costs such as application-writing services and lawyers, which naturally enough put the frighteners on the board, which noted “such expansion of support could raise the possibility of inappropriate use of resources (e.g. inflated expenses, private benefit concerns, and other legal or regulatory concerns)”.

The board also rejected a couple of recommendations that could be seen as weakening its role as ultimate authority over all things gTLD.

It rejected a proposal to remove the controversial covenant not to sue (CNTS) from the application process unless other recommendations related to appeals processes are implemented.

ICANN said that because it has not yet approved these other recommendations, it has rejected this recommendation.

The board also rejected a recommendation that would have limited its ability to reject a gTLD application to only when permitted to do so by the rules set out in the Applicant Guidebook.

The idea was to prevent applications being arbitrarily rejected, but the board said this “may unduly limit ICANN’s discretion to reject an application in yet-to-be-identified future circumstance(s)”.

The rejections invoke part of the ICANN bylaws that now requires the GNSO Council to convene and either affirm or amend its recommendations before discussing them with the board. Presumably this could happen at ICANN 78 next month.

The bylaws process essentially gives the board the ultimately authority to throw out the GNSO recommendations if it can muster up a two-thirds supermajority vote, something it rarely has a problem achieving.

Government to regulate UK-related domain names

Kevin Murphy, July 20, 2023, Domain Policy

The UK government is to trigger a law that would allow it to take control of .uk, .wales, .cymru, .scot and .london if their registries get thoroughly abused and they fail to do anything about it.

The Department for Science, Innovation and Technology said today it is to activate (or “commence”) the parts of the Digital Economy Act of 2010 that give it the power to appoint a new manager for any “UK-related” TLDs.

DSIT would only be able to exercise these powers if the registry in question had let DNS abuse or cybersquatting run amok and failed to follow government orders to fix it. I don’t believe any of the affected registries are currently in such a state.

The government has now launched a consultation, running until the end of August, to get industry and public feedback on its definitions of abuse and what it called “unfair domain use”, meaning cybersquatting.

Nominet, which runs .uk, .wales and .cymru, said in a statement:

The proposed prescribed requirements are consistent with Nominet’s current voluntary procedures, which Government has made clear it believes Nominet operates in a perfectly satisfactory manner. As the Government has had a reserve power to “step in” ever since the DEA was introduced, the purpose of the new provisions is to give Government a formal mechanism to do so, should it ever be required. Our understanding is that Government is enacting these provisions now to ensure the UK meets international best practice on governance of country code top-level domains in line with key global trading partners and future global trading commitments.

Based on my first read, I expect registries and registrars will think it looks generally pretty palatable. It seems DSIT has followed ICANN and the industry’s lead in terms of what qualifies as abuse, and Nominet said in a statement tonight that all three affected registries have been meeting with DSIT to craft the consultation.

Domain investors may take issue with the precise wording of the cybersquatting definition, however.

The definitions of abuse cover the industry standard five bases: malware, phishing, botnets, pharming and spam (insofar as it facilitates any of the other four) and cybersquatting is defined thus:

the pre-emptive, bad faith registration of trade marks as domain names by third parties who do not possess rights in such names. This includes ‘typosquatting’, when an end user takes advantage of common misspellings made by Internet users who are looking for a particular site or a particular provider of goods or services, in order to obtain some benefit.

Domainers will notice the document talks about “bad faith registration”, whereas UDRP talks about bad faith “registration and use”, which is sometimes an important edge-case distinction in cybersquatting disputes. Nominet’s DRS uses bad faith registration “or” use.

Where the consultation gets vague, and the potential for debate arises, is when it talks in general, high-level terms about how dispute resolution procedures should be designed.

Failure to deal with child sexual abuse material, as defined in the Convention on the Rights of the Child, in an affected TLD could also result in the government appointing a new registry.

The four gTLDs affected by the legislation all are considered geographic under ICANN rules and had to secure local government support when they applied for their strings. ICANN has a contractual right to terminate them if that government says so.

After the consultation is complete, DSIT intends to make its definitions law through secondary legislation.

This post was updated shortly after publication to add Nominet comments.

Identity Digital sees abuse up a bit in Q3

Kevin Murphy, January 3, 2023, Domain Registries

Identity Digital has published its second quarterly abuse review, showing abuse reports up slightly overall.

The report, which covers the third quarter 2022, also shows that the registry only released the private Whois information for a single domain during the period.

ID said it closed 3,225 abuse cases in Q3, up from 3,007 in Q2, covering 4,615 domains, up from 3,816. The vast majority — almost 93% — related to phishing. That’s in line with the previous quarter.

In about 1,500 cases, the domains in question where suspended by the registry or registrar in the first 24 hours, the report says. In 630 cases, the registry took action after the registrar failed to act within 72 hours.

The company received five complaints about child sexual abuse material from the Internet Watch Foundation during the period, up a couple on Q2, but all were remediated by the registrars in question.

It received four takedown notices from the Motion Picture Association under the registry’s Trusted Notifier Program, all of which resulted in suspended domains.

There were requests for private Whois information for 20 domains, three of which were intellectual property related, but only one resulted in disclosure. In 12 cases ID took the decision not to disclose.

The company has over 260 gTLDs in its stable and over 5.5 million registered domains.

The full slide deck can be viewed here (pdf).

Abuse crackdown likely in next gTLD registrar contract

Kevin Murphy, December 20, 2022, Domain Policy

ICANN and its accredited registries and registrars have formally kicked off contract renegotiations designed to better tackle DNS abuse.

The aim is to create a “baseline obligation” for contracted parties to “take reasonable and appropriate action to mitigate or disrupt malicious registrations engaged in DNS Abuse”, according to recent correspondence.

This may close the loophole in the contracts identified this year that hinder ICANN Compliance’s ability to take action against registrars that turn a blind eye to abuse.

The current contracts require registrars to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse”, which lacks clarity because there’s no agreement on what an appropriate response is.

The registries and registrars stakeholder groups (RySG and RrSG) note that there won’t be an expansion of the term “DNS abuse” to expand into web site content, nor will the talks cover Whois policy.

As is the norm for contract negotiations, they’ll be bilateral between ICANN and a select group of representative contracted parties, and conducted in private.

Talks are expected to take three to six months and the resulting amendments to the Registrar Accreditation Agreement and base Registry Agreement will be published for 30 days of public comment.

It’s been almost 10 years since the RAA was last updated.

Identity Digital publishes treasure trove of abuse data

Kevin Murphy, October 3, 2022, Domain Registries

Identity Digital, the old Donuts, has started publishing quarterly reports containing a wealth of data on reported abuse and the actions it takes in response.

The data for the second quarter, released (pdf) at the weekend, shows that the registry receives thousands of reports and suspends hundreds of domains for DNS abuse, but the number of domains it takes down for copyright infringement is quite small.

ID said that it received 3,007 reports covering 3,816 unique domains in the quarter, almost 93% of which related to phishing. The company said the complaints amounted to 0.024% of its total registered domains.

Most cases were resolved by third parties such as the registrar, hosting provider, or registrant, but ID said it suspended (put on “protective hold”) 746 domains during the period. In only 11% of cases was no action taken.

The company’s hitherto opaque “Trusted Notifier” program, which allows the Motion Picture Association and Recording Industry Association of America to request takedowns of prolific piracy sites resulted in six domain suspensions, all as a result of MPA requests.

The Internet Watch Foundation, which has similar privileges, resulted in 26 domains being reported for child sexual abuse material. Three of these were suspended, and the remainder were “remediated” by the associated registrar, according to ID.

The report also breaks down how many requests for private Whois data the company received, and how it processed them. Again, the numbers are quite low. Of requests for data on 44 domains, 18 were tossed for incompleteness, 23 were refused, and only three resulted in data being handed over.

Perhaps surprisingly, only two of the requests related to intellectual property. The biggest category was people trying to buy the domain in question.

This is a pretty cool level of transparency from ID and it’ll be interesting to see if its rivals follow suit.

DNSAI to name most-abused registries, registrars

Kevin Murphy, May 31, 2022, Domain Services

The DNS Abuse Institute is to start publishing monthly reports that name the registries and TLDs with the highest level of abuse.

The organization’s Intelligence service is expected to land in September, a little later than was previously expected, according to a blog post from director of policy and programs Rowena Schoo.

DNSAI has partnered with Kor Labs, a project out of the Grenoble Institute of Technology, to supply the data, which will cover phishing and malware domains and differentiate between malicious registrations and compromised sites.

The Institute doesn’t consider spam DNS abuse unless it is used as a delivery mechanism for other types of abuse, in line with ICANN’s definition.

The decision to actually name (and in some cases, we should assume, shame) registries and registrars is an unusual one. Other, similar efforts tend to keep the data anonymous.

“We want to understand abuse persistence and whether it has been appropriately mitigated by registrars,” Schoo wrote.

DNSAI is a project primarily backed by .org manager Public Interest Registry.

DNS Abuse Institute names free tool NetBeacon, promises launch soon

Kevin Murphy, April 5, 2022, Domain Services

NetBeacon has been picked as the name for the DNS Abuse Institute’s forthcoming free abuse-reporting tool.

The tool is expected to launch in early June, after software was donated by CleanDNS accelerated the development cycle, according to Institute director Graeme Bunton.

The system was previously using the working title CART, for Centralized Abuse Reporting Tool, as I blogged in February.

CleanDNS CEO Jeff Bedser is also on the board of Public Interest Registry, which funds DNSAI. Bunton wrote that PIR approved the use of the CleanDNS software under its conflict of interest policy, with Bedser recusing himself.

NetBeacon is expected to provide a way for authenticated abuse reporters to file complaints in a normalized fashion, potentially streamlining the workflow of registrars that subsequently have to deal with them.

Bunton has said that the service will be free at both ends, funded by non-for-profit PIR.

PIR to offer industry FREE domain abuse clearinghouse

Kevin Murphy, February 11, 2022, Domain Registries

The DNS Abuse Institute will soon launch a free service designed to make it easier to report abuse and for registries and registrars to act upon it.

The Institute, which is funded by .org manager Public Interest Registry, is working on a system provisionally called CART, for Centralized Abuse Reporting Tool, an ambitious project that would act as a clearinghouse for abuse reports across the industry.

The plan is to offer the service for free to reporters and registrars alike, with a beta being offered to registrars late next month and a public launch hopefully before ICANN 74 in June.

DNSAI director Graeme Bunton said that CART is meant to solve the “mess” of current abuse reporting systems.

For abuse reporters, the idea is to give them a one-stop shop for their reports, across all gTLDs and registrars. CART would take their complaints, normalize them, furnish them with additional information from sources such as Whois records and domain block-lists, and shunt them off to the registrar of record.

“Registrars get boatloads of abuse reports every day,” Bunton said. “Hundreds to thousands. They’re often duplicative, often unevidenced — almost always. There’s no standardization. So they’re having to spend a lot of time reading and parsing these abuse reports.”

“They’re spending a huge amount of time triaging tickets that don’t make the internet any better,” he said. “It felt like trying to solve this problem across every individual registry and registrar was not going to work, and that a centralizing function that sits in the middle and absorbs a lot of the complexity would make a real difference, and we’ve been working towards that.”

CART reporters would be authenticated, and their reports would be filed through forms that normalized the data to make them easier for registrars to understand. There will be “evidence requirements” to submit a report.

“It’s a common lament that the abuse@ email that registrars have to publish are filled with garbage,” Bunton said. “This is intended to clean that up, as well as make it easier for reporters.”

Registrars will be able to white-label these forms on their own sites, replacing or adding to existing reporting mechanisms, which will hopefully drive adoption of the tool, Bunton said.

Registrars will be able to use an API to pull the abuse feed into their existing ticketing workflows, or simply receive the reports via email.

The plan is to send these enhanced reports to registrars’ publicly listed abuse@ addresses, whether they opt into the CART system or not, Bunton said.

One feature idea — possibly in a version 2 release — is to have a reputation-scoring function in which registrars can flag reporters as reliable, facilitating on-the-fly “trusted notifier” relationships.

While the DNSAI is focusing to the industry definition of “DNS abuse” — phishing, pharming, malware, botnets and a subset of spam — the plan is to not limit reporters to just those categories.

Copyright infringement claims, for example, would be acceptable forms of abuse report, if the registrar enables that option when they embed the CART forms on their own sites.

CART will most likely be renamed to something with “better mass-market appeal” before it launches, Bunton said, but there will be no charge to reporters or registrars.

“This is all free, with no plans to do cost-recovery or anything like that,” he said.

While Bunton didn’t want to comment, I think it’s unlikely that these projects would be going ahead, at least not for free, had PIR been turned into a for-profit company under its proposed acquisition by Ethos Capital, which was blocked by ICANN a couple of years ago.

A second project DNSAI is working on is called Intelligence.

This will be somewhat similar to ICANN’s own Domain Abuse Activity Reporting (DAAR) system, but with greater granularity, such as giving the ability to see abuse trends by registry or registrar.

The current plan is to have a preview of Intelligence available in June, with a launch in July.