Hacking claims resurface as .hotel losers force ICANN to lawyer up again
The fight over .hotel has been escalated, with four unsuccessful applicants for the gTLD whacking ICANN with a second Independent Review Process appeal.
The complaint resurrects old claims that a former lead on the successful application, now belonging to Afilias, stole trade secrets from competing applicants via a glitched ICANN web site.
It also revives allegations that ICANN improperly colluded with the consultant hired to carry out reviews of “community” applications and then whitewashed an “independent” investigation into the same.
The four companies filing the complaint are new gTLD portfolio applicants MMX (Minds + Machines), Radix, Fegistry, and Domain Venture Partners (what we used to call Famous Four).
The IRP was filed November 18 and published by ICANN December 16, but I did not spot it until more recently. Sorry.
There’s a lot of back-story to the complaint, and it’s been a few years since I got into any depth on this topic, so I’m going to get into a loooong, repetitive, soporific, borderline unreadable recap here.
This post could quite easily be subtitled “How ICANN takes a decade to decide a gTLD’s fate”.
There were seven applicants for .hotel back in 2012, but only one of them purported to represent the “hotel community”. That applicant, HOTEL Top Level Domain, was mostly owned by Afilias.
HTLD had managed to get letters of support from a large number of hotel chains and trade groups, to create a semblance of a community that could help it win a Community Priority Evaluation, enabling it to skip to the finish line and avoid a potentially costly auction against its rival applicants.
CPEs were carried out by the Economist Intelligence Unit, an independent ICANN contractor.
Surprisingly to some (including yours truly), back in 2014 it actually managed to win its CPE, scoring 15 out of the 16 available points, surpassing the 14-point winning threshold and consigning its competing bidders’ applications to the scrap heap.
There would be no auction, and no redistribution of wealth between applicants that customarily follows a new gTLD auction.
Naturally, the remaining applicants were not happy about this, and started to fight back.
The first port of call was a Request for Reconsideration, which all six losers filed jointly in June 2014. It accused the EIU of failing to follow proper procedure when it evaluated the HTLD community application.
That RfR was rejected by ICANN, so a request for information under ICANN’s Documentary Information Disclosure Policy followed. The losing applicants reckoned the EIU evaluator had screwed up, perhaps due to poor training, and they wanted to see all the communications between ICANN and the EIU panel.
The DIDP was also rejected by ICANN on commercial confidentiality grounds, so the group of six filed another RfR, asking for the DIDP to be reconsidered.
Guess what? That got rejected too.
So the applicants then filed an IRP case, known as Despegar v ICANN, in March 2015. Despegar is one of the .hotel applicants, and the only one that directly plays in the hotel reservation space already.
The IRP claimed that ICANN shirked its duties by failing to properly oversee and verify the work of the EIU, failing to ensure the CPE criteria were being consistently applied between contention sets, and failing in its transparency obligations by failing to hand over information related to the CPE process.
While this IRP was in its very early stages, it emerged that one of HTLD’s principals and owners, Dirk Krischenowski, had accessed confidential information about the other applicants via an ICANN web site.
ICANN had misconfigured its applicant portal in such a way that any user could very access any attachment on any application belonging to any applicant. This meant sensitive corporate information, such as worst-case-scenario financial planning, was easily viewable via a simple search for over a year.
Krischenowski appears to have been the only person to have noticed this glitch and used it in earnest. ICANN told applicants in May 2015 that he had carried out 60 searches and accessed 200 records using the glitch.
Krischenowski has always denied any wrongdoing and told DI in 2016 that he had always “relied on the proper functioning of ICANN’s technical infrastructure while working with ICANN’s CSC portal.”
The applicants filed another DIDP, but no additional information about the data glitch was forthcoming.
When the first IRP concluded, in February 2016, ICANN prevailed, but the three-person IRP panel expressed concern that neither the EIU nor ICANN had any process in place to ensure that community evaluations carried out by different evaluators were consistently applying the CPE rules.
The IRP panel also expressed concern about the “very serious issues” raised by the ICANN portal glitch and Krischenowski’s data access.
But the loss of the IRP did not stop the six losing applicants from ploughing on. Their lawyer wrote to ICANN in March 2016 to denounce Krischenowski’s actions as “criminal acts” amounting to “HTLD stealing trade secrets of competing applicants”, and as such HTLD’s application for .hotel should be thrown out.
Again, to the best of my knowledge, Krischenowski has never been charged with, let alone convicted of, any criminal act.
Afilias wrote to ICANN not many weeks later, April 2016, to say that it had bought out Krischenowski’s 48.8% stake in HTLD and that he was no longer involved in the company or its .hotel application.
And ICANN’s board of directors decided in August 2016 that Krischenowski may well have accessed documents he was not supposed to, but that it would have happened after the .hotel CPE had been concluded, so there was no real advantage to HTLD.
A second, parallel battle against ICANN by an unrelated new gTLD applicant had been unfolding over the same period.
A company called Dot Registry had failed in its CPE efforts for the strings .llc, .llp and .inc, and in 2014 had filed its own IRP against ICANN, claiming that the EIU had “bungled” the community evaluations, applying “inconsistent” scoring criteria and “harassing” its supporters.
In July 2016, almost two years later, the IRP panel in that case ruled that Dot Registry had prevailed, and launched a withering attack on the transparency and fairness of the ICANN process.
The panel found that, far from being independent, the EIU had actually incorporated notes from ICANN staff into its CPE evaluations during drafting.
It was as a result of this IRP decision, and the ICANN board’s decision that Krischenowski’s actions could not have benefited HTLD, that the losing .hotel applicants filed yet another RfR.
This one lasted two and a half years before being resolved, because in the meantime ICANN launched a review of the CPE process.
It hired a company called FTI Consulting to dig through EIU and ICANN documentation, including thousands of emails that passed between the two, to see if there was any evidence of impropriety. It covered .hotel, .music, .gay and other gTLD contention sets, all of which were put on hold while FTI did its work.
FTI eventually concluded, at the end of 2017, that there was “no evidence that ICANN organization had any undue influence on the CPE reports or engaged in any impropriety in the CPE process”, which affected applicants promptly dismissed as a “whitewash”.
They began lobbying for more information, unsuccessfully, and hit ICANN with yet another RfR in April 2018. Guess what? That one was rejected too.
The .hotel applicants then entered into a Cooperative Engagement Process — basically pre-IRP talks — from October 2018 to November 2019, before this latest IRP was filed.
It’s tempting to characterize it as a bit of a fishing expedition, albeit not a baseless one — any allegations of ICANN’s wrongdoing pertaining the .hotel CPE are dwarfed by the applicants’ outraged claims that ICANN appears to be covering up both its interactions with the EIU and its probe of the Krischenowski incident, partly out of embarrassment.
The claimants want ICANN to be forced to hand over documentation refused them on previous occasions, relating to: “ICANN subversion of the .HOTEL CPE and first IRP (Despegar), ICANN subversion of FTI’s CPE Process Review, ICANN subversion of investigation into HTLD theft of trade secrets, and ICANN allowing a domain registry conglomerate to takeover the ‘community-based’ applicant HTLD.”
“The falsely ‘independent’ CPE processes were in fact subverted by ICANN in violation of Bylaws, HTLD stole trade secrets from at least one competing applicant, and Afilias is not a representative of the purported community,” the IRP states.
“HTLD’s application should be denied, or at least its purported Community Priority relinquished, as a consequence not only for HTLD’s spying on its competitors’ secret information, but also because HTLD is no longer the same company that applied for the .HOTEL TLD. It is now just a registry conglomerate with no ties to the purported, contrived ‘Community’ that it claims entitled to serve,” it goes on.
ICANN is yet to file its response to the complaint.
Whether the IRP will be successful is anyone’s guess, but what’s beyond doubt is that if it runs its course it’s going to add at least a year, probably closer to two, to the delay that .hotel has been languishing under since the applications were filed in 2012.
Potentially lengthening the duration of the case is the claimants’ demand that ICANN “appoint and train” a “Standing Panel” of at least seven IRP panelists from which each three-person IRP panel would be selected.
The standing panel is something that’s been talked about in ICANN’s bylaws for at least six or seven years, but ICANN has never quite got around to creating it.
ICANN pinged the community for comments on how it should go about creating this panel last year, but doesn’t seemed to have provided a progress report for the last nine months.
The .hotel applicants do not appear to be in any hurry to get this issue resolved. The goal is clearly to force the contention set to auction, which presumably could happen at Afilias’ unilateral whim. Time-to-market is only a relevant consideration for the winner.
With .hotel, and Afilias’ lawsuit attempting to block the .web sale to Verisign, the last round of new gTLD program, it seems, is going to take at least a decade from beginning to end.
Is the .co rebid biased toward Afilias? Yeah, kinda
The Colombian government has come under fire for opening up the .co registry contract for rebid in a way that seems predetermined to pick Afilias as the winner, displacing its fierce rival Neustar.
As I blogged in November, Colombia thinks it might be able to secure a better registry deal, so it plans to shortly open .co up to competitive proposals.
A company called .CO Internet, acquired by Neustar for $109 million in 2014, has been running the ccTLD for the last decade. There are currently around 2.3 million .co domains under management, according to Colombia.
With the renewal deadline looming, the government’s technology ministry, MinTIC, published an eyebrow-raising request for proposals last month.
What’s surprising about the RFP is that some of the four main technical performance criteria listed are so stringent that probably only two companies in the industry qualify — Verisign and Afilias, and so far Verisign has not been involved in the RFP process.
The companies that have been engaging with the government to date are Afilias, Neustar/.CO, Nominet, CentralNic and Donuts.
First, MinTIC wants a registry that’s had at least two million domains under management across its portfolio continuously for two years. All five registries qualify there.
Second, it wants a registry that’s been involved in the migration of a TLD of at least one million names, either as the gaining or losing back-end.
That immediately narrows the pack to just two of the five aforementioned registries — Neustar and Afilias.
Verisign would also qualify, if it’s in the bidding, but I suspect it’s not. Taking over .co would look like a “buy it to kill it” strategy, which would be horrible optics for the Colombian government.
There have only ever been three migrations over one million names, to my knowledge: the Verisign->Afilias .org transition of 2003, the Neustar->Afilias .au move of 2018, and last year’s Afilias->Neustar .in handover.
CentralNic, Nominet and Donuts have all moved numerous TLDs between back-ends, but with much smaller per-TLD domain volumes.
Third — and here’s the kicker — the successful .co bidder will have to show that it processes on average 25 million registry transactions — defined as “billable EPP (write) transactions, as well as all EPP search (read) transactions” — per day. (All of the RFP quotes in this post have been machine-translated from Spanish by Google and run by a few generous Spanish speakers for verification.)
The RFP is not entirely clear on what exact data points it’s looking at here, but my take is that qualifying transactions include, at an absolute minimum, attempts to create a domain, renew a domain, transfer a domain and check whether a domain is registered.
The vast majority of such transactions are in the check and create functions, and I believe a great deal of that activity relates to drop-catching, where registries are flooded with add requests for just-deleted domains.
Whichever way you split it, 25 million a day is a ludicrously high number. Literally only .com, which sees 2.3 billion checks and 1.5 billion adds per month, sees that kind of action.
According to Neustar, which actually runs .co, it only sees 6.4 million transactions per day on average. The requirement to handle 25 million a day is “exaggerated, unjustified and discriminatory” against Neustar, Neustar told MinTIC.
But the RFP allows for the bidding registries to spread their 25-million-a-day quota across all of the TLDs they manage, and this MAY sneak Afilias over the line.
I say MAY in big letters because I don’t believe the numbers that Afilias (and probably other registries too) reports to ICANN every month are reliable.
If you add up the reported, qualifying EPP transactions for September in Afilias’ top four legacy gTLDs — .org, .info, .mobi and .pro — you get to over 25 million per day.
But those same records show that, for example, .mobi, .pro and .info had exactly the same number of EPP availability checks that month — 215,988,497 each.
This is clearly bad data.
I reported on this issue last May, when ICANN’s Security and Stability Advisory Committee informed ICANN that major registries were providing “not reliable” or possibly “fabricated” data about port 43 Whois queries.
Afilias, which was one of the apparent offenders, told me at the time that it was addressing the issue with ICANN, but it does not yet appear to have fully fixed its reporting to enable TLD-by-TLD breakdowns of its registry activity.
It is of course quite possible, even very likely, that Afilias has on average more than 25 million qualifying EPP transactions per day, but how’s it going to prove that to the Colombian government when the numbers it reports under contract to ICANN are clearly unreliable?
It’s a little harder to determine whether Neustar would qualify under the 25-million transaction rule, because some of its largest zones are ccTLDs — .co, .in and .us — that do not publicly report this kind of data. Its comments to the RFP suggest it would not.
Numbers aside, I’ll note that there’s very probably an inherent bias towards legacy gTLD operators like Afilias and against relative newcomers such as CentralNic if you’re counting EPP transactions. As I noted above, a lot of these transactions are coming from drop-catch activity, which is more prevalent on larger, older TLDs where there are more dropping domains that are more likely to have existing backlinks and traffic.
The fourth technical requirement in the Colombian RFP that looks a bit fishy is the requirement that the new registry must have channel relationships with at least 10 of the largest 25 registrars, as listed by a web site called domainstate.com.
I can’t say I’ve looked at domainstate.com very often, if at all, but a quick look at its numbers for September strongly suggests to me that it does not count post-2012 new gTLD registrations in its registrar league table. One registrar with almost four million domains under management doesn’t even show up on the list. This arguably could give an advantage to a registry that plays strongly in legacy gTLDs.
That said, it’s probably an academic point — I don’t think any of the bidders for the .co contract would have difficulty showing that they have 10 of the top 25 registrars on board, whichever way you calculate that league table.
Cumulatively, these four technical hurdles have led some to suggest that Afilias has somehow steered MinTIC towards creating an RFP only it could win.
Apart from what I’ve discussed here, I’ve no evidence that is the case, and Afilias has not yet responded to my request for comment today.
Luckily for the bidding registries, the Columbian RFP has not yet been finalized. Comments submitted by the bidders and others are apparently going to be taken on board, so the barriers to entry for respondents could be lowered before bids are finally accepted.
MinTIC posted an update last night that extends the period that the RFP could run, and the transition period should Neustar lose the contract. A handover, should one happen at all, could now happen as late as February next year.
Now PIR rubbishes .org “downtime” claims
Two of Public Interest Registry’s top geeks have come out swinging against recent claims that .org will suffer days of downtime if PIR is acquired by Ethos Capital.
Chief technology officer Joe Abley and Susanne Woolf, senior director of technology community engagement, have penned a blog post calling the recent assertions by subcontractor Packet Clearing House “baffling” and “wrong”.
PCH claimed earlier this month that should PIR fall into for-profit hands, donations made to PCH would dry up, giving Ethos no choice but to either significantly increase .org prices or risk over three days of downtime per year.
PCH is a not-for-profit provider of DNS resolution services that contracts with Afilias to support .org and a couple hundred other Afilias-managed TLDs.
But PIR’s technologists today wrote:
PCH is a contractor to Afilias and has no business relationship with PIR; consequently PCH has no access to non-public financial information. We’re more concerned with the assertions that the current costs of maintaining DNS services are only sustainable if PIR remains a non-profit, and that a for-profit PIR will need to make deep cuts to funding for operations. These inferences are at odds with our knowledge and experience regarding the costs of providing solid DNS service. To be clear – they are wrong.
They go on to say “we find that PCH’s claims about their operational costs and funding models are baffling” and to suggest that if PCH is unhappy with .org’s forthcoming for-profit status, Afilias has plenty of competitors to choose from, writing:
If PCH is unable or unwilling to continue to provide service to Afilias at current pricing, Afilias has many options to ensure that .ORG continues to function at the high levels the technical community expects.
Afilias has already rubbished PCH’s claims in a letter to ICANN.
The $1.135 billion acquisition of PIR from the Internet Society is expected to close in the first quarter, but it’s currently undergoing some scrutiny by ICANN, which has to first approve the change of control.
Afilias denies .org will go down post-acquisition
.org domains will not suffer downtime as a result of Ethos Capital’s acquisition of Public Interest Registry, according to Afilias.
Afilias, which provides PIR’s back-end registry services, wrote to ICANN (pdf) last week to reject claims by DNS resolution subcontractor Packet Clearing House that .org could suffer more than three days a year of downtime if .org moves into commercial hands.
Chief technology officer Ram Mohan wrote:
Afilias — not PCH — is responsible for ensuring that .org names remain available 100% of the time. The Afilias global DNS network is diverse and robust; PCH is a contracted secondary DNS provider. Since Afilias began supporting .org in 2003, we have maintained an exemplary record of uptime, and will continue performing at world-standard levels.
Afilias states for the record that, for .org and PIR’s other TLDs, we will continue our exemplary performance at pricing consistent with our current contract with PIR.
Not-for-profit PCH had claimed that US tax law would see almost $30 million of annual donations dry up if .org became a for-profit enterprise again.
Ethos would be forced to increase .org prices dramatically or under-invest in DNS and see days of downtime, the organization claimed.
Mediocre .vote gTLD drops restrictions
The .vote and .voto gTLDs have had their registration restrictions removed in a bid to increase numbers.
Both domains were previously technically restricted to those who could show they had a legitimate connection to democratic proceedings, and were sometimes used by political campaigns.
But it appears those post-registration restrictions were lightly enforced, and now they’ve been dropped entirely.
Neither gTLD has been particularly successful — .vote has been wobbling around the 3,000-domain mark for a while, while .voto (the Spanish version) has about a tenth of that figure.
Both renew at retail for about $60 a year, but first-year regs can currently be obtained for about half that amount.
They’re both managed by Afilias.
The highest-profile .vote domain I’m aware of to date was used in the spectacularly successful Hollywood-backed campaign to keep Donald Trump out of the White House in 2016.
MMX switches porn TLDs from Afilias to Uniregistry
Minds + Machines is moving its four porn-themed gTLDs to a new back-end provider.
MMX CEO Toby Hall confirmed to DI today that the company is ditching Afilias, which had been providing registry services for .xxx since 2011.
“We’re in the process of switching the back-ends from Afilias to Uni for the ICM portfolio,” he said.
This portfolio, which MMX acquired last year, also includes .porn, .adult and .sex. There are roughly 170,000 domains under management in total, but about half of these are sunrise-period blocks in .xxx, which could add a wrinkle to the transition.
It appears that Afilias is still providing DNS for the TLDs, but Uniregistry has been named the official tech contact.
It’s not currently clear when the handover will be complete. Hall was not immediately available for further comment.
It’s also not currently clear why Uniregistry was selected. All of MMX’s 27 other gTLDs — the likes of .vip, .work and .law — have been running on Nominet’s platform since MMX dropped its own self-hosted infrastructure a few years back.
During the same restructuring, Uniregistry took on MMX’s registrar business.
Uniregistry has also been working closely with MMX on its recently launched AdultBlock trademark blocking services, which could wind up accounting for a big chunk of MMX’s porn-related revenue.
These latest four gTLDs to switch providers are merely the latest in a game of musical chairs that has been playing out for the last several months, five years after the first new gTLDs started going live and registries shop around for better back-end deals.
Nominet picked up most of Amazon’s portfolio, replacing Neustar, earlier this year.
But Nominet has lost high-profile .blog to CentralNic, and Afilias lost a Brazilian dot-brand to Nic.br
Cloudflare “bug” reveals hundreds of secret domain prices
The secret wholesale prices for hundreds of TLDs have been leaked, due to an alleged “bug” at a registrar.
The registry fees for some 259 TLDs, including those managed by Donuts, Verisign and Afilias, are currently publicly available online, after a programmer used what they called a “bug” in Cloudflare’s API to scrape together price lists without actually buying anything.
Cloudflare famously busted into the domain registrar market last September by announcing that it would sell domains at cost, thumbing its nose at other registrars by suggesting that all they’re doing is “pinging an API”.
But because most TLD registries have confidentiality clauses in their Registry-Registrar Agreements, accredited registrars are not actually allowed to reveal the wholesale prices.
That’s kind of a problem if you’re a registrar that has announced that you will never charge a markup, ever.
Cloudflare has tried to get around this by not listing its prices publicly.
Currently, it does not sell new registrations, instead only accepting inbound transfers from other registrars. Registry transaction reports reveal that it has had tens of thousands of names transferred in, but has not created a significant number of new domains.
(As an aside, it’s difficult to see how it could ever sell a new reg without first revealing its price and therefore breaking its NDAs.).
It appears that the only way to manually ascertain the wholesale prices of all of the TLDs it supports would be to buy one of each at a different registrar, then transfer them to Cloudflare, thereby revealing the “at cost” price.
This would cost over $9,500, at Cloudflare’s prices, and it’s difficult to see what the ROI would be.
However, one enterprising individual discovered via the Cloudflare API that the registrar was not actually checking whether they owned a domain before revealing its price.
They were therefore able to compile a list of Cloudflare’s prices and therefore the wholesale prices registries charge.
The list, and the script used to compile it, are both currently available on code repository Github.
The bulk of the list comprises Donuts’ vast portfolio, but most TLDs belonging to Afilias (including the ccTLD .io), XYZ.com and Radix are also on there.
It’s not possible for me to verify that all of the prices are correct, but the ones that are comparable to already public information (such as .com and .net) match, and the rest are all in the ballpark of what I’ve always assumed or have been privately told they were.
The data was last refreshed in April, so without updates its shelf life is likely limited. Donuts, for example, is introducing price increases across most of its portfolio this year.
Afilias buys the other half of .global
Afilias has acquired one of its new gTLD back-end customers, Dot Global Domain Registry Limited, the registry for .global.
It immediately makes .global Afilias’ best-performing 2012-round new gTLD.
The price of the deal, between two private companies, was undisclosed.
As DI reported last November, Afilias already owned 45% of the company, which had 2017 revenue of $1.9 million and a $320,000 loss.
.global is a relatively good new gTLD business, as new gTLDs go.
We’re looking at a business with probably still low-seven-digit annual revenue, with annual adds and renewals trending upwards.
It had over 48,000 domain under management at the last count, with about about 22,500 annual renews.
The names renew at $100 at GoDaddy, which with 30% of .global regs is the largest .global registrar.
NameCheap, the second-largest registrar (with 11%), renews at about $65.
Anecdotally, it’s a new gTLD that I regularly come across in the wild, which is still relatively noteworthy. It’s often used by multinational companies for global gateway sites.
Afilias said that because .global already runs on its back-end, there won’t be any burdensome migration work for registrars, just some “paperwork will need to be updated”.
In terms of domains under management, .global immediately becomes Afilias’ highest-volume new gTLD (excluding pre-2012 .info, .pro and .mobi).
Its biggest 2012-round TLD, from the about 20 it owns, was .red, with around 34,000 DUM.
Nic.br wins dot-brand from Afilias
Brazilian registry Nic.br has won its sixth gTLD client.
It’s taking on the dot-brand back-end business of Natura, a cosmetics company based in its home town of Sao Paulo.
The .natura gTLD was previously managed by Afilias.
I can’t imagine it’s a hugely valuable deal.
Natura has only a few domains in its zone. It’s using global.natura as a portal to its various national ccTLD sites and app.natura as a gateway to app stores where its mobile app can be obtained.
It’s the latest gTLD to change back-ends in the current wave of new gTLD rejiggering to come about as contracts negotiated during the 2012 application round start to expire.
Nic.br also runs the dot-brands .uol and .globo, the small city TLD .rio, the unlaunched generics .bom (means “good” in Portuguese) and .final, and of course its original ccTLD, .br.
Major registries posting “fabricated” Whois data
One or more of the major gTLD registries are publishing Whois query data that may be “fabricated”, according to some of ICANN’s top security minds.
The Security and Stability Advisory Committee recently wrote to ICANN’s top brass to complain about inconsistent and possibly outright bogus reporting of Whois port 43 query volumes.
SSAC said (pdf):
it appears that the WHOIS query statistics provided to ICANN by registry operators as part of their monthly reporting obligations are generally not reliable. Some operators are using different methods to count queries, some are interpreting the registry contract differently, and some may be reporting numbers that are fabricated or otherwise not reflective of reality. Reliable reporting is essential to the ICANN community, especially to inform policy-making.
SSAC says that the inconsistency of the data makes it very difficult to make informed decisions about the future of Whois access and to determine the impact of GPDR.
While the letter does not name names, I’ve replicated some of SSAC’s research and I think I’m in a position to point fingers.
In my opinion, Google, Verisign, Afilias and Donuts appear to be the causes of the greatest concern for SSAC, but several others exhibit behavior SSAC is not happy about.
I reached out to these four registries on Wednesday and have published their responses, if I received any, below.
SSAC’s concerns relate to the monthly data dumps that gTLD registries new and old are contractually obliged to provide ICANN, which publishes the data three months later.
Some of these stats concern billable transactions such as registrations and renewals. Others are used to measure uptime obligations. Others are largely of academic interest.
One such stat is “Whois port 43 queries”, defined in gTLD contracts as “number of WHOIS (port-43) queries responded during the reporting period”.
According to SSAC, and confirmed by my look at the data, there appears to be a wide divergence in how registries and back-end registry services providers calculate this number.
The most obvious example of bogosity is that some registries are reporting identical numbers for each of their TLDs. SSAC chair Rod Rasmussen told DI:
The largest issue we saw at various registries was the reporting of the exact or near exact same number of queries for many or all of their supported TLDs, regardless of how many registered domain names are in those zones. That result is a statistical improbability so vanishingly small that it seems clear that they were reporting some sort of aggregate number for all their TLDs, either as a whole or divided amongst them.
While Rasmussen would not name the registries concerned, my research shows that the main culprit here appears to be Google.
In its December data dumps, it reported exactly 68,031,882 port 43 queries for each of its 45 gTLDs.
If these numbers are to be believed, .app with its 385,000 domains received precisely the same amount of port 43 interest as .gbiz, which has no registrations.
As SSAC points out, this is simply not plausible.
A Google spokesperson has not yet responded to DI’s request for comment.
Similarly, Afilias appears to have reported identical data for a subset of its dot-brand clients’ gTLDs, 16 of which purportedly had exactly 1,071,939 port 43 lookups in December.
Afilias has many more TLDs that did not report identical data.
An Afilias spokesperson told DI: “Afilias has submitted data to ICANN that addresses the anomaly and the update should be posted shortly.”
SSAC’s second beef is that one particular operator may have reported numbers that “were altered or synthesized”. SSAC said in its letter:
In a given month, the number of reported WHOIS queries for each of the operator’s TLDs is different. While some of the TLDs are much larger than others, the WHOIS query totals for them are close to each other. Further statistical analysis on the number of WHOIS queries per TLD revealed that an abnormal distribution. For one month of data for one of the registries, the WHOIS query counts per TLD differed from the mean by about +/- 1%, nearly linearly. This appeared to be highly unusual, especially with TLDs that have different usage patterns and domain counts. There is a chance that the numbers were altered or synthesized.
I think SSAC could be either referring here to Donuts or Verisign
Looking again at December’s data, all but one of Donuts’ gTLDs reported port 43 queries between 99.3% and 100.7% of the mean average of 458,658,327 queries.
Is it plausible that .gripe, with 1,200 registrations, is getting almost as much Whois traffic as .live, with 343,000? Seems unlikely.
Donuts has yet to provide DI with its comments on the SSAC letter. I’ll update this post and tweet the link if I receive any new information.
All of the gTLDs Verisign manages on behalf of dot-brand clients, and some of its own non-.com gTLDs, exhibit the same pattern as Donuts in terms of all queries falling within +/- 1% of the mean, which is around 431 million per month.
So, as I put to Verisign, .realtor (~40k regs) purportedly has roughly the same number of port 43 queries as .comsec (which hasn’t launched).
Verisign explained this by saying that almost all of the port 43 queries it reports come from its own systems. A spokesperson told DI:
The .realtor and .comsec query responses are almost all responses to our own monitoring tools. After explaining to SSAC how Verisign continuously monitors its systems and services (which may be active in tens or even hundreds of locations at any given time) we are confident that the accuracy of the data Verisign reports is not in question. The reporting requirement calls for all query responses to be counted and does not draw a distinction between responses to monitoring and non-monitoring queries. If ICANN would prefer that all registries distinguish between the two, then it is up to ICANN to discuss that with registry operators.
It appears from the reported numbers that Verisign polls its own Whois servers more than 160 times per second. Donuts’ numbers are even larger.
I would guess, based on the huge volumes of queries being reported by other registries, that this is common (but not universal) practice.
SSAC said that it approves of the practice of monitoring port 43 responses, but it does not think that registries should aggregate their own internal queries with those that come from real Whois consumers when reporting traffic to ICANN.
Either way, it thinks that all registries should calculate their totals in the same way, to make apples-to-apples comparisons possible.
Afilias’ spokesperson said: “Afilias agrees that everyone should report the data the same way.”
As far as ICANN goes, its standard registry contract is open to interpretation. It doesn’t really say why registries are expected to collect and supply this data, merely that they are obliged to do so.
The contracts do not specify whether registries are supposed to report these numbers to show off the load their servers are bearing, or to quantify demand for Whois services.
SSAC thinks it should be the latter.
You may be thinking that the fact that it’s taken a decade or more for anyone to notice that the data is basically useless means that it’s probably not all that important.
But SSAC thinks the poor data quality interferes with research on important policy and practical issues.
It’s rendered SSAC’s attempt to figure out whether GDPR and ICANN’s Temp Spec have had an effect on Whois queries pretty much futile, for example.
The meaningful research in question also includes work leading to the replacement of Whois with RDAP, the Registration Data Access Protocol.
Finally, there’s the looming possibility that ICANN may before long start acting as a clearinghouse for access to unredacted Whois records. If it has no idea how often Whois is actually used, that’s going to make planning its infrastructure very difficult, which in turn could lead to downtime.
Rasmussen told DI: “Our impression is that all involved want to get the numbers right, but there are inconsistent approaches to reporting between registry operators that lead to data that cannot be utilized for meaningful research.”
Recent Comments