Recent Posts
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
- UK cybersquatting complaints hit record low
- No excuses! PIR to pay for ALL registries to tackle child abuse
- ICANN insists it is working on linkification
- Namecheap sues ICANN over .org price caps
- GoDaddy offers free Ethereum blockchain integration
- Epik reveals who is running the company
- Epik gets acquired again! The plot thickens…
- Airline gTLD crashes and burns
- First chunks of new gTLD Applicant Guidebook drop
- Epik to reveal its owners soon
- Another crypto firm to apply for a new gTLD
- Monster and Royce are NOT involved in Epik?!
- Nominet to overhaul .uk registry, turn off some services
- Russia blames DNSSEC, not Ukraine, for internet downtime
- Team Internet says revenue beat estimates
- Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction
- .ai helps UDRP cases rise in 2023, WIPO says
- Freenom’s domains land at Gandi after termination
- .ru domains fly off the shelf as Western sanctions bite
- ICANN picks its first ever Supreme Court
- Lebanon’s ccTLD going back to Lebanon after ICANN takeover
- ICANN picks the domain it will never, ever release
- ICANN approves domain takedown rules
- Has Epik gone “woke”?
- First bits of new gTLD Applicant Guidebook expected next week
- ICANN bans closed generics for the foreseeable
- You can’t use money to buy .box domains
- After 14 years, ICANN practices what it preaches on IDNs
- Weak demand for private Whois data, ICANN data shows
- .ing doing way better than .meme
- DNS Women barred from ICANN funding?
- Dev releases free open-source TLD registry platform
- INCO flips a gTLD to Identity Digital
- Anguilla fears the .ai junk drop
- Five more gTLDs get launch dates
- $10 million of ICANN cash up for grabs
- Almost 50,000 .ai domains sold in a quarter
- ICANN threatens to regulate your speech [RANT]
- Life insurance company kills dot-brand
- ICANN finds new home for Lebanon’s TLD after founder’s death
- ICANN begs people to use its new Whois service
- Shiba Inu outs itself as crypto new gTLD applicant
- Over 50,000 .ai domains sold in three months
- Amazon planning new push into registrar market?
- Registries and registrars vote ‘Yes’ to new DNS abuse rules
- ICANN predicts flattish 2025 for domain industry
- Fast-growing Gname buys another 150 registrars
- GoDaddy service to let you block domains in over 650 TLDs
- Did I find a murder weapon in a zone file?
- ICANN drops the “man” from Ombudsman
- Have your say on police domain takedown powers
- Most registrars are shunning ICANN’s new Whois system
- Nominet to take over .gov.uk
- ICANN picks Istanbul for 2024 meeting
- ICANN’s private Whois data request service goes live
- .au regs slide on 2LD anniversary
- ICANN accused of power grab over $271 million auction fund
- A registrar is getting blamed for an Israeli war propaganda site
- Two more dot-brands bite the dust
- Google sells five-figure AI domain and six-figure .ing hack
- .blackfriday is still a bit rubbish
- Internet Naming Co acquires five more gTLDs
Dotless domains are dead
ICANN has banned dotless gTLDs, putting a halt to Google’s plans to run .search as a dotless search service and confounding the hopes of some portfolio applicants.
ICANN’s New gTLD Program Committee, acting with the powers of its board of directors passed the resolution on Tuesday. It was published this morning. Here’s the important bit (links added):
Resolved (2013.08.13.NG02), in light of the current security and stability risks identified in SAC053, the IAB statement and the Carve Report, and the impracticality of mitigating these risks, the NGPC affirms that the use of dotless domains is prohibited.
The current version of the Applicant Guidebook bans dotless domains (technically, it bans apex A, AAAA and MX records) but leaves the door open for registries to request an exception via Extended Evaluation.
This new decision closes that door.
The decision comes a week after the publication of Carve Systems’ study of the dotless domain issue, which concluded that the idea was potentially “dangerous” and that if ICANN intended to allow them it should do substantial outreach to hardware and software makers, essentially asking them to change their products.
The Internet Architecture Board said earlier that “dotless domains are inherently harmful to Internet security.”
Microsoft, no doubt motivated in part at least by competitive concerns in the search market, had repeatedly implored ICANN to implement a ban on security grounds.
Google had planned to run .search as a browser service that would allow users to specify preferred search engines. I doubt the dotless ban will impact its application’s chances of approval.
Donuts and Uniregistry, which together have applied for almost 400 gTLDs, had also pushed for ICANN to allow dotless domains, although I do not believe their applications explicitly mentioned such services.
Dotless domains “dangerous”, security study says
An independent security study has given ICANN a couple dozen very good reasons to continue outlaw “dotless” domain names, but stopped short of recommending an outright ban.
The study, conducted by boutique security outfit Carve Systems and published by ICANN this morning, confirms that dotless domains — as it sounds, a single TLD label with no second-level domain and no dot — are potentially “dangerous”.
If dotless domains were to be allowed by ICANN, internet users may unwittingly send their private data across the internet instead of a local network, Carve found.
That’s basically the same “internal name collision” problem outlined in a separate paper, also published today, by Interisle Consulting (more on that later).
But dotless domains would also open up networks to serious vulnerabilities such as cookie leakage and cross-site scripting attacks, according to the report.
“A bug in a dotless website could be used to target any website a user frequents,” it says.
Internet Explorer, one of the many applications tested by Carve, automatically assumes dotless domains are local network resources and gives them a higher degree of trust, it says.
Such domains also pose risks to users of standard local networking software and residential internet routers, the study found. It’s not just Windows boxes either — MacOS and Unix could also be affected.
These are just a few of the 25 distinct security risks Carve identified, 10 of which are considered serious.
ICANN has a default prohibition on dotless gTLDs in the new gTLD Applicant Guidebook, but it’s allowed would-be registries to specially request the ability to go dotless via Extended Evaluation and the Registry Services Evaluation Process (with no guarantee of success, of course).
So far, Google is the only high-profile new gTLD applicant to say it wants a dotless domain. It wants to turn .search into such a service and expects to make a request for it via RSEP.
Other portfolio applicants, such as Donuts and Uniregistry, have also said they’re in favor of dotless gTLDs.
Given the breadth of the potential problems identified by Carve, you might expect a recommendation that dotless domains should be banned outright. But that didn’t happen.
Instead, the company has recommended that only certain strings likely to have a huge impact on many internet users — such as “mail” and “local” — be permanently prohibited as dotless TLDs.
It also recommends lots of ways ICANN could allow dotless domains and mitigate the risk. For example, it suggests massive educational outreach to hardware and software vendors and to end users.
Establish guidelines for software and hardware manufacturers to follow when selecting default dotless names for use on private networks. These organizations should use names from a restricted set of dotless domain names that will never be allowed on the public Internet.
Given that most people have never heard of ICANN, that internet standards generally take a long time to adopt, and allowing for regular hardware upgrade cycles, I couldn’t see ICANN pulling off such a feat for at least five to 10 years.
I can’t see ICANN approving any dotless domains any time soon, but it does appear to have wiggle-room in future. ICANN said:
The ICANN Board New gTLD Program Committee (NGPC) will consider dotless domain names and an appropriate risk mitigation approach at its upcoming meeting in August.
IAB gives dotless domains the thumbs down
The Internet Architecture Board believes dotless domain names would be “inherently harmful to Internet security.”
The IAB, the oversight committee which is to internet technical standards what ICANN is to domain names, weighed into the debate with an article apparently published yesterday.
In it, the committee states that over time dotless domains have evolved to be used only on local networks, rather than the internet, and that to start delegating them at the top level of the DNS would be dangerous:
most users entering single-label names want them to be resolved in a local context, and they do not expect a single name to refer to a TLD. The behavior is specified within a succession of standards track documents developed over several decades, and is now implemented by hundreds of millions of Internet hosts.
…
By attempting to change expected behavior, dotless domains introduce potential security vulnerabilities. These include causing traffic intended for local services to be directed onto the global Internet (and vice-versa), which can enable a number of attacks, including theft of credentials and cookies, cross-site scripting attacks, etc. As a result, the deployment of dotless domains has the potential to cause significant harm to the security of the Internet
The article also says (if I understand correctly) that it’s okay for browsers to interpret words entered into address bars without dots as local resources and/or search terms rather than domain names.
It’s pretty unequivocal that dotless domains would be Bad.
The article was written because there’s currently a lot of talk about new gTLD applicants — such as Google, Donuts and Uniregistry — asking ICANN to allow them to run their TLDs without dots.
There’s a ban in the Applicant Guidebook on the “apex A records” that would be required to make dotless TLDs work, but it’s been suggested that applicants could apply to have the ban lifted on a case by case basis.
More recently, ICANN’s Security and Stability Advisory Committee has stated almost as unequivocally as the IAB that dotless domains should not be allowed.
But for some reason ICANN recently commissioned a security company to look into the issue.
This seems to have made some people, such as the At Large Advisory Committee, worried that ICANN is looking for some wiggle room to give its new gTLD paymasters what they want.
Alternatively, ICANN may just be looking for a second opinion to wave in the faces of new gTLD registries when it tells them to take a hike. It was quite vague about its motives.
It’s not just a technical issue, of course. Dotless TLDs would shake up the web search market in a big way, and not necessarily for the better.
Donuts CEO Paul Stahura today published an article on CircleID that makes the case that it is the browser makers, specifically Microsoft, that are implementing DNS all wrong, and that they’re objecting to dotless domains for competitive reasons. The IAB apparently disagrees, but it’s an interesting counterpoint nevertheless.
Microsoft objects to Google’s dotless domains plan
Microsoft has strongly urged ICANN to reject Google’s plan for a “dotless” .search gTLD.
In a letter sent a couple of weeks ago and published last night, the company says that Google risks putting the security and stability of the internet at risk if its .search idea goes ahead.
David Tennenhouse, corporate vice president of technology policy, wrote:
Dotless domains are currently used as intranet addresses controlled by private networks for internal use. Google’s proposed amendment would interfere with that private space, creating security vulnerabilities and impacting enterprise network and systems infrastructure around the globe.
It’s a parallel argument to the one going on between Verisign and everyone else with regards to gTLD strings that may conflict with naming schemes on internal corporate networks.
While they’re subtly different problems, ICANN recently commissioned a security study into dotless domains (announced 11 days after Microsoft’s letter was sent) that links the two.
As Tennenhouse says in his letter, ICANN’s Security and Stability Advisory Committee, which has Google employees on it, has already warned about the dotless name problem in SAC053 (pdf).
He also claims that Google had submitted follow-up comments to SAC053 saying dotless domains would be “actively harmful”, but this is slightly misleading.
One Google engineer did submit such a comment, but it limited itself to talking about clashes with internal name certificates, a slightly different issue, and it’s not clear it was an official Google Inc comment.
The new gTLD Applicant Guidebook currently outlaws dotless domains through its ban on “apex A records”, but that ban can be circumvented if applicants can convince a registry services evaluation panel that their dotless domain plans don’t pose a stability risk.
While Google’s original .search application envisaged a single-registrant “closed generic”, it later amended the proposal to make it “open” and include the dotless domain proposal.
This is the relevant bit of the amended application:
Charleston Road Registry will operate a service that allows users to easily perform searches using the search functionality of their choice. This service will operate on the “dotless” search domain name (http://search/) and provide a simple web interface. This interface operates in two modes:
1) When the user has not set a preference for a search engine, they will be prompted to select one. The user will be provided with a simple web form that will allow them to designate a search engine by entering the second level label for any second level domain registered with in the TLD (e.g., if “foo.search” was a valid second level domain name, the user could indicated that their preferred search engine was “foo”). The user can also elect to save this preference, in which case a cookie will be set in the userʹs browser. This cookie will be used in the second mode, as described below. If the user enters an invalid name, they will be prompted again to provide a valid response.
2) If the user has already set a preferred search engine, the redirect service will redirect the initial query to the second level domain name indicated by the userʹs preference, including any query string provided by the user. For example, if the user had previously selected the “foo” search engine and had issued a query for http://search/?q=bar, the server would issue a redirect to http://foo.search/?q=bar. In this manner, the userʹs query will be consistently redirected to the search engine of their choice.
While Google seems to have preempted some concerns about monopolistic practices in the search engine market, approval of its dotless search feature would nevertheless have huge implications.
Make no mistake, dotless domains are a Big Deal and it would be a huge mistake for ICANN to treat them only as a security and stability issue.
What’s weird about Google’s proposal is that by asking ICANN to open up the floodgates for dotless domains, it risks inviting the domain name industry to eat its breakfast, lunch and dinner.
If ICANN lets registries offer TLDs domains without dots, the new gTLD program will no longer be about delegating domain names, it will be about auctioning exclusive rights to search terms.
Today, if you type “beer” into your browser’s address bar (which in all the cases I’m aware of are also search bars) you’ll be directed to a page of search results for the term “beer”.
In future, if “beer” is a domain name, what happens? Do you get search or do you get a web page, owned by the .beer registry? Would that page have value, or would it be little better than a parking page?
If browser makers decided to implement dotless domains — and of course there are plenty of reasons why they wouldn’t — every borderline useful dictionary word gTLD would be sold off in a single round.
Would that be good for the internet? I’d lean toward “no”.
Why domain names need punctuation
ICANN wants to know whether it should formally ban “dotless” domain names in the gTLDs for which it oversees policy.
While the Applicant Guidebook essentially prohibits registries using their new gTLDs without dots, there’s not yet a hard ban in the template Registry Agreement.
But that could change following a new ICANN public comment period.
A dotless domain might appear in a browser address bar as http://tld or, with more modern browsers, more likely just tld. A small number of ccTLDs already have this functionality.
To make it work, TLDs need to place an A record (or AAAA record for IPv6) in the root zone. This is known as an apex A record, which the Applicant Guidebook says ICANN will not permit.
The result, IANA root zone manager Kim Davies told us in July 2011, is a “default prohibition on dotless domains”.
Davies could not rule out apex A/AAAA records entirely, however. Specific requests for such functionality might be entertained, but would likely trigger an Extended Evaluation.
ICANN’s Security and Stability Advisory Committee is of the opinion that dotless gTLDs should not be permitted on various security grounds, including the fact that lots of software out there currently assumes a domain without a dot is a trusted host on the local network.
You can read the SSAC report here.
Dotless domains would also mess up browsers such as Chrome, which have integrated address/search bars; when you type “loreal” do you intend to search for the brand or visit its TLD’s web site?
But a far more intuitive, non-technical argument against dotless domains, as CentralNic’s Joe Alagna noted in his blog over the weekend, is that they do not pass the cocktail party test.
It’s hard enough trying to communicate the address “domainincite.com” across a noisy cocktail party as it is, but at least the dot immediately informs the listener that it’s a domain name.
Without dots, are we even talking about domain names any more?
The first phase of the new comment period runs until September 23. We understand that, depending on responses, a new ban on dotless domains could be introduced to the standard new gTLD registry agreement and possibly even added to legacy registry agreements in future.
Why we won’t see dotless domain names
Will http://google ever work?
Will any of the hundreds of .brand gTLDs expected to be approved by ICANN in its first round of new top-level domains resolve without dots?
Will users be able to simply type in the name of the brand they’re looking for into their browser’s address bar and have it resolve to the company’s official site?
Probably not, according to the experts.
ICANN’s Applicant Guidebook answers this question, but you need to know where to look, and to know a little about DNS records, to figure it out what it actually says.
Section 2.2.3.3 of the Guidebook (page 75 of the May 30 PDF) provides a list of the permissible contents of a new gTLD zone.
Specifically not allowed are A and AAAA records, which browsers need in order to find web sites using IPv4 and IPv6 respectively.
“To facilitate a dotless domain, you would need to place an A or a AAAA record in the zone, and these are not on the list of permitted record types,” said Kim Davies, root zone manager at IANA. “The net result is a default prohibition on dotless domains.”
Applicants may be able to obtain A/AAAA records if they specifically ask for them, but this is very likely to trigger an Extended Evaluation and a Registry Services Review, according to Davies and the Guidebook.
There’s an additional $50,000 fee for a Registry Services Review, with no guarantee of success. It will also add potentially months to the application’s processing time.
(Incidentally, ICANN has also banned DNS “wildcards”. You cannot have an infinite SiteFinder-style catch-all at the second level, you need to allocate domain names individually.)
Applicants that successfully obtain A/AAAA records, enabling dotless domains, would face a far greater problem than ICANN’s rules – endpoint software probably won’t support them.
“As it stands, most common software does not support the concept,” Davies said. “There is a common assumption that fully qualified domain names will have at least one dot in them.”
You can type IP addresses, host names, domain names or search terms into browser address bars, and dots are one of the ways the software figures out you’re looking for a domain.
You can test this today. There are already a handful of top-level domains, probably fewer than 20 and all ccTLDs, that have implemented an A record at the TLD level.
On some platforms, you may be able to get URLs such as http://io and http://ac to work.
They don’t revolve on any Windows 7 browser I’ve tested (Firefox/IE/Chrome), but I’d be interested in hearing your experiences, if you’d be so good as to leave a comment below.
Given the lack of software support, it may be a poor use of time and resources to fight ICANN for a dotless gTLD that most internet users won’t even be able to resolve.
According to a recent CircleID article by Paul Vixie, chairman of the Internet Systems Consortium, many browsers treat domains without dots as local resources.
Only if the browser’s “DNS search list” cannot find a local resource matching the dotless TLD will it then go out to the internet to look for it.
In some organizations, a local resource may have been configured which matches a new gTLD. There may be a local server called “mail” for example, which could clash with a .mail gTLD.
A recent article in The Register quoted security people fretting about what would happen if a malicious hacker somehow persuaded ICANN to approve a string such as .localhost or .lan.
These worries appear to be largely reliant on an erroneous belief that getting your hands on a gTLD is going to be as simple as registering a domain name.
In reality, there’s going to be months of technical evaluation – conducted in a fish-bowl, subject to public comment, applicant background checks and, in the case of a request for A records, the aforementioned Registry Services Review – before a gTLD is approved.
If everything works according to plan, security problems will be highlighted by this process and any gTLDs that would break the internet will be caught and rejected.
So it seems very unlikely that we’re going to see domains without dots hitting the web any time soon.
Domain names are designed to help people find you. Dotless domains today will not do that, even if ICANN does approve them.
Recent Comments