GoDaddy loses last Amazon business to Identity Digital
GoDaddy appears to have lost the last remnants of its Amazon back-end registry services deal.
IANA records show that GoDaddy was recently replaced by Identity Digital as the technical contact for all of the remaining 12 gTLDs it was serving.
The gTLDs in question are: .coupon, .song, .zero and the IDNs .ストア, .セール, .家電, .クラウド, .食品, .ファッション, .書籍, .ポイント and .通販, which are generic terms for things like “fashion” and “books”.
Five of the IDNs have actually launched and have been generally available for years, but they’ve been phenomenally unsuccessful — the largest zone has just 146 domains in it. The remaining seven are dormant, unlaunched.
Amazon originally used GoDaddy (then Neustar) for all 54 of the gTLDs it successfully applied for back in the 2012 gTLD application round, but it switched all but 12 of them to Nominet back in 2019, where they remain today.
Zoom says GoDaddy took it down for hours
A screwup by MarkMonitor and GoDaddy was responsible for a two-hour outage affecting Zoom’s videoconferencing services yesterday, according to the company.
The widely used services were offline between 1825 and 2012 UTC yesterday because GoDaddy Registry, apparently acting under MarkMonitor’s instructions, shut down the zoom.us domain.
Screenshots posted to social media show zoom.us returning an NXDOMAIN error in web browsers. In-progress conference calls were reportedly shut off mid-stream.
Zoom said in a statement:
On April 16, between 2:25 P.M. ET and 4:12 P.M. ET, the domain zoom.us was not available due to a server block by GoDaddy Registry. This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain.
Zoom, Markmonitor and GoDaddy worked quickly to identify and remove the block, which restored service to the domain zoom.us. There was no product, security, network failure or Distributed Denial of Service (DDoS) attack at Zoom during the outage. GoDaddy and Markmonitor are working together to prevent this from happening again.
It’s not entirely clear what is meant by “server block”, but it sounds consistent with a serverHold EPP status, where a registry prevents a domain from resolving in the DNS.
GoDaddy is the registry for .us domains. MarkMonitor is a hands-on corporate registrar dealing primarily with high-value brand clients.
Zoom is the incredibly popular conferencing service that grew to such popularity during the pandemic one could almost argue that it could be considered critical infrastructure.
While two hours downtime is hardly the end of the world, it’s still one hell of a screwup.
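The serverHold condition discussed above is something a domain owner can watch for. The Python below is an added example, not code from the original post or from any company named in it: it normalises EPP-style (WHOIS) and RDAP-style status values and flags those under which RFC 5731 says no delegation is published. The sample RDAP object, the WHOIS lines and the function names are constructed for illustration.

```python
import json
import re

# Statuses under which RFC 5731 says no DNS delegation is published,
# keyed by their RDAP spelling (RFC 8056 maps serverHold -> "server hold").
NON_RESOLVING = {
    "server hold": "registry is withholding the delegation",
    "client hold": "registrar is withholding the delegation",
    "inactive": "no name servers are associated with the domain",
}

def normalize_status(value):
    """Reduce 'serverHold https://icann.org/epp#serverHold' (WHOIS)
    and 'server hold' (RDAP) to the same lower-case, spaced form."""
    value = re.sub(r"\s+https?://\S+$", "", value.strip())
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", value)
    return " ".join(spaced.lower().split())

def resolution_blockers(statuses):
    """Return (status, reason) for every status that stops resolution."""
    found = []
    for raw in statuses:
        status = normalize_status(raw)
        if status in NON_RESOLVING:
            found.append((status, NON_RESOLVING[status]))
    return found

def check_rdap_domain(obj):
    """Summarise an RDAP domain object for alerting and triage."""
    last_changed = next(
        (e.get("eventDate") for e in obj.get("events", [])
         if e.get("eventAction") == "last changed"), None)
    return {
        "domain": obj.get("ldhName", "").lower(),
        "blockers": resolution_blockers(obj.get("status", [])),
        "last_changed": last_changed,
    }

# Constructed RDAP response for a placeholder domain (not real data).
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "EXAMPLE.US",
  "status": ["client transfer prohibited", "server hold"],
  "events": [
    {"eventAction": "registration", "eventDate": "2002-04-24T00:00:00Z"},
    {"eventAction": "last changed", "eventDate": "2025-01-01T12:00:00Z"}
  ]
}
""")

if __name__ == "__main__":
    report = check_rdap_domain(SAMPLE_RDAP)
    for status, reason in report["blockers"]:
        print(f"ALERT {report['domain']}: {status} ({reason}); "
              f"last changed {report['last_changed']}")
```

Run on a schedule against the registry's RDAP output for each critical domain, a non-empty `blockers` list is the signal to page someone before users start seeing NXDOMAIN.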
.co deal worth $77 million up for grabs
The Colombian government has put the contract to run .co out for bidding, and it looks like the successful registry could make as much as $77 million over the lifetime of the deal.
GoDaddy currently runs .co through its subsidiary .CO Internet, which it acquired when it bought Neustar five years ago. The government’s RFP does not rule out the incumbent reapplying despite some friction in the past.
It’s not simply a back-end registry services deal. The successful registry will have to be the public face of .co too, handling front-of-house services and marketing as well.
Extrapolating from some figures and formulas in the RFP, it seems GoDaddy’s share (19% of the total revenue) has worked out to about $7.7 million a year on average over the last five years. The new contract would be a 10-year deal.
But is .co on the decline? According to the RFP, there were 3,217,570 .co domains in January this year, down from 3.4 million in 2022 and 3.3 million in 2023. Numbers for 2024 were not included.
That downward trend may merely be the post-Covid slump experienced by many TLDs. Indeed, when the current contract was signed in 2020, there were just 2.3 million .co domains under management, so GoDaddy’s done a pretty good job of growing the namespace.
Largest back-end switch EVER as GoDaddy loses deal
It’s going to be the largest ever migration of a single TLD between back-end registry service providers, but it was announced without fanfare late last week.
On page four of Tucows CEO Elliot Noss’s prepared fourth-quarter remarks to analysts last week, he revealed the company has beaten GoDaddy to take over the contract to run India’s .in ccTLD:
Tucows Domains was recently selected to be the technical services provider for the .IN country code domain, operated by the National Internet Exchange of India. Our teams are closely collaborating and we are establishing a dedicated team in India to support this initiative
Noss said that the migration involves “approximately 4 million domains” and will take place “later this year”.
While NIXI does not publish its registration numbers, Verisign’s Domain Name Industry Brief put .in at 4.1 million names at the end of 2024.
Even accounting for upwards rounding by Noss, 4 million names would make the migration the largest in the history of the DNS.
The current record was set in 2018, when Afilias (now Identity Digital) took over Australia’s .au from Neustar (now GoDaddy). There were 3.1 million names in .au at that time.
When Neustar/GoDaddy took over .in from Afilias/Identity Digital in 2019, it was reportedly because it had bid $0.70 per domain, undercutting the incumbent’s offer of $1.10.
But, while the deal is surely worth many millions (maybe $10 million over five years if we guess at a $0.50 bid) to Tucows’ top line, it may not be especially profitable.
Noss said in his remarks to analysts: “The pricing and margin contribution for this piece of business is typical of a large, high volume customer.”
But a demonstrable track record of handling large migrations often comes up in registry RFPs, so the .in deal puts Tucows in a strong position in future contract opportunities.
Super Bowl a bit of a dud for .com?
Having two of its largest registrars advertising during Sunday’s Super Bowl broadcast doesn’t seem to have given Verisign’s declining .com flagship much of a boost.
According to numbers published on the company’s web site, .com has grown by about 30,000 domains in the last two days.
While that’s certainly not to be sniffed at, it’s well within the parameters of a normal day’s operation for .com. The TLD’s zone file shrinks more days than it grows nowadays, but five-figure daily upticks are not uncommon.
GoDaddy and Squarespace both took out 30-second spots during the Super Bowl. Both featured high-profile actors and had high production values, but neither mentioned domain names once.
GoDaddy’s focused on its Airo tool and Squarespace’s… goodness knows what that was all about.
Verisign CEO Jim Bidzos last week told analysts that the two commercials were a sign that its registrar partners are starting to focus more on customer acquisition, which should help .com return to growth.
GoDaddy ordered to stop lying about crappy security
GoDaddy has agreed to roll out some pretty basic security measures and has been told to stop lying about how secure its hosting is, under an agreement with US regulators.
It turns out that the company, while claiming that security “was at the core of everything we do”, was failing to do some pretty basic stuff like installing software patches, retiring end-of-life servers, or securing internet-facing APIs.
Its settlement with the Federal Trade Commission finds that GoDaddy engaged in “false or misleading” advertising and orders that it “must not misrepresent in any manner” its security profile in future.
The FTC complaint (pdf), filed in 2023 after reports of mass hacking incidents, states:
Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment. Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats.
The complaint says that GoDaddy had a slack patching regime that was left up to individual product teams to execute, with no centralized management.
This meant thousands of boxes in its Shared Hosting environment were subject to critical vulnerabilities that allowed bad guys to get in and steal data such as user credentials and credit card info for months.
The complaint also describes a custom internet-facing API designed to enable customer support staff to access details about managed WordPress users, such as login credentials.
This API was apparently open to the internet, unfirewalled, used plaintext for credentials, and had no multi-factor authentication in place, again enabling hackers to steal data.
One or more “threat actors” abused this lax security to pwn tens of thousands of servers between October 2019 and December 2022, according to the complaint.
The settlement (pdf), in which GoDaddy does not admit or deny any wrongdoing, does not come with an associated fine.
Instead, GoDaddy has agreed to a fairly extensive list of requirements designed to increase the security of its hosting services.
ICANN lawyers want to keep their clients secret
IP lawyers in the ICANN community have come out swinging against proposed rules that would require them to come clean about who they work for, rules that are supported by registrars and governments.
A proposed policy that would force lawyers to disclose the identities of their clients when they participate in policy-making would violate their clients’ human rights, according to the Intellectual Property Constituency.
The criticisms came in response to an ICANN public comment period on a draft Community Participant Code of Conduct Concerning Statements of Interest, which opened in October and closed this week.
The draft would close a loophole that allows ICANN policy makers to keep their potential conflicts of interest secret when “professional ethical obligations” prevent them from disclosing this information.
“When disclosure cannot be made, the participant must not participate in ICANN processes on that issue,” the draft states.
The changes are keenly supported by the Registrar Stakeholder Group as a whole and by GoDaddy and Tucows in particular. As far as the registrars are concerned, the main problem with the draft is the somewhat vague enforcement mechanisms.
GoDaddy, for example, said in its comments:
We recognize that there may be situations in which a party is unable to disclose their client(s), and in those rare cases, GoDaddy agrees with ICANN’s conclusion that the participant forfeits the ability to participate in associated processes.
It added, echoing the RrSG as a whole, that more clarity is needed on enforcement, where the buck seems to stop with the chair of the working group where the disclosure infraction is alleged to have taken place, with no escalation.
On the opposing side are the IPC, the Business Constituency, and the International Trademark Association, which all filed comments criticizing the proposed changes. The IPC said:
The often-argued response of having attorneys not participate if they fail to uphold their ethical duty to their clients effectively vitiates the human right of representation by counsel and is not for the public benefit. ICANN has agreed to uphold human rights and therefore counsel cannot be compelled to disclose client identity.
Two of the concerns from lawyers is that the policy could require their clients to divulge trade secrets, such as whether they intend to apply for a new gTLD in the forthcoming application round.
Perhaps anticipating the Governmental Advisory Committee’s expected support for the policy changes, which was no secret, the IPC also raises the specter of the policy being broad enough to apply to the governments themselves: should they all be compelled to reveal the names of all the lobbyists who knock on their doors?
This forcing of transparency of national interest would significantly inhibit GAC members from fulfilling their role. Imagine a GAC member from one country filing an SOI saying that their government was being lobbied by numerous parties to gain favor in the New gTLD Rounds?
The GAC’s response to the public comment period was in fact cautiously supportive of the rule changes, saying:
Prima facie, the proposal referring to Statements of Interests seems to be in the right direction, and to fulfil the expectations expressed by the GAC. At the same time, the GAC looks forward to the reactions from ICANN org to the views expressed during the public comment period
Like the registrars, the GAC is looking for more clarity on enforcement mechanisms.
The public comments will be summarized for publication mid-December and the ICANN board could take action on the proposals next year.
GoDaddy’s .xxx contract renewed
GoDaddy’s .xxx gTLD will no longer be “sponsored”, following a vote of ICANN’s board of directors last week.
At its ICANN 81 AGM in Istanbul, the board approved the renewal of GoDaddy subsidiary ICM Registry’s Registry Agreement.
The new deal closely follows the text of the standard RA most other gTLDs use, scrapping restrictions that GoDaddy found onerous but which were vital in getting the deal approved in the first place back in 2011.
It means the end of IFFOR, the International Foundation For Online Responsibility, the largely toothless oversight body that had been tasked with creating policies and issuing grants to worthy causes but arguably did neither.
It also means less friction for the .xxx registration process, as registrants will no longer have to affirm they are members of the “sponsored community”, which never existed in any real sense anyway.
Some elements of the original sponsorship agreement, such as strict prohibitions on child sexual abuse material and the suggestion thereof, have been moved to Public Interest Commitments that ICANN could in theory enforce.
In its resolution text, ICANN noted that the Governmental Advisory Committee, which almost got .xxx killed off a couple decades ago, had not felt strongly enough about the new deal to publicly comment on it one way or the other.
.xxx makes most of its money from defensive registrations. It had almost 45,000 domains under management at the end of June, but barely 7,000 of those appeared in its zone file of the same date. That does not include domains blocked via the AdultBlock and GlobalBlock services, which are not counted in any public document but which I estimate are measured in five figures.
Senator says domain industry “enables” Russian disinfo attacks
An influential US senator has accused major registries and registrars including GoDaddy and Namecheap of facilitating Russian disinformation campaigns.
Senator Mark Warner, the Democrat chair of the Senate Select Committee on Intelligence, told registrars that “legislative remedies” may be required unless they “take immediate steps to address the continued abuse of your services for foreign covert influence”.
The threat came in letters sent to registrar groups Namecheap, GoDaddy, Cloudflare, NewFold Digital, NameSilo, and .com registry Verisign today.
Warner’s letters seem to have been inspired by Facebook owner Meta, perhaps the domain industry’s most prolific antagonist, and align closely with Meta’s views on issues such as cybersquatting and Whois access.
The criticisms also stem from a recent FBI seizure of 32 domains that were being used to proliferate fake news about the invasion of Ukraine and the upcoming US presidential election.
The Russian campaign, known as Doppelganger, used domains such as fox-news.in and washingtonpost.pm to trick visitors into thinking they were reading news sources they trust.
Warner tells the registrars (pdf) they have “ostensibly facilitated sustained covert influence activity by the Russian Federation and influence networks operating on its behalf”.
The main concern appears to be the lack of access to private information in Whois records. Warner’s list of industry sins includes:
withholding vital domain name registration information from good-faith researchers and digital forensic investigators, ignoring inaccurate registration information submitted by registrants, and failing to identify repeated instances of intentional and malicious domain name squatting used to impersonate legitimate organizations
Warner called for “immediate” action “to address the continued abuse of your services” as the US presidential election looms, and in its aftermath. Voters go to the polls November 5.
Former .co registry defeated in $350 million contract fix case
The Neustar spin-off that once operated the .co TLD reportedly has lost a case against the Colombian government in which it had sought $350 million in damages over the acrimonious renewal of its registry contract.
According to local reports, the International Center for the Settlement of Investment Disputes, part of the World Bank, last week ruled in favor of Colombia on both the merits and on jurisdictional grounds.
The case had been brought in late 2019 by Neustar, which at the time managed some 2.3 million .co domains, under government contract, via a Colombian subsidiary it acquired in 2014.
Neustar has since been acquired by GoDaddy, which continues to run .co, but the ICSID case was inherited by Vercara, the DNS security services arm of the company that GoDaddy didn’t buy.
As .CO Internet, Vercara was hired by Colombia to turn .co into a global alternative to .com with a much-hyped 2010 relaunch. It was very successful, but when it came time to renew the initial 10-year contract, Colombia instead put it out for rebid and started behaving very strangely.
You may recall from coverage here on DI and on The Register that the Colombian tender process seemed to have been specially constructed so that only Afilias, then Neustar’s fiercest rival and now part of Identity Digital, could win.
The government’s RFP had set technical thresholds, such as daily registry transactions, that Afilias could show it met but Neustar could not. It looked naive and arbitrary at best and dodgy at worst.
So Neustar took Colombia to arbitration with ICSID, saying (pdf) the government was in breach of the Trade Promotion Agreement between the US and Colombia.
Neustar ended up winning the contract anyway, albeit on terms that were massively more favorable to the government, and it sold its entire registry services business to GoDaddy days later.
Now, almost five years later, it seems Vercara has lost the case it inherited. While ICSID has not yet published its arbitration panel’s decision, local newspapers have got hold of a copy.
Colombia’s oldest newspaper, El Espectador, reports: “The court, in addition to stating that it does not have jurisdiction to hear Vercara’s claims, rejected all the claims on the merits.”
In unrelated news, Vercara’s recently announced acquisition by DigiCert closed yesterday.