Recent Posts
- “No timeline” to retire Soviet Union from the DNS
- ICANN to kill off 60-day domain transfer lock
- Lancaster bags up its dot-brand
- Google readying its next batch of gTLD launches?
- NomCom confirms Americans rejected from ICANN board
- Nova announces $45 million of new gTLD applications
- Registry makes .ai an option for Koreans
- it.com now bigger than Guatemala
- ICANN turns to AI and crowdsourcing for new gTLD program
- Amazon lawyer DiBiase elected to ICANN board
- Is .io safe now? Identity Digital now running Mauritian ccTLD
- Tucows quits ICANN’s Whois disclosure pilot
- Toshiba goes all-in on its dot-brand
- Google scuppers Team Internet acquisition after profit warning
- .ai channel doubles under new management
- Trump inclined to back deal that threatens .io
- As .com shrinks, China adds another 1.2 million domains
- Second new gTLD contention set revealed
- UK intros global domain takedown law
- No more Americans as Holland wins ICANN board seat
- Registries have started shutting down Whois
- ICANN wins IRP because complainant literally doesn’t exist
- .com could return to growth this quarter
- Could Musk’s DOGE kill off D3’s .doge?
- $2 million Christmas bonus for ICANN
- Another VW car dot-brand crashes out
- Largest back-end switch EVER as GoDaddy loses deal
- Yeah, we got phished, ICANN admits after crypto hack
- ICANN hacked to promote crypto scam
- Super Bowl a bit of a dud for .com?
- More gloom predicted for .com
- These are the .gov domains Trump has deleted so far
- Did Trump just create the world’s next ccTLD?
- $3,000 to do a Whois lookup?
- PIR to join GlobalBlock, but its crown jewel won’t
- LA wildfire victims get domain deletes delay
- .free domains to finally arrive as Amazon reveals three gTLD launches
- Six more gTLDs shown the door, five may be auctioned
- Registrar terminated after ignoring Whois transition
- $10 million ICANN giveaway winners picked
- Whois officially died today
- Typo left MasterCard open to hackers for years
- Could ICANN approve an R-word gTLD?
- These are the TLD growers and shrinkers of 2024 (part two)
- GoDaddy ordered to stop lying about crappy security
- These are the TLD growers and shrinkers of 2024 (part one)
- Dead terrorist domains for sale, just without the hyphens
- ICANN eyes more price hikes as it predicts dismal year for industry
- Meet the six people battling to join ICANN’s board
- New gTLD use cases not much use
- Defensive dot-brands are renewing, making ICANN millions
- Identity Digital offers free domain trials through LinkedIn
- Antisemitic remarks cost registrar dearly
- ICANN lawyers want to keep their clients secret
- Facebook cybersquatter asks ICANN to overturn UDRP ruling
- .xxx founder Stuart Lawley has died
- The new gTLD Next Round is really happening as two ICANN programs go live
- Verisign has much to be thankful for as .com contract renewed
- Another 40,000 .ai domains registered
- RDRS usage hits new low
- A dot-brand that was actually used is shutting down
- .id joins the million-domain club
- GoDaddy’s .xxx contract renewed
- Twitter clone Bluesky has one feature domain people should like
- ICANN confirms two bans on new gTLD gaming
- eBay slogan domain no longer has a BIN price
- Will Donald Trump be .io’s white knight?
- As customers flee legacy gTLDs, .org tops 11 million names
- Company accidentally puts porn domain on kids’ toys
- eBay’s new slogan looks like a $75,000 domain it doesn’t own
- Americans are deserting .com
- Weak Q3 for the domain universe, Verisign reports
- ICANN says it WILL raise its domain taxes soon
- Senator says domain industry “enables” Russian disinfo attacks
- bit.ليبيا? Libya to get its Arabic ccTLD
- Verisign gets eight more years running the root
- Two-horse race for open ICANN board seat
- Chinese say internet not ready for single-letter gTLDs
- Unloved INTA slams ICANN over new gTLDs
- Namecheap scores win in .org price-cap lawsuit
- Some Guy wants to take over .com and .net
- Second-shot gTLD bid rules revealed
- Nominet names directors after tight election
- Lawyer ban coming to ICANN
- Identity Digital to take over .ai
- ICA teams up with WIPO on UDRP reform
- Response to sex harassment lawsuit “inadequate”, say ICANN vets
- Unstoppable tops four million names
- Amazon readying fashion and book gTLDs
- Five times ICANN deleted a ccTLD, and what it means for .io
- Future of .io domains uncertain as UK hands over Chagos islands
- .ai now has over half a million names
- UK and Israel cut ICANN funding
- Twitter now up-to-date on linkification
- Moment of truth as .music domains finally go on sale
- ICANN fixes embarrassing “What is a Domain Name?” mistake
- Another ccTLD opens up its second level
- Reporter gains first access to .io island for decades
- .io sells $40 million of domains after massive uptick
- After five years, “useless” TLD has two web sites
- Verisign agrees to .com takedown rules
- New .com contract could see ALL domain prices go up
- Investing in .ad domains may be risky
- Plurals ban policy handed to ICANN board
- Three .now domains sell at premium EAP prices
- ICANN confirms new gTLD application fee
- New gTLD application fee rises by thousands after collision call
- Former .co registry defeated in $350 million contract fix case
- Is this the first Next Round new gTLD contention battle?
- ICANN names its Supreme Court judges
- Who uses Sunrise nowadays? You might be surprised
- ICANN gunning for Tencent over abuse claims
- All the one-character .sk domains to be auctioned
- Straggler gTLD signs first ICANN contract for years
- GoDaddy likely to win relaxed .xxx deal
- Tonkin promoted to CEO at auDA
- ICANN hires new Ombuds from WIPO
- Big twist as ICANN bans new gTLD auctions
- ICANN to “strengthen” harassment rules as it picks another homophobic meeting host
- .my global relaunch starts slowly despite cheapo prices
- Hackers break .mobi after Whois domain expires
- The new gTLD next, next and next round
- Squarespace gets sweetened $7.2 billion takeover offer
- ICANN hit by DDoS attack
- Russia calls for ICANN to split from US
Largest back-end switch EVER as GoDaddy loses deal
It’s going to be the largest ever migration of a single TLD between back-end registry service providers, but it was announced without fanfare late last week.
On page four of Tucows CEO Elliot Noss’s prepared fourth-quarter remarks to analysts last week, he revealed the company has beaten GoDaddy to take over the contract to run India’s .in ccTLD:
Tucows Domains was recently selected to be the technical services provider for the .IN country code domain, operated by the National Internet Exchange of India. Our teams are closely collaborating and we are establishing a dedicated team in India to support this initiative
Noss said that the migration involves “approximately 4 million domains” and will take place “later this year”.
While NIXI does not publish its registration numbers, Verisign’s Domain Name industry Brief put .in at 4.1 million names at the end of 2024.
Even accounting for upwards rounding by Noss, 4 million names would make the migration the largest in the history of the DNS.
The current record was set in 2018, when Afilias (now Identity Digital) took over Australia’s .au from Neustar (now GoDaddy. There were 3.1 million names in .au at that time.
When Neustar/GoDaddy took over .in from Afilias/Identity Digital in 2019, it was reportedly because it had bid $0.70 per domain, undercutting the incumbent’s offer of $1.10
But, while the deal is surely worth many millions (maybe $10 million over five years if we guess at a $0.50 bid) to Tucows’ top line, it may not be especially profitable.
Noss said in his remarks to analysts: “The pricing and margin contribution for this piece of business is typical of a large, high volume customer.”
But a demonstrable track record of handling large migrations often comes up in registry RFPs, so the .in deal puts Tucows in a strong position in future contract opportunities.
Super Bowl a bit of a dud for .com?
Having two of its largest registrars advertising during Sunday’s Super Bowl broadcast doesn’t seem to have given Verisign’s declining .com flagship much of a boost.
According to numbers published on the company’s web site, .com has grown by about 30,000 domains in the last two days.
While that’s certainly not to be sniffed it, it’s well within the parameters of a normal day’s operation for .com. The TLD’s zone file shrinks more days than it grows nowadays, but five-figure daily upticks are not uncommon.
GoDaddy and Squarespace both took out 30-second spots during the Super Bowl. Both featured high-profile actors and had high production values, but neither mentioned domain names once.
GoDaddy’s focused on its Airo tool and Squarespace’s… goodness knows what that was all about.
Verisign CEO Jim Bidzos last week told analysts that the two commercials were a sign that its registrar partners are starting to focus more on customer acquisition, which should help .com return to growth.
GoDaddy ordered to stop lying about crappy security
GoDaddy has agreed to roll out some pretty basic security measures and has been told to stop lying about how secure its hosting is, under an agreement with US regulators.
It turns out that the company, while claiming that security “was at the core of everything we do”, was failing to do some pretty basic stuff like installing software patches, retiring end-of-life servers, or securing internet-facing APIs.
Its settlement with the Federal Trade Commission finds that GoDaddy engaged in “false or misleading” advertising and orders that it “must not misrepresent in any manner” its security profile in future.
The FTC complaint (pdf), filed in 2023 after reports of mass hacking incidents, states:
Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment. Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats.
The complaint says that GoDaddy had a slack patching regime that was left up to individual product teams to execute, with no centralized management.
This meant thousands of boxes in its Shared Hosting environment were subject to critical vulnerabilities that allowed bad guys to get in and steal data such as user credentials and credit card info for months.
The complaint also describes a custom internet-facing API designed to enable customer support staff to access details about managed WordPress users, such as login credentials.
This API was apparently open to the internet, unfirewalled, used plaintext for credentials, and had no multi-factor authentication in place, again enabling hackers to steal data.
One or more “threat actors” abused this lax security to pwn tens of thousands of servers between October 2019 and December 2022, according to the complaint.
The settlement (pdf), in which GoDaddy does not admit or deny any wrongdoing, does not come with an associated fine.
Instead, GoDaddy has agreed to a fairly extensive list of requirements designed to increase the security of its hosting services.
ICANN lawyers want to keep their clients secret
IP lawyers in the ICANN community have come out swinging against proposed rules that would require them to come clean about who they work for, rules that are supported by registrars and governments.
A proposed policy that would force lawyers to disclose the identities of their clients when they participate in policy-making would violate their clients’ human rights, according to the Intellectual Property Constituency.
The criticisms came in response to an ICANN public comment period on a draft Community Participant Code of Conduct Concerning Statements of Interest, which opened in October and closed this week.
The draft would close a loophole that allows ICANN policy makers to keep their potential conflicts of interest secret when “professional ethical obligations” prevent them from disclosing this information.
“When disclosure cannot be made, the participant must not participate in ICANN processes on that issue,” the draft states.
The changes are keenly supported by the Registrar Stakeholder Group as a whole and by GoDaddy and Tucows in particular. As far as the registrars are concerned, the main problem with the draft is the somewhat vague enforcement mechanisms.
GoDaddy, for example, said in its comments:
We recognize that there may be situations in which a party is unable to disclose their client(s), and in those rare cases, GoDaddy agrees with ICANN’s conclusion that the participant forfeits the ability to participate in associated processes.
It added, echoing the RrSG as a whole, that more clarity is needed on enforcement, where the buck seems to stop with the chair of the working group where the disclosure infraction is alleged to have taken place, with no escalation.
On the opposing side are the IPC, the Business Constituency, and the International Trademark Association, which all filed comments criticizing the proposed changes. The IPC said:
The often-argued response of having attorneys not participate if they fail to uphold their ethical duty to their clients effectively vitiates the human right of representation by counsel and is not for the public benefit. ICANN has agreed to uphold human rights and therefore counsel cannot be compelled to disclose client identity.
Two of the concerns from lawyers is that the policy could require their clients to divulge trade secrets, such as whether they intend to apply for a new gTLD in the forthcoming application round.
Perhaps anticipating the Governmental Advisory Committee’s expected support for the policy changes, which was no secret, the IPC also raises the specter of the policy being broad enough to apply to the governments themselves: should they all be compelled to reveal the names of all the lobbyists who knock on their doors?
This forcing of transparency of national interest would significantly inhibit GAC members from fulfilling their role. Imagine a GAC member from one country filing an SOI saying that their government was being lobbied by numerous parties to gain favor in the New gTLD Rounds?
The GAC’s response to the public comment period was in fact cautiously supportive of the rule changes, saying:
Prima facie, the proposal referring to Statements of Interests seems to be in the right direction, and to fulfil the expectations expressed by the GAC. At the same time, the GAC looks forward to the reactions from ICANN org to the views expressed during the public comment period
Like the registrars, the GAC is looking for more clarity on enforcement mechanisms.
The public comments will by summarized for publication mid-December and the ICANN board could take action on the proposals next year.
GoDaddy’s .xxx contract renewed
GoDaddy’s .xxx gTLD will no longer be “sponsored”, following a vote of ICANN’s board of directors last week.
At its ICANN 81 AGM in Istanbul, the board approved the renewal of GoDaddy subsidiary ICM Registry’s Registry Agreement.
The new deal closely follows the text of the standard RA most other gTLDs use, scrapping restrictions that GoDaddy found onerous but which were vital in getting the deal approved in the first place back in 2011.
It means the end of IFFOR, the International Foundation For Online Responsibility, the largely toothless oversight body that had been tasked with creating policies and issuing grants to worth causes but arguably did neither.
It also means less friction for the .xxx registration process, as registrants will no longer have to affirm they are members of the “sponsored community”, which never existed in any real sense anyway.
Some elements of the original sponsorship agreement, such as strict prohibitions on child sexual abuse material and the suggestion thereof, have been moved to Public Interest Commitments that ICANN could in theory enforce.
In its resolution text, ICANN noted that the Governmental Advisory Committee, which almost got .xxx killed off a couple decades ago, had not felt strongly enough about the new deal to publicly comment on it one way or the other.
.xxx makes most of its money from defensive registrations. It had almost 45,000 domains under management at the end of June, but barely 7,000 of those appeared in its zone file of the same date. That does not included domains blocked via the AdultBlock and GlobalBlock services, which are not counted in any public document but which I estimate are measured in five figures.
Senator says domain industry “enables” Russian disinfo attacks
An influential US senator has accused major registries and registrars including GoDaddy and Namecheap of facilitating Russian disinformation campaigns.
Senator Mark Warner, the Democrat chair of the Senate Select Committee on Intelligence, told registrars that “legislative remedies” may be required unless they “take immediate steps to address the continued abuse of your services for foreign covert influence”.
The threat came in letters sent to registrar groups Namecheap, GoDaddy, Cloudflare, NewFold Digital, NameSilo, and .com registry Verisign today.
Warner’s letters seem to have been inspired by Facebook owner Meta, perhaps the domain industry’s most prolific antagonist, and align closely with Meta’s views on issues such as cybersquatting and Whois access.
The criticisms also stem from a recent FBI seizure of 32 domains that were being use to proliferate fake news about the invasion of Ukraine and the upcoming US presidential election.
The Russian campaign, known as Doppelganger, used domains such as fox-news.in and washingtonpost.pm to trick visitor into thinking they were reading news sources they trust.
Warner tells the registrars (pdf) they have “ostensibly facilitated sustained covert influence activity by the Russian Federation and influence networks operating on its behalf”.
The main concern appears to be the lack of access to private information in Whois records. Warner’s list of industry sins includes:
withholding vital domain name registration information from good-faith researchers and digital forensic investigators, ignoring inaccurate registration information submitted by registrants, and failing to identify repeated instances of intentional and malicious domain name squatting used to impersonate legitimate organizations
Warner called for “immediate” action “to address the continued abuse of your services” as the US presidential election looms, and in its aftermath. Voters go to the polls November 5.
Former .co registry defeated in $350 million contract fix case
The Neustar spin-off that once operated the .co TLD reportedly has lost a case against the Colombian government in which it had sought $350 million in damages over the acrimonious renewal of its registry contract.
According to local reports, the International Center for the Settlement of Investment Disputes, part of the World Bank, last week ruled in favor of Colombia on both the merits and on jurisdictional grounds.
The case had been brought in late 2019 by Neustar, which at the time managed some 2.3 million .co domains, under government contract, via a Colombian subsidiary it acquired in 2014.
Neustar has since been acquired by GoDaddy, which continues to run .co, but the ICSID case was inherited by Vercara, the DNS security services arm of the company that GoDaddy didn’t buy.
As .CO Internet, Vercara was hired by Colombia to turn .co into a global alternative to .com with a much-hyped 2010 relaunch. It was very successful, but when it came time to renew the initial 10-year contract, Colombia instead put it out for rebid and started behaving very strangely.
You may recall from coverage here on DI and on The Register that the Colombian tender process seemed to have been specially constructed so that only Afilias, then Neustar’s fiercest rival and now part of Identity Digital, could win.
The government’s RFP had set technical thresholds, such as daily registry transactions, that Afilias could show it met but Neustar could not. It looked naive and arbitrary at best and dodgy at worst.
So Neustar took Colombia to arbitration with ICSID, saying (pdf) the government was in breach of the Trade Promotion Agreement between the US and Colombia.
Neustar ended up winning the contract anyway, albeit on terms that were massively more favorable to the government, and it sold its entire registry services business to GoDaddy days later.
Now, almost five years later, it seems Vercara has lost the case it inherited. While ICSID has not yet published its arbitration panel’s decision, local newspapers have got hold of a copy.
Colombia’s oldest newspaper, El Spectador, reports: “The court, in addition to stating that it does not have jurisdiction to hear Vercara’s claims, rejected all the claims on the merits.”
In unrelated news, Vercara’s recently announced acquisition by DigiCert closed yesterday.
GoDaddy likely to win relaxed .xxx deal
GoDaddy seems set to get a renewed and relaxed .xxx registry contract, after ICANN dismissed the concerns of critics of the deal.
In a much-delayed analysis of submissions to a recent public comment period, Org indicated that it is in favor of GoDaddy, via subsidiary ICM Registry, migrating to a Registry Agreement much more in line with sister gTLDs .porn, .adult and .sex.
That would mean an end to the “sponsored” status of .xxx, removing the largely pointless restrictions and streamlining the registration process, and the dissolution of IFFOR, the nominal sponsor, which was criticized by one commenter as a toothless “gravy train”.
Only nine comments were received, and views were mixed, but where commenters were critical of the proposed deal ICANN has stood firm.
Notably, Org dismissed the idea that a public comment period on a Registry Agreement renewal is an appropriate forum to question whether a signatory to that Registry Agreement has historically complied with its terms.
At least two commenters had raised issues, some of which I have reported, about whether ICM had stuck to promises related to funding IFFOR and whether IFFOR had stuck to promises to issue cash grants to worthy causes.
Commenters also said that ICM has already stopped verifying the identities of registrants in its made-up “sponsored community”, which would have enabled it to more easily tackle repeatedly abusive registrants.
But ICANN doesn’t think that kind of thing — which it files under “Misconceptions, assumptions, and allegations and claims” — is suitable for discussion in Public Comments.
“If there are concerns regarding ICM’s compliance with the .XXX RA, such concerns (if any) should be raised with ICANN Compliance for investigation and are considered outside of the scope of this Public Comment proceeding,” the analysis reads.
There’s also no need to replace ICM’s sponsorship commitments with Public Interest Commitments along the lines of those found in most post-2012 gTLDs, according to the Org analysis.
“ICANN has not identified a need to add further, new obligations for the operation of .XXX or to treat .XXX differently than other adult-themed gTLDs, particularly in light of the similar PICs that the .ADULT, .PORN, and .SEX gTLDs have utilized for approximately the last decade,” it reads.
The .xxx agreement was due to expire in early 2021, but its term has been repeatedly extended as negotiations continued behind the scenes. Likewise, the public comment analysis was originally due to be published in late May but was repeatedly delayed.
It’s now up to ICANN’s board of directors, which has already been briefed on the analysis contents, to approve the renegotiated deal.
Hackers break .mobi after Whois domain expires
It’s probably a bad idea to let a critical infrastructure domain expire, even if you don’t use it any more, as Identity Digital seems to be discovering this week.
White-hat hackers at WatchTowr today published research showing how they managed to undermine SSL security in the entire .mobi TLD, by registering an expired domain previously used as the registry’s Whois server.
Identity Digital, which now runs .mobi after a series of acquisitions, originally used whois.dotmobiregistry.net for its Whois server, but this later changed to whois.nic.mobi and the original domain expired last December.
WatchTowr spotted this, registered the name, and set up a Whois server there, which went on to receive 2.5 million queries from 135,000 systems in less than a week.
Sources of the queries included security tools such as VirusTotal and URLSCAN, which apparently hadn’t updated the hard-coded Whois URL list in their software, the researchers said.
GoDaddy and Domain.com were among the registrars whose Whois tools were sending queries to the outdated URL, WatchTowr found.
Incredibly, so was Name.com, which is owned by Identity Digital, the actual .mobi registry.
More worryingly, it seems some Certificate Authorities, responsible for issuing the digital certificates that make SSL work, were also using the old Whois address to verify domain ownership.
WatchTowr says it was possible to obtain a cert for microsoft.mobi by providing its own email address in a phony Whois record served up by its bogus Whois server.
“Effectively, we had inadvertently undermined the CA process for the entire .mobi TLD,” the researchers wrote.
They said they would have also been able to send malicious code payloads to vulnerable Whois clients.
While WatchTowr’s research doesn’t mention ICANN, it might be worth noting that the change from whois.dotmobiregistry.net to whois.nic.mobi is very probably a result of .mobi’s transition to a standardized gTLD registry contract, which requires all registries to use the whois.nic.[TLD] format for their Whois servers.
As a pre-2012 gTLD, .mobi did not have this requirement until it signed a new Registry Agreement in 2017. There are still some legacy gTLDs, such as .post, that have not migrated to the new standard URL format.
The WatchTowr research, with a plentiful side order of cockiness, can be read in full here.
Microsoft switches two gTLDs from GoDaddy to Nominet
Microsoft has moved two of its branded gTLDs from GoDaddy’s registry back-end to Nominet’s.
Records show that .skype and .office both recently made the switch.
Microsoft had already moved six TLDs — .azure, .bing, .hotmail, .microsoft, .windows and .xbox — from Verisign to Nominet about a year ago, and .skype and .office mean its whole collection is now on Nominet’s service.
While .office isn’t technically a dot-brand because it does not have a Spec13 exemption in its ICANN contract, it is in use — you can log in to your email and other services, at least for now, via www.office.
.skype, meanwhile, has a handful of domains that work as redirects to skype.com.
Recent Comments