presidenttrump.xxx among thousands of dead .xxx domains suddenly springing to life

Celebrities, politicians, tech bros, and hundreds of household brands are among the registrants of roughly 30,000 dormant .xxx domains that have suddenly awoke and found themselves live on the internet.

The sudden explosion of newly live domains happened around May 20, when .xxx registry GoDaddy made some technical changes to its .xxx database as a result of the TLD’s move from “sponsored” to open.

The move means names such as presidenttrump.xxx, presidentobama.xxx, elonmusk.xxx, kanye.xxx, jeffbezos.xxx, adele.xxx and scarlettjohansson.xxx are all suddenly real, resolving domains that could be configured to host web sites for the first time in a decade or more.

If they are defensive registrations, that’s arguably no big deal. If they are registered to third parties, the registrants are now free to throw up any AI-generated Rule 34 mischief they wish.

The .xxx zone file popped from around 6,500 domains to almost 36,000 by May 22, as GoDaddy lifted serverHold status from each affected domain. In the vast majority of cases, these will be domains defensively registered by brand owners, some as far back as 2011, or attempted cybersquats.

From launch until this year, .xxx was considered a sponsored gTLD. Anyone could register a domain, but the registry would keep the names dormant, non-resolving, and out of the zone file until the registrant applied for “Membership” of the porn community and obtained a special software token that their registrar could use to activate the domain.

Because .xxx is no longer a sponsored gTLD, the registry is sunsetting the token system. The current phase of this process has seen GoDaddy remove the serverHold status for domains where the registrant never bothered to obtain their token.

This means that the defensive domains are now discoverable via the zone file for the first time, revealing which brands considered themselves particularly vulnerable to cybersquatting.

Spare a thought for the registrant, presumably Big Three management consultancy Bain, which seems to have been spending north of four grand a year since 2012 sitting on this stash of domains:

bain-blows.xxx, bain-stinks.xxx, bain-sucks.xxx, bainbaingoaway.xxx, bainblows.xxx, baincapital-blows.xxx, baincapital-stinks.xxx, baincapital-sucks.xxx, baincapitalblows.xxx, baincapitaldestroysjobs.xxx, baincapitalfiredme.xxx, baincapitalhypocrisy.xxx, baincapitalkillsjobs.xxx, baincapitallies.xxx, baincapitalliesaboutjobs.xxx, baincapitallootsjobs.xxx, baincapitalscam.xxx, baincapitalscrewspeople.xxx, baincapitalscrewspoorpeople.xxx, baincapitalscrewsthepoor.xxx, baincapitalsteals.xxx, baincapitalstealsfrompoorpeople.xxx, baincapitalstealsfromtaxpayers.xxx, baincapitalstealsfromthepoor.xxx, baincapitalstealspensions.xxx, baincapitalstinks.xxx, baincapitalsucks.xxx, baincapitalventures.xxx, baincapitalvultures.xxx, baincausespain.xxx, baincrapital.xxx, baincrematesjobs.xxx, baindestroysjobs.xxx, bainfiredme.xxx, bainhypocrisy.xxx, bainkillsjobs.xxx, bainlies.xxx, bainliesaboutjobs.xxx, bainlootsjobs.xxx, bainscam.xxx, bainscrewedme.xxx, bainscrewspeople.xxx, bainscrewspoorpeople.xxx, bainscrewsthepoor.xxx, bainsteals.xxx, bainstealsfrompoorpeople.xxx, bainstealsfromtaxpayers.xxx, bainstealsfromthepoor.xxx, bainstealspensions.xxx, bainstinks.xxx, bainsucks.xxx, bainthepredator.xxx, bainvultures.xxx, bewareofbain.xxx, blamebain.xxx, boycotbain.xxx, boycotbaincapital.xxx, fuckbain.xxx, fuckbaincapital.xxx, gotohellbain.xxx, occupybain.xxx, occupybaincapital.xxx, puttheblameonbain.xxx, saynotobain.xxx, thehypocrisyofbain.xxx, thehypocrisyofbaincapital.xxx, therealbain.xxx, therealbaincapital.xxx

(In 2012, Bain was closely associated with Republican US Presidential candidate Mitt Romney, its former CEO.)

The newly visible .xxx domains do not paint the full picture of defensive registrations in the gTLD. There are another roughly 8,000 registered .xxx domains that do not yet appear in the zone files, according to registry transaction reports.

There are also an unknown number of brands being blocked there, which do not show up in public records, as a result of GoDaddy’s AdultBlock and GlobalBlock services.

GoDaddy loses .co to Team Internet

Team Internet is to take over back-end duties for .co, after agreeing to take less than half as much as GoDaddy was charging.

The London-based company has teamed up on a joint venture, Equipo PuntoCo, with Panama-based registrar CCI REG to sign a 10-year deal with Colombia’s communications ministry, MINTIC.

The handover will put an end to GoDaddy’s 15-year stint as .co’s back end. The TLD was relaunched globally as a .com alternative in 2010 by .CO Internet, which was subsequently acquired by Neustar and then GoDaddy.

It seems Team Internet was willing to price its services much lower than GoDaddy. The company said in a statement that Equipo PuntoCo is getting 8% of gross revenue from .co sales, compared to the 19% GoDaddy was getting and the 93% .CO Internet originally received. The rest goes into the Colombian public purse.

While it’s not the biggest TLD on Team Internet’s servers (that honor goes to .xyz), it’s going to be the second or third largest migration of a single TLD between registry services providers in the history of the DNS.

.co had about 3.2 million domains at the start of the year. Today, Team Internet says it has “more than 3 million”. It’s the same ballpark as .au’s 2018 move from Neustar to Afilias, which was 3.1 million names, but a million shy of this year’s migration of .in from GoDaddy to Tucows.

When it comes to retaining the big ccTLDs, it seems GoDaddy really can’t catch a break.

Radix and Identity Digital also competed for the contract.

GoDaddy loses last Amazon business to Identity Digital

GoDaddy appears to have lost the last remnants of its Amazon back-end registry services deal.

IANA records show that GoDaddy was recently replaced by Identity Digital as the technical contact for all of the remaining 12 gTLDs it was serving.

The gTLDs in question are: .coupon, .song, .zero and the IDNs .ストア, .セール, .家電, .クラウド, .食品, .ファッション, .書籍, .ポイント and .通販, which are generic terms for things like “fashion” and “books”.

Five of the IDNs have actually launched and have been generally available for years, but they’re been phenomenally unsuccessful — the largest zone has just 146 domains in it. The remaining seven are dormant, unlaunched.

Amazon originally used GoDaddy (then Neustar) for all 54 of the gTLDs it successfully applied for back in the 2012 gTLD application round, but it switched all but 12 of them to Nominet back in 2019, where they remain today.

Zoom says GoDaddy took it down for hours

A screwup by MarkMonitor and GoDaddy was responsible for a two-hour outage affecting Zoom’s videoconferencing services yesterday, according to the company.

The widely used services were offline between 1825 and 2012 UTC yesterday because GoDaddy Registry, apparently acting under MarkMonitor’s instructions, shut down the zoom.us domain.

Screenshots posted to social media show zoom.us returning an NXDOMAIN error in web browsers. In-progress conference calls were reportedly shut off mid-stream.

Zoom said in a statement:

On April 16, between 2:25 P.M. ET and 4:12 P.M. ET, the domain zoom.us was not available due to a server block by GoDaddy Registry. This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain.

Zoom, Markmonitor and GoDaddy worked quickly to identify and remove the block, which restored service to the domain zoom.us. There was no product, security, network failure or Distributed Denial of Service (DDoS) attack at Zoom during the outage. GoDaddy and Markmonitor are working together to prevent this from happening again.

It’s not entirely clear what is meant by “server block”, but it sounds consistent with a serverHold EPP status, where a registry prevents a domain from resolving in the DNS.

GoDaddy is the registry for .us domains. MarkMonitor is a hands-on corporate registrar dealing primarily with high-value brand clients.

Zoom is the incredibly popular conferencing service that grew to such popularity during the pandemic one could almost argue that it could be considered critical infrastructure.

While two hours downtime is hardly the end of the world, it’s still one hell of a screwup.

.co deal worth $77 million up for grabs

The Colombian government has put the contract to run .co out for bidding, and it looks like the successful registry could make as much as $77 million over the lifetime of the deal.

GoDaddy currently runs .co through its subsidiary .CO Internet, which it acquired when in bought Neustar five years ago. The government’s RFP does not rule out the incumbent reapplying despite some friction in the past.

It’s not simply a back-end registry services deal. The successful registry will have to be the public face of .co too, handling front-of-house services and marketing as well.

Extrapolating from some figures and formulas in the RFP, it seems GoDaddy’s share (19% of the total revenue) has worked out to about $7.7 million a year on average over the last five years. The new contract would be a 10-year deal.

But is .co on the decline? According to the RFP, the were 3,217,570 .co domains in January this year, down from 3.4 million in 2022 and 3.3 million in 2023. Numbers for 2024 were not included.

That downward trend may merely be the post-Covid slump experienced by many TLDs. Indeed, when the current contract was signed in 2020, there were just 2.3 million .co domains under management, so GoDaddy’s done a pretty good job of growing the namespace.

Largest back-end switch EVER as GoDaddy loses deal

It’s going to be the largest ever migration of a single TLD between back-end registry service providers, but it was announced without fanfare late last week.

On page four of Tucows CEO Elliot Noss’s prepared fourth-quarter remarks to analysts last week, he revealed the company has beaten GoDaddy to take over the contract to run India’s .in ccTLD:

Tucows Domains was recently selected to be the technical services provider for the .IN country code domain, operated by the National Internet Exchange of India. Our teams are closely collaborating and we are establishing a dedicated team in India to support this initiative

Noss said that the migration involves “approximately 4 million domains” and will take place “later this year”.

While NIXI does not publish its registration numbers, Verisign’s Domain Name industry Brief put .in at 4.1 million names at the end of 2024.

Even accounting for upwards rounding by Noss, 4 million names would make the migration the largest in the history of the DNS.

The current record was set in 2018, when Afilias (now Identity Digital) took over Australia’s .au from Neustar (now GoDaddy. There were 3.1 million names in .au at that time.

When Neustar/GoDaddy took over .in from Afilias/Identity Digital in 2019, it was reportedly because it had bid $0.70 per domain, undercutting the incumbent’s offer of $1.10

But, while the deal is surely worth many millions (maybe $10 million over five years if we guess at a $0.50 bid) to Tucows’ top line, it may not be especially profitable.

Noss said in his remarks to analysts: “The pricing and margin contribution for this piece of business is typical of a large, high volume customer.”

But a demonstrable track record of handling large migrations often comes up in registry RFPs, so the .in deal puts Tucows in a strong position in future contract opportunities.

Super Bowl a bit of a dud for .com?

Having two of its largest registrars advertising during Sunday’s Super Bowl broadcast doesn’t seem to have given Verisign’s declining .com flagship much of a boost.

According to numbers published on the company’s web site, .com has grown by about 30,000 domains in the last two days.

While that’s certainly not to be sniffed it, it’s well within the parameters of a normal day’s operation for .com. The TLD’s zone file shrinks more days than it grows nowadays, but five-figure daily upticks are not uncommon.

GoDaddy and Squarespace both took out 30-second spots during the Super Bowl. Both featured high-profile actors and had high production values, but neither mentioned domain names once.

GoDaddy’s focused on its Airo tool and Squarespace’s… goodness knows what that was all about.

Verisign CEO Jim Bidzos last week told analysts that the two commercials were a sign that its registrar partners are starting to focus more on customer acquisition, which should help .com return to growth.

GoDaddy ordered to stop lying about crappy security

GoDaddy has agreed to roll out some pretty basic security measures and has been told to stop lying about how secure its hosting is, under an agreement with US regulators.

It turns out that the company, while claiming that security “was at the core of everything we do”, was failing to do some pretty basic stuff like installing software patches, retiring end-of-life servers, or securing internet-facing APIs.

Its settlement with the Federal Trade Commission finds that GoDaddy engaged in “false or misleading” advertising and orders that it “must not misrepresent in any manner” its security profile in future.

The FTC complaint (pdf), filed in 2023 after reports of mass hacking incidents, states:

Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment. Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats.

The complaint says that GoDaddy had a slack patching regime that was left up to individual product teams to execute, with no centralized management.

This meant thousands of boxes in its Shared Hosting environment were subject to critical vulnerabilities that allowed bad guys to get in and steal data such as user credentials and credit card info for months.

The complaint also describes a custom internet-facing API designed to enable customer support staff to access details about managed WordPress users, such as login credentials.

This API was apparently open to the internet, unfirewalled, used plaintext for credentials, and had no multi-factor authentication in place, again enabling hackers to steal data.

One or more “threat actors” abused this lax security to pwn tens of thousands of servers between October 2019 and December 2022, according to the complaint.

The settlement (pdf), in which GoDaddy does not admit or deny any wrongdoing, does not come with an associated fine.

Instead, GoDaddy has agreed to a fairly extensive list of requirements designed to increase the security of its hosting services.

ICANN lawyers want to keep their clients secret

IP lawyers in the ICANN community have come out swinging against proposed rules that would require them to come clean about who they work for, rules that are supported by registrars and governments.

A proposed policy that would force lawyers to disclose the identities of their clients when they participate in policy-making would violate their clients’ human rights, according to the Intellectual Property Constituency.

The criticisms came in response to an ICANN public comment period on a draft Community Participant Code of Conduct Concerning Statements of Interest, which opened in October and closed this week.

The draft would close a loophole that allows ICANN policy makers to keep their potential conflicts of interest secret when “professional ethical obligations” prevent them from disclosing this information.

“When disclosure cannot be made, the participant must not participate in ICANN processes on that issue,” the draft states.

The changes are keenly supported by the Registrar Stakeholder Group as a whole and by GoDaddy and Tucows in particular. As far as the registrars are concerned, the main problem with the draft is the somewhat vague enforcement mechanisms.

GoDaddy, for example, said in its comments:

We recognize that there may be situations in which a party is unable to disclose their client(s), and in those rare cases, GoDaddy agrees with ICANN’s conclusion that the participant forfeits the ability to participate in associated processes.

It added, echoing the RrSG as a whole, that more clarity is needed on enforcement, where the buck seems to stop with the chair of the working group where the disclosure infraction is alleged to have taken place, with no escalation.

On the opposing side are the IPC, the Business Constituency, and the International Trademark Association, which all filed comments criticizing the proposed changes. The IPC said:

The often-argued response of having attorneys not participate if they fail to uphold their ethical duty to their clients effectively vitiates the human right of representation by counsel and is not for the public benefit. ICANN has agreed to uphold human rights and therefore counsel cannot be compelled to disclose client identity.

Two of the concerns from lawyers is that the policy could require their clients to divulge trade secrets, such as whether they intend to apply for a new gTLD in the forthcoming application round.

Perhaps anticipating the Governmental Advisory Committee’s expected support for the policy changes, which was no secret, the IPC also raises the specter of the policy being broad enough to apply to the governments themselves: should they all be compelled to reveal the names of all the lobbyists who knock on their doors?

This forcing of transparency of national interest would significantly inhibit GAC members from fulfilling their role. Imagine a GAC member from one country filing an SOI saying that their government was being lobbied by numerous parties to gain favor in the New gTLD Rounds?

The GAC’s response to the public comment period was in fact cautiously supportive of the rule changes, saying:

Prima facie, the proposal referring to Statements of Interests seems to be in the right direction, and to fulfil the expectations expressed by the GAC. At the same time, the GAC looks forward to the reactions from ICANN org to the views expressed during the public comment period

Like the registrars, the GAC is looking for more clarity on enforcement mechanisms.

The public comments will by summarized for publication mid-December and the ICANN board could take action on the proposals next year.

GoDaddy’s .xxx contract renewed

GoDaddy’s .xxx gTLD will no longer be “sponsored”, following a vote of ICANN’s board of directors last week.

At its ICANN 81 AGM in Istanbul, the board approved the renewal of GoDaddy subsidiary ICM Registry’s Registry Agreement.

The new deal closely follows the text of the standard RA most other gTLDs use, scrapping restrictions that GoDaddy found onerous but which were vital in getting the deal approved in the first place back in 2011.

It means the end of IFFOR, the International Foundation For Online Responsibility, the largely toothless oversight body that had been tasked with creating policies and issuing grants to worth causes but arguably did neither.

It also means less friction for the .xxx registration process, as registrants will no longer have to affirm they are members of the “sponsored community”, which never existed in any real sense anyway.

Some elements of the original sponsorship agreement, such as strict prohibitions on child sexual abuse material and the suggestion thereof, have been moved to Public Interest Commitments that ICANN could in theory enforce.

In its resolution text, ICANN noted that the Governmental Advisory Committee, which almost got .xxx killed off a couple decades ago, had not felt strongly enough about the new deal to publicly comment on it one way or the other.

.xxx makes most of its money from defensive registrations. It had almost 45,000 domains under management at the end of June, but barely 7,000 of those appeared in its zone file of the same date. That does not included domains blocked via the AdultBlock and GlobalBlock services, which are not counted in any public document but which I estimate are measured in five figures.