Latest news of the domain name industry

Recent Posts

GoDaddy among five companies competing for .za contract

Kevin Murphy, February 21, 2022, Domain Registries

Five companies are bidding for the contract to run the back-end for South Africa’s .za domains, which is expected to be awarded shortly.

Local ccTLD overseer ZADNA has named ZA Registry Consortium (ZARC), Lexreg and Fevertree Consulting Consortium, GoDaddy Registry, The Bean App & GMO Internet Group, and Catalytic Peter capital Consortium as respondents to its 2021 RFP.

Of those, only GoDaddy is a lone bidder, and the only one without an obvious South African partner. The rest are consortia, apparently newly created to bid for the contract.

ZARC is a venture of incumbent back-end ZA Central Registry and its affiliated commercial arm Domain Name Services, according to ZACR.

Lexreg and Fevertree Consulting Consortium appears to be made up of local corporate registrar Lexsynergy and a South African consulting firm.

The Bean App is a South African startup registrar. Its partner GMO is the Japanese registry provider behind .shop and a bunch of geographic and dot-brand gTLDs.

I’m sorry to say I have no idea what “Catalytic Peter” is. It has no internet footprint and ZADNA has not revealed any information beyond the name.

ZADNA said it is “currently at the advanced stage of the final checkpoints of the procurement process.”

.za has over 1.3 million domains and over 600 registrars. While ZACR currently runs four additional African geographic gTLDs, .za is by far its biggest deal in terms of registrations.

GoDaddy Registry to raise some TLD prices, lower others

Kevin Murphy, February 16, 2022, Domain Registries

GoDaddy Registry is to raise the base price of three of its recent acquired gTLDs and lower the price on three others.

The company is telling registrars that the prices of .biz, .club and .design domains are going up later this year, while the prices of .luxe, .abogado and .case are going down.

For .biz, which GoDaddy took over when it acquired Neustar’s registry business in 2020, the price will increase by $0.87 to $13.50.

While .biz hasn’t been price-regulated by ICANN since 2019, the new rise is lower than the annual 10% it was allowed to impose under its previous, price-capped contracts. It’s around 7% this year, roughly in line with .com’s capped increase. It will mean the price of a .biz has gone up by over 70% in the last decade.

For .club, which GoDaddy acquired last year, registrations, renewals and transfers are going up by a dollar to $10.95, the fourth consecutive year in which .club fees have increased.

It’s in the ball-park of what previous owner .CLUB Domains was already doing — .club launched in 2014 with a $8.05 fee, but that went up to $8.95 in 2019, then $9.45 in 2020, then $9.95 last year.

.club has about a million domains under management at the moment. If that level holds, it’s an extra million bucks a year to GoDaddy, which frankly will barely register on the company’s now billion-dollars-a-quarter income statement.

For lower-volume .design, another one of the 2021 acquisitions, the price is going up by $2 to $35.

All of these price changes go into effect September 1 this year, giving registrants over six months to lock-in their pricing for up to 10 years by committing to a multi-year renewal before the changes kick in.

Registrars in most cases pass on registry price increases to their customers, but they don’t have the same six-month notification obligations as registries.

For three other GoDaddy Registry TLDs, prices are coming down in the same timeframe, so registrants may wish to see if the savings are passed on in future by registrars.

.luxe prices are going down from $15 a year to $12, .abogado is going down from $25 to $20 and .casa is going down from $7.50 to $6. The latter two mean “lawyer” and “home” respectively in Spanish.

GoDaddy isn’t currently altering the regular price of the TLDs it acquired from MMX, but it is bumping the restore fee for expired domains by $10 to $40, bringing them into line with .com.

GoDaddy now making over $1 billion a quarter

Kevin Murphy, February 11, 2022, Domain Registrars

It doesn’t seem like five minutes ago that GoDaddy became the first domain registrar to top $1 billion in annual revenue. It was actually 2013. Now, it’s doing that in a quarter.

The company last night reported fourth-quarter revenue of $1.02 billion, almost half of which was from domains, up from $873.9 million a year earlier.

Domains revenue was up a whopping 23.6% at $497.3 million, but this was mainly due to aftermarket sales and the registry business.

The company does not report its domains under management, growth or renewal rates in its quarterly earnings announcements.

CFO Mark McCaffrey told analysts that up to two thirds of the growth could be attributed to the aftermarket, where domains sell at premium prices, and GoDaddy “saw an uptick in both volume and average deal size”.

He also highlighted GoDaddy Registry as a key growth contributor, due to the launch in Q4 of a “reputation protection solution” that I can only assume refers to the AdultBlock service that blocks trademarks in the company’s four porn gTLDs.

GoDaddy sent out renewal notices for AdultBlock, valued at as much as $30 million, in December.

It’s not currently possible to measure the success of AdultBlock from public data sources. GoDaddy expunged the roughly 80,000 blocked .xxx domains from its zone file on December 1. Whereas they previously resolved to a registry placeholder, now they do not resolve at all.

Domains revenue for the full year was $1.81 billion, up 19.5%. Including non-domains businesses, annual revenue was $3.81 billion, up 15%.

The company had 2021 net income of $242.8 million, reversing a loss of $494.1 million in 2020.

.xxx shows up in botnet top-five TLDs for the first time

Kevin Murphy, January 21, 2022, Domain Registries

It is a truth universally acknowledged that the cheaper a TLD, the more likely it is to be abused by bad actors, and that may be what happened to .xxx in the fourth quarter.

SpamHaus listed .xxx as its fourth most-abused TLD for botnet command and control domains in its newly published Q4 statistics, a new entry on the top 20 table that raised researchers’ eyebrows.

From zero, .xxx went up to 223 C&C domains in the period, sandwiched between .ga’s 143 and .xyz’s 396, SpamHaus said. It worked out to 2.4% of .xxx’s active domains, the compamny said.

.com was of course still the runaway leader, with 3,719 C&C domains. .top came in second, with 715 domains.

SpamHaus said:

We don’t often see new TLD entries within the top five of this Botnet C&C Top 20; however, .xxx, an adult TLD, run by registry ICM, has entered at #4. With less than 10,000 active domains but a total of 223 domains associated with botnet C&C activity in Q4 we can only assume that there are problems.

It’s noteworthy because .xxx is not a cheap TLD. With wholesale prices around $60, they usually sell for around $100 a year. Botnet operators, like other types of malefactor, usually choose cheap domains for their activities.

But in 2021 .xxx was celebrating its 10th anniversary, and at least one company was offering names at a .com-equivalent $10 a year, starting in the middle of the year and extending into Q4.

While .xxx registry ICM is now owned by GoDaddy, it was still part of MMX at the time the pricing promotion began.

New gTLD pioneer MMX to wind up

Kevin Murphy, January 14, 2022, Domain Registries

MMX, the new gTLD registry also known as Minds + Machines, has decided to close down and de-list.

The company said today that it plans to return its remaining cash to investors through a tender offer and then cancel its remaining shares, which are listed on London’s Alternative Investment Market.

The cancellation plan is subject to shareholder approval at a February 7 general meeting, but the tender does not require approval.

MMX will buy back shares to the tune of £19 million ($26 million) at 10.4 pence per share, a premium of 26.1% on yesterday’s closing price and 24.8% on the last month’s average price.

It follows an $80 million tender offer completed in October.

MMX sold off its major assets — 22 new gTLD registry contracts — to GoDaddy last year in a $120 million deal, and has wound down its legacy registrar businesses.

Now, all that remains is a transition services agreement with GoDaddy, which will soon end.

There had been talk of using the AIM listing as a reverse-takeover vehicle for an operating business seeking quick access to the public markets, but it appears that’s no longer on the table.

If everything goes according to plan, MMX will cease to exist as a public company on February 22. Shareholders have until January 28 to accept the tender offer.

It seems the remaining shareholders will be losing out — if the tender offer is fully subscribed, they’ll only get to sell one share for every 1.485 shares they currently own.

“National security” cited as registry says you have to ask its CEO if you want to register more than TWO domains

Kevin Murphy, January 10, 2022, Domain Registries

India, a country with some 2.2 million ccTLD domains, has implemented perhaps the strangest and most Draconian restrictions on bulk registration of modern times.

The local registry, NIXI, informed its registrars all over the world in late December that they will have to seek formal written permission directly from the CEO if a customer wishes to register more than two .in domains.

Registrars breaking the rules face losing their accreditation, NIXI said.

A terse notice (pdf) published on the registry’s web site, signed by CEO Anil Kumar Jain, reads:

It is decided that a written approval of CEO, NIXI is required if an individual Registrant submit a request for registering more than two domains.

In case a registered accredited company try to book domains more than 100 than also a written approval of CEO, NIXI is required.

In case any Registrar is booking domains violating the above norms NIXI has right to disallow/disconnect the domains booking under that category. A process may be initiated for de-accreditation of such Registrar.

Approval will be given within 24 hours of a request, regardless of weekends or holidays, the notice reads.

Asked for clarification, Jain told DI in an email that the “new procedure is drawn after reviewing national security concerns” and that “NIXI registry is not stopping any domain registration.”

“An individual can book up to 2 domains and a company can book up to 100 domains without permissions,” he wrote. “Permission sought is given within 24 hrs.”

The new rule has registrars scratching their heads, with one describing it as “crazy”, “very vague” and very difficult to enforce.

NIXI uses GoDaddy Registry as its back-end, but GoDaddy does not appear to be playing a role in the implementation of the new policy. A spokesperson said in a statement:

At this time, the responsibilities are on the registrars and it’s a discussion between NIXI and them. As the back-end provider, we work closely with .in on any changes they would like to make at the registry level.

GoDaddy gets another year to negotiate .xxx contract

Kevin Murphy, December 15, 2021, Domain Registries

ICANN and GoDaddy seem to have missed their deadline for long-term renewal of their .xxx registry agreement for a second time.

The contract was extended earlier this week until December 15, 2022, giving the parties another full year to bash out whatever amendments are needed.

The initial deal, signed in 2011, was due to expire March 31, but was extended until today to give more time for renegotiation.

.xxx was the last gTLD approved prior to the 2012 application round, and as such it has a few differences to the standard gTLD contract.

The fee structure is particularly complicated; originally, the registry had to pay ICANN $2 per domain, to stuff ICANN’s war chest for anticipated litigation, but that has been reduced through amendments over the years.

ICANN is always keen to bring older contracts into line with the standard Registry Agreement.

The .xxx contract, like legacy gTLDs before it, will be subject to public comment before approval.

GoDaddy is currently pushing renewals for its AdultBlock trademark-protection services.

GoDaddy wins .tv contract after Verisign blows off 20-year deal

Kevin Murphy, December 14, 2021, Domain Registries

GoDaddy is taking over the contract to run .tv from Verisign, after Verisign didn’t even bother to bid for renewal.

The deal brings to an end a relationship between Verisign and the tiny Pacific island nation of Tuvalu that has lasted 20 years and contributed millions to the country’s economy.

The country’s communications ministry said on its Facebook page that GoDaddy Registry was selected after a “competitive tender process”, but DI understands that Verisign did not participate.

While terms of the new GoDaddy deal have not been disclosed, it seems likely that Tuvalu was looking for a far bigger slice of the pie than the $5 million a year it was getting from Verisign, and for moneybags Verisign, with its .com cash-printing machine, it simply wasn’t worth the hassle.

Tuvalu has around 11,000 inhabitants and gross national income of around $60 million — its .tv money was a big deal for the country, even at the amount Verisign was paying.

With a likely bigger chunk of change coming from GoDaddy, it’s going to have more to invest in what it calls its “digital nation” strategy, which appears to involve investing heavily in blockchain-based technologies to compensate for the fact that it may well disappear beneath the waves over the next few decades.

.tv is a cornerstone of this strategy, the government says.

There’s thought to be at least half a million registered .tv domains, and the bog-standard non-premiums retail for about $50 a year, so it’s been a nice little earner for Verisign over the last two decades.

The company first took on .tv in 2001 when it acquired startup .tv Corp, which had inked the original deal with Tuvalu in 1998, for $45 million. The contract has been renewed a few times since then.

The ccTLD was the first example of a mainstream TLD offering tiered pricing, with premium strings carrying bigger price tags — controversial 20 years ago, almost standard practice today.

There have been reports over the years that the country thought it was getting short-changed by the deal, and the contract was put up for bidding earlier this year.

Despite reports that the tender seemed suspiciously tailored for a Donuts win, it seems GoDaddy has emerged the victor.

One can only assume it’s offered Tuvalu a bigger slice of the pie, which is what it had to do (under its previous incarnation as Neustar) to keep hold of the contract to run Colombia’s .co last year.

Neither Verisign nor GoDaddy has publicly released a statement about the switch. While it’s a lot of money, it’s not strictly material to either company’s already swollen top lines.

GoDaddy hack exposed a million customer passwords

Kevin Murphy, November 24, 2021, Domain Registrars

GoDaddy’s systems got hacked recently, exposing up to 1.2 million customer emails and passwords.

The attack started on September 6 and targeted Managed WordPress users, the company’s chief information security officer Demetrius Comes disclosed in a blog post and regulatory filing this week.

The compromised data included email addresses and customer numbers, the original WordPress admin password, the FTP and database user names and passwords, and some SSL private keys.

In cases where the compromised passwords were still in use, the company said it has reset those passwords and informed its customers. The breached SSL certs are being replaced.

GoDaddy discovered the hack November 17 and disclosed it November 22.

It sounds rather like the attack may have been a result of a phishing attack against a GoDaddy employee. The company said the attacker used a “compromised password” to infiltrate its WordPress provisioning system.

Comes wrote in his blog post:

We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection

You may recall that GoDaddy came under fire last December for punking its employees with a fake email promising an end-of-year bonus, which turned out to be an “insensitive” component of an anti-phishing training program.

About 500 staff reportedly failed the test.

Virgin territory as GoDaddy pushes $30 million porn domain renewals

Kevin Murphy, November 16, 2021, Domain Registries

Brand owners big and small are in for a potential surprise December 1, as their 10-year-old .xxx domain blocks expire and registrars bill their customers to convert them into a new annually-renewing GoDaddy service.

GoDaddy confirmed to DI today that it will “auto-convert” the old Sunrise B blocks, first sold by ICM Registry in 2011, to its new AdultBlock service, which provides essentially the same functionality but across four TLDs rather than one.

Tony Kirsch, head of professional services at GoDaddy Registry, said:

Registrars have been contacting all the Sunrise B owners and advising them that as of December 1 they will be grandfathered and automatically converted into an AdultBlock service, but they have a choice to expire that or stop that happening prior to December 1.

And if it is that they don’t do that before December 1, we’ll still give them a grace period of at least 45 days. If that happens they can then, as you’d normally do, just turn around to the registrar and say “We don’t want that” and we will of course refund the money.

This means that GoDaddy, which acquired .xxx and ICM from MMX earlier this year, is billing its .xxx registrar partners to convert and renew what could be as many as 81,000 Sunrise B blocks.

While the registry fee for AdultBlock has not been published, retail registrars I checked have priced the service at $370 to $400 per year, which we can probably assume is low-end pricing. Most .xxx domains are sold via the specialist brand-protection registrars like CSC and Markmonitor, which sometimes have more complex pricing.

So that’s something in the ballpark of $30 million worth of renewal invoices being sent out in the coming weeks, for something in many cases brand owners may have institutionally forgot about.

Kirsch said that AdultBlock was introduced by MMX about 18 months ago and that registrars have been preparing their customers for the Sunrise B expiration for some time.

Sunrise B was a program, unprecedented in the industry at the time, whereby trademark owners could pay a one-off fee — ICM charged its registrars about $160 wholesale — to have their brands removed from the available pool.

The domains exist in the .xxx zone file and resolve to a black page bearing the words “This domain has been reserved from registration”, but they’re not registered and usable like normal defensive or sunrise registrations would be.

Companies got to avoid not only the potential embarrassment of being porn-squatted, but also the hassle of having to explain to a tabloid reporter why they “owned” the .xxx domain in question.

The term of the Sunrise B block was 10 years. ICM told me at the time that this was because the company’s initial registry contract with ICANN only lasted for 10 years, so it was legally unable to sell longer-term blocks, but I’ve never been sure how much I buy that explanation.

Regardless, that 10 year period comes to an end in two weeks.

Because Sunrise B was unprecedented, this first renewal phase is also unprecedented. We’re in virgin territory (pun, of course, very much intended) here.

Will we see the industry’s first public “block junk drop”?

There are a number of reasons to believe trademark owners, assuming they don’t just blindly pay their registrar’s invoices, would choose to allow their blocks to expire or to ask for a refund after the fact.

First, the price has gone up — a lot.

While ICM charged $160 for a 10-year Sunrise B block (maybe marked up by registrars to a few hundred bucks) brand owners can expect to pay something like $3,000 retail for a single string blocked for 10 years.

But buyers do get a bit more bang for their buck. Unlike Sunrise B, AdultBlock also blocks the trademark in three additional GoDaddy-owned TLDs — .porn, .sex and .adult — as standard.

Kirsch said he expects buyers to see a 40% to 50% saving compared to the cost of defensively registering each domain individually.

Second, the appetite for defensive registrations has waned over the past 10 years, with trademark owners employing more nuanced approaches to brand protection, largely due to the flood of new gTLDs since 2013.

When .adult, .sex and .porn launched, without the possibility of Sunrise B blocks, they got about 2,000 regular sunrise registrations each. And that’s extraordinarily high — for most new gTLDs a couple hundred was a good turnout.

Third, the .xxx launch attracted a whole lot of controversy and overreaction, and the .xxx zone file today contains a lot of Sunrise B crap.

When I scrolled a little through the zone, cherry-picking silly-looking blocks in 2019, I found these examples:

100percentwholewheatthatkidslovetoeat.xxx, 101waystoleaveagameshow.xxx, 1firstnationalmergersandacquisitions.xxx, 1stchoiceliquorsuperstore.xxx, 2bupushingalltherightbuttons.xxx, 247claimsservicethesupportyouneed30minutesguaranteed.xxx, 3pathpowerdeliverysystembypioneermagneticsinc.xxx

Is it worth $400 a year to block the trademark “100 Percent Whole Wheat That Kids Love To Eat”? Is there any real danger of a cybersquatter going after that particular brand (apart from the fact that I’ve now written about it twice)?

Kirsch said a “small percentage” of Sunrise B owners have already said they don’t want to convert, but given that the rest will auto-convert, and that the registrars are doing all the customer-facing stuff, the company has limited visibility into likely uptake.

Brian King, director of policy at MarkMonitor, told us: “We generally encourage our clients to consider blocks. They can be cost effective and a lot of times clients would rather have their brand be unavailable without having to register in TLDs where they don’t want to own domain registrations for any number of reasons.”

One reason brand owners may want to consider converting to AdultBlock — it’s rumored that GoDaddy will be relaxing its eligibility criteria for .xxx next year, removing the requirement for registrants to have a nexus to the porn industry.

It’s always been kind of a bullshit rule, basically a hack to allow ICM to run a “sponsored” TLD under ICANN’s rules from the 2003 application round, but doing away with it would potentially make it easier for cybersquatters to get their hands on .xxx domains.

CSC told customers in a recent webinar that the rules are likely to be changed next year, increasing the risk of cybersquatting.

There’s some circumstantial evidence to suggest that CSC might be on to something — pretty much every “sponsored” gTLD from the same 2003 application round as .xxx has relaxed their reg rules to some extent, sometimes when their contracts come up for renewal and ICANN tries to normalize them with the text of the standard 2012-round agreement.

And GoDaddy’s .xxx contract with ICANN is being renegotiated right now. It was due to expire in March, but it was extended in February until December 15, a little under a month from now. We may soon see ICANN open up the new text for public comment.

Kirsch, who’s not part of the negotiations, could not confirm that the eligibility relaxation is going to happen or that it’s something GoDaddy is pushing for.

If it were to happen, it wouldn’t be for some time, and it wouldn’t necessarily impact on the December 1 deadline for Sunrise B conversions, which is going to be interesting to watch in its own right.

“There are registrations that are protecting people’s trademarks that are expiring and our primary objective here is to ensure that that protection continues, and that’s what we’ll do,” GoDaddy’s Kirsch said.

“If we just let them expire, it would create a lot of opportunity for brand infringement. Faced with that choice, our primary objective is to protect trademark owners,” he said.