Major registries posting “fabricated” Whois data
One or more of the major gTLD registries are publishing Whois query data that may be “fabricated”, according to some of ICANN’s top security minds.
The Security and Stability Advisory Committee recently wrote to ICANN’s top brass to complain about inconsistent and possibly outright bogus reporting of Whois port 43 query volumes.
SSAC said (pdf):
it appears that the WHOIS query statistics provided to ICANN by registry operators as part of their monthly reporting obligations are generally not reliable. Some operators are using different methods to count queries, some are interpreting the registry contract differently, and some may be reporting numbers that are fabricated or otherwise not reflective of reality. Reliable reporting is essential to the ICANN community, especially to inform policy-making.
SSAC says that the inconsistency of the data makes it very difficult to make informed decisions about the future of Whois access and to determine the impact of GPDR.
While the letter does not name names, I’ve replicated some of SSAC’s research and I think I’m in a position to point fingers.
In my opinion, Google, Verisign, Afilias and Donuts appear to be the causes of the greatest concern for SSAC, but several others exhibit behavior SSAC is not happy about.
I reached out to these four registries on Wednesday and have published their responses, if I received any, below.
SSAC’s concerns relate to the monthly data dumps that gTLD registries new and old are contractually obliged to provide ICANN, which publishes the data three months later.
Some of these stats concern billable transactions such as registrations and renewals. Others are used to measure uptime obligations. Others are largely of academic interest.
One such stat is “Whois port 43 queries”, defined in gTLD contracts as “number of WHOIS (port-43) queries responded during the reporting period”.
According to SSAC, and confirmed by my look at the data, there appears to be a wide divergence in how registries and back-end registry services providers calculate this number.
The most obvious example of bogosity is that some registries are reporting identical numbers for each of their TLDs. SSAC chair Rod Rasmussen told DI:
The largest issue we saw at various registries was the reporting of the exact or near exact same number of queries for many or all of their supported TLDs, regardless of how many registered domain names are in those zones. That result is a statistical improbability so vanishingly small that it seems clear that they were reporting some sort of aggregate number for all their TLDs, either as a whole or divided amongst them.
While Rasmussen would not name the registries concerned, my research shows that the main culprit here appears to be Google.
In its December data dumps, it reported exactly 68,031,882 port 43 queries for each of its 45 gTLDs.
If these numbers are to be believed, .app with its 385,000 domains received precisely the same amount of port 43 interest as .gbiz, which has no registrations.
As SSAC points out, this is simply not plausible.
A Google spokesperson has not yet responded to DI’s request for comment.
Similarly, Afilias appears to have reported identical data for a subset of its dot-brand clients’ gTLDs, 16 of which purportedly had exactly 1,071,939 port 43 lookups in December.
Afilias has many more TLDs that did not report identical data.
An Afilias spokesperson told DI: “Afilias has submitted data to ICANN that addresses the anomaly and the update should be posted shortly.”
SSAC’s second beef is that one particular operator may have reported numbers that “were altered or synthesized”. SSAC said in its letter:
In a given month, the number of reported WHOIS queries for each of the operator’s TLDs is different. While some of the TLDs are much larger than others, the WHOIS query totals for them are close to each other. Further statistical analysis on the number of WHOIS queries per TLD revealed an abnormal distribution. For one month of data for one of the registries, the WHOIS query counts per TLD differed from the mean by about +/- 1%, nearly linearly. This appeared to be highly unusual, especially with TLDs that have different usage patterns and domain counts. There is a chance that the numbers were altered or synthesized.
I think SSAC could be referring here to either Donuts or Verisign.
Looking again at December’s data, all but one of Donuts’ gTLDs reported port 43 queries between 99.3% and 100.7% of the mean average of 458,658,327 queries.
Is it plausible that .gripe, with 1,200 registrations, is getting almost as much Whois traffic as .live, with 343,000? Seems unlikely.
Donuts has yet to provide DI with its comments on the SSAC letter. I’ll update this post and tweet the link if I receive any new information.
All of the gTLDs Verisign manages on behalf of dot-brand clients, and some of its own non-.com gTLDs, exhibit the same pattern as Donuts in terms of all queries falling within +/- 1% of the mean, which is around 431 million per month.
So, as I put to Verisign, .realtor (~40k regs) purportedly has roughly the same number of port 43 queries as .comsec (which hasn’t launched).
Verisign explained this by saying that almost all of the port 43 queries it reports come from its own systems. A spokesperson told DI:
The .realtor and .comsec query responses are almost all responses to our own monitoring tools. After explaining to SSAC how Verisign continuously monitors its systems and services (which may be active in tens or even hundreds of locations at any given time) we are confident that the accuracy of the data Verisign reports is not in question. The reporting requirement calls for all query responses to be counted and does not draw a distinction between responses to monitoring and non-monitoring queries. If ICANN would prefer that all registries distinguish between the two, then it is up to ICANN to discuss that with registry operators.
It appears from the reported numbers that Verisign polls its own Whois servers more than 160 times per second. Donuts’ numbers are even larger.
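To make the two patterns SSAC describes concrete, here is an added Python example (not SSAC’s or DI’s code) that flags, per registry, groups of TLDs reporting exactly the same port 43 count and registries whose TLDs all sit within +/- 1% of their mean. The per-TLD figures are constructed to resemble the December numbers quoted above, not actual registry reports, and the queries-per-second function is the same back-of-envelope calculation as the 160-per-second estimate.

```python
"""Flag the two reporting anomalies SSAC describes in per-TLD Whois port 43
query counts: (1) groups of TLDs that report identical counts and (2) a
registry whose TLDs all fall within +/-1% of their mean.  Added example; the
numbers below are constructed to resemble the figures quoted in the post."""
from collections import defaultdict
from statistics import mean

SECONDS_PER_MONTH = 31 * 24 * 60 * 60   # December has 31 days

# Constructed per-registry, per-TLD "whois-43-queries" figures (not real data).
SAMPLE_REPORTS = {
    "registry-a": {"app": 68_031_882, "gbiz": 68_031_882, "page": 68_031_882},
    "registry-b": {"live": 460_000_000, "gripe": 456_500_000, "games": 461_000_000},
    "registry-c": {"example": 12_000_000, "test": 300_000, "demo": 2_500_000},
}


def identical_count_groups(counts):
    """Return lists of TLDs (two or more) that report exactly the same count."""
    by_value = defaultdict(list)
    for tld, n in counts.items():
        by_value[n].append(tld)
    return [sorted(tlds) for tlds in by_value.values() if len(tlds) >= 2]


def max_deviation_from_mean(counts):
    """Largest relative deviation of any TLD's count from the registry mean."""
    mu = mean(counts.values())
    return max(abs(n - mu) / mu for n in counts.values())


def clustered_within(counts, tolerance=0.01):
    """True when every TLD lies within +/-tolerance of the mean (SSAC's +/-1% pattern)."""
    return len(counts) >= 2 and max_deviation_from_mean(counts) <= tolerance


def implied_queries_per_second(count, seconds=SECONDS_PER_MONTH):
    """Average query rate implied by a monthly total, e.g. a 431M/month registry."""
    return count / seconds


def analyse(reports):
    """Run both checks over every registry and return the findings per registry."""
    findings = {}
    for registry, counts in reports.items():
        findings[registry] = {
            "identical_groups": identical_count_groups(counts),
            "within_1pct_of_mean": clustered_within(counts),
            "max_deviation": round(max_deviation_from_mean(counts), 4),
        }
    return findings


if __name__ == "__main__":
    for registry, finding in analyse(SAMPLE_REPORTS).items():
        print(registry, finding)
    print(f"431M/month is about {implied_queries_per_second(431_000_000):.0f} queries/s")
```

Identical counts are reported as a degenerate case of the +/- 1% cluster as well, which is why a registry like the first one above trips both checks; registries with genuinely diverse TLDs, like the third, trip neither.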
I would guess, based on the huge volumes of queries being reported by other registries, that this is common (but not universal) practice.
SSAC said that it approves of the practice of monitoring port 43 responses, but it does not think that registries should aggregate their own internal queries with those that come from real Whois consumers when reporting traffic to ICANN.
Either way, it thinks that all registries should calculate their totals in the same way, to make apples-to-apples comparisons possible.
Afilias’ spokesperson said: “Afilias agrees that everyone should report the data the same way.”
As far as ICANN goes, its standard registry contract is open to interpretation. It doesn’t really say why registries are expected to collect and supply this data, merely that they are obliged to do so.
The contracts do not specify whether registries are supposed to report these numbers to show off the load their servers are bearing, or to quantify demand for Whois services.
SSAC thinks it should be the latter.
You may be thinking that the fact that it’s taken a decade or more for anyone to notice that the data is basically useless means that it’s probably not all that important.
But SSAC thinks the poor data quality interferes with research on important policy and practical issues.
It’s rendered SSAC’s attempt to figure out whether GDPR and ICANN’s Temp Spec have had an effect on Whois queries pretty much futile, for example.
The meaningful research in question also includes work leading to the replacement of Whois with RDAP, the Registration Data Access Protocol.
Finally, there’s the looming possibility that ICANN may before long start acting as a clearinghouse for access to unredacted Whois records. If it has no idea how often Whois is actually used, that’s going to make planning its infrastructure very difficult, which in turn could lead to downtime.
Rasmussen told DI: “Our impression is that all involved want to get the numbers right, but there are inconsistent approaches to reporting between registry operators that lead to data that cannot be utilized for meaningful research.”
Did Roussos pull off the impossible? Google, Donuts, Radix all drop out of .music race
Google won’t be the registry for the .music gTLD.
The company, along with pure-play registries Donuts and Radix, late last week withdrew their respective applications from the .music contention set, leaving just three possible winners in the running.
Those are Amazon, MMX, and DotMusic, the company run by long-time .music fanboy Constantinos Roussos.
As I blogged last week, applications from Domain Venture Partners and Far Further have also been withdrawn.
I suspect, but do not know for a fact, that the contention was settled with a private deal, likely an auction, recently.
The logical guess for a winner would be Amazon, if only because of the nexus of its business to the music industry and the amount of money it could throw at an auction.
But I’m beginning to suspect that DotMusic might have prevailed.
The company appears to have recently revamped its web site, almost as if it’s gearing up for a launch.
Comparing the current version of music.us to versions in Google’s cache, it appears that the site has been recently given a new look, new copy and even a new logo.
It’s even added a prominent header link inviting prospective resellers to sign up, using a form that also appears to have been added in the last few weeks.
These changes all seem to have been made after the crucial ICANN vote that threw out the last of DotMusic’s appeals, March 14.
Are those the actions of an applicant resigned to defeat, or has Roussos pulled off the apparently impossible, defeating two of the internet’s biggest companies to one of the industry’s most coveted and controversial strings?
Participants in gTLD auctions typically sign NDAs, so we’re going to have to wait a bit longer (probably no more than a few days) to find out which of the remaining three applicants actually won.
Yanks beat Aussies to accountancy gTLD
The contention set for .cpa has been resolved, clearing the way for a new accountancy-themed gTLD.
The winner is the American Institute of Certified Public Accountants, which submitted two bids for the string — one “community”, one vanilla, both overtly defensive in nature — back in 2012.
Its main rival, CPA Australia, which also applied on a community basis, withdrew its application two weeks ago.
Commercial registries Google, MMX and Donuts all have withdrawn their applications since late December, leaving only the two AICPA applications remaining.
This week, AICPA withdrew its community application, leaving its regular “single registrant” bid the winner.
AICPA is the US professional standards body for accountants; CPA Australia is the equivalent organization in Australia. AICPA has 418,000 members, CPA Australia has 150,000.
Both groups failed their Community Priority Evaluations back in 2015 on the basis that their communities were tightly restricted to their own membership, and therefore too restrictive.
AICPA later amended its community application to permit CPAs belonging to non-US trade groups to register.
Both organizations were caught up in the CPE review that also entangled and delayed the likes of .music and .gay. They’ve also both appealed to ICANN with multiple Requests for Reconsideration and Cooperative Engagement Process engagements.
CPA Australia evidently threw in the towel after ICANN’s Board Accountability Mechanisms Committee resolved on December 14 to throw out its latest RfR. It quit its CEP January 9.
It’s likely a private resolution of the set, perhaps an auction, occurred in December.
The winning application from AICPA states fairly unambiguously that the body has little appetite for actually running .cpa as a gTLD:
The main reasons for which AICPA submits this application for the .cpa gTLD is that it wants to prevent third parties from securing the TLD that is identical to AICPA’s highly distinctive and reputable trademark
So don’t get too excited if you’re an accountant champing at the bit for a .cpa domain. It’s going to be an unbelievably restrictive TLD, according to the application, with AICPA likely owning all the domains for years after delegation.
Google launches .dev with some big-name anchor tenants
Google is bringing .dev to general availability this week, and it’s already signed up some recognizable brands as anchor tenants.
Salesforce.com, GitHub and Cloudflare are among several outfits that have already developed web sites using pre-launch .dev domains granted to them by Google Registry.
Salesforce is offering developer tools at the catchy crm.dev, GitHub is running a spin-off tool at github.dev and Cloudflare has workers.dev.
All are developed sites, among many more highlighted by Google’s “chief domain enthusiast” Ben Fried in a blog post yesterday.
Sites targeting female coders and offering advice on accessibility issues have also been launched.
.dev appears to have attracted over 500 registrations during its pre-launch periods, including sunrise.
Yesterday, it entered its Early Access Period, a week in which early birds can acquire .dev domains for a premium fee.
From five figures yesterday, prices decrease each day until they hit their .com-equivalent regular pricing on February 28.
Two controversial new gTLDs launching in January
Five years after the first batch of new gTLDs hit the market, registries continue to drip-feed them into the internet.
At least two more are due to launch on January 16 — .dev and .inc.
.dev is the latest of Google’s portfolio to be released, aimed at the software developer market.
It proved controversial briefly when it first was added to the DNS in 2014, causing headaches for some developers who were already using .dev domains on their private networks.
Four years is plenty of time for all of these collisions to have been cleaned up, however, so I can’t imagine many problems emerging when people start buying these names.
.dev starts a one-month sunrise January 16, sells at early access prices from February 19 to 28 before going to regular-price general availability.
Google has already launched one of its own products, web.dev, a testing tool for web developers, on a .dev domain.
Launching with a pretty much identical phased launch plan is .inc, from new market entrant Intercap Holdings, a Caymans-based subsidiary of a Toronto firm founded by .tv founder Jason Chapnik and managed by .xyz alumnus Shayan Rostam.
Intercap bought the .inc contract from Edmon Chong’s GTLD Limited earlier this year for an undisclosed sum. GTLD Ltd is believed to have paid in excess of $15 million for the TLD at auction.
.inc has proved controversial in the past, attracting criticism from state attorneys general in the US, which backed another bidder.
It may prove controversial in future, too. I have a hunch it’s going to attract more than its fair share of cybersquatters and will probably do quite well out of defensive registration fees.
Google abandons its .kid gTLD bid
Google has retreated from the interminable three-way battle for the .kids/.kid gTLDs.
The company this week withdrew its application for .kid, leaving the fight for .kids a two-horse race between Amazon and the not-for-profit DotKids Foundation.
Google’s application was intertwined with the two .kids applications due to a String Confusion Objection, which it won, drawing its bid into contention with DotKids and Amazon.
The contention set was, and arguably still is, due to be settled by an ICANN last-resort auction, but has been repeatedly postponed due to appeals to ICANN by DotKids, which doesn’t think it has the financial clout to beat its rivals.
Most recently, the auction was put on ice again after DotKids asked for ICANN money, then filed a Request for Reconsideration when ICANN refused.
Google’s .kid application had proposed an area for “kid-friendly content”. Registrants would have been vetted in advance of their domains going live to ensure they were established providers of such content.
Google adds censorship workaround to Android devices
Google is using experimental DNS to help people in censorious regimes access blocked web sites.
Alphabet sister company Jigsaw this week released an Android app called Intra, which enables users to tunnel their DNS queries over HTTPS to compatible servers, avoiding common types of on-the-wire manipulation.
The company reportedly says it has been testing the app with Venezuelan dissidents recently.
The feature will also be built into the next version of Android — known as Android 9 or Android Pie — where it will be called Private DNS.
The app is designed for people who for one reason or another are unable to update their device’s OS.
Intra and Private DNS use “DNS over HTTPS”, an emerging protocol Google and others have been working on for a while.
As it’s non-standard, end users will have to configure their devices or Intra apps to use a DoH-compatible DNS server. The public DNS services operated by Google (8.8.8.8) and Cloudflare (1.1.1.1) are both currently compatible.
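To show what “tunnelling DNS queries over HTTPS” actually puts on the wire, here is an added Python example (not Intra’s or Jigsaw’s code). It builds a standard wire-format DNS query and wraps it the way DNS over HTTPS carries it (the GET form with a base64url-encoded `dns` parameter, and the POST form with the `application/dns-message` media type), then parses a wire-format answer. Nothing is sent on the network: the resolver URL and the answer bytes are constructed stand-ins, and example.com is used only as a placeholder name.

```python
"""Build the DNS-over-HTTPS request an app like Intra sends (RFC 8484: a
wire-format DNS message carried in an HTTPS request) and parse the wire-format
answer. Added example; nothing is transmitted, and SAMPLE_RESPONSE is a
constructed reply, not captured Intra traffic."""
import base64
import struct


def build_query(name, qtype=1):
    """Wire-format DNS query for `name` (qtype 1 = A), RD bit set, ID 0.
    RFC 8484 recommends ID 0 so identical queries are cacheable over HTTP."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_url, query):
    """GET form: the query is base64url-encoded with '=' padding stripped."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def doh_post_request(resolver_url, query):
    """POST form: the raw message is the body, with the RFC 8484 media type."""
    return {"url": resolver_url, "method": "POST",
            "headers": {"content-type": "application/dns-message",
                        "accept": "application/dns-message"},
            "body": query}


def _read_name(msg, offset):
    """Read a (possibly compressed) DNS name; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:            # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            name, _ = _read_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_a_answers(msg):
    """Return the IPv4 strings from the answer section of a wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0:                  # RCODE other than NOERROR
        return []
    offset = 12
    for _ in range(qd):                      # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed answer: the same question, then one A record whose name is a
# compression pointer to offset 12, TTL 300, address 192.0.2.10 (documentation range).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + build_query("example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://dns.example/dns-query", q))  # placeholder resolver URL
    print(doh_post_request("https://dns.example/dns-query", q)["headers"])
    print(parse_a_answers(SAMPLE_RESPONSE))
```

The point for a censorship workaround is visible in the shape of the request: to a middlebox, the query is just the body or URL of an ordinary TLS connection, so the name being looked up is not exposed the way a plain port 53 query exposes it.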
The release comes even as Google faces controversy for allegedly kowtowing to the Chinese government’s demands for censored search and news results.
You may notice that the new app is being marketed via a .org web site, rather than Google’s own .app gTLD, but intra.app takes visitors directly to the Intra page on the Google Play store.
Emoji domains now easier to use
Emoji domains have become marginally easier to navigate to in the last month, following an update to Google’s Chrome browser.
Google has added “Emoji” to the context menu that appears when users right-click in any editable text field — including the address/search bar.
Clicking the option brings up a searchable list of common emojis that can be inserted into the address bar for either search or, with the addition of a typed-in TLD, navigation.
TLDs currently supporting emojis include .ws, .fm and .to. ICANN has ruled out support for emojis in the gTLDs for security reasons.
When the domain is resolved, the emojis render in the address bar as Punycode-converted Latin characters beginning with the usual “xn--” prefix, at least under my default configuration.
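The Punycode conversion described above, as an added Python example that is not Chrome’s code: each label of the name is encoded separately, non-ASCII labels get the “xn--” prefix, and the result can be decoded back. Python’s built-in `punycode` codec is used rather than its `idna` codec because the latter applies IDNA2003 rules that reject emoji code points. The domain names are constructed examples. The last function also shows why emoji labels are ambiguous, one of the concerns SSAC raised in its advisory on emoji domains: the same heart with and without the U+FE0F variation selector is a different label on the wire.

```python
"""Convert an emoji domain label to the xn-- (Punycode/IDNA "A-label") form a
browser shows in the address bar, and back. Added example, not Chrome's code;
the domain names below are constructed."""

ACE_PREFIX = "xn--"


def to_ace_label(label):
    """ASCII-only labels pass through (lower-cased); anything else is Punycoded."""
    if label.isascii():
        return label.lower()
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def from_ace_label(label):
    """Reverse of to_ace_label: strip the prefix and Punycode-decode."""
    if label.startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def to_ace(domain):
    """Encode each label of a dotted name separately, as the DNS requires."""
    return ".".join(to_ace_label(label) for label in domain.split("."))


def from_ace(domain):
    """Decode each label of a dotted xn-- name back to Unicode."""
    return ".".join(from_ace_label(label) for label in domain.split("."))


def same_on_the_wire(a, b):
    """True only if two Unicode names map to the same A-label form."""
    return to_ace(a) == to_ace(b)


if __name__ == "__main__":
    name = "\U0001F600.ws"                      # grinning face, then .ws
    print(to_ace(name))                         # xn--e28h.ws
    print(from_ace(to_ace(name)))               # back to the emoji form
    print(same_on_the_wire("\u2764.ws", "\u2764\ufe0f.ws"))  # False
```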
The whole process is still a bit fiddly, so I wouldn’t advise rushing out to build your businesses on emoji domains just yet.
The context menu feature appears to have been on the experimental track in Chrome for at least a month, but was more recently turned on by default, at least on all the Chrome 69 installs I’ve tested.
If you don’t get the emoji option in your context menu, you should be able to turn it on by navigating to chrome://flags/#enable-emoji-context-menu and selecting the Enabled option.
Chutzpah alert! DotKids wants ICANN handout to fight gTLD auction
New gTLD applicant DotKids Foundation has asked ICANN for money to help it fight for .kids in an auction against Amazon and Google.
The not-for-profit was the only new gTLD applicant back in 2012 to meet the criteria for ICANN’s Applicant Support Program, meaning its application fee was reduced by $138,000 to just $47,000.
Now, DotKids reckons ICANN has a duty to carry on financially supporting it through the “later stages of the process” — namely, an auction with two of the world’s top three most-valuable companies.
The organization even suggests that ICANN dip into its original $2 million allocation to support the program to help fund its bids.
Because .kids is slated for a “last resort” auction, an ICANN-funded winning bid would be immediately returned to ICANN, minus auction provider fees.
It’s a ludicrously, hilariously ballsy move by the applicant, which is headed by DotAsia CEO Edmon Chung.
It’s difficult to see it as anything other than a delaying tactic.
DotKids is currently scheduled to go to auction against Google’s .kid and Amazon’s .kids application on October 10.
But after ICANN denied its request for funding last month, DotKids last week filed a Request for Reconsideration (pdf), which may wind up delaying the auction yet again.
According to DotKids, the original intent of the Applicant Support Program was to provide support for worthy applicants not just in terms of application fees, but throughout the application process.
It points to the recommendations of the Joint Applicant Support working group of the GNSO, which came up with the rules for the support program, as evidence of this intent.
It says ICANN needs to address the JAS recommendations it ignored in 2012 — something that could take quite some time — and put the .kids auction on hold until then.
Empty Whois a threat to the US elections?
Could a lack of Whois records thwart the fight against attempts to interfere in this year’s US elections?
That’s the threat raised by DomainTools CEO Tim Chen in a blog post, and others, this week.
Chen points to recent research by Facebook, based on an investigation by security company FireEye, that linked a large network of bogus news sites and social media accounts to the Iranian state media.
FireEye’s investigation used “historical Whois records”, presumably provided by DomainTools, to connect the dots between various domains and registrants associated with “Liberty Front Press”, a purportedly independent media organization and prolific social media user.
Facebook subsequently found 652 accounts, pages and groups associated with the network, and removed them from its platform.
The accounts and sites in question were several years old but had been focusing primarily on politics in the UK and US since last year, Facebook said.
Based on screenshots shared by Facebook, the accounts had been used to spread political messages bashing US president Donald Trump and supporting the UK’s staunchly pro-Palestinian opposition leader Jeremy Corbyn.
Google’s research, also inspired by FireEye’s findings and Whois data, linked the network to the state-run Islamic Republic of Iran Broadcasting.
The actions by Google and Facebook come as part of their crackdown on fake news ahead of the US mid-term Congressional elections, this November, which are largely being seen as a referendum on the Trump presidency.
Because the domains in question predate the General Data Protection Regulation and ICANN’s response to it, DomainTools was able to capture Whois records before they went dark in May.
While the records often use bogus data, registrant email addresses common to multiple domains could be used to establish common ownership.
Historical Whois data for domains registered after May 2018 is not available, which will likely degrade the utility of DomainTools’ service over time.
Chen concluded his blog post, which appeared to be written partly in response to data suggesting that GDPR has not led to a growth in spam, with this:
Domain name Whois data isn’t going to solve the world’s cyberattack problems all on its own, but these investigations, centering on an issue of global importance that threatens our very democracy, likely get severely impaired without it. And this is just the tip of the iceberg, a few uniquely important investigations among the hundreds of thousands of cyberattacks going on all day every day all over the globe by people and organizations that can now hide behind the anonymity inherent in today’s internet. It’s reasonable that domain names used for certain commercial or functional purposes should require transparent registration information. Whois is not a crime.
DomainTools is one of the founders of the new Coalition for a Secure and Transparent Internet, a lobby group devoted to encouraging legislatures to keep Whois open.
Representatives of Facebook and Iran’s government are among the members of the Expedited Policy Development Process on Whois, an emergency ICANN working group that is currently trying to write a permanent GDPR-compliant Whois policy for ICANN.