Recent Posts
- Domain world growth despite .com slide
- Verisign predicts more gloom as registrars shun .com growth
- Republicans quiz NTIA on Verisign .com renewal
- Smaller, more intense ICANN meetings with no free cocktails?
- Private auctions to be banned in next new gTLD round
- .au prices going up
- Nominet names director hopefuls
- Crowdstrike screw-up took down ICANN’s email
- We grassed up .TOP, says free abuse outfit
- ICANN to earmark $10 million for new gTLD subsidies
- TV network rebrands on single-letter domain
- First registry gets breach notice over new abuse rules
- Americans and ICANNers avoid Kigali in droves
- RDRS stats improve a little in June
- Unstoppable Domains goes down after domain hijack
- Four more gTLDs in emergency measures
- New gTLDs and ccTLDs drive domain universe growth
- Eight interesting recent dot-brand registrations
- .me premium sales down
- Pride fails to reverse gay domains decline
- Unstoppable announces another new gTLD bid
- Blockchain naming firm gets ICANN accreditation
- ICANN takes over gTLD after Whois failures
- Verisign: would-be .com contract killers are “wrong”
- Five gTLDs at risk as registry goes AWOL
- Groups make flawed case that .com is a cartel
- RDRS usage hits all-time low
- A dot-brand so unloved they killed it twice
- PorkBun hits two million domain milestone
- Crawford returns to industry to head up Com Laude
- ICANN financial data dump a damp squib?
- Unstoppable plotting manga-themed gTLDs
- Governments call for new gTLD auctions ban
- ICANN names new CEO, and it isn’t Costerton
- ICANN: We will NOT police content
- More sticker shock as new gTLD fees could top $300,000
- ICANN slashes staff and domain prices could rise
- Secret new gTLD application revealed
- WhatsApp now linkifying new gTLDs, but…
- Outrage over ICANN’s new gTLD fees
- Barrett gets second term on ICANN board
- DotMusic delays gTLD launch again
- .tm prices to skyrocket next week
- Bitcoin gTLD gets launch dates
- First metaverse gTLD is announced
- Alibaba off the naughty step
- ICANN to kill auction fund bylaws change
- The people have spoken on RDRS and they said “Meh”
- ICANN restarts work on controversial Whois privacy rules
- GNSO mulls lawyering up over auction fund dispute
- Jury still out on ICANN’s content policing powers
- It now takes TWO WEEKS to get a Whois record with RDRS
- Travel expenses push ICANN into the red again
- ICANN preparing for ONE HUNDRED registry back-ends
- DNS Abuse Institute changes name
- A new way to game the new gTLD program
- .home, .mail and .corp could get unbanned
- Unstoppable to apply for Women in Tech gTLD
- Bob Parsons publishes autobiography
- GoDaddy getting a free pass from porn jail?
- Correction: Sinha’s seat is safe
- Chinese domains plummet again in 2023
- GoDaddy price increases lead to revenue growth
- D3 announces seventh blockchain gTLD client
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- .my domains to be sold globally next month
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
Verisign loses prestige .gov contract to Cloudflare
Cloudflare is to take over registry services for the US government’s .gov domain, ending Verisign’s 12-year run.
It seems .gov manager CISA, the Cybersecurity and Infrastructure Security Agency, opened the contract up for bidding last August and awarded it to Cloudflare in mid-December.
The deal is worth $7.2 million, Cloudflare said in a press release on Friday, which is more than twice as much as Verisign charged when it took over the .gov back-end in 2011.
But it seems the deal includes Cloudflare providing authoritative DNS for .gov domains, something Verisign does not currently provide the TLD, in addition to managing the zone file, registry, Whois, etc.
It’s not clear who’s running the exclusive .gov registrar, but CISA appears to be building a new one.
.gov domains are only available to US federal, state, tribal and local government organizations, and there was a $400-a-year fee until April 2021, when CISA made them free to register.
There are about 8,600 .gov domains today. Not a lot, but the deal comes with bragging rights.
CISA took over .gov from the General Services Administration in March 2021 and dropped the fees a month later.
It’s not clear whether Verisign had bid for a renewed contract or simply walked away, as it did when it conceded .tv to GoDaddy last year. I’ve asked the company for comment.
The loss of .gov is obviously a drop in the ocean compared to .com, which continues to make Verisign one of world’s most-profitable companies.
While it’s an ICANN-accredited registrar, I believe this is Cloudflare’s first foray into registry services. Might we see the company as an emergent threat to the established players in the next new gTLD round? It’s certainly looking that way.
.gov TLD quietly changes hands
The .gov TLD used exclusively by governmental entities in the US has quietly changed managers.
On Friday, the IANA records for .gov changed from the General Services Administration to the Cybersecurity and Infrastructure Security Agency.
It was not unexpected. CISA announced the move in March.
But it’s less clear how the change request was handled. The ICANN board of directors certainly didn’t have a formal vote on the matter. IANA has not released a redelegation report as it would with a ccTLD.
CISA intends to make .gov domains more widely available to agencies at the federal, state, city and tribal level, and reduce the price to free or almost free.
Verisign currently manages the technical aspects of the domain, for $400 per domain per year.
As .gov changes hands, would Verisign run it for free?
The .gov top-level domain is moving for the first time since 1997, and the new owner is promising some pricing changes from next year.
The US General Services Administration has been running .gov, one of the original gTLDs, for almost a quarter-century, but next month it will be taken over by the Cybersecurity and Infrastructure Security Agency.
No changes have been made at IANA yet, but CISA is talking of the handover as if it is a done deal.
It will be the first time ICANN has been asked to redelegate what is essentially an uncontracted gTLD with some of the characteristics of a ccTLD. To be honest, I’ve no idea what rules even apply here.
The move was mandated by the DOTGOV Act of 2019, which was incorporated in a recently passed US spending bill.
Legislators wanted to improve .gov’s usefulness by increasing its public profile and security.
The bill was quite adamant that .gov domains should be priced at “no cost or a negligible cost”, but there’s a catch — Verisign runs the technical infrastructure for the domain, and currently charges $400 per domain per year.
According to CISA, “The way .gov domains are priced is tied closely with the service contract to operate the TLD, and change in the price of a domain is not expected until next year.”
So we’re looking at either a contract renegotiation or a rebid.
Frankly, given the really rather generous money-printing machine the US government has granted Verisign with its perpetual right to run .com and increase its profit margins in most years, it seems to me the company should be running it for free.
The .gov zone currently has domains measured in the low thousand.
The DNS’s former overseer now has its own domain name
The National Telecommunications and Information Administration, which for many years was the instrument of the US government’s oversight of the DNS root zone, has got its first proper domain name.
It’s been operating at ntia.doc.gov forever, but today announced that it’s upgrading to the second-level ntia.gov.
The agency said the switch “will make NTIA’s site consistent with most other Department of Commerce websites”.
Staff there will also get new ntia.gov email addresses, starting from today. Their old addresses will continue to forward.
NTIA was part of the DNS root management triumvirate, along with ICANN/IANA and Verisign, until the IANA transition in 2016.
The agency still has a contractual relationship with Verisign concerning the operation of .com.
Could Verisign lose $3.3m .gov deal?
The US government has put its feelers out for information about a possible successor to Verisign as manager of the .gov TLD.
A formal Request For Information — potentially a precursor to a Request For Proposals — was was issued by the General Services Administration on March 9.
The GSA, which is the sponsor of the .gov gTLD, seems to be looking for information about all aspects of running a registry back-end and the secure dotgov.gov registrar front-end.
Those functions have been carried out by Verisign since it took them over from the GSA itself in December 2010.
Its five-year contract expires in September this year.
Because it’s restricted to US government entities, .gov is not a large gTLD — the RFI says it has about 5,000 domains and grows at about 5% a year — but it does carry a certain prestige.
It also carries a not inconsiderable fee. According to the September 2010 award page, the deal is worth $3,325,000 to Verisign.
It’s quite possible that the RFI is just a case of the US government going through the necessary motions prescribed by its procurement policies; Verisign may well be a shoo-in.
But the company’s record with .gov isn’t as great as its record with .com and .net.
In August 2013, Verisign screwed up a DNSSEC key rollover in the .gov zone, causing resolution failures on the small number of networks that rigorously enforce DNSSEC.
The deadline for RFI responses is March 23.
Verisign confirms .gov downtime, blames algorithm
Verisign this morning confirmed yesterday’s reports that the .gov top-level domain went down for some internet users due to a DNSSEC problem, which it said was related to an algorithm change.
In a posting to various mailing lists, Verisign principal engineer Duane Wessels said:
On the morning of August 14, a relatively small number of networks may have experienced an operational disruption related to the signing of the .gov zone. In preparation for a previously announced algorithm rollover, a software defect resulted in publishing the .gov zone signed only with DNSSEC algorithm 8 keys rather than with both algorithm 7 and 8. As a result .gov name resolution may have failed for validating recursive name servers. Upon discovery of the issue, Verisign took prompt action to restore the valid zone.
Verisign plans to proceed with the previously announced .gov algorithm rollover at the end of the month with the zone being signed with both algorithms for a period of approximately 10 days.
This clarifies that the problem was slightly different to what had been assumed yesterday.
It was related to change of the cryptographic algorithm used to create .gov’s DNSSEC keys, a relatively rare event, rather than a scheduled key rollover, which is a rather more frequent occurrence.
The problem would only have made .gov domains (and consequently web sites, email, etc) inaccessible for users of networks where DNSSEC validation is strictly enforced, which is quite small.
The US ISP with the strongest support for DNSSEC is Comcast. Since turning on its validators it has reported dozens of instances of DNSSEC failing — mostly in second-level .gov domains, where DNSSEC is mandated by US policy.
On two other occasions Comcast has blogged about the whole .gov TLD failing DNSSEC validation due to problems keeping keys up to date.
The general problem is widespread enough, and the impact severe enough, that Comcast has had to create an entirely new technology to prevent borked key rollovers making web sites go dark for its customers.
Called Negative Trust Anchors, it’s basically a Band-Aid that allows the ISP to deliberately ignore DNSSEC on a given domain while it waits for that domain’s owner to sort out its key problem.
The technology was created following the widely reported nasa.gov outage last year.
It’s really little wonder that so few organizations are interested in deploying DNSSEC today.
Yesterday’s .gov problem may have been minor, lasting only an hour or two, but had the affected TLD been .com, and had DNSSEC deployment been more widespread, everyone on the planet would have noticed.
Under ICANN contract, DNSSEC is mandatory for new gTLDs at the top level, but not the second level.
Reports: .gov fails due to DNSSEC error
The .gov top-level domain suffered a DNSSEC problem today and was unavailable to some internet users, according to reports.
According to mailing lists and the SANS Internet Storm Center, it appeared that .gov rolled one of its DNSSEC keys without telling the root zone about the update.
This meant that anyone whose DNS servers do strict DNSSEC validation — a relatively small number of networks — would have been unable to access .gov web sites, email and other resources.
As a matter of policy, all second-level .gov domains have to be DNSSEC-signed.
The problem was corrected quite quickly — looks like within an hour or two — but as SANS noted, caching issues may prolong the impact.
Both .gov and the root zone are managed by Verisign, which isn’t on the best of terms with the US government at the moment.
VeriSign takes over .gov
VeriSign has taken over registry functions at .gov, the top-level domain for the US government.
IANA records show that VeriSign Global Registry Services was named technical contact for .gov possibly as recently as this Monday.
The TLD is still administratively delegated to the US General Services Administration. Google’s cache of the IANA site shows the GSA was the technical contact for .gov as recently as October 29.
VeriSign certainly kept this contract win quiet.
At least, the first I heard about it was tonight, in an email VeriSign sent to the dns-ops mailing list, asking DNS administrators to reconfigure their DNSSEC set-up to reflect the change.
A KSK [Key Signing Key] roll for the .gov zone will occur at the end of January, 2011. This key change is necessitated by a registry operator transition: VeriSign has been selected by the U.S. General Services Administration (GSA) to operate the domain name registry for .gov.
The email expresses the urgency of making the changes, which are apparently needed in part because .gov was signed with DNSSEC before the root zone was signed, and some resolvers may be configured to use .gov as a “trust anchor” instead of the root.
The .gov TLD is reserved for the exclusive use of US federal and state government departments and agencies.
It’s certainly a prestige contract for VeriSign.
This appears to be the GSA page awarding the contract to VeriSign, in September, following an RFP. It’s valued at $3,325,000.
Recent Comments