DNSSEC claims another victim as entire TLD disappears

Kevin Murphy, March 9, 2022, Domain Tech

A country’s top-level domain disappeared from the internet for many people yesterday, apparently due to a DNSSEC key rollover gone wrong.

All domains in Fiji’s ccTLD, .fj, stopped resolving for anyone behind a strict DNSSEC resolver in the early hours of the morning UTC, afternoon local time, and stayed down for over 12 hours.

Some domains may still be affected due to caching, according to the registry and others.

The University of the South Pacific, which runs the domain, said that it had to contact ICANN’s IANA people to get the problem fixed, which took a while because it had to wait for IANA’s US-based support desk to wake up.

IANA head Kim Davies said that in fact its support runs 24/7 and in this case IANA took Fiji’s call at 2.47am local time.

Analyses on mailing lists and by Cloudflare immediately pointed to a misconfiguration in the country’s DNSSEC.

It seems Fiji rolled one of its keys for the first time and messed it up, meaning its zone was signed with a non-existent key.

Resolvers that implement DNSSEC strictly view such misconfigurations as a potential attack and nix the entire affected zone.
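The check implied by the two paragraphs above can be run before and after a rollover. The Python below is an added example, not code from the registry, Cloudflare or this site. It goes slightly beyond the failure described by also confirming that a DS record in the parent still matches a published key. The zone name `example.`, the eight-byte placeholder keys and every function name are constructed for illustration, and it checks key references only, not the signatures themselves.

```python
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # 8 = RSA/SHA-256
    public_key: bytes   # placeholder bytes in this example, not a real key

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
        return struct.pack("!HBB", self.flags, self.protocol,
                           self.algorithm) + self.public_key


def key_tag(key: DNSKEY) -> int:
    """Key tag (RFC 4034 Appendix B): how RRSIG and DS records name a key."""
    acc = 0
    for i, byte in enumerate(key.rdata()):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire format of an owner name."""
    labels = [part for part in name.lower().rstrip(".").split(".") if part]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def ds_digest_sha256(owner: str, key: DNSKEY) -> str:
    """DS digest type 2 (RFC 4509): SHA-256 over owner name plus DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + key.rdata()).hexdigest()


def audit_rollover(owner, parent_ds, dnskeys, rrsig_key_tags):
    """Return findings for a zone apex; an empty list means the references line up.

    parent_ds      -- (key_tag, sha256_hex) pairs published in the parent zone
    dnskeys        -- the DNSKEY RRset published at the zone apex
    rrsig_key_tags -- key tags named by the RRSIGs covering that DNSKEY RRset
    """
    findings = []
    published = {}                      # key tags are not unique, so keep a list
    for key in dnskeys:
        published.setdefault(key_tag(key), []).append(key)

    # 1. Every signature must name a key that is actually published.
    for tag in sorted(set(rrsig_key_tags)):
        if tag not in published:
            findings.append(f"RRSIG names key tag {tag}, which is not in the DNSKEY RRset")

    # 2. At least one parent DS must match a published key (tag and digest).
    anchored = set()
    for tag, digest in parent_ds:
        for key in published.get(tag, []):
            if ds_digest_sha256(owner, key) == digest.lower():
                anchored.add(tag)
    if not anchored:
        findings.append("no DS in the parent matches any published DNSKEY")
    # 3. A key the parent vouches for must have signed the DNSKEY RRset.
    elif not anchored & set(rrsig_key_tags):
        findings.append("no RRSIG over the DNSKEY RRset comes from a DS-anchored key")
    return findings


# Constructed sample data: placeholder key material for a zone called "example."
ZONE = "example."
OLD_KSK = DNSKEY(257, 3, 8, bytes([0x11] * 8))
NEW_KSK = DNSKEY(257, 3, 8, bytes([0x22] * 8))
ZSK = DNSKEY(256, 3, 8, bytes([0x33] * 8))
PARENT_DS = [(key_tag(OLD_KSK), ds_digest_sha256(ZONE, OLD_KSK))]

# Rollover done in order: new key published and both KSKs sign while DS is unchanged.
HEALTHY = audit_rollover(ZONE, PARENT_DS, [OLD_KSK, NEW_KSK, ZSK],
                         [key_tag(OLD_KSK), key_tag(NEW_KSK)])
# Rollover gone wrong: signatures come from a key that was never published.
BROKEN = audit_rollover(ZONE, PARENT_DS, [OLD_KSK, ZSK], [key_tag(NEW_KSK)])

if __name__ == "__main__":
    print("healthy:", HEALTHY or "no findings")
    for line in BROKEN:
        print("broken: ", line)
```

Either finding in the broken case is enough for a validating resolver to return SERVFAIL for every name in the zone, which is why the outage covers the whole TLD rather than individual domains.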

It happens surprisingly often, though not usually at the TLD level. That said, a similar problem hit thousands of Sweden’s .se domains last month, despite the registry having a decade’s more DNSSEC experience than Fiji.

Domain Incite had a similar problem recently when its registrar carried on publishing DNSSEC information for the domain long after I’d stopped paying for it.

UPDATE: This post was updated with comment from IANA.

Maybe now’s the time for ICANN to start dismantling the Soviet Union

Kevin Murphy, February 25, 2022, Domain Policy

Like I’m sure a great many of you, I spent much of yesterday listening to the news and doom-scrolling social media in despair, anger and helplessness.

War has returned to Europe, with Vladimir Putin’s Russia yesterday invading Ukraine on a flimsy pretext, in an apparent effort to begin to recreate the former Soviet Union.

I watched r/ukraine on Reddit, as its number of subscribers increased by tens of thousands in a matter of hours, with people from all over the world wondering what they could do to help, from volunteering to literally take up arms to hollow if well-meaning virtue-signalling.

Can I volunteer for the Ukrainian army? I live in Japan and can’t speak the language, does that matter?

If any Ukrainians can make it to Ottawa, I have a spare couch for as long as you need it!

Here’s a guide to how I survived the snipers in Sarajevo!

Here’s a yellow-and-blue banner I made that you can use on your Twitter!

Slava Ukraini!

It got me thinking: is there anything the domain industry or ICANN community can do? Is there anything I can do?

The only thing I could think of was to run this idea up the flagpole and see if anyone sets fire to it:

Maybe now’s the time for ICANN to start dismantling the Soviet Union.

It may sound ludicrous. The Soviet Union hasn’t existed outside Putin’s fantasies since 1991.

But it’s alive and well in the DNS, where the top-level domain .su has somehow managed to survive the death of its nation, evade any efforts to have it removed, and stick around in the root for over 30 years.

It currently has over 100,000 registered domains.

I’m not suggesting for a second that all of these domains were registered by people who support the return of the USSR, or are even aware of the connection, but it is the ccTLD of choice for sites like this gung-ho propaganda rag, and the Donetsk People’s Republic, the breakaway Ukrainian region.

Whenever I’ve asked people with better in-depth knowledge of ccTLD policy than me for an explanation of why .su continues to exist, despite not having a nation to represent, I generally get a lot of hand-waving and mumbling about a “lack of political will”.

Maybe there’s a political will now, if not at ICANN Org then perhaps in the ICANN community.

My understanding, based on a deep-dive through the public record, is that it might be possible to have .su deleted — the word ICANN uses is “retired” — but the rules are arguably open to interpretation.

A bit of background first

ICANN’s rules concerning ccTLDs are a bit like the UK constitution — they’re not written down in any one document, but have rather evolved over the years through a combination of habit, convention, case law and pure making-it-up-on-the-spot.

ICANN, and IANA before it, “is not in the business of deciding what is and what is not a country”. It has always deferred to the International Organization for Standardization, which maintains a list of names and corresponding country-codes called ISO 3166-1.

If a country or territory appears on the 3166-1 list, its corresponding “alpha-2” code is eligible to become a ccTLD.

SU was listed on 3166-1, the same as any other country, until September 1992, when it was broken up into 15 names and codes corresponding to the 15 former Soviet nations. Russia got RU and Ukraine got UA, for example, and their ccTLDs are .ru and .ua.

SU was then given a “transitionally reserved” status by the ISO, which basically means it’s due to be phased off the list altogether (albeit not for 50 years) and organizations are discouraged from using it.

In corresponding ccTLDs, every string on the “transitionally reserved” list has either transitioned to a new ccTLD (such as East Timor’s .tp becoming Timor-Leste’s .tl) or split into a collection of new ccTLDs (such as the break-up of the Netherlands Antilles).

Since ICANN took over the root, these and other transitions typically happen with the consent of the local government and the local registry. But the Soviet Union dissolved long before ICANN existed, it doesn’t have a government, and the registry is in no hurry to give up its asset, which is a bit of a money maker.

ICANN stated its intention to retire .su as early as 2003, and the earliest archived IANA record, from 2006, said it was “being phased out”.

It launched a brief consultation on the retirement of ccTLDs in 2006, which prompted a flood of comments from outraged .su supporters.

The following year, there were face-to-face talks between ICANN and the two Moscow companies running .su at the time — the Foundation for Internet Development (FID) and Russian Institute for Public Networks (RIPN).

IANA’s Kim Davies, who now heads the division as an ICANN VP, blogged in 2007, partly in response to these comments, that .su had a chance to remain delegated:

To retain .SU, under current policy they would need to successfully apply for the code to be re-instated into the ISO 3166-1 standard, either as a regular two-letter country code, or as an “exceptionally reserved” code like UK and EU.

The “exceptionally reserved” list is another subdivision of ISO 3166-1. It currently includes four codes that are also ccTLDs — .ac for Ascension Island, a UK territory, .uk itself, and the European Union’s .eu.

The fourth is .su, because FID somehow managed to persuade the ISO 3166 Maintenance Agency to get SU on the list, reversing its 50-year sentence on the transitional list, in 2008. It appears to be the only example of a private, non-governmental, non-UN entity requesting and obtaining a special listing.

There’s been very little public discussion about .su’s fate since then. My suspicion is that it fell off the radar when ICANN CEO Paul Twomey, who made ccTLD relations a cornerstone of his administration, left the Org in 2009.

Or it could be that the “exceptionally reserved” status was enough to satisfy IANA’s eligibility criteria. But there are several reasons why that might not be the case.

In Davies’ 2007 blog post, he said: “There are other issues that will need to be addressed for .SU to be a viable ccTLD designation, but recognition by the appropriate standard is a prerequisite.”

IANA currently has a web page in which it lays out seven ways a TLD can get into the root. This is what it says about exceptionally reserved strings:

Eligible under ICANN Board Resolution 00.74. This resolution provides for eligibility for domains that are not on the ISO 3166-1 standard, but that the Maintenance Agency deems exceptionally reserved, and requires that the Agency “has issued a reservation of the code that covers any application of ISO 3166-1 that needs a coded representation in the name of the country, territory, or area involved”. There is currently (as of June 2013) only one code eligible under these requirements, “EU” for the European Union.

The cited ICANN board resolution, now incorporated into IANA precedential law, dates from September 2000. It’s the resolution that hacked historical IANA practice in order to set the groundwork for eventually levering .eu into the root.

But the relevant part here is where IANA explicitly rules out any exceptionally reserved string other than EU meeting the requirements to be a ccTLD as of 2013. SU’s ISO 3166-1 status has not changed since 2008.

RIPN and FID explicitly acknowledged this in a joint letter (pdf) to ICANN then-CEO Paul Twomey in 2007. In it, they wrote:

we understand that should ISO-3166/MA add the two letter code “SU” to the exceptionally reserved or indeterminately reserved ISO3166-1 list will not be sufficient to clarify the status of .SU as current ICANN/IANA policies require a venue in which legality of actions can be determined.

To paraphrase: being on the list ain’t no good if you got no country.

They said that if ICANN went ahead and retired .su anyway, they would like 10 to 15 years to transition their registrants to alternative TLDs.

Which handily brings me to now

There has never been a formal community-agreed ICANN policy on retiring ccTLDs, until now.

By happy coincidence, the ccTLD Name Supporting Organization recently finished work on such a policy. It came out of public comment a few weeks ago and will next (I was going to write “soon”, but you know?) come before the ICANN board of directors for consideration.

The proposed policy (pdf) conspicuously avoids mentioning .su by name and seems to go out of its way to kick the can on .su’s potential retirement.

The silence is deafening, and the ambiguity is claustrophobic.

It defines ccTLDs as:

  • 2-letter ccTLDs corresponding to an ISO 3166-1 Alpha-2 Code Element (the majority of ccTLDs).
  • 2-letter Latin ccTLDs not corresponding to an ISO 3166-1 Alpha-2 Code Element
  • IDN ccTLDs as approved by ICANN

The second bullet point is accompanied by a footnote that explains it’s referring to the “exceptionally reserved” codes UK, AC and EU, three of the four ccTLDs on the ISO’s exceptional list.

The ccTLDs .uk and .ac which refer to exceptionally reserved codes UK and AC are grandfathered as ccTLDs and .eu, which corresponds to the exceptionally reserved code EU, was delegated under the relevant ICANN Board resolution from September 2000

There’s no mention of SU, the fourth.

Under the proposed policy, the ball would start rolling on a possible retirement whenever a “triggering event” happens. The relevant trigger for .su (and .uk, .eu and .ac) is the ISO making a change — seemingly any change — to its 3166-1 listing.

IANA, referred to in the policy as the IANA Functions Operator or IFO, would then have to decide whether the change warranted initiating the retirement process, which would take at least five years.

As is so often the case in ICANN policy-making, the difficult decisions seem to have been punted.

Only one ccTLD operator filed a public comment on this proposed policy — it was RIPN, operator of .su. While generally supportive, it worried aloud that triggering events prior to the approval of the policy should not count. Its triggering events were in 2008 and the 1990s, after all.

The policy’s creators again ambiguously kicked the can:

The [Working Group] believes the applicability of the Policy to existing situations or those emerging before the proposed Policy becomes effective is out of scope of its mandate. For situations prior to this Policy coming into force, responsibility lies with the IFO to create a suitable procedure. The WG suggests that such a procedure could be based on and anticipates the proposed Policy.

So… does ICANN get to apply the policy retroactively or not?

My overall sense is that the .su situation, which the record shows was certainly on the minds of the ccNSO during the early stages of the policy-development process, was considered too difficult to address, so they took the ostrich approach of pretending it doesn’t exist.

The .su registry seems to think it’s safe from enforced retirement, but it doesn’t seem to be absolutely sure.

In conclusion

I think the record shows that .su doesn’t really deserve to exist in the DNS, and that there’s an opportunity to get rid of it. ccTLDs are for countries and territories that exist and the Soviet Union hasn’t existed for three decades.

IANA rules don’t seem to support its existence, and upcoming policy changes seem to give enough wiggle room for the retirement process to be kicked off, if the will is there to do so.

It would take years, sure.

Would it help stop innocent Ukrainians getting gunned down in the street this week? No.

Would it be more than simple virtue signalling? I think so.

And if not, why not just do it anyway?

In a world where an organization like UEFA considers Russia too toxic for a poxy football match, what would it say about an organization that allows the actual Soviet Union’s domain to continue to exist online?

ICANN stuck between Ukraine and Russia in time zone debate

Kevin Murphy, February 15, 2022, Domain Policy

As the world waits nervously to see whether Russia’s weeks-long troop build-up on the Ukrainian border will result in an invasion, ICANN is embroiled in an infinitely more trivial conflict between the two nations.

As well as overseeing domain names, IP addresses and protocol numbers, a decade ago ICANN took over the time zone database that most of the world’s computers rely on to figure out what the correct time is or was.

The Time Zone Database or tzdb has been hosted by ICANN’s IANA unit since 2011, when it stepped in to relieve the previous host, which was being badgered in court by astrologers.

It’s managed and regularly updated — such as when a country changes its time zone or modifies its daylight savings practices — by Paul Eggert of the University of California.

While it’s apolitical, governed by IETF best practice, it occasionally finds itself in the firing line due to political controversies.

In recent years, a recurrent controversy — which has raised its head again this month in light of the current border crisis — has been the spelling of the Ukrainian capital city.

It has long been rendered in English as “Kiev”, but that’s the Latin-script transliteration of the Russian-Cyrillic spelling Киев, rather than the Ukrainian-Cyrillic spelling, Київ, which is transliterated as “Kyiv”.

With tensions between Russia and Ukraine intensifying since the 2014 annexation of Crimea, Ukraine has for years appealed to the international community to change its “painful” spelling practices.

The Ukrainian Ministry of Foreign Affairs in 2019, as part of its #CorrectUA and #KyivNotKiev campaigns, described the situation like this:

Under the Russian empire and later the Union of Soviet Socialist Republics (USSR), Russification was actively used as a tool to extinguish each constituent country’s national identity, culture and language. In light of Russia’s war of aggression against Ukraine, including its illegal occupation of Crimea, we are once again experiencing Russification as a tactic that attempts to destabilize and delegitimize our country. You will appreciate, we hope, how the use of Soviet-era placenames – rooted in the Russian language – is especially painful and unacceptable to the people of Ukraine.

Many English-language news outlets — including the Associated Press and Guardian style guides, the BBC, New York Times and Wall Street Journal — have since switched to the “Kyiv” spelling, though many are still using “Kiev”.

The US and UK governments both currently use “Kyiv”. Wikipedia switched to “Kyiv” in 2020. ICANN’s own new gTLD program rules, which draw on international standards, would treat both “Kiev” and “Kyiv” as protected geographic names.

My Windows computer used “Kyiv”, but the clock on my Android phone uses “Kiev”.

The tzdb currently lists Kyiv’s time zone as “Europe/Kiev”, because it follows the English-language consensus, with the comments providing this October 2018 explanation from Eggert:

As is usual in tzdb, Ukrainian zones use the most common English spellings. For example, tzdb uses Europe/Kiev, as “Kiev” is the most common spelling in English for Ukraine’s capital, even though it is certainly wrong as a transliteration of the Ukrainian “Київ”. This is similar to tzdb’s use of Europe/Prague, which is certainly wrong as a transliteration of the Czech “Praha”. (“Kiev” came from old Slavic via Russian to English, and “Prague” came from old Slavic via French to English, so the two cases have something in common.) Admittedly English-language spelling of Ukrainian names is controversial, and some day “Kyiv” may become substantially more popular in English; in the meantime, stick with the traditional English “Kiev” as that means less disruption for our users.

Because the tzdb is incorporated in billions of installations of operating systems, programming frameworks and applications worldwide, a conservative approach to changes has been used for compatibility reasons.

In addition, the spelling in the database is not supposed to be exposed to end users. Developers may use tzdb in their code, but they’re encouraged to draw on resources such as the Unicode Common Locale Data Repository to localize their user interfaces.

As Eggert put it on the tzdb mailing list recently, “the choice of spelling should not be important to end users, as the tzdb spelling is not intended to be visible to them”.

Based on past changes, it seems that “Kyiv” could one day before too long supplant “Kiev” in the tzdb, if the current political status quo remains and English-speaking nations increasingly support Ukraine’s independent sovereignty.

But if Russia should invade and occupy, who knows how the language will change?

This article has been part of an irregular series entitled “Murphy Feels Guilty About Covering Incredibly Serious Current Events With A Trivial Domain Angle, But He Writes A Domain Blog So Cut Him Some Slack FFS”.

At ICANN, you can have any registrar you want, as long as it begins with A

Kevin Murphy, February 3, 2022, Domain Registrars

Want to find a registrar based in your home country, or in a friendlier foreign jurisdiction? Don’t rely on ICANN to help.

A recent outcome of the Org’s information transparency car crash is a registrar search engine that only returns filtered results where the registrar’s name begins with the letter A.

The search engine allows users to search for registrars by name, IANA number or the country/territory where the registrar is based. Results can also be filtered alphabetically.

But it’s broken.

If you’re looking for a local registrar, or an overseas registrar, perhaps because you’re concerned about the legal jurisdiction of the company before you register a domain, you might expect the handy drop-down countries menu to bear fruit.

Say you’re looking for an Irish registrar. You select “Ireland” from the drop-down:

ICANN screencap

And the results come back:

ICANN screencap

Oh. According to these results, there are no ICANN-accredited registrars based in Ireland.

But I notice the letter A is highlighted. Perhaps it’s only showing me the registrars beginning with A.

Are there any Irish registrars beginning with B? I’m sure I’ve heard of one, but the name escapes me. I click B:

ICANN screencap

Oh. It’s showing me registrars beginning with B, but they’re not all Irish. The search engine has cleared my original filter.

With B still selected, I filter again by country, and now I’m looking at an empty result set again. There are no Irish registrars beginning with A, ICANN is telling me again.

ICANN screencap

There also doesn’t appear to be a way to filter for registrars that begin with numerals or special symbols, so the likes of 123reg and 101domain appear to be fresh out of luck.

This search engine appears to have been live for about a year, replacing the old flat list, which appears to have been deleted, because that’s how ICANN rolls nowadays.

I don’t know whether it’s been broken the whole time it’s been live, nor whether ICANN knows it’s broken.

Perhaps nobody uses it. It does appear to be the only way to find accredited registrars by country on the ICANN or IANA web sites.

UPDATE Feb 4, 2022: within approximately seven hours, one of the major bugs reported in this post had been fixed. That’s what I call tech support!

.gov TLD quietly changes hands

Kevin Murphy, April 26, 2021, Domain Registries

The .gov TLD used exclusively by governmental entities in the US has quietly changed managers.

On Friday, the IANA records for .gov changed from the General Services Administration to the Cybersecurity and Infrastructure Security Agency.

It was not unexpected. CISA announced the move in March.

But it’s less clear how the change request was handled. The ICANN board of directors certainly didn’t have a formal vote on the matter. IANA has not released a redelegation report as it would with a ccTLD.

CISA intends to make .gov domains more widely available to agencies at the federal, state, city and tribal level, and reduce the price to free or almost free.

Verisign currently manages the technical aspects of the domain, for $400 per domain per year.

As .gov changes hands, would Verisign run it for free?

Kevin Murphy, March 15, 2021, Domain Registries

The .gov top-level domain is moving for the first time since 1997, and the new owner is promising some pricing changes from next year.

The US General Services Administration has been running .gov, one of the original gTLDs, for almost a quarter-century, but next month it will be taken over by the Cybersecurity and Infrastructure Security Agency.

No changes have been made at IANA yet, but CISA is talking of the handover as if it is a done deal.

It will be the first time ICANN has been asked to redelegate what is essentially an uncontracted gTLD with some of the characteristics of a ccTLD. To be honest, I’ve no idea what rules even apply here.

The move was mandated by the DOTGOV Act of 2019, which was incorporated in a recently passed US spending bill.

Legislators wanted to improve .gov’s usefulness by increasing its public profile and security.

The bill was quite adamant that .gov domains should be priced at “no cost or a negligible cost”, but there’s a catch — Verisign runs the technical infrastructure for the domain, and currently charges $400 per domain per year.

According to CISA, “The way .gov domains are priced is tied closely with the service contract to operate the TLD, and change in the price of a domain is not expected until next year.”

So we’re looking at either a contract renegotiation or a rebid.

Frankly, given the really rather generous money-printing machine the US government has granted Verisign with its perpetual right to run .com and increase its profit margins in most years, it seems to me the company should be running it for free.

The .gov zone currently has domains measured in the low thousands.

GoDaddy could lose control of .co this week

Kevin Murphy, September 8, 2020, Domain Registries

It looks like GoDaddy’s recently acquired .co registry could lose formal control of the ccTLD this week.

ICANN’s board of directors has “Transfer of the .CO (Colombia) top-level domain to the Ministry of Information and Communications Technologies” on its agenda for its meeting this Thursday.

Since 2009, the IANA record for .co has shown the Colombian company .CO Internet as the sponsor, admin contact and tech contact.

.CO Internet was acquired by Neustar for $109 million in 2014. Neustar’s registry business, including the .co contract, was acquired by GoDaddy earlier this year. Most of .CO Internet’s original staff are still with the company.

GoDaddy now has the contract to run .co for the next five years, but as a service provider rather than having full administrative control of the TLD.

A redelegation to the Colombian ministry will not affect that contract, and in fact seems to have been envisaged by it.

Back in April when the renewal was announced, MinTIC said it would in future “be in charge of its [.co’s] administration through a group dedicated to Internet governance with technical personnel with knowledge and ability to manage and administer the domain”.

The new deal also sees Colombia receive 81% of the profits from .co, compared to the 6-7% it received under the old deal.

Assuming the ICANN board gives the redelegation the nod this week, it usually only takes IANA a day or two to make the appropriate updates to its registry.

Mystery .vu registry revealed

Kevin Murphy, August 13, 2019, Domain Registries

Neustar has been selected as the back-end domain registry operator for the nation of Vanuatu.

The company, and the Telecommunications Radiocommunications and Broadcasting Regulator, announced the appointment, which came after a competitive tender process between nine competing back-end providers, last night.

The ccTLD is .vu.

It’s unrestricted, with no local presence requirements, and currently costs $50 per year if you buy directly from the registry, Telecom Vanuatu Ltd (TVL).

Unusually, if you show up at TVL’s office in Vanuatu capital Port Vila, you can buy a domain for cash. I’ve never heard of that kind of “retail” domain name option before.

A handful of international registrars also sell the domains marked up, generally to over the $80 mark.

TVL was originally the sponsor of the ccTLD, but ICANN redelegated it to TRBR in March after Vanuatu’s government passed a law in 2016 calling for redelegation.

Under the deal, Neustar will take over the registry function from TVL after its 24 years in charge, bringing the .vu option to hundreds of other registrars.

Most registrars are already plugged in to Neustar, due to its operation of .us, .biz and .co. It also recently took over India’s .in.

There’s no public data on the number of domains under management, but Vanuatu is likely to have a much smaller footprint than Neustar’s main ccTLD clients.

It’s quite a young country, gaining independence from France and the UK in 1980, a Pacific archipelago of roughly 272,000 people.

Neustar expects the transition to its back-end to be completed September 30.

.gay gets rooted

Kevin Murphy, August 12, 2019, Domain Registries

The new gTLD .gay, which was often used as an example of a controversial TLD that could be blocked from the DNS, has finally made it to the DNS.

While no .gay domains are currently resolving, the TLD itself was added to the root zone over the weekend.

Its registry is Top Level Design, which currently also runs .design, .ink and .wiki.

The company won the string in February, after an auction with three other applicants.

Top Level Design had planned to launch .gay this October on National Coming Out Day in the US, but had to postpone the release so as not to rush things.

It’s now eyeing a second-quarter 2020 launch, possibly timed to coincide with a major Pride event.

The registry is currently hiring marketing staff to assist in the launch.

It’s the first new TLD to hit the internet since February, when South Sudan acquired .ss.

But it’s been over a year since the last 2012-round new gTLD appeared, when .inc was delegated in July 2018.

There are currently 1,528 TLDs in the root. That’s actually down a bit compared to a year ago, due to the removal of several delegated dot-brands.

.gay was, prior to 2012, often used as an example of a string that could have been blocked by governments or others on “morality and public order” grounds.

But that never transpired. The protracted time it’s taken to get .gay into the root has been more a result of seemingly endless procedural reviews of ICANN decision-making.

ICANN gives .bj to Jeny

The ccTLD for Benin has been redelegated to the country’s government.

ICANN’s board of directors yesterday voted to hand over .bj to Autorité de Régulation des Communications Electroniques et de la Poste du Bénin, ARCEP, the nation’s telecoms regulator.

It had been in the hands of Benin Telecoms, the incumbent national telco, for the last 15 years, but authority over domain names was granted to ARCEP in legislation in 2017 and 2018.

A local ISP, Jeny, has been awarded the contract to run the registry.

According to IANA, Jeny was already running the registry before the redelegation request was even processed, so there’s no risk of the change of control affecting operations.

As usual with ccTLD redelegations, you’ll learn almost nothing from the ICANN board resolution. You’ll get a better precis of the situation from the IANA redelegation report.

Benin is a Francophone nation in West Africa with about 11 million inhabitants.