Recent Posts
- Americans and ICANNers avoid Kigali in droves
- RDRS stats improve a little in June
- Unstoppable Domains goes down after domain hijack
- Four more gTLDs in emergency measures
- New gTLDs and ccTLDs drive domain universe growth
- Eight interesting recent dot-brand registrations
- .me premium sales down
- Pride fails to reverse gay domains decline
- Unstoppable announces another new gTLD bid
- Blockchain naming firm gets ICANN accreditation
- ICANN takes over gTLD after Whois failures
- Verisign: would-be .com contract killers are “wrong”
- Five gTLDs at risk as registry goes AWOL
- Groups make flawed case that .com is a cartel
- RDRS usage hits all-time low
- A dot-brand so unloved they killed it twice
- PorkBun hits two million domain milestone
- Crawford returns to industry to head up Com Laude
- ICANN financial data dump a damp squib?
- Unstoppable plotting manga-themed gTLDs
- Governments call for new gTLD auctions ban
- ICANN names new CEO, and it isn’t Costerton
- ICANN: We will NOT police content
- More sticker shock as new gTLD fees could top $300,000
- ICANN slashes staff and domain prices could rise
- Secret new gTLD application revealed
- WhatsApp now linkifying new gTLDs, but…
- Outrage over ICANN’s new gTLD fees
- Barrett gets second term on ICANN board
- DotMusic delays gTLD launch again
- .tm prices to skyrocket next week
- Bitcoin gTLD gets launch dates
- First metaverse gTLD is announced
- Alibaba off the naughty step
- ICANN to kill auction fund bylaws change
- The people have spoken on RDRS and they said “Meh”
- ICANN restarts work on controversial Whois privacy rules
- GNSO mulls lawyering up over auction fund dispute
- Jury still out on ICANN’s content policing powers
- It now takes TWO WEEKS to get a Whois record with RDRS
- Travel expenses push ICANN into the red again
- ICANN preparing for ONE HUNDRED registry back-ends
- DNS Abuse Institute changes name
- A new way to game the new gTLD program
- .home, .mail and .corp could get unbanned
- Unstoppable to apply for Women in Tech gTLD
- Bob Parsons publishes autobiography
- GoDaddy getting a free pass from porn jail?
- Correction: Sinha’s seat is safe
- Chinese domains plummet again in 2023
- GoDaddy price increases lead to revenue growth
- D3 announces seventh blockchain gTLD client
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- .my domains to be sold globally next month
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
ICANN attendance shrank in Denmark
Attendance at ICANN’s recent meeting in Copenhagen was down about 8% on the comparable meeting a year earlier in Marrakech, according to ICANN statistics.
There were 2,089 at the Denmark meeting, down from 2,273 reported a year ago in Morocco.
The decline appears to be largely a result of relatively lower local participation. Africa is usually under-represented at ICANN meetings, but there was a surge in Marrakech, with almost 956 attendees hailing from the continent.
About half of Copenhagen participants — 1,012 people, of which 417 were first-timers — were European.
The number of remote participation attendees was much higher in Copenhagen. ICANN counted 4,428 unique users logging into Adobe Connect meeting rooms, compared to 3,458 in Marrakech.
Both Copenhagen and Marrakech, ICANNs 55 and 58, are designated as “community forums”, meaning they follow the traditional ICANN schedule. ICANN 56 was a shorter, policy-focused meeting and ICANN 57 was a longer meeting with a focus on outreach.
The stats for Copenhagen can be downloaded here (pdf).
Verisign to keep price increase power under new .net contract
The wholesale price of a .net domain is likely to top $15 by 2023, under a proposed renewal of its ICANN contract revealed today.
ICANN-imposed price caps are staying in the new Registry Agreement, but Verisign retains the right to increase its fees by 10% in each of the six years of the deal’s lifespan.
But domain investors do have at least one reason to be cheerful — while the contract adds many features of the standard new gTLD registry agreement, it does not include a commitment to implement the Uniform Rapid Suspension anti-cybersquatting procedure.
The current .net annual fee charged to registrars is $8.95 — $8.20 for Verisign, $0.75 for ICANN — but Verisign will continue to be allowed to increase its portion by up to 10% a year.
That means the cost of a .net could hit $15.27 wholesale (including the $0.75 ICANN fee) by the time the proposed contract expires in 2023.
Verisign has form when it comes to utilizing its price-raising powers. It exercised all six options under its current contract, raising its share of the fee from $4.65 in 2011.
On the bright side for volume .net holders, the prices increases continue to be predictable. ICANN has not removed the price caps.
Also likely to cheer up domainers is the fact that there are no new intellectual property protection mechanisms in the proposed contract.
Several post-2000 legacy gTLDs have agreed to incorporate the URS into their new contracts, leading to outrage from domainer organization the Internet Commerce Association.
ICA is worried that URS will one day wind up in .com without a proper ICANN community consensus, opening its members up to more risk of losing valuable domains.
The fact that URS is not being slipped into the .net contract makes it much less likely to be forced on .com too.
But Verisign has agreed to several mostly technical provisions that bring it more into line with the standard 2012-round new gTLD RA.
For example, it appears that daily .net zone files will become accessible via ICANN’s Centralized Zone Data Service before the end of the year.
Verisign has also agreed to standardize the format of its data escrow, Whois and monthly transaction reports.
The company has also agreed to start discussions about handing .net over to an emergency back-end operator in the event it files for bankruptcy.
The current contract is due to expire at the end of June and the proposed new deal would kick in July 1.
It’s now open for public comment until June 13.
ICANN loosens Whois privacy rules for registrars
ICANN has made it easier for registries and registrars to opt-out of Whois-related contractual provisions when they clash with local laws.
From this week, accredited domain firms will not have to show that they are being investigated by local privacy or law enforcement authorities before they can request a waiver from ICANN.
Instead, they’ll be also be able to request a waiver preemptively with a statement from said authorities to the effect that the ICANN contracts contradict local privacy laws.
In both cases, the opt-out request will trigger a community consultation — which would include the Governmental Advisory Committee — and a review by ICANN’s general counsel, before coming into effect.
The rules are mainly designed for European companies, as the EU states generally enjoy stricter privacy legislation than their North American counterparts.
European registrars and registries have so far been held to a contract that may force them to break the law, and the only way to comply with the law would be to wait for a law enforcement proceeding.
ICANN already allows registrars to request waivers from the data retention provisions of the 2013 Registrar Accreditation Agreement — which require the registrar to hold customer data for two years after the customer is no longer a customer.
Dozens of European registrars have applied for and obtained this RAA opt-out.
Pirate Bay founder launches piracy-friendly domain privacy service
The founder of controversial BitTorrent search engine The Pirate Bay has entered the domain name market with a new proxy service.
It’s called Njalla, it’s based in a Caribbean tax haven, and it says it offers a higher level of privacy protection than you get anywhere else.
The company described itself in its inaugural blog post today like this:
Think of us as your friendly drunk (but responsibly so) straw person that takes the blame for your expressions. As long as you keep within the boundaries of reasonable law and you’re not a right-wing extremist, we’re for promoting your freedom of speech, your political weird thinking, your kinky forums and whatever.
Founder Peter Sunde was reluctant to describe Njalla as a proxy registration service, but it’s difficult to think of another way of describing it.
When you buy a domain via the company’s web site, the name is registered by Njalla for itself. You can still use the domain as you would with a regular registrar, but the name is “owned” by Njalla (1337 LLC, based in Saint Kitts & Nevis).
The company is a Tucows reseller via OpenSRS, and it supports almost all gTLDs and several ccTLDs (it’s declined to support Uniregistry due to recent price increase announcements).
Prices are rather industry standard, with a .com setting you back €15 ($16).
The big difference appears to be that the service doesn’t want to know anything about its registrants. You can sign up with just an email address or, unusually, an XMPP address. It doesn’t want to know your name, home address, or anything like that.
This means that whenever Njalla receives a legal request for the user’s identity, it doesn’t have much to hand over.
It’s based on Nevis due to the strong privacy laws there, Sunde said.
Under what circumstances Njalla would suspend service to a customer and hand over their scant private information appears to be somewhat vague and based on the subjective judgement or politics of its management.
“As long as you don’t hurt anyone else, we’ll let you do your thing,” Sunde said.
Child abuse material is verboten. Spam is in a “gray zone” (although forbidden by Njalla’s terms of service).
Copyright infringement appears to be just fine and dandy, which might not be surprising. Sunde founded The Pirate Bay in 2003 and spent time in prison in Sweden for assisting copyright infringement as a result.
“You don’t hurt people by putting a movie online,” Sunde said. “You do hurt someone by putting child porn or revenge porn or stuff like that… If you look at any statistics on file sharing, it proves that the more people file-share the more money goes into the ecosystem of the media.”
While this is likely to upset the IP lobby within the domain name community, I think there’s a possibility that existing ICANN policy will soon have an impact on Njalla’s ability to operate as it hopes.
ICANN is in the process of implementing a privacy/proxy services accreditation program that will require registrars to only work with approved, accredited proxy services.
Sunde thinks Njalla doesn’t fall into the ICANN definition of a proxy service, and said his lawyers agree.
Personally, I can’t see the distinction. I expect ICANN Compliance will probably have to make a call one way or the other one day after the accreditation system comes online.
IANA boss quits ICANN
The head of IANA is to leave the organization, ICANN announced this week.
Elise Gerich, currently vice president of IANA Services at ICANN and president of Public Technical Identifiers (PTI), will leave in October, according to a blog post.
She’ll stick around long enough to oversee the DNS root’s first DNSSEC Key-Signing Key rollover, which is due to go ahead October 11.
Gerich has been VP of IANA since May 2010, and took on the job of PTI president last October when the IANA function was restructured to remove the US government from the mix.
ICANN said it will start the hunt for her replacement shortly.
Companies losing $10 BILLION by ignoring new gTLDs — report
The world economy is “conservatively” losing out on almost $10 billion of annual revenue due to a lack of support for new gTLDs and internationalized domain names, according to an ICANN-commissioned research report.
The report, conducted by Analysys Mason for the semi-independent Universal Acceptance Steering Group, calculated that patchy new gTLD support means $3.6 billion of activity is lost, with lack of IDN support costing $6.2 billion.
Despite “new” gTLDs being around for a decade and a half, there are still plenty of web sites and apps that incorrectly assume that all TLDs are either two or three characters. Others don’t support non-Latin scripts.
This leads to internet users abandoning transactions, the report says, when their email addresses are rejected as invalid.
Mason calculated the $3.6 billion number by multiplying the estimated number of email addresses using new gTLD domains (152 million) by the estimated average annual revenue generated per email address ($360), then calculating what portion of these transactions cannot happen due to incomplete TLD support.
Earlier research by .CLUB Domains suggests that 13% of sites do not support new gTLDs, so that’s the number Mason used. The researchers then cut the number in half, to account for the 50% of people it reckons would simply switch to an email address in a legacy TLD name.
That gets you to $3.6 billion of potential revenue lost for want of gTLD support.
Another, more cynical way to spin this would be to say that new gTLDs are causing $3.6 billion of economic damage. After all, if everyone were to use legacy TLDs there would be no problem.
For the IDN number, Mason calculated how many users of five major language groups (Russian, Chinese, Arabic, Vietnamese and Indian languages) are not currently online, then estimated how much revenue would be generated if just 5% of these users (17 million people) were persuaded online by the existences of IDN TLDs.
The report was commissioned in order to raise awareness of the financial benefits of universal acceptance.
The UASG has spent most of its efforts so far focusing on UA as a “bug fix” to be communicated to engineers, so the report is intended to broaden its message to catch the attention of the money people too.
The report, which goes into much more detail about how the numbers were arrived at, can be downloaded here.
.feedback threatens to shut off MarkMonitor
Top Level Spectrum, the controversial .feedback gTLD registry, has threatened to de-accredit MarkMonitor unless it apologizes for “breaching” its registrar contract.
The move is evidently retaliation for the MarkMonitor-coordinated complaint about .feedback’s launch policies, which last month led to TLS being found in breach of its own ICANN contract.
De-accreditation would mean MarkMonitor would not be able to sell .feedback domains any more, and its .feedback names would be transferred to another registrar.
In a letter to MarkMonitor (pdf) yesterday, TLS informs the registrar that it breached its Registry-Registrar Agreement by releasing said RRA to “the press” as part of the exhibits to its Public Interest Commitments Dispute Resolution Policy complaint.
The problem we take issue with is that your exhibit should have redacted the “Confidential RRA Agreement” prior to being handed over to ” the press ” and it should have been marked in an appropriate way so ICANN would not publicly disclose it. As we can tell no precautions were taken and as a party to the action we find that you violated the confidentiality of the agreement.
I understand “the press” in this case includes DI and others. We published the document last October. We were not asked to keep anything confidential.
The RRA section of the document is marked as “private and confidential” and contains terms forbidding the disclosure of such information, but the name of the registrar is redacted.
TLS believes the undisclosed registrar is actually Facebook, a MarkMonitor client and one of the several parties to the PICDRP complaint against .feedback.
While Facebook may not have actually signed the RRA, MarkMonitor certainly did and therefore should not have released the document, TLS says.
The letter concludes that the “breach… seems incurable” and says: “Please let us know what actions you will take to cure this breach with us or we will have no other option but to de-accredited your Registrars.”
Despite this, TLS CEO Jay Westerdal tells us that an apology will be enough to cure the alleged breach.
The threat is reminiscent of a move pulled by Vox Populi, the .sucks registry, last year. Vox deaccredited MarkMonitor rival Com Laude in June for allegedly leaking a confidential document to DI (I was never able to locate or identify the allegedly leaked document, and had not published any document marked as confidential).
TLS was found in breach of the Public Interest Commitments in its ICANN contract last month by a PICDRP panel. It was the first registry to suffer such a loss.
The PICDRP panel found that .feedback’s launch had not been conducted in a transparent way, but it stopped short of addressing MarkMonitor’s complaints about “fraudulent” behavior.
Now new gTLDs are being scapegoated for child abuse material (rant)
The guy responsible for getting the string “rape” closely restricted for no reason in .uk domain names is now gunning for ICANN and new gTLDs with a very similar playbook.
Campaigner John Carr, secretary of the little-known Children’s Charities’ Coalition on Internet Safety, wants ICANN to bring in strict controls to prevent convicted pedophiles registering domains in child-oriented domains such as .kids.
He’s written to the UK prime minister, the two other ministers with the relevant brief, the US federal government and the California attorney general to make these demands.
That’s despite the fact that he freely acknowledges that he does not have any evidence of a problem in existing kid-oriented TLDs and that he does not expect there to be a problem with .kids, should it be delegated, in future.
Regardless, ICANN comes in for a bit of a battering in the letter (pdf), with Carr insinuating that it and the domain industry are quite happy to throw child safety under the bus in order to make a quick buck. He writes:
ICANN has definitely not been keeping the internet secure for children. On the contrary ICANN shows complete indifference towards children’s safety. This has led to real dangers that ICANN could have prevented or mitigated.
…
ICANN, the Registries and the Registrars have an obvious financial interest in increasing the number of domain names being sold. Their interest in maximising or securing their revenues appears sometimes to blind them to a larger obligation to protect the weak and vulnerable e.g. in this instance children.
Despite this worrying premise, Carr admits in an accompanying paper (pdf) that the Russian version of .kids (.дети), which has been live for three years and only has about 1,000 registrations, does not seem to have experienced a deluge of sex offenders.
Nevertheless, he says ICANN should have forced the .дети registry to do criminal background checks on all registrants to make sure they did not have a record of sexual offences.
While at the time of writing we have no information which suggests anything untoward has happened with any Russian .kids websites, and we understand the volume of sales has been low so far, the matter should never have been left open in that way. When ICANN let the contract it could have included clauses which would have made it a contractual obligation to carry out the sort of checks mentioned. The fact that ICANN did not do this illustrates a degree of carelessness about children’s well-being which is tantamount to gross negligence.
Quite how a domain registry would go about running criminal records checks on all of its customers globally, and what the costs and the benefits would be, Carr does not say.
The letter goes on to state incorrectly that Amazon and Google are in contention for .kids.
In fact, Google applied for the singular .kid. While the two strings are in contention due to an adverse String Confusion Objection, there’s also a second applicant for .kids, the DotKids Foundation, which proposes to keep .kids highly restricted and which Carr is either unaware of or deliberately omits from his letter.
Based on his assumption that .kids is a two-horse race between Amazon and Google, he says:
while I am sure both Google and Amazon will choose to do the right thing, whichever one is the eventual winner of the contract, the point is matters of this kind should never have been left as an option
So not only does Carr not have any evidence that extant “.kids” domains are currently being abused years after delegation, he’s also sure that .kids won’t be in future.
But he wants Draconian background checks implemented on all registrants anyway.
His letter coincides with the release of and heavily cites the 2016 annual report (pdf) of the Internet Watch Foundation — the organization that coordinates the takedown of child abuse material in the UK and elsewhere.
That report found that new gTLD domains are being increasingly used to distribute such material, but that Verisign-run TLDs such as .com are still by far the most abused for this purpose.
The number of takedowns against new gTLD domains in 2016 was 272 (226 of which were “dedicated to distributing child sexual abuse content”) the IWF reported, a 258% increase on 2015.
That’s 272 domains too many, but averages out at about a quarter of a domain per new gTLD.
There were 2,416 domains being used to distribute this material in 2016, IWF said. That means new gTLDs accounted for about 11% of the total child abuse domains — higher than the 7.8% market share that new gTLDs command (according to Verisign’s Q4 industry brief).
But the IWF report states that 80% of the total abuse domains are concentrated in just five TLDs — .com, .net, .se, .io, and .cc. Even child abusers are not fans of new gTLDs, it seems.
Despite the fact that two of these domains are operated under ICANN contract, and the fact that .io is operated by a British company representing a British overseas territory, Carr focuses his calls for action instead on new gTLDs exclusively.
And his calls are receiving attention.
A The Times article this week cries “New internet domain is magnet for paedophiles, charities warn”, while tabloid stable sister The Sun reported on “fears predators are exploiting new website addresses to hide indecent material”.
This is how it started with Carr’s campaign to get “rape” domains banned in the UK.
Back in 2013, he wrote a blog post complaining that it was possible to register “rapeher.co.uk” — not that it had been registered, only that it could be registered — and managed to place a couple of stories in the right-leaning press calling for Nominet to do more to prevent the registration of “depraved and disgusting” domains such as the one he thought up.
This led to a government minister calling for an independent policy review, an actual review, and a subsequent policy that sees some poor bastard at Nominet having to pore over every .uk registration containing rapey strings to see if they’re potentially advocating or promoting actual rape.
Implementation of that policy has so far confirmed that Carr’s worries were, as I said in my 2013 rant, baseless.
In 2016, there were 2,407 registrations of domains containing the string “rape”, but just one of them was found to be using it in the context of sexual assault and was suspended, according to Nominet stats.
In 2015, the number of suspensions was the same. One.
The same story is playing out now — a single Don Quixote with a tenuous grasp of the systems he’s criticizing calling for ludicrous policies to prevent a problem that he freely admits does not exist and probably won’t exist in future.
Still, at least he gets to wave some headlines in front of his employers to pretend he’s actually earning his salary.
New gTLD registries want a $17 million ICANN rebate
Many gTLDs are performing more poorly than expected and their registries want some money back from ICANN to compensate.
The Registries Stakeholder Group this week asked ICANN for a 75% credit on their quarterly fees, which they estimate would cost $16.875 million per year.
The money would come from leftover new gTLD application fee money, currently stashed in an ICANN war chest valued at nearly $100 million.
The RySG, in a letter to ICANN (pdf), also asked for $3 million from the fund to be used to pay for advertising the availability of new gTLDs.
“These measures combined would support ICANN’s mission to promote competition for the public interest and operational interoperability of the internet,” the proposal states.
Currently, all gTLDs on the 2012-round contract have to pay ICANN $25,000 per year, split into quarterly payments, in fixed fees.
Transaction volume over 50,000 transactions per year is taxed at $0.25 per add, renewal or transfer.
The RySG wants the $6,250 quarterly fee reduced by $4,687.50 for a year, with the possibility of the discount being renewed in subsequent years.
In its letter, it cites an example of 900 delegated gTLDs being affected, which would cost $16.875 million per year.
However, that’s only three quarters of the total number of new gTLDs in the root. That currently stands at over 1,200 string, so the actual cost would presumably be closer to £23 million.
Because the new gTLD program, with its $185,000 application fees, was never meant to turn a profit, the RySG thinks it’s fair that the excess money comes back to the companies that originally paid it.
The rationale for the discount is that many new gTLDs (not all, as the RySG is quick to point out) are struggling under poor sales volumes, meaning a 5,000-name TLD, of which there are many, is in effect costing the registry $5 per name per year in fixed ICANN fees.
But that rationale does not of course apply to all new gTLDs. There are currently almost 470 dot-brand gTLDs in the root, which have business models oriented on harder-to-quantify ROI rather than sales volumes and profits.
It’s not clear from the RySG letter whether the discount would apply to all gTLDs or only those with a straightforward old-school profit motive.
Hacker hostage crisis at ICANN secret key ceremony! (on TV)
One of ICANN’s Seven Secret Key-Holders To The Internet got taken out as part of an elaborate heist or something on American TV this week.
In tense scenes, a couple of secret agents or something with guns were forced to break into one of ICANN’s quarterly root zone key signing ceremonies to prevent a hacker or terrorist or something from something something, something something.
The stand-off came after the secret agents or whatever discovered that a hacker called Mayhew had poisoned a guy named Adler, causing a heart attack, in order to secure his position as a replacement ICANN key-holder and hijack the ceremony.
This all happened on a TV show called Blacklist: Redemption that aired in the US March 16.
I’d be lying if I said I fully understood what was supposed to be going on in the episode, not being a regular viewer of the series, but here’s the exposition from the beginning of the second act.
Botox Boss Lady: Seven keys control the internet? That can’t be possible.
Neck Beard Exposition Guy: They don’t control what’s on it, just how to secure it. All domain names have an assigned number. But who assigns the numbers?
Soap Opera Secret Agent: Key holders?
Neck Beard Exposition Guy: Seven security experts randomly selected by ICANN, the Internet Corporation for Assigned Names and Numbers.
Bored Secret Agent: Max Adler’s wife mentioned a key ceremony.
Neck Beard Exposition Guy: Yeah, four times a year the key holders meet to generate a master key and to assign new numbers, to make life difficult for hackers who want to direct folks to malicious sites or steal their credit card information.
Botox Boss Lady: But by being at the ceremony, Mayhew gets around those precautions?
Neck Beard Exposition Guy: Oh, he does more than that. He can route any domain name to him.
That’s the genuine dialogue. ICANN, jarringly, isn’t fictionalized in the way one might usually expect from US TV drama.
The scene carries on to explain the elaborate security precautions ICANN has put in place around its key-signing ceremonies, including biometrics, smart cards and the like.
The fast-moving show then cuts to the aforementioned heist situation, in which our villain of the week takes an ICANN staffer hostage before using the root’s DNSSEC keys to somehow compromise a government data drop and download a McGuffin.
Earlier this week I begged Matt Larson, ICANN’s VP of research and a regular participant in the ceremonies (which are real) to watch the show and explain to me what bits reflect reality and what was plainly bogus.
“There are some points about it that are quite close to how the how the root KSK administration works,” he said, describing the depiction as “kind of surreal”.
“But then they take it not one but two steps further. The way the ceremony happens is not accurate, the consequences of what happens at the ceremony are not accurate,” he added.
“They talk about how at the ceremony we generate a key, well that’s not true. It’s used for signing a new key. And then they talk about how as a result of the ceremony anyone can intercept any domain name anywhere and of course that’s not true.”
The ceremonies are used to sign the keys that make end-to-end DNSSEC possible. By signing the root, DNSSEC resolvers have a “chain of trust” that goes all the way to the top of the DNS hierarchy.
The root keys just secure the bit between the root at the TLDs. Compromising them would not enable a hacker to immediately start downloading data from the site of his choosing, as depicted in the show. He’d then have to go on to compromise the rest of the chain.
“You’d have to create an entire path of spoofed zones to who you wanted to impersonate,” Larson said. “Your fake root zone would have to delegate to a fake TLD zone to a fake SLD zone and so on so you could finally convince someone they were going to the address that you wanted.”
“If you could somehow compromise the processes at the root, that alone doesn’t give you anything,” he said.
But the show did present a somewhat realistic description of how the ceremony rooms (located in Virginia and California, not Manhattan as seen on TV) are secured.
Among other precautions, the facilities are secured with smart cards and PINs, retina scans for ICANN staff, and have reinforced walls to prevent somebody coming in with a sledgehammer, Larson said.
Blacklist: Redemption airs on Thursday nights on NBC in the US, but I wouldn’t bother if I were you.
Recent Comments