.web auction to go ahead after ICANN denies Donuts/Radix appeal

The new gTLD .web seems set to go to auction next week after ICANN rejected an 11th-hour delay attempt by two applicants.
ICANN’s Board Governance Committee said yesterday that there is no evidence that applicant Nu Dot Co has been taken over by a deep-pocketed third party.
The BGC therefore rejected Donuts’ and Radix’s joint attempt to have the July 27 “last resort” auction delayed.
Donuts and Radix had argued in a Request for Reconsideration earlier this week that Nu Dot Co has changed its board of directors since first applying for .web, which would oblige it to change the application.
Its failure to do so meant they auction should be delayed, they said.
They based their beliefs on an email from NDC director Jose Ignacio Rasco, in which he said one originally listed director was no longer involved with the application but that “several others” were.
There’s speculation in the contention set that a legacy gTLD operator such as Verisign or Neustar might now be in control of NDC.
But the BGC said ICANN had already “diligently” investigated these claims:

in response to the Requesters’ allegations, ICANN did diligently investigate the claims regarding potential changes to Nu Dot’s leadership and/or ownership. Indeed, on several occasions, ICANN staff communicated with the primary contact for Nu Dot both through emails and a phone conversation to determine whether there had been any changes to the Nu Dot organization that would require an application change request. On each occasion, Nu Dot confirmed that no such changes had occurred, and ICANN is entitled to rely upon those representations.

ICANN staff had asked Rasco via email and then telephone whether there had been any changes to NDC’s leadership or control, and he said there had not.
He is quoted by he BGC as saying:

[n]either the ownership nor the control of Nu Dotco, LLC has changed since we filed our application. The Managers designated pursuant to the company’s LLC operating agreement (the LLC equivalent of a corporate Board) have not changed. And there have been no changes to the membership of the LLC either.

The RfR has therefore been thrown out.
Unless further legal action is taken, the auction is still scheduled for July 27. The deadline for all eight applicants (seven for .web and one for .webs) to post deposits with ICANN passed on Wednesday.
As it’s a last resort auction, all funds raised will go into an ICANN pot, the purpose of which has yet to be determined. The winning bid will also be publicly disclosed.
Had the contention set been settled privately, all losing applicants would have made millions of dollars of profit from their applications and the price would have remained a secret.
NDC is the only applicant refusing to go to private auction.
The applicants for .web are NDC, Radix, Donuts, Schlund, Afilias, Google and Web.com. Vistaprint’s bid for .webs is also in the auction.
The RfR decision can he read here (pdf).

ICANN to flip the secret key to the internet

ICANN is about to embark on a year-long effort to warn the internet that it plans to replace the top-level cryptographic keys used in DNSSEC for the first time.
CTO David Conrad told DI today that ICANN will rotate the so-called Key Signing Key that is used as the “trust anchor” for all DNSSEC queries that happen on the internet.
Due to the complexity of the process, and the risk that something might go wrong, the move is to be announced in the coming days even though the new public key will not replace the existing one until October 2017.
The KSK is a cryptographic key pair used to sign the Zone Signing Keys that in turn sign the DNS root zone. It’s basically at the top of the DNSSEC hierarchy — all trust in DNSSEC flows from it.
It’s considered good practice in DNSSEC to rotate keys every so often, largely to reduce the window would-be attackers have to compromise them.
The Zone Signing Key used by ICANN and Verisign to sign the DNS root is rotated quarterly, and individual domain owners can rotate their own keys as and when they choose, but the same KSK has been in place since the root was first signed in 2010.
Conrad said that ICANN is doing the first rollover partly to ensure that the procedures in has in place for changing keys are effective and could be deployed in case of emergency.
That said, this first rotation is going to happen at a snail’s pace.
Key generation is a complex matter, requiring the physical presence of at least three of seven trusted key holders.
These seven individuals possess physical keys to bank-style strong boxes which contain secure smart cards. Three of the seven cards are needed to generate a new key.
Each of the quarterly ZSK signing ceremonies — which are recorded and broadcast live over the internet — takes about five hours.
The first step in the rollover, Conrad said, is to generate the keys at ICANN’s US east coast facility in October this year. A copy will be moved to a facility on the west coast in February.
The first time the public key will appear in DNS will be July 11, 2017, when it will appear alongside the current key.
It will finally replace the current key completely on October 11, 2017, by which time the DNS should be well aware of the new key, Conrad said.
There is some risk of things going wrong, which could affect domains that are DNSSEC-signed, which is another reason for the slowness of the rollover.
If ISPs that support DNSSEC do not start supporting the new KSK before the final switch-over, they’ll fail to correctly resolve DNSSEC-signed domains, which could lead to some sites going dark for some users.
There’s also a risk that the increased DNS packet sizes during the period when both KSKs are in use could cause queries to be dropped by firewalls, Conrad said.
“Folks who have things configured the right way won’t actually need to do anything but because DNSSEC is relatively new and this software hasn’t really been tested, we need to get the word out to everyone that this change is going to be occurring,” said Conrad.
ICANN will conduct outreach over the coming 15 months via the media, social media and technology conferences, he said.
It is estimated that about 20% of the internet’s DNS resolvers support DNSSEC, but most of those belong to just two companies — Google and Comcast — he said.
The number of signed domains is tiny as a percentage of the 326 million domains in existence today, but still amounts to millions of names.

Cruz’s ICANN paranoia is now official Republican policy

US Republicans have endorsed hitherto fringe views on the IANA transition as official party policy.
Yesterday delegates at the Republican National Convention approved the party’s 2016 Platform of the party, which “declares the Party’s principles and policies”.
Internet policy takes up just half a page of the 66-page document, but it’s half a page straight out of the paranoid mind of former presidential candidate Senator Ted Cruz.
It talks of the transition of the US government from its involvement in DNS root zone management (what the GOP calls “web names”) as an “abandonment” of internet freedoms to Russia, China and Iran, which are ready to “devour” them.
Here’s the relevant passage in (almost) full.

Protecting Internet Freedom
The survival of the internet as we know it is at risk. Its gravest peril originates in the White House, the current occupant of which has launched a campaign, both at home and internationally, to subjugate it to agents of government. The President… has unilaterally announced America’s abandonment of the international internet by surrendering U.S. control of the root zone of web names [sic] and addresses. He threw the internet to the wolves, and they — Russia, China, Iran, and others — are ready to devour it.
We salute the Congressional Republicans who have legislatively impeded his plans to turn over the Information Freedom Highway to regulators and tyrants. That fight must continue, for its outcome is in doubt. We will consistently support internet policies that allow people and private enterprise to thrive, without providing new and expanded government powers to tax and regulate so that the internet does not become the vehicle for a dramatic expansion of government power.
The internet’s independence is its power. It has unleashed innovation, enabled growth, and inspired freedom more rapidly and extensively than any other technological advance in human history. We will therefore resist any effort to shift control toward governance by international or other intergovernmental organizations. We will ensure that personal data receives full constitutional protection from government overreach. The only way to safeguard or improve these systems is through the private sector. The internet’s free market needs to be free and open to all ideas and competition without the government or service providers picking winners and losers.

Previously, such views had been expressed by just a handful of elected Republicans, notably Cruz, who has introduced a bill to block the IANA transition until Congress passes law specifically allowing it.
The irony in the latest GOP statement is that the transition is actually a transfer of power away from governments (specifically, the US government) into the private sector.
The current plan for a post-US ICANN, which was put together over two years by hundreds of participants mostly from the private sector, would see Governmental Advisory Committee advice carry less weight unless it receives full consensus.
In other words, if Iran, China and Russia want to destroy freedom of speech, they’ll have to persuade over 150 other governments to their cause.
Should that ever happen, a new multi-stakeholder (and in this example, government free) “Empowered Community” would have the power to put a stop to it.
The goal is to have the transition completed shortly after the current IANA contract between ICANN and the US Department of Commerce expires at the end of September.
That’s before the US presidential elections, of course, which take place in November.

How many elephants did ICANN send to Helsinki?

ICANN ships a quite staggering amount of equipment to its thrice-yearly public meetings, equivalent to more than 12 mid-sized cars at the recent Helsinki meeting.
That’s one of the interesting data points in ICANN’s just published “Technical Report” — a 49-page data dump — for ICANN 56.
It’s the second meeting in a row the organization has published such a report, the first for a so-called “Meeting B” or “Policy Forum” which run on a reduced-formality, more focused schedule.
The Helsinki report reveals that 1,436 people showed up in person, compared to 2,273 for March’s Marrakech meeting, which had a normal ICANN meeting agenda.
The attendees were 61% male and 32% female. Another 7% did not disclose their gender. No comparable numbers were published in the Marrakech report.
I’m going to go out on a limb and guess that the Helsinki numbers show not a terrible gender balance as far as tech conferences go. It’s a bit better than you’d expect from anecdotal evidence.
Not many big tech events publish their male/female attendee ratios, but Google has said attendees at this year’s Google IO were 23% female.
Europeans accounted for most of the Helsinki attendees, as you might expect, at 43%. That compared to 20% in Marrakech.
The next largest geographic contingent came from North America — 27%, compared to just 18% in Marrakech.
The big surprise to me is how much equipment ICANN ships out to each of its meetings.
In March, it moved 93 metric tonnes (103 American tons) of kit to Marrakech. About 19 metric tonnes of that was ICANN-owned gear, the rest was hired. That weighs as much as 3.5 African elephants, the report says.
For Helsinki, that was up to 19.7 metric tonnes, more than 12 cars’ worth. Shipped equipment includes stuff like 412 microphones, 73 laptops and 28 printers.
In both reports, ICANN explains the shipments like this:

Much like a touring band, ICANN learned over time that the most cost-effective method of ensuring that meeting participants have a positive experience is to sea freight our own equipment to ICANN meetings. We ship critical equipment, then rent the remaining equipment locally to help promote the economy.

Rock on.
The Helsinki report, which reveals more data than anyone could possibly find useful, can be downloaded as a PDF here.

Is Verisign .web applicant’s secret sugar daddy?

The fiercely contested .web gTLD is being forced into a last-resort auction and some people seem to think a major registry player is behind it.
Two .web applicants — Radix (pdf) and Schlund (pdf) — this week wrote to ICANN to demand that the .web auction, currently planned for July 27, be postponed.
They said the sale should be delayed to give applicants time “to investigate whether there has been a change of leadership and/or control” at rival applicant Nu Dot Co LLC.
Nu Dot Co is a new gTLD investment vehicle headed up by Juan Diego Calle, who launched and ran .CO Internet until it was sold to Neustar a couple of years ago.
I gather that some applicants believe that Nu Dot Co’s .web application is now being bankrolled by a larger company with deeper pockets.
The two names I’ve heard bandied around, talking to industry sources this week, are Verisign and Neustar.
Nobody I’ve talked to has a shred of direct evidence either company is involved and Calle declined to comment.
So is this paranoia or not?
There are a few reasons these suspicions may have come about.
First, the recent revelation that successful .blog applicant Primer Nivel, a no-name Panama entity with a Colombian connection, was actually secretly being bankrolled by WordPress, has opened eyes to the possibility of proxy bidders.
It was only after the .blog contention set was irreversibly settled that the .blog contract changed hands and the truth become known.
Some applicants may have pushed the price up beyond the $19 million winning bid — making the rewards of losing the private auction that much higher — had they known they were bidding against a richer, more motivated opponent.
Second, sources say the .web contention set had been heading to a private auction — in which all losing applicants get a share of the winning bid — but Nu Dot Co decided to back out at the last minute.
Under ICANN rules, if competing applicants are not able to privately resolve their contention set, an ICANN last-resort auction must ensue.
Third, this effective vetoing of the private auction does not appear to fit in with Nu Dot Co’s strategy to date.
It applied for 13 gTLDs in total. Nine of those have already gone to auctions that Nu Dot Co ultimately lost (usually reaping the rewards of losing).
The other four are either still awaiting auction or, in the case of .corp, have been essentially rejected for technical reasons.
It usually only makes sense to go to an ICANN last-resort auction — where the proceeds all go to ICANN — if you plan on winning or if you want to make sure your competitors do not get a financial windfall from a private auction.
Nu Dot Co isn’t actually an operational registry, so it doesn’t strictly have competitors.
That suggests to some that its backer is an operational registry with a disdain for new gTLD rivals. Verisign, in other words.
Others think Neustar, given the fact that its non-domains business is on the verge of imploding and its previous acquisition of .CO Internet from Calle.
I have no evidence either company is involved. I’m just explaining the thought process here.
According to its application, two entities own more than 15% of Nu Dot Co. Both — Domain Marketing Holdings, LLC and NUCO LP, LLC — are Delaware shell corporations set up via an agent in March 2012, shortly before the new gTLD application filing deadline.
Many in the industry are expecting .web to go for more than the $41.5 million GMO paid for .shop. Others talk down the price, saying “web” lacks the cultural impact it once had.
But it seems we will all find out later this month.
Responding to the letters from Schlund and Radix, ICANN yesterday said that it had no plans to postpone the July 27 last-resort auction.
All seven applicants had to submit a postponement form by June 12 if they wanted a delay, ICANN informed them in a letter (pdf), and they missed that deadline.
They now have until July 20 to either resolve the contention privately or put down their deposits, ICANN said.
The applicants for .web, aside from Nu Dot Co, are Google, Donuts, Radix, Schlund, Web.com and Afilias.
Due to a string confusion ruling, .webs applicant Vistaprint will also be in the auction.

Web.com policy exec moves to ICANN

Domain industry veteran Jennifer Gore is to become ICANN’s new director of registrar relations.
She takes over the role from Mike Zupke, who I gather is leaving ICANN, from next Monday. She will report to Cyrus Namazi in ICANN’s Global Domains Division.
Gore was most recently senior director of policy at Web.com, a role she held for over five years. Much of her earlier career was spent at Network Solutions and Verisign.
Her move from industry to ICANN means she has had to resign her position on the GNSO Council, where she represented the Registrars Stakeholder Group.
The RrSG will now have to hold an election to find her replacement.

After long battle, first Bulgarian IDN domain goes live

Bulgarians finally have the ability to register domain names in their native Cyrillic script, after years of fighting with ICANN.
The domain Имена.бг, which translates as “names.bg” went live on the internet this week, according to local reports.
Bulgaria was one of the first countries to ask for a internationalized domain name version of its ccTLD, almost seven years ago, but it was rejected by ICANN in 2010.
The requested .бг was found too similar to Brazil’s existing Latin-script ccTLD .br. Evaluators thought the risk of phishing and other types of attacks was too high.
The requested string didn’t change, but ICANN processes were adapted to allow appeals and a new method for establishing similarity was established.
On appeal, .бг was determined to be less prone to confusion with .br than existing pairs of Latin ccTLDs are with each other, ergo should be approved.
Имена.бг does not yet directly resolve (for me at least) from the Google Chrome address bar. It’s treated as a web search instead. But clicking on links to it does work.
The new ccTLD, which is .xn--90ae in the DNS, was delegated last week.
The registry is Imena.bg (which also means “names.bg”), based in Sofia and partially owned by Register.bg, the .bg registry.
Despite the long battle, the success of .бг is by no means assured. IDNs have a patchy record worldwide.
It’s true that Russians went nuts for their .рф (.rf for Russian Federation) ccTLD during its scandal-rocked launch in 2010, but Arabic IDNs have had hardly any interest and the current boom in China seems to be largely concentrated on Latin-script TLDs.
.бг is expected to open for general registration in the fourth quarter.
I guess we’ll have to wait until at least next year to discover whether the concerns about confusion with .br were well-founded.

Buy it or lose it? Governments could get first dibs on two-letter domains

Governments and ccTLD registries would get new rights to own two-letter domains in new gTLDs under a proposed ICANN policy.
These highly-prized domains, many of which are likely worth thousands or tens of thousands of dollars, would be subject to a mini sunrise period, under the proposal.
The so-called Exclusive Availability Pre-registration Period would be limited to those companies or government entities in charge of matching ccTLDs.
The measures are outlined in “Proposed Measures for Letter/Letter Two-Character ASCII Labels to Avoid Confusion with Corresponding Country Codes” (pdf), published by ICANN late last week.
The surprisingly succinct document outlines three things new gTLD registries must do if they want to start selling two-letter domains matching ccTLDs, which are currently restricted.
The key measure is:

Registry Operator must implement a 30-day period in which registration of letter/letter two-character ASCII labels that are country codes, as specified in the ISO 3166-1 alpha-2 standard, will be made exclusively available to the applicable country-code manager or government.

In other words, if you’re a government or company listed as the ccTLD manager here, you get 30 days of exclusive opportunity to buy the LL.example matching your ccTLD.
Until now, governments have been able to block the release of LL new gTLD domains matching their ccTLDs.
The new proposal, introduced in an attempt to settle a long-running debate about the most appropriate way to enable the release of two-character strings, appears to add a “buy it or lose it” component to existing policy.
Under the base New gTLD Registry Agreement, all two-character domains were initially reserved.
Then, in late 2014, ICANN said registries could release all letter-number, number-letter and number-number combinations.
Many registries have already released such names, some selling for thousands at auction. When Rightside released its LN/NL/NN names, some carried price tags as high as $50,000.
Letter-letter domains could also be released following a formal registry request to ICANN, but were subject to a 60-day period during which governments could object.
Almost 1,000 new gTLDs have submitted such requests, and almost all have been “partially approved”.
That means some governments objected to the release of ccTLD-matching domains. Over 16,000 unique domain names have been objected to and therefore blocked over the last year or so.
The new proposal would add an extra process under which these blocked domains could be released, with ccTLD concerns getting first rights.
Interestingly, it appears to bring ccTLD managers into the mix, rather than restricting the names simply to governments.
The Governmental Advisory Committee has been the main driving force behind demands for restrictions on LL domains, but the proposed policy appears to also extend rights to private entities.
Remember, many ccTLDs are operated independently by private companies, without local government oversight.
For example, .uk is managed by Nominet, a non-governmental entity. The UK government has blocked many uk.example domains from being registered. The new policy appears to allow either Nominet or the government to register these names.
The one-page proposal is light on some details. It does not say, for example, what happens when the government and the ccTLD manager both want the name.
In keeping with ICANN’s habit of staying out of pricing, it does not specify price caps either.
It does, however, oblige registries to ban registrants from pretending to be affiliated with the relevant government when they are not.
Governments also get to complain, and registries have to investigate, if the relevant domains are causing “confusion”, though registries do not appear to be under a strict obligation to delete or suspend domains.
The policy is open for public comment until August here.

Chinese gTLD cranks up renewal prices from $18 to $100

Chinese new gTLD registry Beijing RITT-Net has said it intends to more than quintuple its registration and renewal prices.
From January 1, 2017, prices for .手机 will go up from $18 a year to $100 a year, the company said in a notice to ICANN late last month.
.手机 (.xn--kput3i) is a Chinese internationalized domain name meaning “.cell” or “.cellphone”.
The registry told ICANN:

it is our sincere hope to adjust the initial registration and renewal fees from 18 dollars to 100 dollars with the aim to keep up with the status quo of China’s domain name market and to provide registrants with better services. We wish the new price will be effective from Jan 1st, 2017.

I believe this is the biggest renewal price hike for a new gTLD registry to date.
Around 25,000 existing registrations appear to be affected, but very few registrars will have to deal with the ramifications.
According to registry reports, over 99% of its registrations were made via Beijing Innovative Linkage Technology, which does business at dns.com.cn.

GoDaddy gets its dot-brand

GoDaddy has become a new gTLD registry with the delegation yesterday of .godaddy.
It’s a dot-brand, so domain name registrations will not be made available to the general public.
In one of the shortest mission statements found in new gTLD applications, the company describes .godaddy like this:

The mission or purpose of the .GODADDY gTLD is strictly for branding protection and internal use. The gTLD .GODADDY will give visitors to any .GODADDY site the assurance that they are truly dealing with Go Daddy and not an imposter or cybersquatter.

GoDaddy has not yet gone live with its nic.godaddy site.
It’s not the first domain name firm to get its own dot-brand. Notably, Neustar and Verisign own .neustar and .verisign.
It’s not the only registrar with a dot-brand, either. France’s OVH got there first with .ovh.
GoDaddy originally applied for two other gTLDs — .home and .casa — but withdrew their applications almost immediately after a shift of company strategy.