ICANN preparing for ONE HUNDRED registry back-ends

The number of gTLD registry back-end providers could more than double during the next new gTLD application round, ICANN’s board of directors has been told.

There are currently about 40 registry services providers serving the gTLD industry, but ICANN is preparing for this to leap to as many as 100 when it launches its Registry Service Provider Evaluation Program for the 2026 application round.

“We’re preparing, I think, for roughly a hundred or so applications which will include the 40 existing providers that we’re aware of, and another 60 or so is sort of our rough market sizing,” Russ Weinstein, a VP at ICANN’s Global Domains Division, told the board during a meeting in Paris last week.

The number is based on what ICANN is preparing to be able to handle, rather than confirmed applicants to the RSP program, it seems.

“We are hoping to see some diversification and new entrants into the space,” Weinstein said.

Board member Edmon Chung elaborated that he expects most of the new entrants to be ccTLD registries hoping to break into the gTLD market.

“We can expect a few more ccTLD registries that might be be interested,” he said. “We’re probably not expecting a completely new startup that just comes in and becomes a registry, but beyond the 40, probably a few more ccTLDs.”

ccTLD registries already active in the gTLD market following the 2012 application round include Nominet, Nic.at and AFNIC, which tend to serve clients that are based in the same timezone and use the same native language.

A new way to game the new gTLD program

It may not help you win a gTLD, but a new method for screwing over your enemies in ICANN’s new gTLD program has emerged.

As I reported earlier today, it seems quite likely that ICANN is going to add a new step in the new gTLD evaluation process for the next round — testing each applied-for string in the live DNS to see if it causes significant name collision problems, breaking commonly deployed software or leading to data leaks.

The proposed new Technical Review Team would make this assessment based in part on how much query traffic non-existent TLDs receive at various places in the DNS, including the ICANN-managed root. A string with millions of daily queries would be flagged for further review and potentially banned.

The Name Collision Analysis Project Discussion Group, which came up with the new name collisions recommendations, reckons this fact could be used against new gTLD applicants as a form of sabotage, as it might be quite difficult for ICANN to figure out whether the traffic is organic or simulated.

The group wrote in its final report (pdf):

In the 2012 round, the issue of name collisions included an assumption that the existence of any name collision was accidental (e.g., individuals and organizations that made a mistake in configuration). In future rounds, there is a concern on the part of the NCAP DG that name collisions will become purposeful (e.g., individuals and organizations will simulate traffic with an intention to confuse or disrupt the delegation process)…

Determining whether a name collision is accidental or purposeful will be a best-effort determination given the limits of current technologies.

We’re basically talking about a form of denial of service attack, where the DNS is flooded with bogus traffic with the intention of breaking not a server or a router but a new gTLD application filed by a company you don’t like.

It probably wouldn’t even be that difficult or expensive to carry out. A string needs fewer than 10 million queries a day to make it into the top 25 non-existent TLDs to receive traffic.

It would make no sense if the attacker was also applying for the same gTLD — because it’s the string, not the applicant, that gets banned — but if you’re Pepsi and you want to scupper Coca-Cola’s chances of getting .coke, there’s arguably a rationale to launch such an attack.

The NCAP DG noted that such actions “may also impact the timing and quantity of legal objections issued against proposed allocations, how the coordination of the next gTLD round is designed, and contention sets and auctions.”

“Name collisions are now a well-defined and known area of concern for TLD applicants when compared to the 2012 round, which suggests that individuals and organizations looking to ‘game’ the system are potentially more prepared to do so,” the report states.

I’d argue that the potential downside of carrying out such an attack, and getting found out, would be huge. Even if it turns out not to be a criminal act, you’d probably find yourself in court, with all the associated financial and brand damage that would cause, regardless.

.home, .mail and .corp could get unbanned

The would-be new gTLDs .home, .mail and .corp — which were some of the most hotly contested strings in the 2012 application round before ICANN banned them — could get a new lease of life if ICANN adopts the recommendations of a panel of security experts.

More than 20 applications for the three strings were first put on hold, and then rejected outright in 2018, due to the risk of name collisions — where a TLD in the public DNS clashes with a domain used extensively on private networks.

The three non-existent TLDs receive more than 100 million queries per day at the DNS root due to queries leaking out from private networks, creating the risk of stuff breaking or sensitive data being stolen if they were to ever be delegated.

But now ICANN has been told that it “should not reject a TLD solely based on the volume of name collisions” and that it should submit .home, .mail and .corp to a new, more nuanced “Name Collision Risk Assessment Process”.

The recommendations comes in a newly published and rather extensive final report (pdf) from the Name Collision Analysis Project Discussion Group, which has been looking into the name collisions problem for the last four years.

While NCAP says ICANN should create a Collision String List of high-risk strings that new gTLD applicants could consult, it stopped short of recommending that the Org preemptively ban strings outright with a “do not apply” list, writing:

Regarding .CORP, .HOME, and .MAIL, high query volume is not a sufficient indicator of high-risk impact. The complexity and diversity of query sources further complicate the assessment of risk and impact. It is impractical to create a pre-emptive “do-not-apply” list for gTLD strings due to the dynamic nature of the DNS and the need for real-time, comprehensive analysis.

.corp might have a relatively easier time getting unblocked. NCAP figured out that most queries for that TLD are due to one “globally dominant software package” made by Microsoft that uses .corp as a default setting. This problem would be easier to fix than .home, which sees bogus traffic from a huge range of sources.

.mail also might be safe to delegate. NCAP noted that at least six gTLDs with more pre-delegation query traffic — .network, .ads, .prod, .dev, .office and .site — were subsequently delegated and received very low numbers of collision reports from live deployment.

Instead of banning any string, NCAP instead proposes a new Name Collision Risk Assessment Framework.

Under the framework, a new Technical Review Team would be in charge of testing every applied-for gTLD not already considered high risk for collision risks and placing the high-risk ones on a Collision String List of essentially banned strings.

To do so, the applied-for gTLD string would have to be actually delegated to the live DNS root zone, under the control of the TRT rather than a registry or applicant, while data is gathered using four different methods of responding to query traffic not unlike the “controlled interruption” method currently in use.

This would be a huge break from the current system, under which gTLDs only get delegated after ICANN has contracted with a registry operator, but it would mean that IANA would be able to quickly yank a gTLD from the DNS, if it started causing serious problems, without stepping on anyone’s commercial interests or inviting legal action.

There’s little doubt that the proposed framework would add friction to the new gTLD evaluation process in the next round, but the fact that NCAP has delivered its recommendations ahead of its original schedule is good news for those hoping for no more delays to the next round actually launching.

The NCAP study was considered on the critical path to the next round. It’s already been approved by the Security and Stability Advisory Committee and is expected to be considered by ICANN’s board of directors at an upcoming meeting. Implementing the recommendations would obviously take some time, but I doubt that would delay the expected Q2 2026 opening of the next application window.

The new recommendations on .corp, .home and .mail mean those gTLDs could well come back into play in the next round, which will come as cold comfort to the applicants who had their $185,000 application fees tied up for years before ICANN finally decided to ban them in 2018, offering a full refund.

There were seven applicants for .mail, six for .corp, and a whopping 11 for .home. Applicants included GoDaddy, Google, Amazon, and Identity Digital.

According to ICANN’s web site, Google never actually withdrew its applications for .home, .corp and .mail, and Amazon never withdrew its application for .mail. If that’s accurate, it could lead to some interesting disputes ahead of the 2026 application round.

Unstoppable to apply for Women in Tech gTLD

Unstoppable Domains and Women in Tech Global have announced that they plan to apply for a new gTLD when ICANN opens the next application round.

They want .witg, which Unstoppable has already launched on its blockchain-based naming system. They cost $10 a pop.

Unstoppable says the names come with some social networking features, as well as the usual ability to address cryptocurrency wallets.

The company has also recently announced gTLD application partnerships with POG Digital for .pog, Clay Nation for .clay and Pudgy Penguin for .pudgy.

Unstoppable is mainly competing here with D3 Global, which is also recruiting blockchain businesses that want to embrace the DNS when the next round opens.

GoDaddy getting a free pass from porn jail?

ICANN has shirked its compliance duties and is handing GoDaddy a “Get Out of Jail Free” card with proposed changes to their .xxx registry agreement, according to critics.

A recently closed public comment period saw a mixed response from the community on whether GoDaddy should be allowed to throw out inconvenient and costly terms of its 10-year-old registry contract and operate .xxx more of less like any other open gTLD.

While the deal’s chief critic, consultant and former ICANN director Michael Palage, has made a detailed case explaining why he thinks the amendments should not go ahead, other commenters agree with GoDaddy that some of its stricter registration policies are no longer needed.

Tucows said that the current .xxx rules, which require registrants to verify their identities, are “cumbersome or non-transparent”, not only adding unnecessary friction to the registration path but also amounting to the “surveillance of sex workers”.

Palage managed to persuade the At-Large Advisory Committee to submit its own comments, in which ALAC claims that GoDaddy has already “walked away” from three important contractual commitments on registrant verification and abuse reporting “unilaterally and without consequence from ICANN Contractual Compliance”.

According to Palage, when GoDaddy acquired ICM Registry from MMX a few years ago it unilaterally decided to stop verifying the identities of its registrants and did away with the unique community membership IDs that enabled it to deactivate a registrant’s entire portfolio if it was found to be in breach of the rules by, for example, publishing child sexual abuse material.

ICM also stopped donating $10 for every registration to its oversight body, IFFOR, which in turn spent the money it did receive on director salaries rather than making cash grants to child protection causes, Palage says. I’ve previously gone into some depth on this.

“I am concerned that instead of ICANN compliance holding ICM Registry accountable to these representations, they’re essentially giving them a get out of jail card free and potentially removing the ability for third parties to hold ICM Registry accountable to those representations,” Palage said during a March presentation to the ALAC.

His draft comments for the ALAC were subsequently submitted under his own name; ALAC submitted a shorter, somewhat watered down version drafted by chair Jonathan Zuck.

But ALAC and Palage are in agreement that GoDaddy should have gone through the usual Registry Services Evaluation Process if it wanted to change the terms of its contract, and that the proposed amendments set a terrible precedent. ALAC wrote:

ALAC believes that commitments made in order to operate a TLD by a Registry Operator should be enforceable, subsequently implemented by the Registry Operator, and enforced by ICANN Contractual Compliance… The ALAC is concerned that the removal of commitments, through a contract renewal, could set a precarious precedent for non-compliance without repercussion for existing Registry Operators

The Business Constituency echoed ALAC’s concerns in its own comments, as did registry operator CORE Association.

Comments in favor of the .xxx amendments came from two veteran, dissenting voices from the At-Large community, Evan Leibovitch and Carlton Samuels. They said removing the extra requirements from the .xxx contract would reduce confusion and were worthless anyway:

Given the benefit of hindsight, the “Sponsored gTLD” program and designation have not on the whole provided any significant benefit to the Internet-using public. As such, we welcome the removal of this designation — and any associated extra contract requirements — from all applicable Registry Agreements going forward.

Tucows’ support for the amendments are based largely on what a pain in the neck it can be — for registrant and registrar — to register a .xxx domain. Its comments explain:

Currently, to register a .xxx domain, one must become a member of the Sponsored Community, which involves a separate application process to verify eligibility. This extra step is a barrier for those looking to quickly secure a domain. Additionally, the domain cannot resolve—meaning it cannot be used to host a website—without a valid Membership ID, which is only issued after this verification process… This activation involves additional interactions between the registry, the registrant, and the registrar. Additional steps in the registration process can be a significant deterrent as they introduce complexity and time delays.

I’m not really buying the “surveillance of sex workers” claim. Porn producers in many jurisdictions, including the US, already routinely verify the identities of their performers, and keep copies of their identity documents on file, as a legal requirement to ensure their employees are not underage.

ICANN is due to publish its summary of the public comment period by May 20.

How ICANN handles the renewal of and amendments to the .xxx contract will be interesting to watch. Will the Governmental Advisory Committee get a chance to weigh in before the deal is signed? Will the board pass a resolution, or will we see a repeat of the .org renewal debacle?

Correction: Sinha’s seat is safe

Last Friday, I speculated that, based on my back-of-the-envelope calculations, ICANN chair Tripti Sinha could find herself ineligible to continue on the ICANN board of directors this November, due to geographic diversity quotas.

My calculations were incorrect, it turns out. While she still needs to be reappointed by the Nominating Committee, Sinha is not limited by the geographic diversity limits. I’ve deleted the article and apologize for the error.

D3 announces seventh blockchain gTLD client

D3 Global has announced yet another likely new gTLD applicant from the blockchain space.

The specialist consultancy said it has partnered with MAKE and the Casper Foundation, a software developer and its non-profit backer respectively, to apply for .cspr when ICANN opens its long-awaited next round of new gTLD applications in a couple years.

It’s the seventh such deal D3, which says it can help blockchain companies link their alternative namespaces to the DNS, has announced since its launch late last year.

It is also working with partners to apply for .ape, .core, .vic, .near, .gate, and .shib.

Single-letter .com case back in court

The domainer trying to get his hands on all the remaining single-character .com and .net domain names has re-filed his lawsuit against ICANN.

Bryan Tallman of VerandaGlobal.com (dba First Place Internet) has filed an amended complaint in a California court, after the judge threw out his initial complaint in March. He alleges deceptive trade practices and breach of contract, among other things.

His claim is that he has sole rights to all unregistered single-character .com and .net domains, such as 1.com and a.net, because he’s registered the matching domains in Verisign’s internationalized domain name transliterations, such as the Hebrew קום. or the Korean/Hangul .닷컴.

He paid Verisign, via registrar CSC Global, $25,285 for 1.닷넷 back in 2017 and reckons he was also buying the exclusive rights to 1.com and 1.net. The same arguments applies to the dozens of other ASCII.IDN domains he registered, according to the complaint.

The argument rests almost entirely on a letter (pdf) from Verisign to ICANN in 2013, in which the registry sets out some of its plans for its IDN gTLDs.

The letter is imprecisely worded, to the point where if you squint a bit, drop some acid, and hit your head against the wall a few times, you might be persuaded that Verisign is saying it would be willing to sell the rights to 1.com for 25 grand.

The complaint says this letter is “ICANN policy”, and the rest of its arguments are pretty much based on that incorrect premise.

ICANN has already filed a demurrer, asking the court to throw out the complaint again, largely on the grounds that the letter is not “policy” and ICANN doesn’t have a contract with any of the plaintiffs that it could be accused of breaching anyway.

The latest filings can be found here.

ICANN to slash costs as Verisign’s magic money tree dries up

ICANN is looking for $8 million of cost savings, $3 million more than it expected a quarter ago, amid gloomy predictions about the domain industry’s likely performance this year.

The Org last week told community members that it’s having to revise its expected revenue down by $3 million to $145 million after it became clear domain sales won’t be as good as previously thought. The new budget is due to be approved by the board this coming weekend.

“ICANN faces an inflation of its costs and also happens to face a lack of inflation of its funding,” CFO Xavier Calvez said on one of two conference calls explaining the changes.

ICANN’s bean counters are now predicting a 4% decline in transaction fees from legacy gTLDs — a line item mostly comprising .com — for ICANN’s fiscal 2025, which begins this July. Back in December, when the first draft of the budget was published, the prediction was for 0% growth.

The grim numbers match Verisign’s own growth story for the rest of the calendar year. Company bosses last week predicted .com/.net to grow at between 0.25% and negative 1.75%, a downwards revision on its guidance in February.

Talking to Verisign and other registries and registrars and looking at the monthly transaction data they file is the main way ICANN formulates its budget predictions.

“We gauged very strong expectations of a contraction in domain name registrations,” ICANN programs director Mukesh Chulani said.

Meanwhile, ICANN estimates transaction fees for new gTLDs will increase 7% in FY25, obviously from a much lower base then legacy, compared to the December estimate of 2% growth.

ICANN was already expecting its funding to miss its spending requirements by $5 million, but that figure is now $8 million. But rather than run ops at a loss, ICANN has instead put this number on a line labelled “Cost Savings Initiatives” in order to present a balanced bottom line.

Where these cost savings might come from doesn’t seem to have been figured out yet, and there’s some community worry that services might be affected by cuts.

There was some talk of finding efficiencies in the travel budget or with contractors, but those budgets are $13 million and $24 million respectively, so any cuts there could be swingeing.

By far the largest expenditure line item is staff, which costs $90 million. But there’s been no change to the expected number of ICANN full-timers in the budget, so layoffs don’t seem to be on the cards just yet.

Community revolts over ICANN’s auction proceeds power grab

Parts of the ICANN community have revolted over ICANN’s move to make it easier to turn off the mechanisms used to appeal its decisions.

Both registries and registrars, along with their usual opponents in the business and intellectual property communities, have told the Org that a proposal to change its foundational bylaws are overly broad and creates new powers to diminish ICANN’s accountability.

Meanwhile, the Intellectual Property Constituency seems to have escalated its beef with ICANN related to the proposals, entering into a Cooperative Engagement Process with ICANN. CEP is usually, but not always, a precursor to an expensive, quasi-judicial Independent Review Process case.

The row relates to the Grant Program, which launched a month ago and will see ICANN hand out $217 million it gained from auctioning registry contracts during the 2012 new gTLD program application round.

The rules of the program were developed by the Cross-Community Working Group on New gTLD Auction Proceeds.

The CCWG was afraid that ICANN might wind up frittering away most of the money on legal fees unless unsuccessful grant applicants, and third parties, were banned from appealing grant decisions they didn’t like. So its Recommendation 7 proposed a bylaws amendment that would prevent the Independent Review Process and Request for Reconsideration process from being used with reference to the Grant Program.

What ICANN came up with instead is a bylaws amendment that could be applied not only to the Grant Program, but also potentially to any future activities.

Specifically, ICANN’s proposed amendment gives future CCWGs, assuming they have sufficient community representation, the ability to recommend exceptions to the accountability mechanisms, which ICANN could then accept without having the amend the bylaws every time.

But almost every constituency that has filed an opinion on the proposals so far thinks ICANN has gone too far.

The IPC said says ICANN’s proposal is “unacceptably broad and exceeds what is necessary to give effect to Recommendation 7” adding:

The IPC is also concerned that making such a broad Bylaws amendment could have the consequence of normalizing the idea of removing access to accountability mechanisms, rather than this being an exceptional event. This is not something that should be encouraged.

The Registries Stakeholder Group said the proposal “creates an alternative path for amending the Bylaws that contradicts the existing amendment processes”

“The Accountability Mechanisms are foundational to ICANN’s legitimacy. Access to Accountability Mechanisms should be prevented only in rare circumstances with the clear support of the Empowered Community,” it added.

The Registrar Stakeholder Group concurred, writing:

Robust Accountability Mechanisms are a lynchpin of ICANN’s broader accountability structure. They should only be disallowed, if ever, in very specific circumstances, and as a result of the full bylaw amendment process. The proposed bylaws amendment vests CCWGs with the power to disallow Accountability Mechanisms which we believe is inappropriate.

Several commenters pointed out that CCWGs are less formal ICANN policy-making structure, with fewer checks and balances than regular Policy Development Processes.

The only dissenting view came from the At-Large Advisory Committee, which said it “strongly supports” ICANN’s proposed amendment, writing:

Although any limitation in accountability is potentially onerous, the ALAC is comfortable that the three conditions proposed in the amendment only allow such limitations in situations where a more specific Bylaw limitation would also be approved by the Empowered Community.

In a related development, the IPC has taken the highly unusual move of entering CEP with ICANN, suggesting it is on the IRP path.

The IPC had filed a Request for Reconsideration late last year, at a time when it appeared that ICANN had outright rejected Recommendation 7 (having previously approved it), but ICANN’s board threw it out mostly on the grounds that the IPC could not show it had been harmed, which the IPC found curious.

If the IPC were to go to IRP, it would be unprecedented. The mechanism has only ever been used by companies defending their commercial interests, never by one of ICANN’s own community groups on a matter of principle.