Five times ICANN deleted a ccTLD, and what it means for .io
With the future of .io coming into question this week, with the news that the UK will return sovereignty of the British Indian Ocean Territory to Mauritius, I thought it would be a good time to see how ICANN has treated disappearing countries and territories in the past.
As far as I can tell, ccTLDs have been removed from the DNS root on only five occasions since ICANN came into existence in 1998.
While the circumstances differ, in all but one case the trigger for the deletion was a change to the International Standards Organization’s ISO 3166-1 alpha-2 list, which ICANN uses to decide who gets a ccTLD and what ccTLD they get.
.yu — Yugoslavia
The Socialist Federal Republic of Yugoslavia broke up in 1992 due to a bloody civil war, but it wasn’t until 2010 that ICANN finally removed .yu from the root.
Splinter nations Slovenia, Croatia, North Macedonia, and Bosnia and Herzegovina were all assigned their own new country codes — .si, .hr, .mk and .ba — in the 1990s, but the now independent and separate states of Serbia and Montenegro, initially known as the Federal Republic of Yugoslavia, carried on using .yu.
When the country renamed itself the State Union of Serbia and Montenegro in 2003, the ISO list was updated to assign it the new code .cs, but the corresponding ccTLD was never actually delegated before the country broke up again in 2006, getting the ccTLDs .rs and .me the following year.
RNIDS, the .rs registry, carried on running .yu for a few years while it transitioned registrants to the new ccTLD. The process was not entirely painless, and ICANN had to keep .yu live longer than planned, before eventually deleting it April 1, 2010.
.tp — Portuguese Timor
The country we now know as East Timor or Timor Leste started the 21st century as Portuguese Timor, under Indonesian occupation. Its ccTLD was .tp.
After the country gained its independence in 2002, it renamed itself Timor Leste and the ISO assigned it the new code TL, deleting TP from its list.
IANA delegated .tl to the local government in 2005 and encouraged .tp registrants to migrate, but it took a full decade before it followed through and removed .tp from the root, in February 2015.
.zr — Zaire
The first ccTLD to get deleted by IANA under ICANN’s watch was .zr, which was no longer needed after Zaire changed its name to Democratic Republic of the Congo, receiving the code CD from ISO, in 1997.
The pre-ICANN IANA delegated .cd to the newly named country in 1997 and the registry operator set about moving .zr names to .cd. By 2001, that process was completed and .zr was deleted from the root.
.an — Netherlands Antilles
The Netherlands Antilles was a collection of former Dutch colonies in the Caribbean, until the territory split, with its component islands receiving new statuses under Dutch law, in 2010. The ccTLD was .an.
Curaçao got .cw, Sint Maarten (Dutch part) got the sexy-sounding .sx, and Bonaire, Saint Eustatius and Saba got to share .bq. ISO removed AN from its list.
The transition was a bit more complicated than usual, as .an registrants had to transfer to a new ccTLD based on what island they were on, but the local authorities managed it and within five years .an went poof.
.um — United States Minor Outlying Islands
This one’s unique in that it was deleted apparently simply because the registry operator couldn’t be bothered with it any more.
The United States Minor Outlying Islands are pretty much unpopulated, but strategically well-located, islands belonging to the US. There’s eight in the Pacific and one in the Caribbean.
Its ccTLD was operated by the University of Southern California until 2006, when somebody at ICANN noticed it appeared to be broken. When it approached USC for an explanation, it was told “they were no longer interested in managing the .UM domain”.
It had no registered domains, so there was no need for a transition plan and IANA deleted it from the root the following year.
The islands and their code are still on the ISO list and are still eligible for their ccTLD. Presumably it’s only the fact that the US government has asserted its authority over .um that has prevented an opportunist Just Some Guy registry from snapping it up to market .um domains as the leading destination for indecisive people or something.
What does this mean for .io?
ICANN’s policy on ccTLDs is pretty straightforward — your territory has to be on the ISO 3166 list and the ccTLD has to match the code ISO gives you. If your code drops off the list, you have five years, extensible to 10, to conduct an orderly transition before the TLD is retired.
Much like Portuguese Timor changing its name to Timor Leste to shuck off its enforced colonial branding, it seems inconceivable that the Chagos Archipelago will continue to be known as the British Indian Ocean Territory.
The key questions for .io registrants are: will the renamed BIOT keep the IO assignment on the ISO list, and will the archipelago continue to qualify as a distinct territory eligible for ccTLD status?
If BIOT simply becomes part of Mauritius, no longer recognized by the UN as a distinct territory, .io gains an existential threat. It would drop off ISO’s list and ICANN could issue it a retirement notice.
If BIOT remains a distinct territory and remains eligible for a ccTLD, the possibilities become a whole lot more interesting.
If Mauritius decides to change the territory’s name, there’s no problem. But if it asks ISO for a corresponding change of two-letter code to better reflect its new name, .io’s future is in doubt.
If the name is changed to something like “Chagos” and Mauritius wants a “C” code, only CB, CE and CJ are still available.
Theoretically, the government of Mauritius could unilaterally force an undesirable string change on Identity Digital, the American company that runs the .io registry, forcing a years-long migration to the newly chosen ccTLD.
I can’t imagine many of .io’s hundreds of thousands of registrants, particularly those using .io as a domain hack or to hitch themselves to a cool tech-startup bandwagon, being happy with a forced migration to, say, .cj.
The power to decoolify an entire TLD would be a compelling weapon in a redelegation fight. I’m deep into speculative territory here, but I can’t help but feel that Identity Digital is going to have to give Mauritius some money at some point.
Another possibility is that the registry, one of ICANN’s biggest funders, could lobby ICANN to change its policies and somehow grandfather .io in as a stateless ccTLD.
The fact that ICANN hasn’t acted to remove .su from the root, thirty years after the Soviet Union collapsed, could be seen as precedent.
The answers to .io’s future might be found in the proposed UK-Mauritius treaty, but that has yet to be published. As it has to be ratified by the UK Parliament we can expect it to enter the public domain before long.
Future of .io domains uncertain as UK hands over Chagos islands
The future of the .io ccTLD is up in the air today with the announcement that the UK is to hand over the British Indian Ocean Territory, also known as the Chagos Archipelago, to Mauritius.
The two governments announced today that they will sign a treaty agreeing “that Mauritius is sovereign over the Chagos Archipelago”. It’s being called the end of British colonialism in Africa.
Under the broad-ranging 99-year deal, native Chagossians, forcibly exiled since the late 1960s, will be free to return to the islands, apart from Diego Garcia, which is home to a strategically important UK-US military base.
There’s no talk yet of the future the ccTLD, of course — the governments have bigger fish to fry — but the change of sovereignty could have interesting implications for the .io registry and its registrants.
The positive spin is that owning a .io domain could now be seen as a less dubious ethical choice.
For almost a decade, largely unsuccessful boycotts of .io have been organized by tech bros upset with the treatment of the Chagossians. Now that they’re getting their land back, the queasiness of supporting “digital colonialism” might go away.
The bad news is that a change of sovereignty could ultimately lead to a change of registry, or the ccTLD disappearing entirely.
ICANN takes its lead from the International Standards Organization, specifically the ISO 3166-1 alpha-2 list, when it comes to deciding whether a ccTLD deserves to exist and what two-letter code it gets.
If BIOT ceases to exist and is removed from the ISO list, as seems likely, there’s a strong case to be made that .io should cease to exist too.
Whether ICANN would actually remove .io from the DNS root is another matter, of course. While it has removed ccTLDs before when the associated country disappears, it has done so in a measured, managed fashion.
The Org also seems quite happy for .su to stay in the root, thirty-odd years after the Soviet Union fell apart.
But what of redelegation? There’s already a campaign to get .io redelegated to the Chagossians, and now that the UK is relinquishing its control of BIOT to Mauritius, the redelegation claim could be strengthened by the weight of a national government.
However, while .io is assigned to BIOT, the UK government says it has no formal relationship with the registry, so a change of ownership of the territory doesn’t necessarily mean the ccTLD changes owners.
The registry is run by a private UK company, Internet Computer Bureau, which nowadays is basically a shell owned by an Irish company that is in turn owned by US-based Identity Digital and its parent Beignet.
And ICANN typically doesn’t redelegate ccTLDs without the consent of the losing registry, which in many cases is Just Some Guy who spotted a business opportunity in the 1990s.
Niue, the Pacific island nation, has been fighting fruitlessly for control of .nu for two decades, for example, but the extant registry doesn’t want to hand it over so ICANN has not acted.
As I reported earlier this week, .io had turnover of almost $40 million last year, so it seems unlikely that Identity Digital would follow the UK’s lead and just hand it over.
While the registry does not disclose its registration numbers, the revenue suggests it’s possible over a million .io domains have been registered.
.io sells $40 million of domains after massive uptick
.io is now a $40-million-a-year domain, after a few years of impressive growth, judging by the registry’s latest financial reports.
UK-based Internet Computer Bureau, a subsidiary of Identity Digital, recently reported turnover of £29.6 million ($39.6 million) for 2023, up 13.9% on the £26.1 million it reported in 2022.
While that’s respectable growth, it pales compared to 2022 (which I don’t think was reported at the time), when turnover was up a whopping 59%.
Identity Digital does not reveal .io’s registration numbers, but with turnover of over $39 million and retail renewal prices bottoming out at around $39 a year, it seems quite possible that the TLD’s domains under management has reached seven digits.
When Afilias paid $70 million for ICB in 2017, it had turnover of $7 million and domains were reported at 270,000.
ICB’s gross margins are terrible — one can only assume its registry services deal with Identity Digital is rather generous to its parent — at 4.4%, with £28 million being paid out as cost of sales.
With another £3 million of unelaborated “administrative expenses”, ICB reported a 2023 net loss of £404,000 compared to a 2022 profit of £1.7 million. It paid £17,660 in UK tax, down from £277,703. It had just $69,000 cash on hand at the end of the year.
While ICB also runs .ac (Ascension Island) and .sh (Saint Helena, Ascension and Tristan da Cunha), it’s only .io that has seen broad uptake among the global domain-registering public. Tech firms like it because I/O means “input/output”.
.io is the ccTLD for the contested British Indian Ocean Territory, also known as the Chagos Archipelago, which is administered from the UK and used almost exclusively to house a strategically important US military base.
Former .co registry defeated in $350 million contract fix case
The Neustar spin-off that once operated the .co TLD reportedly has lost a case against the Colombian government in which it had sought $350 million in damages over the acrimonious renewal of its registry contract.
According to local reports, the International Center for the Settlement of Investment Disputes, part of the World Bank, last week ruled in favor of Colombia on both the merits and on jurisdictional grounds.
The case had been brought in late 2019 by Neustar, which at the time managed some 2.3 million .co domains, under government contract, via a Colombian subsidiary it acquired in 2014.
Neustar has since been acquired by GoDaddy, which continues to run .co, but the ICSID case was inherited by Vercara, the DNS security services arm of the company that GoDaddy didn’t buy.
As .CO Internet, Vercara was hired by Colombia to turn .co into a global alternative to .com with a much-hyped 2010 relaunch. It was very successful, but when it came time to renew the initial 10-year contract, Colombia instead put it out for rebid and started behaving very strangely.
You may recall from coverage here on DI and on The Register that the Colombian tender process seemed to have been specially constructed so that only Afilias, then Neustar’s fiercest rival and now part of Identity Digital, could win.
The government’s RFP had set technical thresholds, such as daily registry transactions, that Afilias could show it met but Neustar could not. It looked naive and arbitrary at best and dodgy at worst.
So Neustar took Colombia to arbitration with ICSID, saying (pdf) the government was in breach of the Trade Promotion Agreement between the US and Colombia.
Neustar ended up winning the contract anyway, albeit on terms that were massively more favorable to the government, and it sold its entire registry services business to GoDaddy days later.
Now, almost five years later, it seems Vercara has lost the case it inherited. While ICSID has not yet published its arbitration panel’s decision, local newspapers have got hold of a copy.
Colombia’s oldest newspaper, El Spectador, reports: “The court, in addition to stating that it does not have jurisdiction to hear Vercara’s claims, rejected all the claims on the merits.”
In unrelated news, Vercara’s recently announced acquisition by DigiCert closed yesterday.
Hackers break .mobi after Whois domain expires
It’s probably a bad idea to let a critical infrastructure domain expire, even if you don’t use it any more, as Identity Digital seems to be discovering this week.
White-hat hackers at WatchTowr today published research showing how they managed to undermine SSL security in the entire .mobi TLD, by registering an expired domain previously used as the registry’s Whois server.
Identity Digital, which now runs .mobi after a series of acquisitions, originally used whois.dotmobiregistry.net for its Whois server, but this later changed to whois.nic.mobi and the original domain expired last December.
WatchTowr spotted this, registered the name, and set up a Whois server there, which went on to receive 2.5 million queries from 135,000 systems in less than a week.
Sources of the queries included security tools such as VirusTotal and URLSCAN, which apparently hadn’t updated the hard-coded Whois URL list in their software, the researchers said.
GoDaddy and Domain.com were among the registrars whose Whois tools were sending queries to the outdated URL, WatchTowr found.
Incredibly, so was Name.com, which is owned by Identity Digital, the actual .mobi registry.
More worryingly, it seems some Certificate Authorities, responsible for issuing the digital certificates that make SSL work, were also using the old Whois address to verify domain ownership.
WatchTowr says it was possible to obtain a cert for microsoft.mobi by providing its own email address in a phony Whois record served up by its bogus Whois server.
“Effectively, we had inadvertently undermined the CA process for the entire .mobi TLD,” the researchers wrote.
They said they would have also been able to send malicious code payloads to vulnerable Whois clients.
While WatchTowr’s research doesn’t mention ICANN, it might be worth noting that the change from whois.dotmobiregistry.net to whois.nic.mobi is very probably a result of .mobi’s transition to a standardized gTLD registry contract, which requires all registries to use the whois.nic.[TLD] format for their Whois servers.
As a pre-2012 gTLD, .mobi did not have this requirement until it signed a new Registry Agreement in 2017. There are still some legacy gTLDs, such as .post, that have not migrated to the new standard URL format.
The WatchTowr research, with a plentiful side order of cockiness, can be read in full here.
Unstoppable reveals gTLD bid doomed to fail
It’s finally happened. Somebody has announced an application for a new gTLD that will almost certainly fall foul of ICANN’s rules and be rejected.
The would-be applicant is Farmsent, a United Arab Emirates startup that is building a blockchain-based marketplace for farmers and buyers of farm produce, and its domains partner is Unstoppable Domains.
Unstoppable said last week that the two companies are launching .farms domains on Unstoppable’s alternative naming system, and that an ICANN application for a proper gTLD is in the works.
The company said it “will be collaborating with Farmsent to plan and strategize for the next ICANN gTLD application, further solidifying .farms in the wider domain ecosystem”.
The problem is that .farms will likely be banned under the rules set out in ICANN’s Applicant Guidebook for the next round, unless the current draft recommendations are completely rewritten or rejected.
ICANN is to be told to reject applications for the plural and singular variants of existing gTLDs in the next round, and .farms is of course the plural of .farm, which is one of the few hundred names in Identity Digital’s stable.
The draft recommendations would merely require for ICANN to be informed that an applied-for string is a single or plural variant of an existing gTLD in the same language and check in a dictionary to confirm that is indeed the case.
In the case of .farm and .farms, I doubt the dictionary verification would realistically even be needed — though I’d bet checking that box would be at least one billable hour for somebody — as it’s a pretty clear-cut case of a bannable clash.
The ICANN staff/community working group drafting the recommendations has spent a huge amount of time arguing about the language of the plurals rule. It’s a surprisingly tricky problem, especially when ICANN is terrified of being seen as a content regulator.
Pride fails to reverse gay domains decline
There are any number of ways gay people can express themselves during Pride, but buying gay-themed domain names doesn’t appear to be one of them.
Zone files show that the .gay gTLD lost over 700 domains in June, which is recognized in most Anglophone liberal democracies as Pride Month, to end the period with about 21,400 names.
Meanwhile, .lgbt lost about 80 domains over the same period, ending the month with about 3,700 domains in its zone.
The declines were not unique to June. Both gTLDs have been on the slide for a while, with .gay peaking at 29,761 domains last November and .lgbt peaking at about 3,930 in May 2023.
.gay is managed by GoDaddy, .lgbt by Identity Digital.
GlobalBlock blocking 2.5 million domains
GoDaddy-led brand protection project GlobalBlock says it is already blocking over 2.5 million domains, just a couple of weeks after its formal launch.
The GlobalBlock web site reports that 2,569,815 domains are currently being blocked across 559 extensions (a mix of ccTLDs, gTLDs, third-level domains and blockchain names), for an average of just under 4,600 per extension.
It’s difficult to extrapolate much useful information about rapid market demand for the service from this one number, for a variety of reasons.
First, the more-expensive GlobalBlock+ service can block well north of 10,000 domains, mostly homographic variants of a trademark, for a single fee, which could mean as few as just a couple hundred customers have signed up so far at the most pessimistic interpretation.
Second, GlobalBlock offered pricing incentives to existing customers of GoDaddy’s AdultBlock and Identity Digital’s Domain Protected Marks List, both of which are over a decade old, in the months-long run-up to launch.
The vanilla, single-brand GlobalBlock service retails for about $6,000 per year, with GlobalBlock+ going for closer to $9,000.
Namecheap sues ICANN over .org price caps
Namecheap has sued ICANN in California, asking a court to force the Org to revisit its decision to lift price caps on .org and .info domain names five years ago.
Registrar CEO Richard Kirkendall announced the suit on Twitter this afternoon:
Today we filed suit against @ICANN. After a previous ruling via a mediation process they have taken little action towards the recommendations of that ruling and so our hand has been forced to take this action. We feel that ICANN is in direct violation of their mandate and…
— Richard Kirkendall (@NamecheapCEO) February 5, 2024
The lawsuit follows an Independent Review Process case that Namecheap partially won in December 2022, where the panel said ICANN should hire an economist to look at whether price caps are a good idea before revisiting its decision to scrap them.
The panel found that the ICANN board of directors had shirked its duties to make the decision itself and had failed to act as transparently as its bylaws mandate.
Namecheap says that over a year after that decision was delivered, ICANN has not implemented the IRP panel’s recommendations, so now it wants the Superior Court in Los Angeles to hand down an injunction forcing ICANN to do so.
Before 2019, .org was limited to 10% price increases every year, but the cap was lifted, along with caps in .info and .biz, when ICANN renewed, standardized and updated the respective registries’ Registry Agreements.
After the decision was made to scrap .org price caps, despite huge public outrage, Namecheap rounded up its lawyers almost immediately.
The caps decision led to the ulimtately unsuccessful attempt by Ethos Capital to acquire Public Interest Registry, which runs .org.
Namecheap’s new lawsuit wants the judge to issue “an order directing ICANN to comply with the recommendations of the IRP Panel”.
That means ICANN’s board would be told to consider approaching PIR and .info registry Identity Digital to talk about reintroducing price caps, to hire the economist, and to modify its procedures to avoid any future transparency missteps.
Airline gTLD crashes and burns
Another would-be dot-brand has added itself to the list of “On second thoughts…” gTLD registries, asking ICANN to tear up its contract.
Century-old Avianca, Colombia’s largest airline, filed its termination papers with ICANN in December and ICANN published them for comment last week.
While the original 2012 application clearly stated that .avianca was intended as a single-registrant dot-brand, Avianca never actually got around to applying for its Spec 13 exemptions so I won’t be technically counting it as a dead dot-brand.
Despite being operational since early 2016, the TLD never had any registrations beyond the mandatory nic.avianca registry placeholder.
The back-end registry services provider and original application consultant was Identity Digital (née Afilias).
Recent Comments