ICANN’s name collision plan “creates risk of abuse”

One of ICANN’s proposed methods of reducing the risk of name collisions in new gTLDs actually may create its own “significant risk for abuse”, according to RIPE NCC.
Asking registry operators to send a notification to the owner of IP address blocks that have done look-ups of their TLD before it is delegated risks creating a “backlash” against ICANN and registry operators, RIPE said.
Earlier this month, ICANN said that for the 80% of applied-for strings that are categorized as low risk, “the registry operator will notify the point of contacts of the IP addresses that issue DNS requests for an un-delegated TLD or names under it.”
The proposal is intended to reduce the risk of harms caused by the collision of new gTLDs and matching names that are already in use on internal networks.
For example, if the company given .web discovers that .web already receives queries from 100 different IP blocks, it will have to look up the owners of those blocks with the Regional Internet Registries and send them each an email telling them than .web is about to hit the internet.
RIPE is the RIR for Europe, responsible for allocating IP addresses in the region, so its view on how effective a mitigation plan this is cannot be easily shrugged off.
Chief scientist Daniel Karrenberg told ICANN today that the complexity of the DNS, with its layers of recursive name servers and such, makes the approach pointless:

The notifications will not be effective because they will typically not reach the party that is potentially at risk.

In addition, it will be trivial for mischief-makers to create floods of useless notifications by conducting deliberately erroneous DNS queries for target TLDs, he said:

anyone can cause the registry operator to send an arbitrary amount of mandatory notifications to any holder of IP address space. It will be highly impractical to detect such attacks or find their source by technical means. On the other hand there are quite a number of motivations for such an attack directed at the recipient or the sender of the notifications. The backlash towards the registry operator, ICANN and other parties in the chain will be even more severe once the volume increases and when it turns out that the notifications are for “non-existing” queries.

With a suitably large botnet, it’s easy to see how an attacker could generate the need for many thousands of mandatory notifications.
If the registry has a manual notification process, such a flood would effectively DDoS the registry’s ability to send the notices, potentially delaying the gTLD.
Even if the process were to be automated, you can imagine how IP address block owners (network admins at ISPs and hosting companies, for example) would respond to receiving notifications, each of which creates work, from hundred of affected gTLD operators.
It’s an interesting view, and one that affected new gTLD applicants (which is most of them) will no doubt point to in their own comments on the name collisions mitigation plan.

15 new gTLD applications enter Extended Evaluation

The first batch of new gTLD applications have officially entered the Extended Evaluation stage of the process.
Fifteen bids that failed to achieve passing scores during Initial Evaluation are now taking a second crack at getting approved.
Extended Evaluation is voluntary but in most cases — such as when additional financial or geographic support information is required — it is also free from additional ICANN fees.
If an application goes into EE, its whole contention set is delayed — possibly for months — while the evaluation is completed.
The affected strings so far are: .online, .bcg, .ged, .supersport, .life, .payu, .locus, .shop, .taipei, .pay, .ltd, .olayangroup, .llc, العليان., and .mckinsey.
The 15 comprise basically every application that has so far been told it is eligible for extended evaluation, but excluding most of those that received the news last Friday.
The DI PRO Application Tracker has been updated to reflect the new statuses, and we’ve added a new search option that lets you view or exclude “In EE” applications.
The DI PRO New gTLD Timeline now also includes diary entries related to Extended Evaluation.

.taipei not blocked after all

Taipei City Government’s application for the .taipei new gTLD is still live, despite indications to the contrary from ICANN last week.
On Friday, we reported that there was some confusion about the status of the bid, which was flagged by ICANN as “Eligible for Extended Evaluation” in one place and “Ineligible for Further Review” in another.
We wondered aloud whether Taiwan’s controversial national identity was responsible for the application failing due to lack of governmental support.
But an ICANN spokesperson called last night to confirm that the “Eligible” status is the correct one. The ICANN web site has been corrected accordingly.
What this means is that .taipei is not rejected yet, but must provide more evidence of government support if it wants to pass Extended Evaluation and eventually get delegated.
The question remains, however: which government are we talking about here? If it’s the People’s Republic of China, which claims Taiwan as a province, Taipei may still face problems.

CNNIC hit by “largest ever” denial of service attack

Chinese ccTLD operator CNNIC suffered up to half a day of degraded performance and intermittent accessibility yesterday, after being hit by what it called its “largest ever” denial of service attack.
CNNIC is one of ICANN’s three Emergency Back-End Registry Operators, contracted to take over the running of any new gTLD registries that fail. It’s also the named back-end for seven new gTLD applications.
According to an announcement on its web site, as well as local reports and tips to DI, the first wave of DDoS hit it at about midnight yesterday. A second wave followed up at 4am local time and lasted up to six hours.
According to a tipster, all five of .cn’s name servers were inaccessible in China during the attack.
Local reports (translated) say that many Chinese web sites were also inaccessible to many users, but the full scale of the problem doesn’t seem to be clear yet.
China’s .cn is the fourth-largest ccTLD, with close to 10 million domains under management.

Failures mount up as ICANN releases penultimate week of IE results

Eight new gTLD applications flunked Initial Evaluation this week, according to ICANN’s just-released results.
One of them, the Taipei City Government’s bid for .taipei, has been flagged as “Ineligible for Further Review” — the only application to receive such a status to date — suggesting it is fully dead.
But the full IE report delivered by ICANN says .taipei is actually “Eligible for Extended Evaluation”. It’s not clear right now which of these statuses is the correct one.
Its IE report says “the required documentation of support or non-objection was either not provided or did not meet the criteria” for Taipei’s bid to pass the Geographic Names Review.
While the city government seems to be the applicant, city bids also require national government support, which could be problematic given that the People’s Republic of China regards Taiwan as a province and the United Nations does not officially recognize it as a nation.
Also failing to receive a passing score this week was one of three bidders for the hotly contested gTLD .eco.
Planet Dot Eco failed on both its financial and technical questions, one of the first two applicants to suffer this double whammy. The other was Metaregistrar, which has just found out its app for .frl has failed on both counts.
The clothing retailer Express, noted for its failed Legal Rights Objection against Donuts, also failed its technical evaluation.
Express had a Verisign back-end, while Planet Dot Eco is using ARI Registry Services. Metaregistrar did not specify a third-party back-end provider in its application.
.olayan became the third application from the Saudi conglomerate Olayan Investments to fail because it did not provide its financial statements as required by the Applicant Guidebook.
.place, an application by 1589757 Alberta Ltd (‘DotPlace’) also failed to provide financial statements, as did the dot-brands .shaw, .alcon and .rexroth.
These applications received passing scores this week:

.mail .tech .kpn .play .weatherchannel .crown .aeg .statoil .app .cloud .honeywell .cruises .vig .netaporter .juegos .aramco .lamborghini .soccer .ping .surf .lol .gallo .parts .flowers .gree .webs .netflix .science .school .inc .rio .bbt .mutual .auspost .best .men .symantec .med .doctor .deals .insure .citadel .care .barcelona .racing .feedback .amfam .design .save .nhk .productions .forum .finish .spot .hitachi .web .dish .vistaprint .art .maison .properties .nissay .book .tiffany .haus .skin .hockey .phone .allfinanz .finance .通用电气公司 .手表 .電訊盈科 .珠宝 .ارامكو .hisamitsu .intuit .orientexpress .gecompany .team .church .panasonic .onyourside .ski

With only 141 applications left in evaluation, there’s only one week officially left on the IE timetable, though I expect ICANN will spend some time mopping up the stragglers afterwards.
There are 23 applications eligible for extended evaluation.

Bank takes blame for gTLD name collision

The Commonwealth Bank of Australia, which has applied for the new gTLD .cba, has told ICANN that its own systems are to blame for most of the error traffic the string sees at the DNS root.
The company wants ICANN to downgrade its gTLD application to “low risk” from its current delay-laden “uncalculated” status, saying that it can remediate the problem itself.
Since the publication of Interisle Consulting’s name collisions report, CBA said it has discovered that its own systems “make extensive use of ‘.cba’ as a strictly internal domain.”
Leakage is the reason Interisle’s analysis of root error traffic saw so many occurrences of .cba, the bank claims:

As the cause of the name collision is primarily from CBA internal systems and associated certificate use, it is within the CBA realm of control to detect and remediate said systems and internal certificate use.

One has to wonder how CBA can be so confident based merely on an “internal investigation”, apparently without access to the same extensive and highly restricted data set Interisle used.
There are many uses of the string CBA and there can be no guarantees that CBA is the only organization spewing internal DNS queries out onto the internet.
CBA’s comment is however notable for being an example of a bank that is so unconcerned about the potential risks of name collision that it’s happy to let ICANN delegate its dot-brand without additional review.
This will surely help those who are skeptical about Interisle’s report and ICANN’s response to it.

.vip and .now clear objections

The latest batch of Legal Rights Objection results has seen two proposed new gTLDs — .vip and .now — emerge unscathed from the objections phase of the new gTLD program.
There are six applications for .vip and one of the applicants, I-Registry, had filed LROs against its competitors.
Starbucks (HK), a cable company rather than a coffee chain, had also filed LROs against each of its five rivals for .now.
With yesterday’s decisions, all 10 objections have now been rejected.
In the case of .vip, every applicant wants to run it as a generic term, but I-Registry had obtained a European trademark on its proposed brand.
But Starbucks’ .now was to be a dot-brand reflecting a pre-existing mark unrelated to domain names. WIPO panelists found that trademark did not trump the proposed generic use by other applicants, however.
Both strings will now head to contention resolution, where an auction seems the most likely way to decide the winners.

ICANN passes 92 new gTLDs

Ninety-two new gTLD applications received passing Initial Evaluation scores this week, as ICANN approaches the end of the long-running process.
With two weeks left on the official timetable, only 236 applications remain in IE. Another 1,574 have passed. With no failures this week, the number heading to Extended Evaluation remains at 14.
These are this week’s passing strings, with links to the corresponding application on DI PRO.

.villas .soccer .delivery .med .casino .sina .pamperedchef .case .weibo .kids .college .tech .newholland .life .yoga .world .barclaycard .report .casino .orange .shop .music .walter .srl .poker .shop .qtel .author .help .sap .consulting .starhub .stcgroup .stada .gives .srt .vuelos .zuerich .thd .vacations .taxi .pid .garden .news .industries .love .poker .taxi .express .athleta .pitney .phd .etisalat .mom .merck .earth .beer .safeway .actor .foundation .dclk .hamburg .home .studio .cologne .aquarelle .archi .kia .quest .buy .panerai .chat .band .spa .flickr .playstation .mobile .cash .jprs .saarland .kfh .condos .chintai .blog .cpa .sfr .sale .sky .erni .mih .visa .tickets

Uniregistry wins .gift and AOL yanks .patch bid

Three more new gTLD applications were withdrawn today, only one of which was related to this week’s previously reported batch of private auctions.
First, Famous Four Media has pulled out of the .gift race with Uniregistry, presumably after some kind of deal. They were the only two applicants, meaning Uniregistry wins the contention set.
Potentially complicating matters, there are also two applicants for .gifts — if the plural/singular debate is reopened, which seems possible after today’s events, it might not be over yet.
Second, AOL withdrew its application for .patch, which was to be a single-registrant space for its Patch-branded network of local web sites.
This seems to be connected to cost-cutting at AOL.
Last week, the company fired Patch’s creative director in front of 1,000 colleagues and announced it was cutting the number of sites in the network.
Today, it started laying off almost half of Patch’s 1,100 employees, according to the Wall Street Journal.
Third, Top Level Domain Holdings withdrew from the .guide contention set, leaving Donuts the winner — a formality following this week’s Innovative Auctions auction, which it lost.

Google beats Donuts in objection — .pet and .pets ARE confusingly similar

Google has won a String Confusion Objection against rival new gTLD applicant Donuts, potentially forcing .pet and .pets into the same contention set.
The shock ruling by International Centre for Dispute Resolution panelist Richard Page goes against previous decisions finding singulars and plurals not confusingly similar.
In the 11-page decision, Page said he decided to not consider the reams of UDRP precedent or US trademark law submitted by the two companies, and seems to have come to his opinion based on a few simple facts:

Objector has come forward with the following evidence for visual, aural and meaning similarity. Visually, the words are identical but for the mere addition of the letter “s”. Aurally, the word “pets” is essentially phonetically equivalent to the word “pet”. The term “pet” is pronounced as it is spelled, “pet”. The term “pets” is likewise pronounced as “pets” in essentially a phonetically equivalent fashion. The terms each have only one syllable, and they have the same stress pattern, with primary accent on the initial “pe” portion of the words. In commercial meaning, the terms show no material difference. As English nouns, “pets” is the pluralization of “pet”.
The visual similarity and algorithmic score are high, the aural similarity is high, the meaning similarity is high. Objector has met its burden of proof. The cumulative impact of these factors is such that the Expert determines that the delegation of <.pet> gTLD and the <.pets> gTLD into the root zone will cause a probability of confusion.

Page did take into account the similarity score provided by the Sword algorithm — for .pet and .pets it’s actually a fairly weak 72% — in his thinking on visual similarity.
But he specifically rejected Donuts’ defense that co-existence of plurals at the second level was proof that plural/singular gTLDs could also co-exist at the top-level, saying:

The rapid historical development of the Internet and the proliferation of domain names over the past two decades has taken place without the application of the string confusion standard now established for gTLDs. Therefore, the Expert has not considered the current coexistence of pluralized second-level TLDs or similarities between country code TLDs and existing gTLDs in the application of the string confusion standard in this proceeding.

Can: open. Worms: everywhere.
The decision stands in stark contrast to the decision (pdf) of Bruce Belding in the .hotel v .hotels case, in which it was found that the two strings were “sufficiently visually and audibly different”.
Likewise, the panelist in .car v .cars (pdf) found that Google had not met the high evidential bar to proving the “probability” rather than mere “possibility” of confusion.
One has to assume that the evidence Google submitted in .car is fairly similar to the evidence it submitted in .pets.
Are String Confusion Objections just a crap shoot, the outcome depending on which panelist you get? It’s probably too early to say for sure, but it’s looking like a possibility.
The big test will come with the next .pets decision. Afilias, the other .pet applicant, has also filed an SCO against Donuts over its .pets bid.
What if the panel in the Afilias case goes the other way? Will Donuts be in a contention set with Google and Afilias or won’t it?
I asked Akram Atallah, president of ICANN’s Generic Domains Division, about this yesterday and he said that ICANN basically doesn’t know, and that it might have to refer back to the community for advice.
Read the Atallah interview here and the .pets decision (pdf) here.