Latest news of the domain name industry

Recent Posts

ICANN says it WILL raise its domain taxes soon

Kevin Murphy, October 28, 2024, Domain Registrars

Prices in all gTLDs will go up after ICANN told registries and registrars last week that it plans to increase the fees it charges them, sometimes called its “tax”, next year.

The extra fee ICANN takes from registrars for each new domain registration and renewal will increase from $0.18 to $0.20, according to an email sent from ICANN VP Russ Weinstein to registrars Thursday evening.

This fee is typically passed on explicitly and directly to registrants in their registrar’s shopping cart.

Less-visible charges on registries will also go up. The fixed quarterly fee will go from $6,250 per quarter ($25,000 per year) to $6,450 per quarter ($25,800 per year) and the per-transaction fee will go up from $0.25 per year to $0.258 per year.

The registry fee changes will take effect January 1, but the registrar fee changes will not take effect until July 1, 2025, the start of ICANN’s next fiscal year, according to ICANN.

“After more than a decade of no changes to registry-level and registrar-level fees, ICANN would like to increase the fees it charges to both parties,” Weinstein wrote.

The two cents tax increase is big in percentage terms — about 11% — while the registry fee is more in line with US inflation at 3.20%.

The fixed registrar accreditation fee is to stay the same at $4,000 per year, while the variable accreditation fee, which is divided between registrars based on their transaction volume, is going up from a total of $3.42 million to $3.8 million per year.

The increases come as ICANN struggles to fill a $10 million hole in its budget — a situation that has already led to layoffs — and some back-of-the-envelope calculations suggest the combined fee increases are designed to raise annual revenue in that ball-park.

Due to the differences between the standard Registry Agreement and Registrar Accreditation Agreement, ICANN can push through the registry fee increases fairly quickly and unilaterally, while the registrar changes have some red tape.

The two-cent tax increase will be part of ICANN’s usual budget process, which includes a public comment period and consideration by the board of directors, while the variable fee increase will be subject to a registrar vote.

Note: an early, unfinished draft of this post was inadvertently published on Friday, for which I can only apologize.

Verisign agrees to .com takedown rules

Kevin Murphy, September 27, 2024, Domain Registries

Verisign has agreed to take down abusive .com domains under the next version of its registry contract with ICANN.

The proposed deal, published for public comment yesterday, could have financial implications for the entire domain industry, but it also contains a range of changes covering the technical management of .com.

Key among them is the addition of new rules on “DNS Abuse” that require Verisign to respond to abuse reports, either by referring the domain to its registrar or by taking direct action

Abuse is defined with the now industry-standard “malware, botnets, phishing, pharming, and spam (when spam serves as a delivery mechanism for the other forms of DNS Abuse listed in this definition)”.

The language is virtually identical to the strengthened DNS abuse language in the base Registry Agreement that almost all other gTLD registries have been committed to since their contracts were updated this April. It reads:

Where Registry Operator reasonably determines, based on actionable evidence, that a registered domain name in the TLD is being used for DNS Abuse, Registry Operator must promptly take the appropriate mitigation action(s) that are reasonably necessary to contribute to stopping, or otherwise disrupting, the domain name from being used for DNS Abuse. Such action(s) shall, at a minimum, include: (i) the referral of the domains being used for the DNS Abuse, along with relevant evidence, to the sponsoring registrar; or (ii) the taking of direct action, by Registry Operator, where Registry Operator deems appropriate.

The current version of the .com contract only requires Verisign to publish an abuse contact on its web site. It doesn’t even oblige the company to respond to abuse reports.

In domain volume terms, .com is regularly judged one of the most-abused TLDs on the internet, though newer, cheaper gTLDs usually have worse numbers in terms of the percentage of registrations that are abusive.

Verisign will also get an obligation that other registries don’t have — to report to ICANN “any cyber incident, physical intrusion or infrastructure damages” that affects the .com registry.

ICANN won’t be able to reveal the details of such incidents publicly unless Verisign gives its permission, but in a side deal (pdf) the two parties promise to work together on a process for public disclosure.

Verisign will also have to implement two 20-year-old IETF standards on “Network Ingress Filtering” that describe methods of mitigating denial-of-service attacks by blocking traffic from forged IP addresses.

The contract is open for public comment.

GoDaddy’s next .xxx contract may not be a done deal

Kevin Murphy, March 18, 2024, Domain Policy

ICANN has published what could be the next version of GoDaddy’s .xxx registry contract, and is framing it as very much open to challenge.

The proposed Registry Agreement would scrap the “sponsored” designation from .xxx, substantially reduce GoDaddy’s ICANN fees, and implement the strictest child-protection measures of any gTLD, as well as make ICANN Compliance’s job a lot easier by standardizing terms on the new gTLD program’s Base RA.

But, as eager as ICANN usually is to shift legacy, pre-2012 gTLDs to the Base RA, this time it’s published the contract for public comment as if it’s something GoDaddy is unilaterally proposing.

It’s “ICM’s proposal”, according to ICANN’s public comment announcement, referring to GoDaddy subsidiary ICM Registry, and “ICM has requested to use the Base Registry Agreement form, as well as to remove the sponsorship designation of the .XXX TLD”.

This is not the language ICANN usually uses when it publishes RA renewals for public comment. Normally, the proposed contracts are presented as the result of bilateral negotiations. In this case, ICANN and ICM have been in renewal discussions for at least three years, but the contract is being presented as something GoDaddy alone has asked for.

The new RA would remove almost all references to sponsorship and to IFFOR, the pretty much toothless “sponsor” organization ICM created to get its .xxx application over the line under the rules of the Sponsored TLD application round that kicked off back in 2003.

Instead, it loads a bunch of Public Interest Commitments, aimed at replicating some of the safeguards IFFOR oversight was supposed to provide, into the Base RA.

GoDaddy would have to ban and proactively seek out and report child sexual abuse material. It would also prohibit practices that suggest the presence of CSAM, such as the inclusion of certain unspecified keywords in .xxx domains or in the corresponding web site’s content or meta-content.

(ICANN notes that these PICs may become unenforceable, depending on the outcome of current discussions about its ability to enforce content-related terms of its contracts).

GoDaddy and IFFOR have both submitted letters arguing that sponsorship is no longer required. The existence of sister gTLDs .adult, .sex, and .porn as unsponsored gTLDs, also in the GoDaddy Registry stable, proves the extra oversight is not needed, they say. Registrants polled do not object to the changes, they say.

GoDaddy’s cost structure would also change under the new deal. Not only would it save $100,000 a year by cutting off IFFOR, but it would also inherit the Base RA’s 50,000-domain threshold for paying ICANN transaction fees.

This likely means it won’t pay the $0.25 transaction fee for a while — .xxx was at about 47,500 domains under management and shrinking at the last count. It hasn’t reported DUM over 50,000 since January 2023.

While the renewal terms may seem pragmatic and not especially unreasonable, they’ve already received at least one public objection.

Consultant Michael Palage, who was on the ICANN board for the first three years of .xxx’s agonizing eight-year path to approval, took to the mic at the ICANN 79 Public Forum earlier this month to urge the board to reject GoDaddy’s request.

Palage said there have been “material violations of the Registry Agreement” that he planned to inform ICANN Compliance about. He added that approving the new deal would set a bad precedent for all the other “community” registries ICANN has contracts with.

The situation has some things in common with the controversy over the proposed acquisition of Public Internet Registry and .org a few years ago, in that the proposal entails ignoring promises made by a registry two decades ago.

Whether .xxx will attract the same level of outrage is debatable — this deal doesn’t involve nearly as many domains and does not talk to the price registrants pay — but it could attract noise from those who believe ICANN should not throw out its principles for the sake of a quieter life.

One place we might look for comment is the Governmental Advisory Committee, which was the biggest reason .xxx took so long to get approved in the first place.

But the timing of the comment period opening is interesting, coming a week after ICANN 79 closed. It will end April 29, about six weeks before the full GAC next meets en masse, at ICANN 80.

It’s not impossible that the new contract could be approved and signed before the governments get a chance to publicly haul ICANN’s board over the coals.

ICANN approves domain takedown rules

Kevin Murphy, January 24, 2024, Domain Policy

ICANN’s board of directors has formally approved amendments to its standard registry and registrar contracts aimed at forcing companies to take action against domains involved in DNS abuse.

At its meeting last weekend, the board passed a resolution amending the Registrar Accreditation Agreement and Base gTLD Registry Agreement to include tougher rules on tackling abuse.

Registrars must now “promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse” when provided with evidence of such abuse.

Registries have a similar obligation to take action, but the action might be to refer the abusive domain to the appropriate registrar.

The rules follow the now industry-standard definition of DNS abuse: “malware, botnets, phishing, pharming, and spam (when spam serves as a delivery mechanism for the other forms of DNS Abuse listed)”.

The changes were crafted by ICANN along with registries and registrars and voted through late last year by a hefty majority of both camps.

The two contracts are now in the hands of the ICANN CEO and her lawyers for final action before becoming enforceable.

Registries and registrars vote ‘Yes’ to new DNS abuse rules

Kevin Murphy, December 14, 2023, Domain Registrars

ICANN’s contracted registries and registrars have voted to accept new rules requiring them to take action on DNS abuse.

The new rules come after a vote lasting a few months with some quite high thresholds for success.

The current Registrar Accreditation Agreement merely requires registrars to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse”, which is pretty vague and barely enforceable.

The amendments, which still need to be rubber-stamped by the ICANN board, make it much clearer what registrars are expected to do in which circumstances. A new paragraph is added that reads:

3.18.2 When Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, Registrar must promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse. Action(s) may vary depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage.

For registries, the new text for the base gTLD Registry Agreement is similar, but with a little more wiggle-room:

Where a Registry Operator reasonably determines, based on actionable evidence, that a registered domain name in the TLD is being used for DNS Abuse, Registry Operator must promptly take the appropriate mitigation action(s) that are reasonably necessary to contribute to stopping, or otherwise disrupting, the domain name from being used for DNS Abuse. Such action(s) shall, at a minimum, include: (i)the referral of the domains being used for the DNS Abuse, along with relevant evidence, to the sponsoring registrar; or (ii) the taking of direct action, by the Registry Operator, where the Registry Operator deems appropriate. Action(s) may vary depending on the circumstances of each case, taking into account the severity of the harm from the DNS Abuse and the possibility of associated collateral damage.

In both cases, DNS abuse is defined by the now industry standard line: “malware, botnets, phishing, pharming, and spam (when spam serves as a delivery mechanism for the other forms of DNS Abuse listed in this Section)”.

There are a few other quality of life updates, such as the requirement for registrars to acknowledge receipt of abuse reports and to have their abuse reporting mechanism “conspicuously and readily accessible from” their home pages.

ICANN needed registrars representing over 90% of registered gTLD domains (adjusted slightly to make GoDaddy’s voice less powerful). That threshold was passed last week, with 94% of domains voting in favor of the amendments.

For registries, ICANN required a simple majority of registries (counted by contract rather than company) and for all registries voting in favor to have been responsible for two thirds of all registry fees paid last year.

Judging by the financial thresholds, .com and .net, which are not on the base RA, were not involved.

Everyone hates Verisign’s new .net deal

Kevin Murphy, May 26, 2023, Domain Policy

The public has commented: Verisign’s .net registry contract should not be renewed in its currently proposed form.

ICANN’s public comment period for the renewal closed yesterday and attracted 57 submissions, most of which either complained about Verisign being allowed to raise its prices or expressed fears about domains being seized by governments.

The proposed contract retains the current pricing structure, in which Verisign is allowed to raise the price of a .net domain by 10% a year. They currently cost $9.92, meaning they could reach $17.57 by the time the contract ends.

The Internet Commerce Association, some of its supporters, Namecheap, the Registrars Stakeholder Group, the Cross-Community Working Party on ICANN and Human Rights (CCWP-HR), and TurnCommerce all oppose the price increases.

The RrSG said the price provisions “are without sufficient justification or an analysis of its potentially substantial impact on the DNS”.

These commenters and others who did not directly oppose the increases, including the At-Large Advisory Committee and consultant Michael Palage, called for ICANN to conduct an economic analysis of the domain name market.

The Business Constituency was the only commenter to openly support the increases, though its comment noted that it is opposed in principle to ICANN capping prices at all.

The Intellectual Property Constituency did not express a view on pricing, but called for greater transparency into the side-deal that sees ICANN get an extra $4 million a year for unspecified security-related work. ICANN has never revealed publicly how this money is spent.

In terms of the number of submissions, the biggest concern people seem to have is that the proposed contract contains language obliging Verisign to take down domains to comply with “applicable law, government rules or regulations, or pursuant to any legal order or subpoena of any government, administrative or governmental authority, or court of competent jurisdiction”.

This language is already in the .com contract, but before ICANN clarified this on April 26 several concerned registrants had made comments opposing its inclusion.

Notably, the founder of the controversial troll forum kiwifarms.net, which has been kicked out of registrars after being linked to suicides, submitted his own “ICANN should be destroyed” comment.

Several commenters also noted that the definition of “security and stability” in the .net contract differs to the Base Registry Agreement that almost all other registries have signed in such a way that it is feared that Verisign would not have to abide by future ICANN Consensus Policies under certain circumstances.

As several commenters note, the usual protocol following an ICANN public comment period is for ICANN to issue a summary report, pay lip service to having “considered” the input, and then make absolutely no changes at all.

This time, some commenters held out some hope that ICANN’s new, surprisingly sprightly and accommodating leadership may have a different approach.

The comments can be read here.

ICANN signs Whois’ death warrant in new contracts

Kevin Murphy, May 3, 2023, Domain Policy

Whois as we have known it for decades will be phased out of gTLDs over the next couple of years, after ICANN approved changes to its contracts at the weekend.

The board of directors signed off on amendments to the base Registry Agreement and Registrar Accreditation Agreement after they were approved by the requisite majority of registries and registrars earlier this year.

The changes outline how registries and registrars must make the move away from Whois, the technical specification, toward the functionally similar RDAP, the Registration Data Access Protocol.

After the amendments go into effect, contracted parties will have about 18 months to make the migration. They’ll be allowed to run Whois services in parallel if they wish after the transition.

People will in all likelihood carry on referring to such services as “Whois”, regardless, rather than the official replacement term “Registration Data Directory Services” or RDDS.

The RAA amendment will also require registrars to provide full RDAP output, rather than relying on “thick” registries to do it for them.

None of the changes affect how much personal information is returned for domain ownership lookups.

Verisign’s .net contract up for public comment

Kevin Murphy, April 13, 2023, Domain Registries

ICANN intends to renew Verisign’s contract to run the .net gTLD and has opened the revised deal for public comment.

At first glance, there doesn’t appear to be anything massively controversial about the proposed changes, so we probably shouldn’t expect the same kind of outrage similar contract renewals have solicited in the past.

A great deal of the changes relate to the sunsetting of the Whois protocol and its replacement with the functionally similar RDAP, something set to become part of all gTLD contracts, legacy and new, soon.

The only money-related change of note is the agreement that Verisign will pay pro-rated portions of the $0.75 annual ICANN transaction fee when it sells its Consolidate service, which allows registrants to synchronize their expiry dates for convenience.

That provision is already in the .com contract, and Verisign has agreed to back-date the payments to May 1, 2020, around about the same time the .com contract was signed.

The controversial side-deal under which Verisign agreed to pay ICANN $4 million a year for five years is also being amended, but the duration and amount of money do not appear to be changing.

The new Registry Agreement also includes Public Interest Commitments for the first time. Verisign has agreed to two PICs common to all new gTLD RAs governing prohibitions on abusive behaviors.

The deal would extend Verisign’s oversight for six years, to June 30, 2029. It’s open for public comment until May 25.

Abuse crackdown likely in next gTLD registrar contract

Kevin Murphy, December 20, 2022, Domain Policy

ICANN and its accredited registries and registrars have formally kicked off contract renegotiations designed to better tackle DNS abuse.

The aim is to create a “baseline obligation” for contracted parties to “take reasonable and appropriate action to mitigate or disrupt malicious registrations engaged in DNS Abuse”, according to recent correspondence.

This may close the loophole in the contracts identified this year that hinder ICANN Compliance’s ability to take action against registrars that turn a blind eye to abuse.

The current contracts require registrars to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse”, which lacks clarity because there’s no agreement on what an appropriate response is.

The registries and registrars stakeholder groups (RySG and RrSG) note that there won’t be an expansion of the term “DNS abuse” to expand into web site content, nor will the talks cover Whois policy.

As is the norm for contract negotiations, they’ll be bilateral between ICANN and a select group of representative contracted parties, and conducted in private.

Talks are expected to take three to six months and the resulting amendments to the Registrar Accreditation Agreement and base Registry Agreement will be published for 30 days of public comment.

It’s been almost 10 years since the RAA was last updated.

New ICANN contracts chart the death throes of Whois

Kevin Murphy, September 12, 2022, Domain Policy

Whois is on its death bed, and new versions of ICANN’s standard contracts put a timeline to its demise.

The Org has posted proposed updates to its Registrar Accreditation Agreement and Registry Agreement, and most of the changes focus on the industry-wide transition from the Whois standard to the newer Registration Data Access Protocol.

We’re only talking about a change in the technical spec and terminology here. There’ll still be query services you can use to look up the owner of a domain and get a bunch of redactions in response. People will probably still even refer to it as “Whois”.

But when the new RAA goes into effect, likely next year, registrars and registries will have roughly 18 months to make the transition from Whois to RDAP.

Following the contract’s effective date there’ll be an “RDAP Ramp-up Period” during which registrars will not be bound by RDAP service-level agreements. That runs for 180 days.

After the end of that phase, registrars will only have to keep their Whois functioning for another 360 days, until the “WHOIS Services Sunset Date”. After that, they’ll be free to turn Whois off or keep it running (still regulated by ICANN) as they please.

ICANN’s CEO and the chair of the Registrars Stakeholder Group will be able to delay this sunset date if necessary.

Most registrars already run an RDAP server, following an order from ICANN in 2019. IANA publishes a list of the service URLs. One registrar has already lost its accreditation in part because it did not deploy one.

There’ll be implementation work for some registrars, particularly smaller ones, to come into compliance with the new RAA, no doubt.

There’ll also be changes needed for third-party software and services that leverage Whois in some way, such as in the security field or even basic query services. Anyone not keeping track of ICANN rules could be in for a sharp shock in a couple of years.

The contracted parties have been negotiating these changes behind closed doors for almost three years. It’s been almost a decade since the last RAA was agreed.

The contracts are open for public comment until October 24.