Latest news of the domain name industry

Recent Posts

ICANN approves domain takedown rules

Kevin Murphy, January 24, 2024, Domain Policy

ICANN’s board of directors has formally approved amendments to its standard registry and registrar contracts aimed at forcing companies to take action against domains involved in DNS abuse.

At its meeting last weekend, the board passed a resolution amending the Registrar Accreditation Agreement and Base gTLD Registry Agreement to include tougher rules on tackling abuse.

Registrars must now “promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse” when provided with evidence of such abuse.

Registries have a similar obligation to take action, but the action might be to refer the abusive domain to the appropriate registrar.

The rules follow the now industry-standard definition of DNS abuse: “malware, botnets, phishing, pharming, and spam (when spam serves as a delivery mechanism for the other forms of DNS Abuse listed)”.

The changes were crafted by ICANN along with registries and registrars and voted through late last year by a hefty majority of both camps.

The two contracts are now in the hands of the ICANN CEO and her lawyers for final action before becoming enforceable.

Registries and registrars vote ‘Yes’ to new DNS abuse rules

Kevin Murphy, December 14, 2023, Domain Registrars

ICANN’s contracted registries and registrars have voted to accept new rules requiring them to take action on DNS abuse.

The new rules come after a vote lasting a few months with some quite high thresholds for success.

The current Registrar Accreditation Agreement merely requires registrars to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse”, which is pretty vague and barely enforceable.

The amendments, which still need to be rubber-stamped by the ICANN board, make it much clearer what registrars are expected to do in which circumstances. A new paragraph is added that reads:

3.18.2 When Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, Registrar must promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse. Action(s) may vary depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage.

For registries, the new text for the base gTLD Registry Agreement is similar, but with a little more wiggle-room:

Where a Registry Operator reasonably determines, based on actionable evidence, that a registered domain name in the TLD is being used for DNS Abuse, Registry Operator must promptly take the appropriate mitigation action(s) that are reasonably necessary to contribute to stopping, or otherwise disrupting, the domain name from being used for DNS Abuse. Such action(s) shall, at a minimum, include: (i)the referral of the domains being used for the DNS Abuse, along with relevant evidence, to the sponsoring registrar; or (ii) the taking of direct action, by the Registry Operator, where the Registry Operator deems appropriate. Action(s) may vary depending on the circumstances of each case, taking into account the severity of the harm from the DNS Abuse and the possibility of associated collateral damage.

In both cases, DNS abuse is defined by the now industry standard line: “malware, botnets, phishing, pharming, and spam (when spam serves as a delivery mechanism for the other forms of DNS Abuse listed in this Section)”.

There are a few other quality of life updates, such as the requirement for registrars to acknowledge receipt of abuse reports and to have their abuse reporting mechanism “conspicuously and readily accessible from” their home pages.

ICANN needed registrars representing over 90% of registered gTLD domains (adjusted slightly to make GoDaddy’s voice less powerful). That threshold was passed last week, with 94% of domains voting in favor of the amendments.

For registries, ICANN required a simple majority of registries (counted by contract rather than company) and for all registries voting in favor to have been responsible for two thirds of all registry fees paid last year.

Judging by the financial thresholds, .com and .net, which are not on the base RA, were not involved.

Everyone hates Verisign’s new .net deal

Kevin Murphy, May 26, 2023, Domain Policy

The public has commented: Verisign’s .net registry contract should not be renewed in its currently proposed form.

ICANN’s public comment period for the renewal closed yesterday and attracted 57 submissions, most of which either complained about Verisign being allowed to raise its prices or expressed fears about domains being seized by governments.

The proposed contract retains the current pricing structure, in which Verisign is allowed to raise the price of a .net domain by 10% a year. They currently cost $9.92, meaning they could reach $17.57 by the time the contract ends.

The Internet Commerce Association, some of its supporters, Namecheap, the Registrars Stakeholder Group, the Cross-Community Working Party on ICANN and Human Rights (CCWP-HR), and TurnCommerce all oppose the price increases.

The RrSG said the price provisions “are without sufficient justification or an analysis of its potentially substantial impact on the DNS”.

These commenters and others who did not directly oppose the increases, including the At-Large Advisory Committee and consultant Michael Palage, called for ICANN to conduct an economic analysis of the domain name market.

The Business Constituency was the only commenter to openly support the increases, though its comment noted that it is opposed in principle to ICANN capping prices at all.

The Intellectual Property Constituency did not express a view on pricing, but called for greater transparency into the side-deal that sees ICANN get an extra $4 million a year for unspecified security-related work. ICANN has never revealed publicly how this money is spent.

In terms of the number of submissions, the biggest concern people seem to have is that the proposed contract contains language obliging Verisign to take down domains to comply with “applicable law, government rules or regulations, or pursuant to any legal order or subpoena of any government, administrative or governmental authority, or court of competent jurisdiction”.

This language is already in the .com contract, but before ICANN clarified this on April 26 several concerned registrants had made comments opposing its inclusion.

Notably, the founder of the controversial troll forum kiwifarms.net, which has been kicked out of registrars after being linked to suicides, submitted his own “ICANN should be destroyed” comment.

Several commenters also noted that the definition of “security and stability” in the .net contract differs to the Base Registry Agreement that almost all other registries have signed in such a way that it is feared that Verisign would not have to abide by future ICANN Consensus Policies under certain circumstances.

As several commenters note, the usual protocol following an ICANN public comment period is for ICANN to issue a summary report, pay lip service to having “considered” the input, and then make absolutely no changes at all.

This time, some commenters held out some hope that ICANN’s new, surprisingly sprightly and accommodating leadership may have a different approach.

The comments can be read here.

ICANN signs Whois’ death warrant in new contracts

Kevin Murphy, May 3, 2023, Domain Policy

Whois as we have known it for decades will be phased out of gTLDs over the next couple of years, after ICANN approved changes to its contracts at the weekend.

The board of directors signed off on amendments to the base Registry Agreement and Registrar Accreditation Agreement after they were approved by the requisite majority of registries and registrars earlier this year.

The changes outline how registries and registrars must make the move away from Whois, the technical specification, toward the functionally similar RDAP, the Registration Data Access Protocol.

After the amendments go into effect, contracted parties will have about 18 months to make the migration. They’ll be allowed to run Whois services in parallel if they wish after the transition.

People will in all likelihood carry on referring to such services as “Whois”, regardless, rather than the official replacement term “Registration Data Directory Services” or RDDS.

The RAA amendment will also require registrars to provide full RDAP output, rather than relying on “thick” registries to do it for them.

None of the changes affect how much personal information is returned for domain ownership lookups.

Verisign’s .net contract up for public comment

Kevin Murphy, April 13, 2023, Domain Registries

ICANN intends to renew Verisign’s contract to run the .net gTLD and has opened the revised deal for public comment.

At first glance, there doesn’t appear to be anything massively controversial about the proposed changes, so we probably shouldn’t expect the same kind of outrage similar contract renewals have solicited in the past.

A great deal of the changes relate to the sunsetting of the Whois protocol and its replacement with the functionally similar RDAP, something set to become part of all gTLD contracts, legacy and new, soon.

The only money-related change of note is the agreement that Verisign will pay pro-rated portions of the $0.75 annual ICANN transaction fee when it sells its Consolidate service, which allows registrants to synchronize their expiry dates for convenience.

That provision is already in the .com contract, and Verisign has agreed to back-date the payments to May 1, 2020, around about the same time the .com contract was signed.

The controversial side-deal under which Verisign agreed to pay ICANN $4 million a year for five years is also being amended, but the duration and amount of money do not appear to be changing.

The new Registry Agreement also includes Public Interest Commitments for the first time. Verisign has agreed to two PICs common to all new gTLD RAs governing prohibitions on abusive behaviors.

The deal would extend Verisign’s oversight for six years, to June 30, 2029. It’s open for public comment until May 25.

Abuse crackdown likely in next gTLD registrar contract

Kevin Murphy, December 20, 2022, Domain Policy

ICANN and its accredited registries and registrars have formally kicked off contract renegotiations designed to better tackle DNS abuse.

The aim is to create a “baseline obligation” for contracted parties to “take reasonable and appropriate action to mitigate or disrupt malicious registrations engaged in DNS Abuse”, according to recent correspondence.

This may close the loophole in the contracts identified this year that hinder ICANN Compliance’s ability to take action against registrars that turn a blind eye to abuse.

The current contracts require registrars to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse”, which lacks clarity because there’s no agreement on what an appropriate response is.

The registries and registrars stakeholder groups (RySG and RrSG) note that there won’t be an expansion of the term “DNS abuse” to expand into web site content, nor will the talks cover Whois policy.

As is the norm for contract negotiations, they’ll be bilateral between ICANN and a select group of representative contracted parties, and conducted in private.

Talks are expected to take three to six months and the resulting amendments to the Registrar Accreditation Agreement and base Registry Agreement will be published for 30 days of public comment.

It’s been almost 10 years since the RAA was last updated.

New ICANN contracts chart the death throes of Whois

Kevin Murphy, September 12, 2022, Domain Policy

Whois is on its death bed, and new versions of ICANN’s standard contracts put a timeline to its demise.

The Org has posted proposed updates to its Registrar Accreditation Agreement and Registry Agreement, and most of the changes focus on the industry-wide transition from the Whois standard to the newer Registration Data Access Protocol.

We’re only talking about a change in the technical spec and terminology here. There’ll still be query services you can use to look up the owner of a domain and get a bunch of redactions in response. People will probably still even refer to it as “Whois”.

But when the new RAA goes into effect, likely next year, registrars and registries will have roughly 18 months to make the transition from Whois to RDAP.

Following the contract’s effective date there’ll be an “RDAP Ramp-up Period” during which registrars will not be bound by RDAP service-level agreements. That runs for 180 days.

After the end of that phase, registrars will only have to keep their Whois functioning for another 360 days, until the “WHOIS Services Sunset Date”. After that, they’ll be free to turn Whois off or keep it running (still regulated by ICANN) as they please.

ICANN’s CEO and the chair of the Registrars Stakeholder Group will be able to delay this sunset date if necessary.

Most registrars already run an RDAP server, following an order from ICANN in 2019. IANA publishes a list of the service URLs. One registrar has already lost its accreditation in part because it did not deploy one.

There’ll be implementation work for some registrars, particularly smaller ones, to come into compliance with the new RAA, no doubt.

There’ll also be changes needed for third-party software and services that leverage Whois in some way, such as in the security field or even basic query services. Anyone not keeping track of ICANN rules could be in for a sharp shock in a couple of years.

The contracted parties have been negotiating these changes behind closed doors for almost three years. It’s been almost a decade since the last RAA was agreed.

The contracts are open for public comment until October 24.

Verisign likely to get its billion-dollar .com pricing windfall

Kevin Murphy, October 28, 2019, Domain Registries

Verisign and ICANN appear to be on the verge of signing a new .com registry contract that could prove extremely lucrative for the legacy gTLD company.
Speaking to analysts following the announcement of Verisign’s third-quarter results late last week, CEO Jim Bidzos said talks with ICANN, which have their first anniversary this week, are “nearly complete”.
The new contract will take on the terms of the Cooperative Agreement between Verisign and the US Department of Commerce, which was amended a year ago to scrap an Obama-era price freeze.
Under the future contract, Verisign is expected to be able to raise its .com fee from its current $7.85 by 7% in four of the six years of the deal. As I wrote at the time, this could be worth close to a billion dollars.
This, for a company that already enjoys profit margins so generous that I regularly receive phone calls from perplexed analysts asking me to help explain how they get away with it.
Bidzos said on Thursday night:

let me remind you that under the 2016 amendment to our .com registry agreement with ICANN, which extended the term of the agreement, we and ICANN also agree to negotiate in good faith to do two things; first, we agree to reflect changes to the Cooperative Agreement in the com agreement, including pricing terms. Second, we agree to amend the com agreement to include terms to preserve and enhance the security and stability of the com registry or the internet.
We believe these discussions with ICANN are nearly complete. While it will be inappropriate at this time to provide more details, I can say that we were satisfied with the results so far. As noted, this is an ICANN process and we expect that before long ICANN will be publishing for public comment the documents we have been discussing.

The Cooperative Agreement also allows Verisign to launch a registrar business, just as long as that registrar does not sell .com domains.
Potentially, Verisign could get the right to launch a customer-facing registrar focused on selling .net, .org and newer gTLDs and ccTLDs.
Given we already pretty much know what the new pricing regime is going to be, the big mystery right now is why it’s taken ICANN and Verisign so long to renegotiate the contract.
One analyst asked Bidzos on Thursday whether ICANN has talked its way into getting a bigger slice of the registry fee, currently set at $0.25 per annual domain transaction.
That’s in-line with what almost all the other gTLD registries pay, and I can’t see ICANN demanding more without attracting a tonne of criticism. Verisign is already by some margin its biggest funding source.
Could ICANN have demanded that Verisign adopt the Uniform Rapid Suspension anti-cybersquatting policy, which would be guaranteed to enrage domain investors?
Whatever else is to be added to the contract, it appears to be related to that amorphous term “security and stability”, which could mean basically anything.
When ICANN and Verisign agreed to talk about new terms “to preserve and enhance the security and stability of the Internet or the TLD”, what on Earth where they talking about?
It looks like we won’t have to wait too much longer to find out.

ICANN enters talks to kill off Whois for good

Kevin Murphy, October 23, 2019, Domain Tech

Whois’ days are numbered.
ICANN is to soon enter talks with accredited registrars and contracted gTLD registries with the aim of naming a date to finally “sunset” the aging protocol.
It wants to negotiate amendments to the Registrar Accreditation Agreement and Registry Agreement with a view to replacing obligations to publish Whois with obligations to publish Registration Data Access Protocol data.
In letters to the chairs of its registrar and registry constituencies this week, ICANN CEO Göran Marby wrote:

The primary focus of the amendment is to incorporate contractual requirements for the Registration Data Access Protocol (RDAP) into the Registration Data Directory Services. This should include definition of the plan and provisions to sunset the obligations related to the WHOIS protocol as we transition Registration Data Services to RDAP.

For avoidance of doubt, people will still be able to look up the contact information for domain name owners after the change, but the data they see (very likely redacted for privacy reasons nowadays) will be delivered over a different protocol.
The contract amendment processes involve both registry and registrar constituencies to nominate a few people to engage in talks with ICANN negotiators, which is expected to conclude within 90 days.
When they come up with mutually acceptable language, the amendments will be open for both public comment and a vote of registries and registrars, before going to the ICANN board of directors for final approval.
The voting process is complex, designed to avoid capture by the largest registrars, and based on a balance of the number of voting registrars and the number of domains they collectively manage.
The contractual changes will come as no surprise to contracted parties, which have been on-notice for years that Whois is on its way out in favor of RDAP.
Most registrars already operate an RDAP server in parallel to their old Whois service, following an ICANN deadline in August.
We could be looking at the death of Whois within a year.

Spam is not our problem, major domain firms say ahead of ICANN 66

Kevin Murphy, October 21, 2019, Domain Policy

Eleven of the largest domain name registries and registrars have denied that spam is something they should have to deal with, unless it’s used to proliferate other types of abuse such as phishing or malware.
In a newly published “Framework to Address Abuse” (pdf), the companies attempt to define the term “DNS abuse” narrowly to capture only five (arguably only four and a half) specific types of online threat.
That abuse comprises malware, phishing, botnets, pharming and spam.
The companies agree that these are activities which registrars and registries “must” act upon.
But the document notes that not all spam is its responsibility, stating:

While Spam alone is not DNS Abuse, we include it in the five key forms of DNS Abuse when it is used as a delivery mechanism for the other four forms of DNS Abuse. In other words, generic unsolicited e-mail alone does not constitute DNS Abuse, but it would constitute DNS Abuse if that e-mail is part of a phishing scheme.

In other words, registrars and registries should not feel responsible for the billions of spams sent every day using their domains, unless the spam runs further malware, phishing, pharming or botnet abuse.
The signatories of the framework are Public Interest Registry, GoDaddy, Donuts, Tucows, Amazon Registry Services, Blacknight, Afilias, Name.com, Amazon Registrar, Neustar, and Nominet UK.
It may seem like they’ve presented a surprisingly narrow definition, but it’s in line with what current ICANN contracts dictate.
Neither the standard Registry Agreement nor Registrar Accreditation Agreement mention spam at all. Six years ago, ICANN specifically said that spam is “outside of ICANN’s scope and authority”.
Under the RA, registries have to oblige their registrars to ban registrants from “distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law”.
They also have to maintain statistical reports on the amount of “pharming, phishing, malware, and botnets” in their zones, and provide those reports to ICANN upon demand. A recent audit found that 5% of registries, mainly dot-brands, were not doing this.
However, ICANN’s Domain Abuse Activity Reporting system, an effort to provide some transparency into how gTLDs are being abused, does in fact track spam. It does not track pharming, which is a fairly obscure and little-used form of DNS attack.
The DAAR report for September shows that spam constituted 73% of all tracked abuse.
The ICANN board of directors today identified DAAR as one of a few dozen priorities for the coming year.
Similarly, the cross-community working group known as the CCT Review Team, which was tasked with looking into how the new gTLD program has impacted competition and consumer trust, had harsh words for spam-friendly registries, and provided a definition of “DNS Security Abuse” that specifically included “high volume spam”.
The review recommended that ICANN introduce more measures to force contracted parties to deal with this type of abuse. This could include incentives for registries to clean up their zones and abuse volume thresholds that would automatically trigger compliance actions.
The new framework document comes in the context of an ongoing debate within the ICANN community about what “DNS abuse” is.
Two partners at Interisle, a security consultancy that often works for ICANN, recently guest-posted on DI to say that this term has become meaningless and should be abandoned in favor of “security threat”.
They argued that the definition should include not only spam, but also stuff like IP infringement, election interference, and terrorism.
But the main threat to contracted parties probably comes from the Governmental Advisory Committee, backed by law enforcement, which is pushing for stronger rules covering abusive content.
During a webinar last week, the US Federal Trade Commission, the FBI, and Europol argued that registries and registrars should be obliged to do more to combat abuse, specifically including spam.
“Whether or not you call it phishing or spam or whether it has a malware payload or not, ultimately it’s all email, and email remains the most common tool of cybercriminals to ensnare their victims, and that’s why we in law enforcement care about the domains used to send emails,” said Gabriel Andrews of the FBI’s Cyber Initiative Resource Fusion Unit, on the call.
Registries and registrars countered, using the same language found in the new framework, that generic spam is a content issue, and outside of their remit.
The two sides are set to clash again at ICANN’s annual general meeting in Montreal next month, in a November 6 face-to-face session.
While 11 entities signed the new framework, it’s arguably only nine companies. Name.com is owned by Donuts and both Amazon firms obviously have the same parent.
But it does include the two largest registrars, and registries responsible for running several hundred commercial gTLDs, dot-brands and ccTLDs.
While none of the signatories of the framework have a particular reputation for being spam-friendly, other companies in the industry — particularly some of the newest and cheapest new gTLDs — tend to attract spammers like flies to a turd.
Some of the signatories are perhaps surprising, given their past or ongoing behavior to tackle content-based abuse in their own zones.
Nominet, notably, takes down tens of thousands of domains ever year based on little more than police assurances that the domains are being used to sell counterfeit merchandise or infringe copyright.
The .uk registry also preemptively suspends domains based on algorithms that guess whether they’re likely to be seen as encouraging sexual violence or could be used in phishing attacks.
Donuts also has a trusted notifier relationship with the movie and music industries that has seen it take down dozens of names being used for mass copyright infringement.
PIR has previous endorsed, then unendorsed, the principal of a “UDRP for copyright”, a method of giving Big Content a way of going through due process to have domains taken or suspended.
Outside the spam issue, while the new registry-registrar framework says that registries and registrars should not get involved in matters related to web site content, it also says they nevertheless “should” (as opposed, one assumes based on the jargon usually found in internet standards, to “must”) suspend domains when they’re being used to distribute:

(1) child sexual abuse materials (“CSAM”); (2) illegal distribution of opioids online; (3) human trafficking; and (4) specific and credible incitements to violence.

These are exceptions because they constitute “the physical and often irreversible threat to human life”, the framework says.
Ultimately, this all boils down to a religious debate about where the line is drawn between “DNS” and “content”, it seems to me.
The contracted parties draw the line at threats to human life, whereas others want action on other forms of abuse largely because registries and registrars are in the best position to help.