Latest news of the domain name industry

Recent Posts

ICANN says it WILL raise its domain taxes soon

Kevin Murphy, October 28, 2024, Domain Registrars

Prices in all gTLDs will go up after ICANN told registries and registrars last week that it plans to increase the fees it charges them, sometimes called its “tax”, next year.

The extra fee ICANN takes from registrars for each new domain registration and renewal will increase from $0.18 to $0.20, according to an email sent from ICANN VP Russ Weinstein to registrars Thursday evening.

This fee is typically passed on explicitly and directly to registrants in their registrar’s shopping cart.

Less-visible charges on registries will also go up. The fixed quarterly fee will go from $6,250 per quarter ($25,000 per year) to $6,450 per quarter ($25,800 per year) and the per-transaction fee will go up from $0.25 per year to $0.258 per year.

The registry fee changes will take effect January 1, but the registrar fee changes will not take effect until July 1, 2025, the start of ICANN’s next fiscal year, according to ICANN.

“After more than a decade of no changes to registry-level and registrar-level fees, ICANN would like to increase the fees it charges to both parties,” Weinstein wrote.

The two cents tax increase is big in percentage terms — about 11% — while the registry fee is more in line with US inflation at 3.20%.

The fixed registrar accreditation fee is to stay the same at $4,000 per year, while the variable accreditation fee, which is divided between registrars based on their transaction volume, is going up from a total of $3.42 million to $3.8 million per year.

The increases come as ICANN struggles to fill a $10 million hole in its budget — a situation that has already led to layoffs — and some back-of-the-envelope calculations suggest the combined fee increases are designed to raise annual revenue in that ball-park.

Due to the differences between the standard Registry Agreement and Registrar Accreditation Agreement, ICANN can push through the registry fee increases fairly quickly and unilaterally, while the registrar changes have some red tape.

The two-cent tax increase will be part of ICANN’s usual budget process, which includes a public comment period and consideration by the board of directors, while the variable fee increase will be subject to a registrar vote.

Note: an early, unfinished draft of this post was inadvertently published on Friday, for which I can only apologize.

Epik to reveal its owners soon

Kevin Murphy, February 1, 2024, Domain Registrars

The new Epik registrar has been asked to reveal the identities of its officers and owners shortly, I’ve learned.

The company last night revealed that it had passed through ICANN’s due diligence process, over six months after Epik LLC bought the assets of Epik Inc following a long financial mismanagement scandal, allowing it to take over its corporate predecessor’s accreditation.

Epik said the ICANN process had confirmed that Epik Inc founder Rob Monster and final CEO Brian Royce were not involved in Epik LLC in any way, but the company did not reveal who the owners or managers of the new company are.

I asked ICANN whether this was kosher under the Registrar Accreditation Agreement, which obliges all registrars to publish the names and positions of their officers, as well as the names of any ultimate parent entity, on their web sites.

“We are reminding them of that obligation and expect it to be addressed shortly,” ICANN vice president Russ Weinstein told us.

Breaches of the RAA can lead to suspension or termination of the contract, but I don’t believe ICANN has ever initiated public Compliance proceedings against a registrar based solely on a relatively minor infraction.

Regardless, it seems that after half a year of mystery, the speculation may very well come to an end soon.

ICANN approves domain takedown rules

Kevin Murphy, January 24, 2024, Domain Policy

ICANN’s board of directors has formally approved amendments to its standard registry and registrar contracts aimed at forcing companies to take action against domains involved in DNS abuse.

At its meeting last weekend, the board passed a resolution amending the Registrar Accreditation Agreement and Base gTLD Registry Agreement to include tougher rules on tackling abuse.

Registrars must now “promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse” when provided with evidence of such abuse.

Registries have a similar obligation to take action, but the action might be to refer the abusive domain to the appropriate registrar.

The rules follow the now industry-standard definition of DNS abuse: “malware, botnets, phishing, pharming, and spam (when spam serves as a delivery mechanism for the other forms of DNS Abuse listed)”.

The changes were crafted by ICANN along with registries and registrars and voted through late last year by a hefty majority of both camps.

The two contracts are now in the hands of the ICANN CEO and her lawyers for final action before becoming enforceable.

Registries and registrars vote ‘Yes’ to new DNS abuse rules

Kevin Murphy, December 14, 2023, Domain Registrars

ICANN’s contracted registries and registrars have voted to accept new rules requiring them to take action on DNS abuse.

The new rules come after a vote lasting a few months with some quite high thresholds for success.

The current Registrar Accreditation Agreement merely requires registrars to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse”, which is pretty vague and barely enforceable.

The amendments, which still need to be rubber-stamped by the ICANN board, make it much clearer what registrars are expected to do in which circumstances. A new paragraph is added that reads:

3.18.2 When Registrar has actionable evidence that a Registered Name sponsored by Registrar is being used for DNS Abuse, Registrar must promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse. Action(s) may vary depending on the circumstances, taking into account the cause and severity of the harm from the DNS Abuse and the possibility of associated collateral damage.

For registries, the new text for the base gTLD Registry Agreement is similar, but with a little more wiggle-room:

Where a Registry Operator reasonably determines, based on actionable evidence, that a registered domain name in the TLD is being used for DNS Abuse, Registry Operator must promptly take the appropriate mitigation action(s) that are reasonably necessary to contribute to stopping, or otherwise disrupting, the domain name from being used for DNS Abuse. Such action(s) shall, at a minimum, include: (i)the referral of the domains being used for the DNS Abuse, along with relevant evidence, to the sponsoring registrar; or (ii) the taking of direct action, by the Registry Operator, where the Registry Operator deems appropriate. Action(s) may vary depending on the circumstances of each case, taking into account the severity of the harm from the DNS Abuse and the possibility of associated collateral damage.

In both cases, DNS abuse is defined by the now industry standard line: “malware, botnets, phishing, pharming, and spam (when spam serves as a delivery mechanism for the other forms of DNS Abuse listed in this Section)”.

There are a few other quality of life updates, such as the requirement for registrars to acknowledge receipt of abuse reports and to have their abuse reporting mechanism “conspicuously and readily accessible from” their home pages.

ICANN needed registrars representing over 90% of registered gTLD domains (adjusted slightly to make GoDaddy’s voice less powerful). That threshold was passed last week, with 94% of domains voting in favor of the amendments.

For registries, ICANN required a simple majority of registries (counted by contract rather than company) and for all registries voting in favor to have been responsible for two thirds of all registry fees paid last year.

Judging by the financial thresholds, .com and .net, which are not on the base RA, were not involved.

ICANN signs Whois’ death warrant in new contracts

Kevin Murphy, May 3, 2023, Domain Policy

Whois as we have known it for decades will be phased out of gTLDs over the next couple of years, after ICANN approved changes to its contracts at the weekend.

The board of directors signed off on amendments to the base Registry Agreement and Registrar Accreditation Agreement after they were approved by the requisite majority of registries and registrars earlier this year.

The changes outline how registries and registrars must make the move away from Whois, the technical specification, toward the functionally similar RDAP, the Registration Data Access Protocol.

After the amendments go into effect, contracted parties will have about 18 months to make the migration. They’ll be allowed to run Whois services in parallel if they wish after the transition.

People will in all likelihood carry on referring to such services as “Whois”, regardless, rather than the official replacement term “Registration Data Directory Services” or RDDS.

The RAA amendment will also require registrars to provide full RDAP output, rather than relying on “thick” registries to do it for them.

None of the changes affect how much personal information is returned for domain ownership lookups.

Epik’s meltdown is a ticking time-bomb for ICANN

Kevin Murphy, April 18, 2023, Domain Registrars

There are many ways ICANN could eventually wind up shutting down flailing registrar Epik, but it might face a nightmare of its own when it does.

Epik appears to have been suffering from serious cash-flow problems for the last several months, with some customers still complaining this week that they haven’t been paid money owed as far back as September.

It’s facing a lawsuit by a customer who says he’s owed over $300,000 over a failed domain purchase, accusations that it’s been running its escrow service without the proper paperwork, and claims that current and former executives may have “embezzled” customer money.

It’s an absolute dumpster fire that so far shows little sign of being extinguished, but unfortunately there’s very little about the situation that appears to be in ICANN’s Compliance wheelhouse.

ICANN Compliance has the right to terminate a company’s accreditation — its ability to sell gTLD domains — if that registrar breaches the terms of the Registrar Accreditation Agreement that all registrars must sign.

The RAA does not cover the secondary market, or escrow or store credit services like Epik’s doomed “Masterbucks”.

Ironically, ICANN would stand a better chance of shutting Epik down if its Whois service crashed, or if the registrar for some reason failed to publish an abuse contact on its web site.

However, if Epik is treating its ICANN fees the same way customers say it’s treating their funds, it can expect a nastygram or six from Compliance, if it has not done so already.

Most cases where ICANN ultimately terminates a registrar’s accreditation begin when Compliance gets a note from the bean-counters that somebody hasn’t been paying their quarterly invoices.

Typically, this serves as a tip-off that the registrar is having problems, so Compliance audits the company to see where else it might be in breach, often discovering other minor or major infractions it can add to the docket.

Epik paid ICANN just shy of $150,000 in its last-reported fiscal year to June 30, 2022. If its current cash-flow problem has caused it to miss an ICANN payment in the three quarters since then, Compliance could be another very powerful creditor knocking at its door.

Another way ICANN could bring out the deaccreditation hammer is if Epik suffers unfavorable court rulings related to financial mismanagement. The RAA specifically allows termination if a court finds a registrar committed “fraud” or “a breach of fiduciary duty”.

The customer lawsuit Epik is currently facing could make such a finding, if it reaches trial and things don’t go Epik’s way.

Perhaps a more immediate concern is that the RAA contains another clause allowing termination if a registrar “is disciplined by the government of its domicile for conduct involving dishonesty or misuse of funds of others”.

I am not a lawyer, but I can see an argument being made that this might have happened already.

As Domain Name Wire reported in February, the Insurance Commissioner of Epik’s home state of Washington recently fined the company $10,000 for selling its DNProtect service as an “insurance” product without the proper licences.

Does this count as being “disciplined by the government of its domicile for conduct involving dishonesty”? Legally, I don’t know.

DNW reports in the same article that the Washington state attorney general has been tipped off about Epik’s escrow service, which is also a regulated industry in which Epik apparently does not have the necessary paperwork to operate.

I’m soothsaying here, of course, but any future disciplinary action from Epik’s local AG could well give ICANN Compliance another deaccreditation trigger to pull.

There are multiple excuses Compliance could find to shitcan Epik over the coming months, but let’s look at the downside for ICANN if it does.

Epik has built itself up in recent years as the go-to “free speech” registrar. It’s welcomed, even courted, multiple registrants that have had their domains banished from other registrars for their sites’ controversial content.

That pretty much always means “far-right” content, of course.

Most recently, it took the business of kiwifarms.net, a forum accused of allowing member to doxx and issue death threats against transgender rights activists.

It’s previously been associated with domains for similarly controversial registrants including Andrew Tate, Infowars, 8chan, Gab and The Daily Stormer.

When Monster was replaced by current CEO Brian Royce last September, the company made a big deal about how the new guy and the old guy were aligned on the free speech issue. Royce has subsequently echoed those thoughts.

Given the narrative Epik has created around itself, can you imagine how a certain section of the online public, namely the fringe of the American right-wing, would react if ICANN essentially shut down the “free speech registrar”?

ICANN has for many years faced misinformed criticism that it has the power to take down web sites it does not agree with, that it acts as a gatekeeper for the internet, that it is or risks becoming the internet’s “content police”.

If ICANN were to deaccredit Epik, removing its ability to sell most domain names, it would be incredibly easy to construct a narrative that a bunch of Californian liberals are trying to destroy “free speech” by taking down loads of right-leaning web sites.

It wouldn’t be true, of course, but the notion would only need to be propagated by a clueless Congressperson, a disingenuous podcast host, or a sustained social media campaign, before ICANN’s very raison d’être came under focus by people who don’t particularly care about facts.

Earthquake survivors given domain renewal holiday

Kevin Murphy, February 14, 2023, Domain Policy

ICANN has announced that registrants in earthquake-hit Türkiye and Syria could have their domains protected from expiration.

It’s triggered part of the Registrar Accreditation Agreement that permits registrars to avoid deleting names owned by registrants unable to renew due to “extenuating circumstances”.

ICANN has declared last week’s quakes, which have claimed tens of thousands of lives, such a circumstance.

The move requires registrar participation to be truly effective. There are nine registrars based in Türkiye, none in Syria, but the offer is valid to all accredited gTLD registrars.

ICANN has exercised this power three times before — after Hurricane Maria, during the Covid-19 outbreak, and last year’s Russian invasion of Ukraine.

Abuse crackdown likely in next gTLD registrar contract

Kevin Murphy, December 20, 2022, Domain Policy

ICANN and its accredited registries and registrars have formally kicked off contract renegotiations designed to better tackle DNS abuse.

The aim is to create a “baseline obligation” for contracted parties to “take reasonable and appropriate action to mitigate or disrupt malicious registrations engaged in DNS Abuse”, according to recent correspondence.

This may close the loophole in the contracts identified this year that hinder ICANN Compliance’s ability to take action against registrars that turn a blind eye to abuse.

The current contracts require registrars to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse”, which lacks clarity because there’s no agreement on what an appropriate response is.

The registries and registrars stakeholder groups (RySG and RrSG) note that there won’t be an expansion of the term “DNS abuse” to expand into web site content, nor will the talks cover Whois policy.

As is the norm for contract negotiations, they’ll be bilateral between ICANN and a select group of representative contracted parties, and conducted in private.

Talks are expected to take three to six months and the resulting amendments to the Registrar Accreditation Agreement and base Registry Agreement will be published for 30 days of public comment.

It’s been almost 10 years since the RAA was last updated.

New ICANN contracts chart the death throes of Whois

Kevin Murphy, September 12, 2022, Domain Policy

Whois is on its death bed, and new versions of ICANN’s standard contracts put a timeline to its demise.

The Org has posted proposed updates to its Registrar Accreditation Agreement and Registry Agreement, and most of the changes focus on the industry-wide transition from the Whois standard to the newer Registration Data Access Protocol.

We’re only talking about a change in the technical spec and terminology here. There’ll still be query services you can use to look up the owner of a domain and get a bunch of redactions in response. People will probably still even refer to it as “Whois”.

But when the new RAA goes into effect, likely next year, registrars and registries will have roughly 18 months to make the transition from Whois to RDAP.

Following the contract’s effective date there’ll be an “RDAP Ramp-up Period” during which registrars will not be bound by RDAP service-level agreements. That runs for 180 days.

After the end of that phase, registrars will only have to keep their Whois functioning for another 360 days, until the “WHOIS Services Sunset Date”. After that, they’ll be free to turn Whois off or keep it running (still regulated by ICANN) as they please.

ICANN’s CEO and the chair of the Registrars Stakeholder Group will be able to delay this sunset date if necessary.

Most registrars already run an RDAP server, following an order from ICANN in 2019. IANA publishes a list of the service URLs. One registrar has already lost its accreditation in part because it did not deploy one.

There’ll be implementation work for some registrars, particularly smaller ones, to come into compliance with the new RAA, no doubt.

There’ll also be changes needed for third-party software and services that leverage Whois in some way, such as in the security field or even basic query services. Anyone not keeping track of ICANN rules could be in for a sharp shock in a couple of years.

The contracted parties have been negotiating these changes behind closed doors for almost three years. It’s been almost a decade since the last RAA was agreed.

The contracts are open for public comment until October 24.

ICANN’s Ukraine relief may extend to Russians too

Kevin Murphy, March 9, 2022, Domain Policy

Russian domain name registrants affected by sanctions could benefit from ICANN’s relaxation of its renewal rules.

ICANN on Monday announced that it was classifying the war in Ukraine as an “extenuating circumstance” under the terms of its standard Registrar Accreditation Agreement.

This means that Ukrainians cut off from the internet due to the invasion could be cut some slack, at their registrar’s discretion, when it comes to renewing their gTLD domains.

But ICANN’s executive team was asked, during a session at ICANN 73 later that day, whether the same benefits could be extended to Russian registrants, perhaps unable to pay due to Western sanctions on payment systems.

Visa, Mastercard, American Express and Paypal are among those to restrict Russian accounts in recent days.

ICANN mostly ducked the question.

Co-deputy CEO Theresa Swinehart responded by deferring to the original blog post, and general counsel John Jeffrey followed up by quoting some of the post’s language:

“I think we’re clear in that the events in Ukraine and the surrounding region are now considered by ICANN to be an extending circumstance under the Registrar Accreditation Agreement, under 3.7.5.1,” he said.

The words “surrounding region”, found in the original post alongside “affected region” and “affected area”, seem to be key here.

They could just as easily refer to Russia as they could to places such as Poland and Hungary, which are currently accepting hundreds of thousands of Ukrainian refugees.

It seems the registrars may have the discretion here; ICANN was apparently in no hurry to provide clarity.

The exchange came during a 90-minute session in which ICANN’s executive team were peppered with community questions, many related to the war and how ICANN might be affected by US-imposed sanctions.

Execs said that ICANN would comply with any US laws related to sanctions but that so far it had not seen anything that would affect its ability to contract with Russian companies.

A question apparently related to whether ICANN was reviewing its relationships with law firms and banks that may be involved with Russian oligarchs, much like Tucows is doing, was ducked.

They were also asked how the $1 million ICANN at the weekend earmarked to help keep Ukraine online might be spent, and while CEO Göran Marby alluded to a broad request from Ukraine for satellite terminals, he said it had been less than a day since the resolution was passed and it was too early to say.

“We obviously will focus on what we can do that makes the maximum impact as close to our mission as we possibly can,” added Sally Costerton, senior VP of stakeholder engagement.