Cloudflare “bug” reveals hundreds of secret domain prices
The secret wholesale prices for hundreds of TLDs have been leaked, due to an alleged “bug” at a registrar.
The registry fees for some 259 TLDs, including those managed by Donuts, Verisign and Afilias, are currently publicly available online, after a programmer used what they called a “bug” in Cloudflare’s API to scrape together price lists without actually buying anything.
Cloudflare famously busted into the domain registrar market last September by announcing that it would sell domains at cost, thumbing its nose at other registrars by suggesting that all they’re doing is “pinging an API”.
But because most TLD registries have confidentiality clauses in their Registry-Registrar Agreements, accredited registrars are not actually allowed to reveal the wholesale prices.
That’s kind of a problem if you’re a registrar that has announced that you will never charge a markup, ever.
Cloudflare has tried to get around this by not listing its prices publicly.
Currently, it does not sell new registrations, instead only accepting inbound transfers from other registrars. Registry transaction reports reveal that it has had tens of thousands of names transferred in, but has not created a significant number of new domains.
(As an aside, it’s difficult to see how it could ever sell a new reg without first revealing its price and therefore breaking its NDAs.)
It appears that the only way to manually ascertain the wholesale prices of all of the TLDs it supports would be to buy one of each at a different registrar, then transfer them to Cloudflare, thereby revealing the “at cost” price.
This would cost over $9,500, at Cloudflare’s prices, and it’s difficult to see what the ROI would be.
However, one enterprising individual discovered via the Cloudflare API that the registrar was not actually checking whether they owned a domain before revealing its price.
They were therefore able to compile a list of Cloudflare’s prices and, by extension, the wholesale prices registries charge.
The list, and the script used to compile it, are both currently available on code repository GitHub.
The bulk of the list comprises Donuts’ vast portfolio, but most TLDs belonging to Afilias (including the ccTLD .io), XYZ.com and Radix are also on there.
It’s not possible for me to verify that all of the prices are correct, but the ones that are comparable to already public information (such as .com and .net) match, and the rest are all in the ballpark of what I’ve always assumed or have been privately told they were.
The data was last refreshed in April, so without updates its shelf life is likely limited. Donuts, for example, is introducing price increases across most of its portfolio this year.
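The missing ownership check described above, sketched as an added example (this is not Cloudflare’s code or the script on GitHub): a hypothetical price-lookup handler without and with an object-level authorization check, plus a simple flag for accounts probing names they do not hold. All function names, TLDs, prices and account IDs are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data; TLDs, prices and account IDs are invented.
WHOLESALE_PRICE = {"example": 10.00, "test": 25.00}
ACCOUNT_DOMAINS = {"acct-1": {"mysite.example"}, "acct-2": {"shop.test"}}
AUDIT_LOG = []  # (account_id, domain, status) for each hardened lookup


@dataclass
class Response:
    status: int
    body: dict


def tld_of(domain):
    return domain.rsplit(".", 1)[-1]


def price_lookup_vulnerable(account_id, domain):
    """The flaw the article describes: the price depends only on the TLD,
    and the caller's relationship to the domain is never checked."""
    price = WHOLESALE_PRICE.get(tld_of(domain.lower()))
    if price is None:
        return Response(404, {"error": "not found"})
    return Response(200, {"domain": domain, "price": price})


def price_lookup_hardened(account_id, domain):
    """Check that the domain is in the caller's account before pricing it."""
    domain = domain.lower().rstrip(".")
    owned = domain in ACCOUNT_DOMAINS.get(account_id, set())
    price = WHOLESALE_PRICE.get(tld_of(domain))
    if not owned or price is None:
        # Same answer for "not yours" and "unsupported TLD", so the error
        # itself does not reveal which TLDs are priced.
        resp = Response(404, {"error": "not found"})
    else:
        resp = Response(200, {"domain": domain, "price": price})
    AUDIT_LOG.append((account_id, domain, resp.status))
    return resp


def flag_enumeration(log, min_tlds=3):
    """Return accounts whose denied lookups span at least min_tlds TLDs."""
    denied = defaultdict(set)
    for account_id, domain, status in log:
        if status == 404:
            denied[account_id].add(tld_of(domain))
    return {acct for acct, tlds in denied.items() if len(tlds) >= min_tlds}


if __name__ == "__main__":
    print(price_lookup_vulnerable("acct-1", "anything.test"))
    print(price_lookup_hardened("acct-1", "anything.test"))
    print(price_lookup_hardened("acct-1", "mysite.example"))
    print(flag_enumeration(AUDIT_LOG, min_tlds=1))
```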
DI implicated in .sucks “gag order” fight
Vox Populi, the .sucks registry, terminated Com Laude’s accreditation last week due to its belief that the brand protection registrar had leaked a “confidential” document to Domain Incite.
Vox Pop CEO John Berard tonight denied that the company he works for was carrying out a “grudge” against Com Laude, which in January led a charge against a Vox “gag order” on registrars.
As we reported on Friday, Vox terminated Com Laude’s ability to sell .sucks domains directly, due to a then-unspecified alleged breach of the Registry-Registrar Agreement that binds all .sucks domain registrars.
It now turns out the “breach” was of the part of the .sucks RRA that states that Vox registrars “shall make no disclosures whatsoever” of “confidential information”, where such confidential information is marked as such.
Berard told DI of the termination: “It was a specific act, violating a specific clause of the contract that had to do with breaching confidentiality, and that’s why the action was taken.”
The specific act was Com Laude allegedly sending DI — me, for avoidance of doubt — a confidential document.
“They have not said they didn’t do it,” Berard said.
He said that, given the amount of scrutiny Vox is under (due to the controversy it has created with its pricing and policies), “it would be crazy of us to ignore a contract breach”.
He declined to identify the document in question.
He said that Vox Pop deployed “forensic research” to discover the identity of the alleged leak.
“It was clear that something that was confidential was distributed, we wanted to know who distributed it,” he said. “We wanted to know who breached confidentiality.”
DI has only published one third-party document related to .sucks this year.
This is it (pdf). It’s a letter drafted by the Registrars Stakeholder Group and sent to ICANN. Here it is (pdf) as published on the ICANN web site.
DI has received other documents related to Vox Pop and .sucks from various parties that I have not published, but I’ve been unable to find any that contained the word “confidential” or that were marked as “confidential”.
According to the .sucks RRA (pdf), “confidential information” is documentation marked or identified “confidential”.
Everything I’ve ever written about .sucks can be found with this search.
.sucks terminates Com Laude as “gag order” row escalates
Vox Populi, the .sucks gTLD registry, has terminated the accreditation of brand protection registrar Com Laude as part of an ongoing dispute between the two companies.
Com Laude won’t be able to sell defensive .sucks registrations to its clients any more, at least not on its own accreditation, in other words.
The London-based registrar is transferring all of its .sucks domains to EnCirca as a result of the termination and says it is considering its options in how to proceed.
The shock move, which I believe to be unprecedented, is being linked to Com Laude’s long-time criticisms of Vox Populi’s pricing and policies.
The registrar today had some rather stern words for Vox Pop. Managing director Nick Wood said in a statement:
We have always been critical of this registry and particularly its sunrise pricing model which we regard as predatory. We have advised clients where possible to consider not registering such names. We hope that all brand owners will think twice before buying or renewing a .sucks domain. After all, it is not possible to block out every variation of a trademark under .sucks. In our view, fair criticism is preferable to dealing with Vox Populi.
Ouch!
The termination is believed to be linked to controversial changes to the .sucks Registry-Registrar Agreement, which Vox Pop managed to sneak past ICANN over Christmas.
One of the changes, some registrars believed, would prevent brand protection registrars from openly criticizing .sucks pricing and policies. They called it a “gag order”.
Com Laude SVP Jeff Neuman was one of the strongest critics. I believe he was a key influence on a Registrar Stakeholder Group letter (pdf) in January which essentially said registrars would boycott the new RRA.
That letter said:
It’s ironic for a Registry whose slogan is “Foster debate, Share opinions” has now essentially proposed implementing a gag order on the registrars that sell the .sucks TLD by preventing them from doing just that
While the RRA dispute was resolved more or less amicably following ICANN mediation, with Vox Pop backpedaling somewhat on its proposed changes, Com Laude now believes the registry has held a grudge.
Its statement does not say what part of the .sucks RRA it is alleged to have breached.
Vox Pop has not yet returned a request for comment. I’ll provide an update should I receive further information.
Com Laude said in a statement today:
Jeff Neuman, our SVP of our North American business, Com Laude USA, led the effort in the Registrar Stakeholder Group to quash proposed changes to Vox Populi’s registry-registrar agreement, in order to protect the interests of brand owners and the registrars who work with them. Since then, Vox Populi has accused Com Laude of breaching the terms of the registry-registrar agreement, a claim we take seriously and refute in its entirety. We are now considering our further options.
Wood added:
We have informed our clients of the action being taken and all have expressed their support for the manner in which we have handled it. We are pleased to have received messages of support from across the ICANN community including other registry operators. Clearly there is strong distaste at the practices of Vox Populi.
Strong stuff.
.sucks “gag order” dropped, approved
Vox Populi, the .sucks registry, has had controversial changes to its registrar contract approved after it softened language some had compared to a “gag order”.
ICANN approved changes to the .sucks Registry-Registrar Agreement last week, after receiving no further complaints from registrar stakeholders.
Registrars had been upset by a proposed change that they said would prevent brand-protection registrars from publicly criticizing .sucks:
The purpose of this Agreement is to permit and promote the registration of domain names in the Vox Populi TLDs and to allow Registrar to offer the registration of the Vox Populi TLDs in partnership with Vox Populi. Neither party shall take action to frustrate or impair the purpose of this Agreement.
But Vox has now “clarified” the language to remove the requirement that registrars “promote” .sucks names. The new RRA will say “offer” instead.
Registrars had also complained that the new RRA would have allowed Vox to unilaterally impose new contractual terms with only 15 days notice.
Vox has amended that proposal too, to clarify that changes would come into effect 15 days after ICANN has given its approval.
Vox CEO John Berard told ICANN in a March 18 letter:
VoxPop’s intent was never to alter any material aspect of the Registry Registrar Agreement. Our intent was to clarify legal obligations that already exist in the Agreement, and conform the timeframes for any future amendments with those specified in our ICANN registry contract.
Registrars object to “unreasonable” .bank demands
Registrars are upset with fTLD Registry Services for trying to impose new rules on selling .bank domains that they say are “unreasonable”.
The Registrar Stakeholder Group formally relayed its concerns about a proposed revision of the .bank Registry-Registrar Agreement to ICANN at the weekend.
A key sticking point is fTLD’s demand that each registrar selling .bank domains have a dedicated .bank-branded web page.
Some registrars are not happy about this, saying it will “require extensive changes to the normal operation of the registrar.”
“Registrars should not be required to establish or maintain a “branded webpage” for any extension in order to offer said extension to its clients,” they told ICANN.
I gather that registrars without a full retail presence, such as corporate registrars that sell mainly offline, have a problem with this.
There’s also a slippery slope argument — if every gTLD required a branded web page, registrars would have hundreds of new storefronts to develop and maintain.
fTLD also wants registrars to more closely align their sales practices with its own, by submitting all registration requests from a single client in a single day via a bulk registration form, rather than live, or pay an extra $125 per-name fee.
This is to cut down on duplicate verification work at the registry, but registrars say it would put a “severe operational strain” on them.
There’s also a worry about a proposed change that would make registrars police the .bank namespace.
The new RRA says: “Registrar shall not enable, contribute to or willing aid any third party in violating Registry Operator’s standards, policies, procedures, or practices, and shall notify Registry Operator immediately upon becoming aware of any such violation.”
But registrars say this “will create a high liability risk for registrars” due to the possibility of accidentally overlooking abuse reports they receive.
The registrars’ complaints have been submitted to ICANN, which will have to decide whether fTLD is allowed to impose its new RRA or not.
The RrSG’s submission is not unanimously backed, however. One niche-specializing registrar, EnCirca, expressed strong support for the changes.
In a letter also sent to ICANN, it said that none of the proposed changes are “burdensome”, writing:
EnCirca fully supports the .BANK Registry’s efforts to ensure potential registrants are fully informed by Registrars of their obligations and limitations for .BANK. This helps avoid confusion and mis‐use by registrants, which can cause a loss of trust in the Registry’s stated mission and commitments to the banking community.
fTLD says the proposed changes would bring the .bank RRA in line with the RRA for .insurance, which it also operates.
The .insurance contract has already been signed by several registrars, it told ICANN.
Registrars boycotting “gag order” .sucks contract
Registrars are ignoring new provisions in their .sucks contracts that they say amount to a “gag order”.
In a letter (pdf) to ICANN from its Registrars Stakeholder Group, the registrars ask for ICANN to convene a face-to-face negotiation between themselves and .sucks registry Vox Populi, adding:
Until such time, the Registrars believe that the amendments are not yet in effect and will continue to operate under Vox Populi’s existing RRA.
That means they’re working on the assumption that the controversial changes to the .sucks Registry-Registrar Agreement, sent to ICANN by Vox in December, have not yet been approved.
Vox Pop, on the other hand, has told ICANN that the changes came into effect January 6.
As we reported at the weekend, the registry is taking ICANN to formal mediation, saying ICANN breached the .sucks Registry Agreement by failing to block the changes within the permitted 15-day window.
The registrars’ letter was sent January 20, one day before Vox Pop’s mediation demand. The Vox letter should probably be read in that context.
The registrars have a problem with two aspects of the changed RRA.
First, there’s a clause that allows Vox to change the contract unilaterally in future. Registrars say this makes it a contract of “adhesion”.
Second, there’s a clause forbidding registrars taking “action to frustrate or impair the purpose of this Agreement”. Registrars read this as a “gag order”, writing:
Many Registrars not only serve as retail outlets for the purchase of domain names, but also provide consultative services to their clients on TLD extensions and their domain name portfolios. In conjunction with the provision of those services, registrars often opine on new gTLD and ccTLD extensions, the TLDs policies, pricing methodologies, security provisions and overall utility. These provisions could easily be read to inhibit such activities and restrict a registrar’s ability to offer those valuable services.
That’s referring primarily to corporate registrars working in the brand protection space, which are kinda obliged to offer .sucks for their clients’ defensive purposes, but still want to be able to criticize its policies and pricing in public.
ICANN has yet to respond to the request for a sit-down meeting between the registry and registrars.
However, given that Vox has invoked its right to mediation, it seems likely that that process will be the focus for now.
Mediation lasts a maximum of 90 days, which means the problem could be sorted out before April 20.
.sucks sends in the lawyers in “gag order” fight
Vox Populi is taking ICANN to mediation over a row about what some of its registrars call a “gag order” against them.
Its lawyers have sent ICANN a letter demanding mediation and claiming ICANN has breached the .sucks Registry Agreement.
I believe it’s the first time a new gTLD registry has done such a thing.
The clash concerns changes that Vox Populi proposed for its Registry-Registrar Agreement late last year.
Some registrars believe that the changes unfairly give the registry the unilateral right to amend the RRA in future, and that they prevent registrars opposed to .sucks in principle from criticizing the gTLD in public.
I understand that a draft letter that characterizes the latter change as a “gag order” has picked up quite a bit of support among registrars.
ICANN has referred the amended draft of the .sucks RRA to its Registrars Stakeholder Group for comment.
But Vox Pop now claims that it’s too late, that the new RRA has already come into force, and that this is merely the latest example of “a pattern on ICANN’s part to attempt to frustrate the purpose and intent of its contract with Vox Populi, and to prevent Vox Populi from operating reasonably”.
The registry claims that the changes are just intended to provide “clarity”.
Some legal commentators have said there’s nothing unusual or controversial about the “gag” clauses.
But the conflict between Vox and ICANN all basically boils down to a matter of timing.
Under the standard Registry Agreement for new gTLDs, registries such as Vox Pop are allowed to submit proposed RRA changes to ICANN whenever they like.
ICANN then has 15 calendar days to determine whether those changes are “immaterial, potentially material or material in nature.”
Changes are deemed to be “immaterial” by default, if ICANN does not rule otherwise within those 15 days.
If they’re deemed “material” or “potentially material”, a process called the RRA Amendment Procedure (pdf) kicks in.
That process gives the registrars an extra 21 days to review and potentially object to the changes, while ICANN conducts its own internal review.
In this case, there seems to be little doubt that ICANN missed the 15-day deadline imposed by the RA, but probably did so because of some clever timing by Vox.
Vox Pop submitted its changes on Friday, December 18. That meant 15 calendar days expired Monday, January 3.
However, ICANN was essentially closed for business for the Christmas and New Year holidays between December 24 and January 3, meaning there were only three business days — December 21 to 23 — in which its lawyers and staff could scrutinize Vox’s request.
Vox Pop’s timing could just be coincidental.
But if it had wanted to reduce the contractual 15 calendar days to as few business days as possible, then December 18 would be the absolute best day of the year to submit its changes.
As it transpired, January 3 came and went with no response from ICANN, so as far as Vox is concerned the new RRA with its controversial changes came into effect January 6.
However, on January 8, ICANN submitted the red-lined RRA to the RrSG, invoking the RRA Amendment Procedure and telling registrars they have until January 29 to provide feedback.
Vox Pop’s lawyer, demanding mediation, says the company was told January 9, six days after ICANN’s 15-day window was up, that its changes were “deemed material”.
Mediation is basically the least-suey dispute resolution process a registry can invoke under the RA.
The two parties now have a maximum of 90 days — until April 20 — to work out their differences more or less amicably via a mediator. If they fail to do so, they proceed to a slightly more-suey binding arbitration process.
In my opinion, ICANN finds itself in this position due to a combination of a) Vox Pop trying to sneak what it suspected could be controversial changes past its staff over Christmas, and b) ICANN staff, in the holiday spirit or off work entirely, dropping the ball by failing to react quickly enough.
While I believe this is the first time a 2012-round gTLD registry has gone to dispute resolution with ICANN, Vox did threaten to sue last year when ICANN referred its controversially “predatory” launch plans to US and Canadian trade regulators.
That ultimately came to nothing. The US Federal Trade Commission waffled and its Canadian counterpart just basically shrugged.
.sucks “gagging” registrar critics?
.sucks may be all about freedom of speech, but some registrars reckon the registry is trying to ban them from criticizing the new gTLD in public.
Vox Populi is proposing a change to its standard registrar contract that some say is an attempt to gag them.
A version of the Registry-Registrar Agreement dated December 18, seen by DI, contains the new section 2.1:
The purpose of this Agreement is to permit and promote the registration of domain names in the Vox Populi TLDs and to allow Registrar to offer the registration of the Vox Populi TLDs in partnership with Vox Populi. Neither party shall take action to frustrate or impair the purpose of this Agreement.
It’s broad and somewhat vague, but some registrars are reading it like a gagging order.
While many retail registrars are no doubt happy to sell .sucks domains as part of their catalogs, there is of course a subset of the registrar market that focuses on brand protection.
Brand protection registrars have been quite vocal in their criticism of .sucks.
MarkMonitor, for example, last year wrote about how it would refuse to make a profit on .sucks names, and was not keen on promoting the TLD to its clients.
Asked about the new RRA language, Vox Pop CEO John Berard told DI that it was merely an attempt to clarify the agreement but provided no additional detail.
Registrars are also angry about a second substantial change to the contract, which would allow the registry to unilaterally make binding changes to the deal at will.
The new text in section 8.4 reads:
Vox Populi shall have the right, at any time and from time to time, to amend any or all terms and conditions of this Agreement. Any such amendment shall be binding and effective 15 days after Vox Populi gives notice of such amendment to the Registrar by email.
That’s the kind of thing that ICANN sometimes gets away with, but some registrars are saying that such a change would let Vox Pop do whatever the hell it likes and would therefore be legally unenforceable.
Verisign demands 24/7 domain hijacking support
Verisign is causing a bit of a commotion among its registrar channel by demanding 24/7 support for customers whose .com domains have been hijacked.
The changes, we understand, are among a few being introduced into Verisign’s new registry-registrar agreement for .com, which coincides with the renewal of its registry agreement with ICANN.
New text in the RRA states that: “Registrar shall, consistent with ICANN policy, provide to Registered Name Holders emergency contact or 24/7 support information for critical situations such as domain name hijacking.”
From the perspective of registrants, this sounds like a pretty welcome move: who wouldn’t want 24/7 support?
While providing around the clock support might not be a problem for the Go Daddies of the world, some smaller registrars are annoyed.
For a registrar with a small headcount, perhaps servicing a single time zone, 24/7 support would probably mean needing to hire more staff.
Their annoyance has been magnified by the fact that Verisign seems to be asking for these new support commitments without a firm basis in ICANN policy, we hear.
The recently updated transfers policy calls for a 24/7 Transfer Emergency Action Contact — in many cases just a staff member who doesn’t mind being hassled about work at 2am — but that’s meant to be reserved for use by registrars, registries and ICANN.