Recent Posts
- Taylor Swift applies for her .post domain
- .ad domains to go global soon
- Single-letter .com case back in court
- ICANN to slash costs as Verisign’s magic money tree dries up
- Community revolts over ICANN’s auction proceeds power grab
- Two seats up for grabs on Nominet board
- War takes steep toll on .ua domains
- .de worst TLD for CSAM — report
- .com still shrinking because of China
- ICANN publishes its Woke Manifesto. Here’s my hot take
- Alibaba, Name.com among new RDRS opt-ins
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
- UK cybersquatting complaints hit record low
- No excuses! PIR to pay for ALL registries to tackle child abuse
- ICANN insists it is working on linkification
- Namecheap sues ICANN over .org price caps
- GoDaddy offers free Ethereum blockchain integration
- Epik reveals who is running the company
- Epik gets acquired again! The plot thickens…
- Airline gTLD crashes and burns
- First chunks of new gTLD Applicant Guidebook drop
- Epik to reveal its owners soon
- Another crypto firm to apply for a new gTLD
- Monster and Royce are NOT involved in Epik?!
- Nominet to overhaul .uk registry, turn off some services
- Russia blames DNSSEC, not Ukraine, for internet downtime
- Team Internet says revenue beat estimates
- Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction
- .ai helps UDRP cases rise in 2023, WIPO says
- Freenom’s domains land at Gandi after termination
- .ru domains fly off the shelf as Western sanctions bite
- ICANN picks its first ever Supreme Court
- Lebanon’s ccTLD going back to Lebanon after ICANN takeover
- ICANN picks the domain it will never, ever release
- ICANN approves domain takedown rules
- Has Epik gone “woke”?
- First bits of new gTLD Applicant Guidebook expected next week
- ICANN bans closed generics for the foreseeable
- You can’t use money to buy .box domains
- After 14 years, ICANN practices what it preaches on IDNs
- Weak demand for private Whois data, ICANN data shows
- .ing doing way better than .meme
- DNS Women barred from ICANN funding?
- Dev releases free open-source TLD registry platform
- INCO flips a gTLD to Identity Digital
- Anguilla fears the .ai junk drop
- Five more gTLDs get launch dates
- $10 million of ICANN cash up for grabs
- Almost 50,000 .ai domains sold in a quarter
- ICANN threatens to regulate your speech [RANT]
- Life insurance company kills dot-brand
- ICANN finds new home for Lebanon’s TLD after founder’s death
- ICANN begs people to use its new Whois service
- Shiba Inu outs itself as crypto new gTLD applicant
- Over 50,000 .ai domains sold in three months
- Amazon planning new push into registrar market?
- Registries and registrars vote ‘Yes’ to new DNS abuse rules
- ICANN predicts flattish 2025 for domain industry
- Fast-growing Gname buys another 150 registrars
- GoDaddy service to let you block domains in over 650 TLDs
- Did I find a murder weapon in a zone file?
- ICANN drops the “man” from Ombudsman
- Have your say on police domain takedown powers
- Most registrars are shunning ICANN’s new Whois system
- Nominet to take over .gov.uk
New gTLDs continue growth trend, but can it last?
New gTLDs continued to bounce back following a year-long slump in registration volumes, according to Verisign data.
The company’s latest Domain Name Industry Brief, covering the third quarter, shows new gTLDs growing from 21.8 million names to 23.4 million names, a 1.6 million name increase.
New gTLDs also saw a 1.6 million-name sequential increase in the second quarter, which reversed five quarters of declines.
The sector has yet to surpass its peak of 25.6 million, which it reached in the fourth quarter of 2016.
It think it will take some time to get there, and that we’ll may well see a decline in next couple quarters.
The mid-point of the third quarter marked the end of deep discounting across the former Famous Four Media (now GRS Domains) portfolio (.men, .science, .loan, etc), but the expected downward pressure on volumes wasn’t greatly felt by the end of the period.
With GRS’s portfolio generally on the decline so far in Q4, we might expect it to have a tempering effect on gains elsewhere when the next DNIB is published.
Verisign’s data showed also that ccTLDs shrunk for the first time in a couple years, down by half a million names to 149.3 million. Both .uk and .de suffered six-figure losses.
Its own .net was flat at 14.1 million, showing no signs of recovery after several quarters of shrinkage, while .com increased by two million names to finish September with 137.6 under management.
No .web until 2021 after Afilias files ICANN appeal
Afilias has taken ICANN to arbitration to prevent .web being delegated to Verisign.
The company, which came second in the $135 million auction that Verisign won in 2016, filed Independent Review Process documents in late November.
The upshot of the filing is that .web, considered by many the best potential competitor for .com — Afilias describes it as “crown jewels of the New gTLD Program” — is very probably not going to hit the market for at least a couple more years.
Afilias says in in its filing that:
ICANN is enabling VeriSign to acquire the .WEB gTLD, the next closest competitor to VeriSign’s monopoly, and in so doing has eviscerated one of the central pillars of the New gTLD Program: to introduce and promote competition in the Internet namespace in order to break VeriSign’s monopoly
Its beef is that Verisign acquired the rights to .web by hiding behind a third-party proxy, Nu Dot Co, the shell corporation linked to the co-founders of .CO Internet that appears to have been set up in 2012 purely to make money by losing new gTLD auctions.
Afilias says NDC broke the rules of the new gTLD program by failing to notify ICANN that it had made an agreement with Verisign to sign over its rights to .web in advance of the auction.
The company says that NDC’s “obligation to immediately assign .WEB to VeriSign fundamentally changed the nature of NDC’s application” and that ICANN and the other .web applicants should have been told.
NDC’s application had stated that .web was going to compete with .com, and Verisign’s acquisition of the contract would make that claim false, Afilias says.
This means ICANN broke its bylaws commitment to apply its policies, “neutrally, objectively, and fairly”, Afilias claims.
Allowing Verisign to acquire its most significant potential competitor also breaks ICANN’s commitment to introduce competition to the gTLD market, the company reckons.
It will be up to a three-person panel of retired judges to decide whether these claims holds water.
The IRP filing was not unexpected. I noted that it seemed likely after a court threw out a Donuts lawsuit against ICANN which attempted to overturn the auction result for pretty much the same reasons.
The judge in that case ruled that new gTLD applicants’ covenant not to sue ICANN was valid, largely because alternatives such as IRP are available.
ICANN has a recent track record of performing poorly under IRP scrutiny, but this case is by no means a slam-dunk for Afilias.
ICANN could argue that the .web case was not unique, for starters.
The .blog contention set was won by an affiliate of WordPress maker Automattic under almost identical circumstances earlier in 2016, with Colombian-linked applicant Primer Nivel paying $19 million at private auction, secretly bankrolled by WordPress.
Nobody complained about that outcome, probably because it was a private auction so all the other .blog applicants got an even split of the winning bid.
Afilias wants the .web IRP panel to declare NDC’s bid invalid and award .web to Afilias at its final bid price.
For those champing at the bit to register .web domains, and there are some, the filing means they’ve likely got another couple years to wait.
I’ve never known an IRP to take under a year to complete, from filing to final declaration. We’re likely looking at something closer to 18 months.
Even after the declaration, we’d be looking at more months for ICANN’s board to figure out how to implement the decision, and more months still for the implementation itself.
Barring further appeals, I’d say it’s very unlikely .web will start being sold until 2021 at the very earliest, assuming the winning registry is actually motivated to bring it to market as quickly as possible.
The IRP is no skin off Verisign’s nose, of course. Its acquisition of .web was, in my opinion, more about restricting competition than expanding its revenue streams, so a delay simply plays into its hands.
ICANN urged to reject .com price increases
The Internet Commerce Association has asked ICANN to refuse to allow Verisign to raise its wholesale prices for .com domain names.
The domainer trade group wrote to ICANN last week to point out that just because the Trump administration has dropped the US government objection to controlled price increases, that doesn’t necessarily mean ICANN has to agree.
Verisign’s deal with the National Telecommunications and Information Administration “does not of course, compel ICANN to agree to any such increases. Any such decision regarding .com pricing
remains with ICANN” ICA general counsel Zak Muscovitch wrote.
The deal allows Verisign to increase the price of .com registrations, renewals and transfers by 7% per year in four of the next six years, leading to a compound 30% increase by the time it concludes.
The arguments put forth Muscovitch’s letter are pretty much the same as the arguments ICA made when it was lobbying NTIA to maintain the price freeze.
Namely: Verisign already makes a tonne of money from .com, it has a captive audience, it cannot claim credit for .com’s success, and .com is not constrained by competition.
“As NTIA makes clear, it is up to Verisign to request a fee increase and ICANN that may agree or disagree. ICANN should not agree. Indeed, it would be a dereliction of ICANN’s responsibilities to the ICANN community if Verisign were permitted to raise its fees when it is already very well paid for the services which it provides,” Muscovitch’s letter (pdf) concludes.
For many years ICANN has been reluctant to get involved in price regulation. It remains to be seen whether it will make an exception for .com.
Hebrew .com off to a slow start
The Hebrew transliteration of .com has only sold a couple hundred domains since it went into general availability.
Verisign took the new gTLD קום. (Hebrew is a right-to-left script, so the dot comes after the string) to market November 5, when it had about 3,200 domains in its zone file. It now stands around the 3,400 mark.
The pre-GA domains are a combination of a few hundred sunrise regs and a few thousand exact-match .coms that were grandfathered in during a special registration period.
It’s not a stellar performance out of the gates, but Hebrew is not a widely-spoken language and most of its speakers are also very familiar with the Latin script.
There are between seven and nine million Hebrew speakers in the world, according to Wikipedia. It doesn’t make the top 100 languages in the world.
The ccTLD for Israel, where most of these speakers live, reports that it currently has 246,795 .il domains under management. That’s a middling amount when compared to similarly sized countries such as Serbia (about 100,000 names) and Switzerland (over 2 million).
Verisign’s original application for this transliteration had to be corrected, from קום. to קוֹם. If you can tell the difference, you have better eyesight than me.
In the root, the gTLD is Punycoded as .xn--9dbq2a.
Wagner takes dig at Verisign as GoDaddy reports $310 million domain revenue
GoDaddy CEO Scott Wagner ducked a question about how the company will react to future .com price increases during its third-quarter earnings call yesterday, but used the opportunity to take a gentle swipe at Verisign.
Asked by an analyst whether the first 7% price increase, almost certainly coming in 2020, would have any effect on GoDaddy’s gross margins (ie, will they shrink as the company swallows increased costs, or swell as it increases its own prices above 7%), Wagner said:
the last time VeriSign took a price increase the industry passed that through to the end registrant.
.com and more importantly the software around bringing somebody’s .com to life is valuable and, modestly, we’re providing the value in that relationship around taking a domain name and actually turning it into something that somebody cares about.
I’m interpreting that as a pop at the idea that Verisign enjoys the fat registration margins while GoDaddy is the one that actually has to market domains, up-sell, innovate, deal with customers, and so on.
The remarks came just a few days after Verisign, in a blog post, branded GoDaddy and other secondary-market players “scalpers”, infuriating domainers.
Wagner was talking to analysts as the market-leading registrar reported revenue for Q3 of $679.5 million, up 16.7% year over year.
Revenue from domains, still the biggest of its three reporting business segments, was $309.5 million, up 14.0% compared to the year-ago quarter. GoDaddy now has 18 million customers and over 77 million domains under management.
Overall net income was down to $13.2 million from $22.4 million, as operating expenses rose over 16% to hit $642 million, after the company invested more in marketing, development and so on. Its operating income was $37.5 million.
Contrast this with Verisign’s performance for the same quarter, reported two weeks ago.
It saw revenue about the same as GoDaddy’s domains revenue — $306 million — but net income of $138 million and operating income of $195 million.
GoDaddy and Verisign could find themselves competing before long. As part of its deal with the US government to allow it to raise .com wholesale prices once more, the government also lifted its objection to Verisign becoming a registrar, just as long as it does not deal in .com names.
Will ICANN take a bigger slice of the .com pie, or will .domainers get URS?
Will ICANN try to get its paws on some of Verisign’s .com windfall? Or might domainers get a second slap in the face by seeing URS imposed in .com?
With Verisign set to receive hundreds of millions of extra dollars due to the imminent lifting of .com price caps, it’s been suggested that ICANN may also financially benefit from the arrangement.
In a couple of blog posts Friday, filthy domain scalper Andrew Allemann said that ICANN will likely demand higher fees from Verisign in the new .com registry agreement.
Will it though? I guess it’s not impossible, but I wouldn’t say it’s a certainty by any means.
Verisign currently pays ICANN $0.25 per transaction, the same as almost all other gTLDs. Technically, there’s no reason this could not be renegotiated.
Putting aside some of the legacy gTLD contracts, I can only think of two significant cases of ICANN imposing higher fees on a registry.
The first was .xxx, which was signed in 2011. That called for ICM Registry, now part of MMX, to pay $2 per transaction, eight times the norm.
The rationale for this was that ICANN thought (or at least said it thought) that .xxx was going to be a legal and compliance minefield. It said it envisaged higher costs for overseeing the then-controversial TLD.
There was a school of thought that ICANN was just interested in opportunistically boosting its own coffers, given that ICM was due to charge over $60 per domain per year — at the time a ludicrously high amount.
But risk largely failed to materialize, and the two parties last year renegotiated the fees down to $0.25.
The second instance was .sucks, another controversial TLD. In that case, ICANN charged registry Vox Populi a $100,000 upfront fee and per-transaction fees of $1 per domain for the first 900,000 transactions, four times more than the norm.
While some saw this as a repeat of the .xxx legal arse-covering tactic, ICANN said it was actually in place to recoup a bunch of money that Vox Pop owner Momentous still owed when it let a bunch of its drop-catch registrars go out of business a couple years earlier.
While the .sucks example clearly doesn’t apply to Verisign, one could make the case that the .xxx example might.
It’s possible, I guess, that ICANN could make the case that Verisign’s newly regained ability to raise prices opens it up to litigation risk — something I reckon is certainly true — and that it needs to increase its fees to cover that risk.
It might be tempting. ICANN has a bit of a budget crunch at the moment, and a bottomless cash pit like Verisign would be an easy source of funds. A transaction fee increase of four cents would have been enough to cover the $5 million budget shortfall it had to deal with earlier this year.
On the other hand, it could be argued that ICANN demanding more money from Verisign would unlevel the playing field, inviting endless litigation from Verisign itself.
ICANN’s track record with legacy gTLDs has been to reduce, rather than increase, their transaction fees.
Pre-2012 gTLDs such as .mobi, .jobs, .cat and .travel have all seen their fees reduced to the $0.25 baseline in recent years, sometimes from as high as $2.
In each of these cases, the registries concerned had to adopt many provisions of the standard 2012 new gTLD registry agreement including, controversially, the Uniform Rapid Suspension service.
Domainers hate the URS, which gives trademark owners greater powers to take away their domains, and the Internet Commerce Association (under the previous stewardship of general counsel Phil Corwin, since hired by Verisign) unsuccessfully fought against URS being added to .mobi et al over the last several years, on the basis that eventually it could worm its way into .com.
I’m not suggesting for a moment that ICANN might reduce Verisign’s fees, but what if URS is the price the registry has to pay for its massive .com windfall?
It’s not as if Verisign has any love for domainers, despite the substantial contribution they make to its top line.
Since the NTIA deal was announced, it’s already calling them “scalpers” and driving them crazy.
ICA lost the .com price freeze fight last week, could it also be about to lose the URS fight?
Trump gives Verisign almost $1 billion in free money
The Trump administration may have just handed Verisign close to $1 billion in free money.
That’s according to the back of the envelope I’m looking at right now, following the announcement that the National Telecommunications and Information Administration is reinstating Verisign’s right to increase .com registry fees.
As you may have read elsewhere already (I was off sick last week, sorry about that) a new amendment to the Verisign-NTIA Cooperative Agreement restores Verisign’s ability to raise prices by 7% per year in four of the six years of the deal.
The removal of the Obama-era price freeze still needs to be incorporated into Verisign’s ICANN contract, but it’s hard to imagine ICANN, which is generally loathe to get into pricing regulation, declining to take its lead from NTIA.
Verisign would also have to choose to exercise its option to increase prices in each of the four years. I think the probability of this happening is 1 in 1.
Layering this and a bunch of other assumptions into a spreadsheet, I’m coming up with a figure of roughly an extra $920 million that Verisign will get to add to its top line over the next six years.
Again, this isn’t an in-depth study. Just back-of-the-envelope stuff. I’ll talk you through my thinking.
Not counting its occasional promotions, Verisign currently makes $7.85 for every year that a .com domain is added or renewed, and for every inter-registrar transfer.
In 2017, .com saw 40.89 million add-years, 84.64 million renew-years and 3.79 million transfers, according to official registry reports.
This all adds up to 129,334,643 revenue events for Verisign, or just a tad over $1 billion at $7.85 a pop.
Over the four-year period of the price increases transaction fees will go up to $8.40, then $8.99, then $9.62, then $10.29. I’m rounding up to the nearest penny here, it’s possible Verisign may round down.
If we assume zero transaction growth, that’s already an extra $762.2 million into Verisign’s coffers over the period of the contract.
But the number of transactions inevitably grows each year — more new domains are added, and some percentage of them renew.
Between 2016 and 2017, transaction growth was 3.16%.
If we assume the same growth each year for the next six years, the difference between Verisign’s total revenue at $7.85 and at the new pricing comes to $920 million.
Verisign doesn’t have to do anything for this extra cash, it just gets it.
Indeed, the new NTIA deal is actually less restrictive on the company. It allows Verisign to acquire or start up an ICANN-accredited gTLD registrar, something it is currently banned from doing, just as long as that registrar does not sell .com domains.
Verisign’s .net contract also currently bans the company from owning more than 15% of a registrar, so presumably that agreement would also need to be amended in order for Verisign to get into the registrar business.
I say again that my math here is speculative; I’m a blogger, not a financial analyst. There may be some incorrect assumptions — I’ve not accounted for promotions at all, for example, and the 3.16% growth assumption might not be fair — and there are of course many variables that could move the needle.
But the financial markets know a sweetheart deal when they see one, and Verisign’s share price went up 17.2% following the news, reportedly reaching heights not seen since since the dwindling days of the dot-com bubble 18 years ago.
The reason given for the lifting of the price freeze was, for want of a better word, bullshit. From the NTIA’s amendment:
In recognition that ccTLDs, new gTLDs, and the use of social media have created a more dynamic DNS marketplace, the parties agree that the yearly price for the registration and renewal of domain names in the .com registry may be changed
Huh?
This seems to imply that Verisign has somehow been disproportionately harmed by the rise of social media, the appearance of new gTLDs and some unspecified change in the ccTLD marketplace.
While it’s almost certainly true that .net has taken a whack due to competition from new gTLDs, and that the domain marketplace overall may have been diminished by many small businesses spurning domains by choosing to set up shop on, say, Facebook, .com is still a growing money-printing machine with some of the fattest margins seen anywhere in the business world and about a 40% global market share.
If the Trump administration’s goal here is to make some kind of ideological statement about free markets, then why not just lift the price caps altogether? Give Verisign the right to price .com however it pleases?
Or maybe Trump just wants to flip the bird to Obama once more by reversing yet another of his policies?
Who knows? It doesn’t make a lot of sense to me.
Donuts loses to ICANN in $135 million .web auction appeal
Donuts has lost a legal appeal against ICANN in its fight to prevent Verisign running the .web gTLD.
A California court ruled yesterday that a lower court was correct when it ruled almost two years ago that Donuts had signed away its right to sue ICANN, like all gTLD applicants.
The judges ruled that the lower District Court had “properly dismissed” Donuts’ complaint, and that the covenant not to sue in the Applicant Guidebook is not “unconscionable”.
Key in their thinking was the fact that ICANN has an Independent Review Process in place that Donuts could use to continue its fight against the .web outcome.
The lawsuit was filed by Donuts subsidiary Ruby Glen in July 2016, shortly before .web was due to go to an ICANN-managed last-resort auction.
Donuts and many others believed at the time that one applicant, Nu Dot Co, was being secretly bankrolled by a player with much deeper pockets, and it wanted the auction postponed and ICANN to reveal the identity of this backer.
Donuts lost its request for a restraining order.
The auction went ahead, and NDC won with a bid of $135 million, which subsequently was confirmed to have been covertly funded by Verisign.
Donuts then quickly amended its complaint to include claims of negligence, breach of contract and other violations, as it sought $22.5 million from ICANN.
That’s roughly how much it would have received as a losing bidder had the .web contention set been settled privately and NDC still submitted a $135 million bid.
As it stands, ICANN has the $135 million.
That complaint was also rejected, with the District Court disagreeing with earlier precedent in the .africa case and saying that the covenant not to sue is enforceable.
The Appeals Court has now agreed, so unless Donuts has other legal appeals open to it, the .web fight will be settled using ICANN mechanisms.
The ruling does not mean ICANN can go ahead and delegate .web to Verisign.
The .web contention set is currently “on-hold” because Afilias, the second-place bidder in the auction, has since June been in a so-called Cooperative Engagement Process with ICANN.
CEP is a semi-formal negotiation-phase precursor to a full-blown IRP filing, which now seems much more likely to go ahead following the court’s ruling.
The appeals court ruling has not yet been published by ICANN, but it can be viewed here (pdf).
The court heard arguments from Donuts and ICANN lawyers on October 9, the same day that DI revealed that ICANN Global Domains Division president Akram Atallah had been hired by Donuts as its new CEO.
A recording of the 32-minute hearing can be viewed on YouTube here or embedded below.
KSK vote was NOT unanimous
ICANN’s board of directors on Sunday voted to approve the forthcoming security key change at the DNS root, but there was some dissent.
Director Avri Doria, a Nominating Committee appointee, said today that she provided the lone vote against the DNSSEC KSK rollover, which is expected to cause temporary internet access problems for potentially a couple million people next month.
I understand there was also a single abstention to Sunday’s vote.
Doria has released a dissenting statement, in which she said the absence of an external, peer-reviewed study of the risks could prove a problem.
The greatest risk is that out of the millions that will fail after the roll over, some that are serious and may even be critical, may occur; if this happens the lack of peer reviewed studies may be a liability for ICANN, perhaps not legal, but in terms of our reputation as protectors of the stability & security of internet system of names.
She added that she was concerned about the extent that the public has been notified of the rollover plan, and questioned whether the current risk mitigation plan is sufficient.
Doria said she found comments filed by Verisign (pdf) particularly informative to her eventual vote, as well as comments from the At-Large Advisory Committee (pdf), Business Constituency (pdf) and Registries Stakeholder Group (pdf).
These groups had called for more study and data, better outreach, more clearly defined success/failure benchmarks, and more delay.
Doria noted in her dissenting statement that the ICANN board did not have a chance to quiz any of the minority of the members of the Security and Stability Advisory Committee who had called for further delay.
The board’s resolution, apparently arrived at after two hours of formal in-person discussions in Brussels at the weekend, is expected to be published shortly.
The rollover, which has already been delayed a year, is now scheduled to go ahead October 11.
Any impact is expected to be felt within a couple of days, as the change ripples out across the DNS.
ICANN says that any network operator impacted by the change has a simple fix: turn off DNSSEC. Then, if they want, they can update their keys and turn it back on again.
ICANN faces critical choice as security experts warn against key rollover
Members of ICANN’s top security body have advised the organization to further delay plans to change the domain name system’s top cryptographic key.
Five dissenting members of the influential, 22-member Security and Stability Advisory Committee said they believe “the risks of rolling in accordance with the current schedule are larger than the risks of postponing”.
Their comments relate to the so-called KSK rollover, which would see ICANN for the first time ever change the key-signing key that acts as the trust anchor for all DNSSEC queries on the internet.
ICANN is fairly certain rolling the key will cause DNS resolution problems for some — possibly as much as 0.05% of the internet or a couple million people — but it currently lacks the data to be absolutely certain of the scale of the impact.
What it does know — explained fairly succinctly in this newly published guide (pdf) — is that within 48 hours of the roll, a certain small percentage of internet users will start to see DNS resolution fail.
But there’s a prevailing school of thought that believes the longer the rollover is postponed, the bigger that number of affected users will become.
The rollover is currently penciled in for October 11, but the ultimate decision on whether to go ahead rests with the ICANN board of directors.
David Conrad, the organization’s CTO, told us last week that his office has already decided to recommend that the roll should proceed as planned. At the time, he noted that SSAC was a few days late in delivering its own verdict.
Now, after some apparently divisive discussions, that verdict is in (pdf).
SSAC’s majority consensus is that it “has not identified any reason within the SSAC’s scope why the rollover should not proceed as currently planned.”
That’s in line with what Conrad, and the Root Server System Advisory Committee have said. But SSAC noted:
The assessment of risk in this particular area has some uncertainty and therefore includes a component of subjective judgement. Individuals (including some members of the SSAC) have different assessments of the overall balance of risk of the resumption of this plan.
It added that it’s up to the ICANN board (comprised largely of non-security people) to make the final call on what the acceptable level of risk is.
The minority, dissenting opinion gets into slightly more detail:
The decision to proceed with the keyroll is a complex tradeoff of technical and non-technical risks. While there is risk in proceeding with the currently planned roll, we understand that there is also risk in further delay, including loss of confidence in DNSSEC operational planning, potential for more at-risk users as more DNSSEC validation is deployed, etc.
While evaluating these risks, the consensus within the SSAC is that proceeding is preferable to delay. We personally evaluate the tradeoffs differently, and we believe that the risks of rolling in accordance with the current schedule are larger than the risks of postponing and focusing heavily on additional research and outreach, and in particular leveraging newly developed techniques that provide better signal and fidelity into potentially impacted parties.
We would like to reiterate that we understand our colleagues’ position, but evaluate the risks and associated mitigation prospects differently. We believe that the ultimate decision lies with the ICANN Board, and do not envy them with this decision.
SSAC members are no slouches when it comes to security expertise, and the dissenting members are no exception. They are:
- Lyman Chapin, co-owner of Interisle Consulting, a regular ICANN contractor perhaps best-known to DI readers for carrying out a study into new gTLD name collisions five years ago.
- Kimberly “kc claffy” Claffy, head of the Center for Applied Internet Data Analysis at the University of California in San Diego. CAIDA does nothing but map and measure the internet.
- Jay Daley, a registry executive with a technical background whose career includes senior stints at .uk and .nz. He’s currently keeping the CEO’s chair warm at .org manager Public Interest Registry.
- Warren Kumari, a senior network security engineer at Google, which is probably the largest early adopter of DNSSEC on the resolution side.
- Danny McPherson, Verisign’s chief security officer. As well as .com, Verisign runs the two of the 13 root servers, including the master A-root. It’s running the boxes that sit at the top of the DNSSEC hierarchy.
It may be the first time SSAC has failed to reach a full-consensus opinion on a security matter. If it has ever published a dissenting opinion before, I certainly cannot recall it.
The big decision about whether to proceed or delay is expected to be made by the ICANN board during its retreat in Brussels, a three-day meeting that starts September 14.
Given that ICANN’s primary mission is “to ensure the stable and secure operation of the Internet’s unique identifier systems”, it could turn out to be one of ICANN’s biggest decisions to date.
Recent Comments