Tag Archives: registry_services

Oh, Those Wild and Crazy New TLDs

Among the many issues affecting ICANN’s thousand new TLDs is collisions, that is, the same name already being used elsewhere. The other uses are non-standard and unofficial, but some names turn out to have been used a lot. One approach to seeing how bad the collisions are is controlled interruption, in which the TLD publishes wildcard records with obviously impossible values, in the hope that systems that use colliding names see them and do something about it.

The process is pretty simple. For 90 days the domain publishes records like these currently in the new .hotels TLD:

hotels. 3600 in a 127.0.53.53

hotels. 3600 in mx 10 your-dns-needs-immediate-attention.hotels.

hotels. 3600 in txt "Your DNS configuration needs immediate attention see https://icann.org/namecollision"

hotels. 3600 in srv 10 10 0 your-dns-needs-immediate-attention.hotels.

*.hotels. 3600 in a 127.0.53.53

*.hotels. 3600 in mx 10 your-dns-needs-immediate-attention.hotels.

*.hotels. 3600 in txt "Your DNS configuration needs immediate attention see https://icann.org/namecollision"

*.hotels. 3600 in srv 10 10 0 your-dns-needs-immediate-attention.hotels.

When the 90 days are up, the domain takes out the interruption records, and starts putting in real ones. That’s the theory, and what the ICANN registry agreements require. The practice turns out to be different.

A surprising number of domains just forgot to take out the interruption records, so the wildcards are there along with the real registered names. There are still wildcards in .STORE, .XN--P1ACF (.рус), .XN--HXT814E (.网店), .XN--3DS443G (.在线), .XN--FIQ228C5HS (.中文网), .XN--45Q11C (.八卦), .FUN, and .FIRMDALE, all along with delegated real domains.

For some reason, a few domains expanded the collision wildcards to large numbers of specific names. The .XN--55QX5D (.公司) zone has SRV, MX, and TXT records for about 14,000 plausible-looking domain names, like 101trader.xn--55qx5d and alibaba.xn--55qx5d, along with the delegated names. Similarly the .XN--IO0A7I (.网络) zone has about 10,000 sets of SRV, MX, and TXT, again plausible-looking names like poker.xn--io0a7i and memory.xn--io0a7i. I have no idea where the sets of names came from, or why someone would do that.

There are also many TLDs that have had wildcards for a lot longer than 90 days but don’t have anything else. For example, .CREDITUNION was delegated in late 2015 but still has nothing but a few required records and the controlled interruption records.

While these wildcards and other extra SRV, TXT, and MX records in TLD zone files are largely harmless, it is rather odd that they’ve been there for a year or more and nobody noticed until now. It’s not like they’re hard to find — once I heard that one zone had them, it took under an hour to run a one line script over downloaded zone files and find the rest of them. Even though ICANN does a lot of automated scanning of gTLDs, it apparently didn’t occur to them to look for forbidden records in the zone files. (In fairness, it didn’t occur to me either.)
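A check of this kind can be sketched as follows. This is an added example, not the author's script: it assumes one record per line in the "name ttl in type rdata" layout shown above with fully qualified owner names, the function names are hypothetical, and the sample zone is constructed for a hypothetical TLD "example". It separates the three situations described above: interruption records alongside delegations, interruption records expanded to specific names, and zones with nothing but interruption records.

```python
import re

CI_ADDR = "127.0.53.53"                          # A record value from the page
CI_HOST = "your-dns-needs-immediate-attention."  # first label of the MX/SRV target
CI_TXT = "icann.org/namecollision"               # URL in the TXT record

# Constructed sample for a hypothetical TLD "example"; not real zone data.
SAMPLE_ZONE = """\
example. 3600 in ns ns1.nic.example.
example. 3600 in a 127.0.53.53
*.example. 3600 in a 127.0.53.53
*.example. 3600 in mx 10 your-dns-needs-immediate-attention.example.
*.example. 3600 in txt "Your DNS configuration needs immediate attention see https://icann.org/namecollision"
poker.example. 3600 in srv 10 10 0 your-dns-needs-immediate-attention.example.
shop.example. 86400 in ns ns1.registrar-dns.test.
"""

RR = re.compile(r"^(\S+)\s+\d+\s+in\s+(\S+)\s+(.+)$", re.IGNORECASE)

def is_interruption(rtype, rdata):
    """True if the record carries one of the controlled-interruption values."""
    rdata = rdata.lower()
    if rtype == "a":
        return rdata == CI_ADDR
    if rtype in ("mx", "srv"):
        return rdata.split()[-1].startswith(CI_HOST)
    return rtype == "txt" and CI_TXT in rdata

def scan_zone(text, tld):
    """Count interruption records by owner kind and collect delegated names."""
    apex = tld.lower().strip(".") + "."
    rep = {"apex": 0, "wildcard": 0, "expanded": set(), "delegated": set()}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything not "name ttl in type rdata"
        owner, rtype, rdata = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if is_interruption(rtype, rdata):
            if owner == apex:
                rep["apex"] += 1
            elif owner == "*." + apex:
                rep["wildcard"] += 1
            else:
                rep["expanded"].add(owner)   # interruption data on a specific name
        elif rtype == "ns" and owner != apex:
            rep["delegated"].add(owner)      # a real registered, delegated name
    return rep

def verdict(rep):
    if not (rep["apex"] or rep["wildcard"] or rep["expanded"]):
        return "clean"
    if rep["expanded"]:
        return "expanded to specific names"
    return "leftover alongside delegations" if rep["delegated"] else "interruption only"
```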

Running a registry is apparently harder than it looks, but fortunately, so few people care about new TLDs that mistakes don’t matter.

Written by John Levine, Author, Consultant & Speaker


Operator of .feedback Says Breach Cured, Threatens MarkMonitor for Disclosure of Confidential Info

It has been reported that Jay Westerdal, CEO of ‘.feedback’, has confirmed the registry has cured the breach in response to the ICANN ruling reported last month. In addition, Trevor Little of World Trademark Review reports that Westerdal has also “fired back at MarkMonitor, one of the parties to the PICDRP [public interest commitment dispute resolution procedure] … [alleging] that the PICDRP disclosed confidential information and gives MarkMonitor 30 days to cure that breach or face being de-accredited as a registrar for the string. … He adds that the RAA [Registrar Accreditation Agreement] as submitted also wasn’t the full agreement and ‘omitted Schedule B of the Registry-Registrar Agreement which transparently disclosed our pricing. As a result, the panel believed we were not being transparent on pricing’. … What is clear [says Little] is that the bitter battle between ‘.feedback’ and its opponents in the trademark community is not yet over.” Also see the additional report provided by Kevin Murphy in Domain Incite.


Kelly’s Case Updated: A Need for Further DNS Registrar Industry (Self-)Regulation

After ten hectic days, the young Clemson civil engineer turned MBA entrepreneur — who turned a passion for helping equestrians care for their horses into a website enterprise — had the HorseDVM.com domain and its IPR returned to HorseDVM LLC. Ultimately, however, it was the registrant who, realizing that the registrar had wrongfully sold him the domain and the unfairness of what had occurred, facilitated the return. The culpable registrar ultimately did nothing but unfailingly support its auction subsidiary’s sale of a fully paid, established business domain without notice or approval, notwithstanding the facts and terms of the customer contracts. The terse, self-serving answer after several engagements in their unfriendly review process was to “get a court order or go to ICANN.” The registrar’s “alt-truth” behavior was so incredible that the only plausible explanation was that they wanted to limit their exposure to potential litigation for damages.

Kelly taking this on was a foregone conclusion. Having helped lead the engineering design efforts for Dubai infrastructure, when wrongfully denied layoff compensation, she learned UAE labor law, donned a burka and successfully argued her own case before a local administrative court. Here in a new career, she got the domain returned. So what now? What was learned? What can be done going forward?

Over these past ten days, the incident — via the previous CircleID article, extensive social media, emails, old-boy networking, and teleconferences — catalyzed a considerable array of research, dialogue, advocacy, attorney conferences and law enforcement contacts. The CircleID article alone has generated more than 4000 views and 21 comments. John Berryhill in particular graciously provided sage counsel. The equivalent of a DNS Ralph Nader, Charles Christopher, helped with research but concedes that “Name and Shame” is the only corrective action. However, the discovered reality also caused a reflection on the nearly twenty years of the so-called Internet self-governance regime contained in my testimony before Congress in 1997 and 1998 (one of which is still available thanks to Brewster Kahle’s repository).

It became apparent that the decision to go the self-governance route for internet names has engendered a veritable cesspool of bad, if not criminal, behavior that everyone seems to decry and no one is able to solve. Allowing registrars to run domain name gambling operation subsidiaries is a patent structural flaw long recognized in other industries and prohibited by regulation. As the FTC has noted and a simple search confirms, there appears to be near zero advocacy for the interests and protection of the domain services consumer. Registrar cyber security seems like an oxymoron. Oft heard at the end of some litany of incidents is the remark that there is no government regulation or enforcement power, so ICANN is helpless. In fact, some of the largest expenditures seem directed at public relations and lobbying efforts to limit government action worldwide.

So inquiring minds might ask, what if twenty years ago, the EU and ITU efforts had been successful to treat “DARPA Internet names and numbers” like most other telecommunication name and number regimes, including E.164 telephone numbers? This was actually done for the OSI Internet domains, and indeed, the U.S. Department of Commerce promulgated regulations for the US OSI domain and designated a contractor registry. This was all tossed out the window for the DARPA Internet at the little known but ultimately pivotal meeting in Washington in Sept 1994 on “Domain Name Registration for the ‘.COM’ Domain” that led things in a fundamentally different direction.

There is also a certain irony that the original leader of the DARPA TCP/IP development group has pursued a personal initiative over more than a decade to take a kind of corrective action by forming the Swiss-based DONA Foundation with intergovernmental and governmental agreements and standards that render legacy internet names and numbers meaningless. His efforts were in part initiated by the need to deal with authoritative intellectual property tagging.

It seems unlikely that significant corrective action will ensue here anytime soon. Highly profitable, low margin domain name services create their own political persistence. ICANN’s helpful new SVP for Contractual Compliance and Consumer Safeguards arguably has an impossible task – including conflicting roles. High-profile, class action litigation may also bring about corrective action. It is also notable, however, that the Trump family’s cybersecurity activities have largely revolved around their attempts to protect their intellectual property in the existing domain name regime. Thus, ultimately, even if governments through legislative or juridical action individually or collectively via the ITU don’t act, or the U.S. balks, new technologies such as DONA’s DOA, or blockchain, or NFV resolvers, or search engines themselves will significantly change what now exists. Technology itself will bring about corrective action.

Written by Anthony Rutkowski, Principal, Netmagic Associates LLC


Certified Internet Pharmacy Criminally Charged for Conspiring to Sell Foreign-Made Drugs

“Yet ANOTHER CIPA- and PharmacyChecker-certified internet pharmacy criminally charged for selling bad, non-Canadian medicines,” John Horton reporting in LegitScript blog. “Yet another supposedly ‘Canadian’ internet pharmacy certified by PharmacyChecker and the ‘Canadian’ International Pharmacy Association (CIPA) has been criminally charged with conspiracy to sell unapproved or adulterated drugs and money laundering. According to the DOJ’s press release, the drugs were not really from Canada. … the website names, such as ‘Canadian Pharmacy Meds’ indicate that they are Canadian internet pharmacies, and they are approved by these two “credible” organizations…”


A Case to Further DNS Registrar Industry Self-Regulation

In most industries, businesses that blatantly act against the interests of their customers to favor their own internal profit centers would either not be allowed or else subject to controls and oversight by the government. It is universally regarded as an unfair and deceptive business practice. In the domain name registrar business, however, the normal practices of legitimate business dealings and customer protection seem woefully wanting. Kelly’s Case described here illustrates the point, and it provides the opportunity for ICANN to demonstrate it can be responsive to egregious registrar behavior without government agencies or juridical bodies becoming engaged.

A young woman starting up a business recently conveyed a disturbing set of facts. I’ll call her Kelly. Kelly started up a web-based business five years ago, as part of an MBA enterprise development initiative. She created an LLC, registered a related domain name, and over the subsequent years built a business with innovative services, and a trademarked brand name with intellectual property — all associated with the domain name. She regularly ensured the domain registration fee was paid.

Suddenly she found the domain was not functional and, on contacting the registrar, was told that without her notice, knowledge, or approval, the domain had been hijacked — sold to what appeared to be a domain name collector. She was instantly out of business. Upon further inquiry, to her amazement, she found out that the “hijacker” was the registrar itself — the auction unit within the registrar. After pursuing the matter within the registrar’s own processes, she was informed that the registrar regarded its obligations as being to its own auction business unit, not to her as a customer.

The basis for the registrar’s action was that five years previously, when she had registered the domain name, she was enticed by the auction business unit to see what the domain name was worth. No further communication occurred and the relationship with the registrar auction unit itself was terminated — but apparently not the right to “hijack” the domain to sell it off. To the extent a clickthrough agreement existed, it would certainly be unconscionable. She never imagined that the registrar could years later simply transfer the domain name to its own business unit for sale to a third party without notice or approval by her. What is all the more appalling here is that the registrar also reviews its own actions and declared them final in favor of the business unit. She was told by staff verbally that although this was patently unfair, the registrar regards its obligation as being to its auction business unit rather than to the registrar domain name customer.

From a legal and public policy standpoint, Kelly’s Case raises multiple significant concerns that seem increasingly common. The potential for abuse goes back to the Anti-cybersquatting Consumer Protection Act (ACPA) in 1999, and a considerable body of law has emerged. It is apparent that the U.S. Federal Trade Commission and its counterparts, as well as the courts in many jurisdictions, have instituted multiple actions against domain name registrars for unfair and deceptive practices. Indeed, the FTC itself — concerned about the potential increase in registrar deceptive practices and fraud — has repeatedly asked ICANN “to take additional steps to protect consumers.”

Other than a pro forma creation of an ICANN Data and Consumer Protection Working Group in 2010, however, it is not apparent that ICANN has actually done much of anything to protect consumers against the kinds of rather egregious activities and actions that Kelly’s Case raises. Indeed, until the very recent appointment of a new senior VP for contractual compliance and consumer safeguards, ICANN has been asleep in this area. As part of the group 20 years ago that helped initiate ICANN as a means to help nurture industry self-regulation, I personally find this situation dismaying. It puts the attempt to achieve domain name industry self-regulation at risk. Perhaps now, ICANN consumer protection action will occur — if for no other reason than to ward off government regulatory intervention.

Written by Anthony Rutkowski, Principal, Netmagic Associates LLC
