July 15, 2011, was the one-year anniversary of ICANN signing the DNS root system with DNSSEC. While enormous strides have been made since then, such as the signing of key top-level zones, the standard is now entering what may prove to be its trickiest phase of deployment -- encouraging usage by domain registrants and the support of the registrars that, in most cases, will act as their gatekeepers.
About 25 percent of all top-level domains have DNSSEC records anchored into the root, enabling their second- and third-level registrants to sign their own zones. Matt Larson of VeriSign, which made DNSSEC available in the .com TLD at the end of March, told ICANN attendees that 26 registrars -- seven or eight of them in the top ten by registration volume -- have already placed one or more DNSSEC records into the .com zone on behalf of their customers. That's a small but still encouraging number, especially given the short time-span that has elapsed since .com was signed and the relative complexity of implementing DNSSEC. Larson added that one registrar has submitted 1,000 signed domains, and that one individual registrant –- obviously a thought-leader -– has signed 500 of his own domains.
But the workshop also heard from some who are still skeptical about the technology. Michele Neylon of Blacknight Solutions pointed out that, for a registrar with limited resources, it can be hard to justify the cost of implementing DNSSEC until it can be persuaded of the commercial benefit. In the absence of strong customer demand, registrars may feel their time and effort is be better spent on projects that do more to grow their businesses. There are also unresolved issues around procedures for handling cryptographic key data when a registrant transfers a domain to a new registrar or resolution provider, which have yet to be addressed to the satisfaction of some.
This is one of the chicken-and-egg situations that those in the DNS technical community have been commenting on for most of a decade. Today, possibly the only thing that could provide a sudden sharp uptick in demand would be a broadly publicized threat as serious as 2008's Kaminsky Bug, which DNSSEC would have substantially cured. Of course, not even DNSSEC's strongest proponent would wish for that scenario.
In the absence of a stick as large as Kaminsky #2 would represent, the carrot must suffice. Security-conscious e-commerce companies and financial institutions will lead the way when it comes to showing off DNSSEC as a competitive differentiator, which will help awareness-raising efforts. In addition, ICANN's new gTLD program mandates DNSSEC at the registry level, which will likely inspire many applicants -- like potential high-security authenticated zones, such as .secure or .pay -- to enforce the protocol at the second level, too.
You have to learn to walk before you can run, and if the ICANN workshop in Singapore demonstrated anything, it's that the global DNSSEC deployment initiative is certainly still in the walking phase. But it is moving, and that's a good thing.
“Afilias has helped launch more new TLDs than any other provider, and has long been recognized as a leading provider of the critical registry services required by ICANN for new TLDs,” said Roland LaPlante, Senior Vice President of Afilias. “Many applicants are now developing their business plans and have found the need for additional expertise in areas such as premium name valuation. Monte Cahn and Michael Berkens of RIGHT OF THE DOT are well known valuation experts, and we are pleased to make these expanded resources available to applicants.”
“We have worked with Afilias for years and are glad to form this alliance,” said Monte Cahn, Co-Founder and President of RIGHT OF THE DOT. “Proper valuation is a critical element in the success of a new TLD, as it helps put the TLD on sound financial footing. With decades of experience in the domain name secondary market, Michael and I can provide fact-based advice on what names might be valuable and how much they may bring. Each TLD will only launch once, and getting this part of the launch right can make the difference between financial success and failure.”
Cahn and Berkens are widely recognized as two of the domain industry’s most respected valuation and sales experts, and have assisted in the strategy for several previous domain launches and re-launches. They have helped build some of the most successful appraisal algorithms and auction valuation models used in the domain business. Also, they have been central to more than $300 million in domain sales, including some of the highest profile domain sales in history, such as Slots.com, CreditCheck.com, Poker.ca, University.org and Dating.com.
ICANN approved the new TLD program at its current meeting in Singapore and set January 12, 2012, as the date it will begin accepting applications.
Afilias’ Global Registry and DNS services power 20 million registrations across 15 TLDs, including five TLDs operating under ICANN contracts. Afilias’ new TLD services include a state-of-the-art EPP registry, a globally diverse and redundant Anycast DNS network, 24x7 call-center and technical support, and links to the global distribution channel.
In addition, Afilias provides other premium solutions to augment its registry offerings, including technology to enable mobile phone compatibility for websites and a unique IDN-capable email solution. All Afilias services are DNSSEC and IPv6 ready, and reflect more than 10 years of experience in supporting gTLDs operating under ICANN contracts.
About Afilias
Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services and Managed DNS. For more information on Afilias, visit www.afilias.info.
About RIGHT OF THE DOT LLC
RIGHT OF THE DOT is an Internet consulting and advisement firm specializing in new and existing TLD strategy, board advisement, premium domain and market positioning, sales and services. The venture is the brainchild of two successful domain and Internet industry veterans, Monte Cahn and Michael H. Berkens, Esq., who posses a unique combination of vision, leadership and domain expertise. Cahn was the original founder of Moniker.com, a top seven ICANN Accredited Registrar, who went on to head the Aftermarket and Sales Division of Oversee.net. Among other pioneering services, Cahn introduced the concept of Live Domain Auctions to the industry. Berkens, a domain investor with more than 75,000 domains, owns WorldwideMedia Inc., including the retail site MostWantedDomains.com. He founded and contributes to the widely read blog, TheDomains.com. Both principals of RIGHT OF THE DOT are members of the prestigious Domain Hall Of Fame, and are two of only 10 members. This highly qualified consulting group gives you access to the most experienced domain sales and marketing strategists in the industry. They are the only domain industry firm specializing in the many of the critical service offerings required to be successful in the ever-expanding domain industry. See www.rightofthedot.com for more information.
ICANN SINGAPORE — June 20, 2011 — In a historic move, today the Internet Corporation for Assigned Names and Numbers (ICANN) approved its long-discussed New gTLD Program. This program allows any brand or community of interest to apply for a unique “right of the dot” top-level domain. For example, instead of “.com,” a brand like Nike could apply for “.nike” to reinforce its brand on the Web.
“The ICANN program creates opportunities for brand builders to re-invent how customers experience brands on the Internet,” said Roland LaPlante, Senior Vice President and Chief Marketing Officer of Afilias. “However, there are a variety of challenges in applying for, winning and running a dot.BRAND Web space. One significant issue is time. The program application period starts on January 12, 2012, and will end on April 12, 2012. Once the application window is closed, the opportunity to apply for a dot.BRAND TLD is gone. There are no firm plans to accept new applications after this round of submissions closes.”
To help global brand builders understand the complex ICANN application process — as well as the many benefits of owning and operating a unique dot.BRAND TLD — Afilias has created an easy-to-digest video and e-book to explain the program.
“Afilias is ideally positioned to offer this information,” LaPlante said. “Afilias is among the world’s largest providers of diverse domain registry services, and has supported the applications for and launches of numerous new TLDs under ICANN processes — including the highly successful .INFO, .MOBI and .ASIA domains. This also means we are uniquely qualified to help organizations apply for new dot.BRAND TLDs as well as launch and manage new dot.BRAND Internet spaces.”
Organizations interested in pursuing a dot.BRAND investment will need to act quickly to assemble a team of experts, which will likely include the Chief Marketing Officer (CMO), a brand advisor, the ad agency, a trademark lawyer and a domain registry technology partner. Properly assembled, this team will be able to prepare and submit an application that will meet ICANN’s stringent requirements and be awarded their own dot.BRAND.
To access the free Afilias e-book, Envisioning Your .BRAND New World: A Field Guide for Brand Builders, as well as the educational video, Welcome to Your .Brand New World, visit www.afilias.info/dotbrand.
About Afilias
Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications, including Internet domain registry services and Managed DNS. For more information on Afilias, visit www.afilias.info.
ICANN SINGAPORE – June 20, 2011 – Afilias Limited, a global provider of Internet domain name registry and Managed DNS services, today announced that it has entered into a formal agreement with Chinese Internet services leader HiChina, a subsidiary of Alibaba.com, to help Chinese brands take advantage of ICANN’s New TLD Program.
The agreement recognizes HiChina’s leadership and customer service excellence, and names HiChina as Afilias’ preferred new TLD partner in China. Chinese brands who intend to establish a dot.BRAND presence online will benefit from the combined resources of Afilias, a global leader in new TLD registry services, and HiChina, a trusted Chinese market Internet expert.
“With the world’s largest Internet population, China also represents one of the fastest growing economies in the world. Brands based in China need unique marketing approaches to reach this large, diverse pool of consumers. One approach is a ‘dot.BRAND’ name, meaning the use of a brand name instead of a .com or .net,” said Roland LaPlante, Senior Vice President of Afilias. “A dot.BRAND TLD lets major companies control how customers experience their brand online and helps break through the noise and clutter online.”
LaPlante added, “With the tremendous rise of Chinese language on the Internet, our partnership will enable Chinese brands to present their domains in Chinese script rather than in English alone.”
“Chinese consumers want domain names and websites in their own language. The combined experience of Afilias and HiChina will provide a great user experience for the Chinese market,” said Bridge Song, Vice President of HiChina.
HiChina is the leading Internet services provider in China, and provides comprehensive Web services to Chinese enterprises, including domain registration, hosting, email systems and website creation & management.
“With HiChina’s reach and influence in the Chinese enterprise market, and Afilias’ successful history of supporting more TLDs than any other company, this partnership helps ensure that Chinese brands are on equal footing with Western brands applying for dot.BRAND TLDs,” added Bridge Song.
ICANN approved the new TLD program on June 20, 2011, at the current ICANN global meeting in Singapore.
Brands interested in pursuing a dot.BRAND approach will need to act quickly to develop strong, compelling proposals to ICANN for their desired new TLD string, one of many areas where Afilias is able to assist TLD applicants. Other Afilias TLD registry services include a ”thick” EPP registry, a globally diverse and redundant Anycast DNS network, and 24x7 call-center and technical support.
In addition, Afilias offers other premium solutions to augment its registry offering, including technology to enable mobile phone compatibility for websites and a unique IDN-capable email solution. All Afilias services are DNSSEC and IPv6 ready, and reflect 10 years of experience in supporting gTLDs operating under ICANN contracts.
About Afilias
Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services and Managed DNS. For more information on Afilias, visit www.afilias.info.
About HiChina
HiChina, a subsidiary of Alibaba.com, is the leading Internet services provider in China. HiChina provides comprehensive Web services to enterprises, including domain registration, hosting, enterprise email systems, enterprise website creation & management, and e-commerce applications consultation. HiChina is an accredited domain registrar by both ICANN and CNNIC (China Internet Network Information Center). Currently, HiChina manages and hosts more than three million English and Chinese domains, and also serves more than 500,000 enterprise users with fast, stable and secure websites and email hosting services. Headquartered in Beijing, HiChina currently has 16 branches and more than 10,000 agents in 31 provinces and cities across China. Visit http://en.hichina.com to learn more.
DNSSEC, short for Domain Name System Security Extensions, is an enhancement to the DNS protocol that ensures a greater level of trust when resolving domain names. Using DNSSEC, resolvers can validate digital signatures using public cryptographic keys to see whether DNS answers have been tampered with. The protocol is important because, widely deployed, it will curb attacks such as DNS cache poisoning, which can be used to steal money, identities and other valuable data.
ICANN has held DNSSEC workshops during its meetings for several years, but there was an increased level of excitement and participation this time around. This was not only due to the workshop’s location close to Silicon Valley; participants also expressed a feeling that DNSSEC is now a reality that needs to be addressed. As moderator Dr. Steve Crocker put it, "DNSSEC is in the ascendency."
During the workshop, attendees heard from companies such as PayPal, the major e-commerce payment processor, which has a DNSSEC roll-out plan it believes will take up to six months to implement. Andy Steingruebl, who manages Internet standards and governance for PayPal, said the company is committed to bringing the security benefits of DNSSEC to its customers, but is taking a cautious approach to deployment. The company will begin by signing some of its smaller, lesser-used DNS zones before it brings the technology to its main site, paypal.com. The fact that a company as large and influential as PayPal has already started to put its DNSSEC plan into action is excellent news.
Delegates also heard some notes of caution. Mozilla's Brian Smith, for example, stated that the Firefox browser will not get native, on-by-default DNSSEC compatibility until the organization is confident that the protocol has been deployed correctly in routers and by people signing their zones. Poorly configured DNSSEC elsewhere could create error messages in the browser that the vast majority of Web surfers would not understand, he noted, prompting them to blame Firefox and switch to a competitor's product. Native browser support seems to be a longer-term goal for the global DNSSEC deployment initiative. Browser plug-ins are, however, already available, and that is where client support will likely come from in the near term.
Right now, DNS service providers are doing their parts. A collection of services from various vendors, including Afilias' own One Click DNSSEC, have recently launched to make it easier for companies to secure their zones without getting into the complex technical guts of key generation, management and rollover.
The message from the domain name industry has been clear for some years: DNSSEC is coming. The new message is that key players from other parts of the e-commerce ecosystem are also coming on board. It's a team effort. With the DNS root and TLDs representing the majority of domain owners now signed, and the first registrars already offering DNSSEC services, it's time for everyone else to take notice. The kind of security provided by DNSSEC will only come to the entire DNS if everybody with a role to play takes part.
According to the resolution passed by the Board, ICANN's directors will hold a special meeting on June 20 -- the first day of its Singapore conference -- to consider approval of the Guidebook. Chairman Peter Dengate Thrush said that a guidebook approval at the start of the week gives the community an excuse for a big celebration during the Singapore meeting.
The decision to approve a new timetable came at the end of ICANN's 40th public meeting, which was its largest to date with more than 1,700 registered delegates. For the Board, the meeting week was occupied by intensive consultations with the Governmental Advisory Committee (GAC) and, in parallel, with the community at large. The GAC had raised 80 issues where it was still concerned with the contents of the Guidebook, and the Board sought an equitable compromise that considered both the views of governments and the community's established consensus positions.
Unfortunately, the time allocated to these discussions in San Francisco was not sufficient to allow the Board and GAC to reach a definitive final position. The newly approved timeline, however, calls for the consultation, with an additional round of public comment, to conclude by May 30. ICANN directors described the timetable as both realistic and responsible, and several members of the Board expressed their resolve to finalize the Guidebook in Singapore.
After so many delays and abandoned roadmaps over the last few years, as the rules for applying for gTLDs underwent multiple loops of revision and public comment, the program may now be finally in the home stretch -- ready to make the transition from policy development to implementation. This means, of course, that it is now more important than ever for Internet-using enterprises to consider their gTLD strategies, even if they do not plan to apply.
Following the approval of the Guidebook, ICANN plans to launch a four-month outreach program designed to expand awareness of the new gTLD process to a wider audience.
If you're reading these words before that process begins, you're ahead of the curve. You should use that time advantage to both develop your gTLD strategy and find the expert partners you’ll need to make it successful. The application window is expected to be short -- just two or three months -- and is likely to open before the end of 2011. There have been many delays, but wise applicants will begin their preparations in earnest ASAP.
As a reminder, DNSSEC — Domain Name System Security Extensions — is a trust upgrade to the decades-old DNS protocol. Using DNSSEC, resolvers are able to ensure that no one or nothing has tampered with DNS messages by validating their cryptographic signatures. The technology goes a long way in protecting Internet users from attacks, like cache poisoning, that have the potential to undermine the trust we all place in electronic commerce.
According to ICANN's latest statistics, more than 20% of the world's TLDs have now implemented DNSSEC in their zones: 69 are signed, and 62 have also published the signatures in the root zone, meaning they are fully DNSSEC-compatible. This rapid uptake has been driven by the concerted efforts of TLD registries. Since the landmark DNSSEC signing of .org in 2010, Afilias has been rolling out the technology to all of the gTLDs and ccTLDs for which we provide registry services as part of our “Project Safeguard.” Registrants of .info domains can now use DNSSEC, and we have also announced the signing of the .in, .me, .gi, .mn and .sc zones, among others.
Other ccTLDs have also recently been signed, but two of the largest recent DNSSEC deployments have occurred in .net and .com, which together account for more than half of the world's existing domain name registrations. While the .net implementation is now complete, .com is currently serving DNSSEC information that deliberately cannot be validated. The .com domain will not be fully "switched on" until the end of the month. When this happens, of the seven "original" gTLDs, only .mil and .int will remain unsigned.
DNSSEC availability in .com will also prove to be a landmark in terms of raising awareness among domain name registrants. It's great that so many TLDs are being signed, but this is of little use to Web surfers until second-level registrants also begin to sign their zones. Registrars are already launching services to simplify what is a complex technology to deploy and manage, but these need to be used.
When major corporations that have their primary website at a .com domain begin to publicly deploy the technology, DNSSEC will likely begin to market itself in a viral manner. Much like a newly launched TLD needs well-known brands to adopt its domains, a few big "anchor tenants" will also prove priceless for spreading the word about DNSSEC. When major e-commerce, financial services and social networking sites start to openly embrace the specification, it should become a competitive imperative for others to do the same so that they avoid appearing less secure than their rivals. With a bit of luck, at this time next year, I will be writing about the encouraging level of DNSSEC adoption at the second level of the domain name system, rather than at the top level.
While ICANN's public meetings have recently focused on debating the policies that will go into its gTLD Applicant Guidebook, the .nxt meeting moved the discussion into the future to tackle the issue of what to do when the program has actually launched: how to ensure a proper application; what to look out for as a registry operator; how to differentiate your new TLD; how to deal with registrars; how to tap your community; and in general, how to turn your dream into a reality.
Conference general manager Kieren McCarthy opened .nxt with an upbeat speech that drew remarkable parallels between today’s new gTLD debate and 1930’s controversy surrounding efforts to build the bridge linking San Francisco with the East Bay area. The construction of the now-iconic Golden Gate Bridge, he said, faced opposition from wide range of nay-sayers, including entrenched economic interests such as the ferry companies, technical "experts" who said it couldn’t be done safely, and governmental and legal obstructionists, before it was finally given the go-ahead. The message in the analogy was obvious: the benefits of the Bay Area's bridges have been as immeasurable as might be the benefits of new gTLDs.
McCarthy was followed by a keynote address from ICANN senior vice president Kurt Pritz, who managed to convey the historical controversies of new gTLDs, as well as the future excitement and innovation they can create. ICANN still has no official timetable for accepting applications, but Pritz made it clear he believes we're in the final stages before acceptance begins.
The following day, a second keynote was delivered by the .co domain CEO Juan Diego Calle, who provided great insight into 2010's big domain name success story -- the launch of .co. Calle recapped .co's accomplishments and suggested that more new gTLDs will create a rising tide of consumer consciousness that will carry all domains with it.
Since the purpose of .nxt was to focus on the business of new gTLDs, rather than policy, discussions about ICANN and its Applicant Guidebook made up a minority of the sessions. The majority of sessions focused on sharing the experiences and knowledge needed to successfully apply for and then profitably operate a gTLD registry. Panels covered topics such as integrating with registrars, developing winning marketing strategies, creating innovative business models, community outreach, and the importance of selecting an experienced and stable registry services provider.
It was a fun, informative meeting and a rare opportunity for the industry to gather and debate the future of Internet domain names outside of the highly structured format of ICANN's public meetings. With ICANN seemingly close to launching the new gTLD program, the enthusiasm on display at .nxt was tangible.
If there were a single message to take away from the conference, it would be that new gTLDs are imminent, the application process is complex, and that any organization with an interest in benefiting from the next wave of Internet innovation needs to start thinking today about their marketing and partnering strategies.
Subscribe to our news
