The reasons that DNSSEC has not been deployed have changed over the years. DNSSEC would have rolled out in 2002 had either the IETF agreed to the technical changes required to deploy in .com or ICANN had told VeriSign to deploy without IETF approval. Until the protocol was changed to add the NSEC3 record in 2007, the additional data volumes from signing every DNS record in .com would have been totally unacceptable.

The current reason for delays is that the current architecture is politically infeasible. Back in 1995 Internet protocols were low on the political radar. Now the status of cryptographic protocols and registry protocols are considered major diplomatic concerns. Some countries have large diplomatic staffs whose primary function is to look at emerging technology and see what strategic/economic leverage may be involved. My own country has a 25 person consulate located on MIT property for the sole purposes of technology transfer and business facilitation.

The chair of the ICANN security WG has been approached by representatives of various states and told that the current architecture is unacceptable to them. He continues to dismiss their concerns as not a worry to him. Which is pretty arrogant when members of international intelligence agencies are visiting to tell him that they are a concern to THEM.

To understand these concerns, let us imagine that some ambitious member of Congress decides that they could do with a few more votes or a few more bucks. So they decide to write a bill that would force ICANN to drop Cuba or maybe Palestine out of the DNS root.

If that bill was presented today it would be a major diplomatic crisis and the state dept would be running round trying to contain the damage to all the negotiations they are working on. But they would eventually manage to get the point across hat if ICANN was coerced into abusing the root zone in that fashion the result would be a collapse of ICANN. The non-US root operators would ignore all instructions from ICANN, non-US ISPs would deactivate the ICANN roots, many US ISPs would do so as well.

Either way, ICANN would be damaged and would eventually end up absorbed into the ITU for protection. In the process, huge damage would be done to the US state dept policy of encouraging Internet deployment in order to spread democratic, liberal values. Iran, Cuba and the rest would receive a gift wrapped proof that the Internet was a US tool of imperalist hegemonistic whatever.

Now add DNSSEC to the system with ICANN holding the root of roots and a billion or so embedded devices round the world that will not recognize any other root. Now ICANN can enforce any decision and sooner or later there is going to be some idiot in Congress who works out that that gives him leverage and decides to use it.

The country code TLDs have embedded every irredentist dispute into the core of the DNS. That is why the world intelligence services are so mad with ICANN. That is why the Palestinian minister of Information makes visits.

If you don’t understand that conflict, you can’t understand any of the politics that surround ICANN.

Should ICANN deal with this – hell yes. That was why ICANN was invented.

Minor redesign of the DNS protocol could allow ICANN to cut the cost of names in half.

Only the process of registering names is a natural monopoly. That is not a difficult task, pretty much any serious DNS infrastructure company could cope with that task, plus IBM, EDS, pretty much any competent enterprise class IT provider.

The cost of running the registry is in the publication side. Answering all those queries. That is the piece where the money goes. That is not a natural monopoly.

You do not need the IETF to be involved in that process at all. The IETF maintains the public interfaces of the Internet, it does not need to be involved in developing standards that support communication between ICANN contractors and registrars. That is what OASIS is designed to support.

Even if ICANN had the mandate and, magically, the ability to do this (and don’t you think it’s more in the domain of the IETF?), do you really believe this gargantuan task would be justified by these objectives?

Universal resolvability – the key principle of an open and end to end Internet – requires a single authoritative registry for each TLD. Ergo, registries are natural monopolies. Does this mean that each registry is a singe point of failure? In principle, yes. In practice, no because of mirroring, e.g. of the root servers. But is it expensive to run a registry, especially an enormous one like .COM? Yes of course it is, for many reasons, not just the capacity needed to cope with the volume of business but also because of all the excess capacity needed to withstand DDOS attacks, and the resources required to defend against other types of attack or infiltration. This creates a clear barrier to market entry, at least for potential competitors in .COM. However, it’s a barrier, not a complete block.

I was not privy to the deliberations last time the .COM contract was up for renewal, but my sense is that Neustar’s bid was seriously considered on its technical and business merits. There’s a fascinating discussion to be had on the technical and operational considerations of moving the biggest registry in the world to another contractor. Is .COM too big to move? Verisign certainly seems to think so, and is looking forward to another 25 years running .COM. But let’s be real, here. You’ve not mentioned the key factor here; the political pressure brought to bear on the renewal or otherwise of the .COM contract, on ICANN’s existence, core financial stability and the resources it has to do its job, and fundamental to the progress ICANN has been able to make on DNSSEC, by your former employer, Verisign.

Of course, having spent the past 5 years working for ICANN, I see things from a particular point of view. I welcome a discussion on the hows and whys of what ICANN does, and where it has failed and continues to do so. But it’s not good enough for you to just whip out the usual ICANN-bashing rhetoric without mentioning the elephant in the room, Verisign.

I worry that arguing that the only way to introduce ‘real competition’ in the DNS is to take apart the whole system and re-design it – a practical impossibility and a political nightmare – distracts attention from actual work being done to create competition at the registry level, simply by creating more registries.

ICANN isn’t ‘plotting’ to deploy new gTLDs and squeezing money from supplicants. It’s working through a 5 year process – community prompted – of consultation and deliberation on how to expand the name space so that it reflects the people who use the Internet today, not just the legacy North American / European founders. Why? To introduce competition at the registry level, just the thing you say ICANN has failed to do. And just the thing many incumbent registries have fought tooth and nail against.

As to squeezing money from ‘supplicants’, I just wish that when people say ICANN is creating new gTLDs to make money, they would do their homework and inform themselves about what it takes for a 120- person organisation with no special legal protections to develop and implement a fair applications process that does everything from managing conflicts between rival applicants, determining morality and public order concerns to the satisfaction of international law and other governments, dealing with potentially identical or threatening strings in different character sets, communicating the whole programme globally so everyone gets a shot at being part of it, managing its own substantially increased legal risk, facilitating increased participation from different language groups in all ICANN’s processes, and building out ICANN’s own infrastructure to cope with the ongoing administrative and technical burden of the new gTLDs. Give me a break!

It costs a lot of money to do all of this, not least because the organisation recognises (too implicitly for my taste) that it screwed up on earlier application rounds.

So come on. Less of the rhetoric and more grappling with the realities of what it takes to keep the DNS going using the odd, imperfect but rather wonderful vehicle of a wannabe global California nonprofit.

This is something that ICANN circulates as a talking point and takes credit for. Maria really should check her marketing dept before repeating their claims.

ICANN is comparing a two year contract to a one year contract and is taking credit for the elimination of the $35 surcharge to the NSF fund which they had nothing to do with. Not only was ICANN not formed when the surcharge was eliminated, it was eliminated as a result of a lawsuit brought against Network Solutions and the NSF/DoC.

ICANN is taking credit for a price reduction that happened before it came into existence and occurred for reasons that have nothing to do with it. The price of .com registrations came down in response to the introduction of competition between registrars. The decision to introduce competition was made before ICANN came into existence and ICANN was in fact created as a result of that decision.

I beg to differ. A good friend of mine paid $93 + tax for 2 years for a .ca domain recently from an outfit that looked slightly less scam-like than some others that he looked at. But I – I mean he – was wandering around lost, with no way of knowing what was behind these web pages. His main criterion, at least from what he told me, was that the web site not use blink tags and not show banner ads that blocked the attempt to sign up. And the fact that he knows nothing about DNSSEC, TLDs, the problems introduced by DDoS attacks, didn’t help me – I mean him – one bit.

If I read Maria’s comment right, it sounds like we need to be grateful to sploggers for keeping the domain registrars honest. The mind reels!

Then ICANN was formed.

Since then ICANN has done absolutely nothing to change the basic structural weaknesses of the DNS protocols that make the registry fee so high. The cost of supporting the registry is high because the infrastructure has to be engineered to a vast capacity in order to defeat the DDoS attacks that happen from time to time. The DNS architecture is unfortunately a single point of failure model and thus the only way to provide DDoS protection is to deploy massive amounts of spare capacity.

Nor has ICANN done anything to introduce competition into the registry provision side of the equation. There is really no reason why the whole .com domain needs to be supported by a single source supplier. Relying on a single source supplier means that ICANN will never have a viable alternative. There is no way NeuStar is a credible alternative to VeriSign as the .com registrar today and there is no way that they could ever build out sufficient infrastructure to mount a competitive bid in the future either. So each time the contract is up for renewal there will be no real choice but to renew with the incumbent vendor and accept the increase in fees demanded.

Instead of paying attention to the issues that ICANN should have addressed, it has been plotting to deploy new TLDs under a scheme where the supplicant pays ICANN a non-refundable application fee of $100K+. Last time round ICANN simply rejected most of the applications and pocketed the money.

ICANN has made some progress on DNSSEC, albeit having been warned by several countries that they are not going to tolerate the current scheme where ICANN will establish itself as the root authority. Protests are likely to be muted though since there isn’t currently a scheme for registering a DNSSEC key as a domain name holder. So even with the DNS apex being signed there will be no point.

https://swww.baremetal.com/rt_reg/domain_rates_can.html gives typical domain registration prices in Canada. It’s more trouble than it appears to maintain a registry of domains…

The OECD published a still relevant report comparing cc domain registration in 2002; http://www.oecd.org/dataoecd/46/38/2505946.pdf and this sort of follow-up in 2006: http://www.oecd.org/dataoecd/8/18/37730629.pdf

And also this very good 2006 report on the secondary market for domain names (mostly in the gTLDs): http://www.oecd.org/dataoecd/14/45/36471569.pdf

This one, on new gTLDs, was a good summary of the relevant issues: http://www.oecd.org/dataoecd/56/34/32996948.pdf

There are two basic types of domain; country code and generic. .CA and .UK are ccTLDs (country code top level domains). How cc’s are run varies widely. Some countries farm it out to quasi-independent structures (probably most oecd countries do this), and others hold it closely within the business or telecoms ministry. Registration policies vary widely. Some require you to be resident in the country, others – e.g. .TV – don’t care. Some have sub-domains; e.g. .ORG.UK, others don’t, e.g. .IE. And prices vary widely, too. Lots of ccTLDs have a memorandum of understanding with ICANN, but they’re not regulated by it.Some cc’s coordinate themselves internationally in bodies like AFTLD and CENTR, but they tend to resist policy-level harmonisation. Result; enormous variety of pricing, service and rules.

Generic TLDs like .COM or .INFO are administered according to contracts with ICANN. These contracts set conditions like registrant data publication (WHOIS) or transfer and deletion rules.

But very few TLDs – either g or cc – sell names directly. (In fact, contracts say you’re not buying the name; you’re renting it under certain conditions.) Similarly to regulation in the telecoms world, ICANN brought about a structural separation between registries (the organisation contracted to ICANN to maintain the authoritative registry of name ownership, so at its heart a monopoly task) and registrars (downstream companies that deal directly with the public and compete with each other). Both types of organisation are contracted to ICANN for the sale of gTLD domain names. Over the last decade, this structural separation created intense competition at the registrar level, bringing names in .COM down from the $100 level to under $10, depending on who you buy from.

However, the regulatory approach to registrars is still pretty minimalist. And there are a lot of cowboys out there. Only in the past 5 years, as ICANN got budget stability and the community insisted very loudly, has it bulked up its compliance function. The list of ICANN-accredited registrars only tells you which registrars are directly contracted to ICANN, and not if they’re any good. The list expanded enormously a few years ago because the rules encouraged registrars to set up different corporate entities and accredit each of them in order to have more shots at potentially expiring domain names. And in a desire to be even-handed, ICANN doesn’t recommend one registrar over another. The market failure to community-source a who’s who of registrars is striking.

How to find a good registrar? One positive aspect of the influx of domainers is that they demand good service and aren’t afraid to complain and give public rankings. Most of them are still North American, so google ‘domainer’ and you’ll start finding your way to rankings and discussion of various registrars who operate in Canada.

As to who’s making money out of this. The margins in a registrar business are unbelievably narrow. Domainers made a lot of money in the early days, say 5 years ago. It’s a lot tougher now, especially since ICANN made a rule change last year that prevents them from picking up a name for free for a couple of weeks, monetising it and dropping it back in the pool at no charge. Both registrars and domainers, at least the successful ones, make their money by tiny increments on big volumes, and through clever manipulation of the rules. One of the fascinating things about working for ICANN was anticipating and observing how each rule was ‘gamed’.

So there you go.

If you feel like providing more inside scoop on the politics and business of domain registration, you would have at least one interested reader.