With its contract with ICANN allowing for 7% price increases per year Verisign has announced that it will again be executing this and raising the prices of COM domains to $7.34 from July 1 2010, and NET domains to $4.65. This has increased the COM price from its original base of $6 in just 3 years.

When we last spoke to Verisign at ICANN Sydney 2009 they suggested further price increases were unlikely. What's changed?

With the approach of the ICANN domain name liberalisation due early next year, this could either cement COMs status as a premium extension, or drive people to look for and explore other extensions. What do you think?

Some of you may have seen earlier in the year that ICANN (the body in charge of regulating the domain name space) announced that it was going to liberalise the market for domain name extensions, e.g. the bit that follows the last '.' in a name, .com, .net., .co.uk, .eu, etc.

What this means is that in theory anyone can apply to become a registry in their own right, and get .theirname so that you can buy domain names from them and get yourname.theirname. ICANN have now announced that the 'evaluation' process for new extensions will be costly, $185,000. Well costly for you and me, but perhaps not for funds or speculators.

But what is point in all this? Does it matter? Should we care?

The justification for doing it is that the internet is growing, more people are coming online, it allows more choice, blah, blah, blah. Which has some truth to it. But in some ways there is already an infinite number of domain names available across each of the roughly 280 existing TLDs (from .ac -> .zw - there should be a catchy alphabet song for them!).

But what does it mean for you, the customer? Well, it does mean you can get more choice. You will be able to buy yourdomain.something. Whether this helps is a different matter. Many of these new extensions will be quite specific, which may help, e.g. myplace.restaurant, or myhouse.london, but it may just create more and more confusion that your chosen name can have so many different extensions, which one is really you?

One result of this will probably be that more and more people will want to authenticate that their domain name, whatever unusual form it takes, can be explicitly linked to them. The most common way to do this at the moment it through SSL certificates, where a third party will guarantee that the domain is owned by a particular individual/company, and that you are browsing on that site in a secure way. So this is something to think about and watch out for...

There is one group of people that will undoubtedly benefit from this liberalisation and that is the spammers, advertisers and squatters.

In the old days if you wanted to protect your brand you could buy all 280 extensions. No longer. With a potentially limitless number of extensions, there is no way that you can get yourbrand.allofthem, so even the most well protected global brands may find a few more lawsuits on the horizon. The beneficiaries of this will be the squatters and advertisers who will use establishedbrand.newtld as an advertising site, or domain auction target (buy this one back, for $xxx).

And then there will be the increased volume of ad sites, just showing endless streams of ad feeds on domain names with no real purpose except to make money for their owner. I always think about this in terms of domain names as property: if the best properties in your town (domains on your tld) were closed down and became advertising bill boards, would you stand for this as a resident? This is exactly what is happening online. Most of the best names/words are turning into bill boards, and it will only continue unless there is a regulatory change to stop or limit it.

So there you have it, the change is coming, the benefits are unclear. But one thing that is clear is that unless ICANN take more of a role in setting and enforcing codes of content for domain ownership/usage, we may find as customers we are browsing in a larger and more polluted domain space.

What do you think?

On July 8, 2008, the US-CERT (United States Computer Emergency Readiness Team) announced that they had discovered a new way to quickly take advantage of weaknesses in the DNS protocol. This method targets non updated 'recursive' servers, allowing the 'attacker' to fake an answer as coming from an 'authoritative' server.

Gandi, as a registrar, only owns 'authoritative' servers and was not affected by this flaw.
However, we are also a webhost now, and our customers go through 'recursive' servers. These servers were updated by our technical team, just a few hours after the announcement.

All right, but what are recursive and authoritative names servers?

There are two types of name servers:

1. The recursive servers, when questioned, get the information from other servers.

2. The authoritative servers have the information requested by (among others) recursive servers.

Recursive servers are those usually provided by ISPs or webhosts for their customers.
To simplify : when someone enters the URL of a domain name in his web browser, if the domain is entirely managed by Gandi, a DNS request goes from his computer to his ISP's recursive server, which in turn, requests the information from Gandi's authoritative server, and get the address of this domain name.

Gandi's authoritative server answers politely to the recursive server, which temporarily stores the answer in a cache, and finally, the answer is transmitted to the browser. The temporary cache is used to speed up the answers to a ''recursive' server, and thus avoid too much repetition of the same question. This way, there are less exchanges between ''recursive" and authoritative servers, and the Internet's general behavior is improved.

And so?

This new method allows a bad person to trap a vulnerable recursive server into believing that an answer comes from an authoritative server. The recursive server, sure that the answer is correct, stores it in its cache. Does this sound abstract?
Just imagine that you have the ability to pretend to an ISP's customers that you are gandi.net, gmail.com or even amazon.com, and do this for serveral hours at a time... You get the picture.

What you should bear in mind (for our more technical readers)

First of all, the flaw of the DNS protocol is not new. It was identified quite a while ago and is inherent in its design. The technique allowing someone to use this flaw was first published on July 21st and showed how to simply bypass the existing barriers.
Once again a new barrier that has been put in place to prevent this. This new procedure has been recommended for several years and works by using a random source port in the request.
It is important to remember that this measure does not fix the flaw but means that any attack would take longer to succeed.

The DNS protocol does not guarantee the identity of individual machines, which makes preventing such attacks more difficult. The DNSSec protocol that might replace it, is designed to correct this flaw (among other things). However, and for several reasons, it has not yet been put into place.
In any case, the solution is to use secure connections, such as SSL (certificates, signatures and encryption...) when you wish to be sure of the identity of a site.
But even with all these tools and technologies, it is still important to pay attention to your web browsers SSL warning messages

In anticipation of all the highly-awaited new services (GandiBlog, transparent URL forwarding, API/XML, etc...) that will be released in the upcoming weeks, the entire team at Gandi joins me in wishing you happy indigestion Holidays!

The follow-up to the return of the revenge concerning the purchase of Gandi, or "how to know if we’re ready for this type of adventure, then how to choose our associates"…