Archive for November, 2010


A Report Every Domain Name Administrator Should Read

A great guide to not screwing up your domain name management.

Earlier this month ICANN’s Security and Stability Advisory Committee released a report, “A Registrant’s Guide to Protecting Domain Name Registration Accounts”. Every domain administrator at small and large businesses, as well as domain portfolio owners, should read it (pdf).

The report basically outlines steps you should consider to avoid losing access to your domain name or having your DNS hijacked due to a domain name account compromise.

It also points out that domain names may be integral to a business, and that businesses should treat domain names and domain management accounts accordingly. While a simple statement, I find that even Fortune 500 companies are often lax on domain management, assuming their $10 .com registration will be fully protected by their registrar.

One good point that is often overlooked:

In order to protect email delivery against disruption attacks, contact email addresses for a domain should be assigned to mail servers named outside that domain and registration account. For example, if the domain example.net is managed through an account A at registrar X, use email addresses assigned from a different domain (example.biz) managed through an account B (and possibly at registrar Y). This measure prevents an attacker who succeeds in compromising a domain account from preventing delivery of notification emails by altering DNS configuration for a domain.

The report also suggests using different contacts for the tech, administrative, and billing roles on a domain name. This helps maintain control of the domain name if one of the contacts leaves the organization. Better yet, these contacts can be assigned to generic roles within your company, such as a domain administrator with a generic email address, dns-admin@example.com, that can be accessed by whoever currently holds the role.
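The checks described above, as an added example that is not from the report or the original post: an audit over a constructed portfolio that flags contact addresses whose mail depends on the domain itself or on a domain in the same registrar account, and addresses reused across roles. The `Registration` record, the account labels and the finding names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Registration:
    domain: str    # registered domain name
    account: str   # registrar/account that manages it (label is an assumption)
    contacts: dict # whois role -> contact email address

def email_host(addr):
    """Lower-cased host part of an address, without a trailing dot."""
    return addr.rsplit("@", 1)[1].strip().rstrip(".").lower()

def within(host, zone):
    """True if host is the zone itself or a name beneath it."""
    return host == zone or host.endswith("." + zone)

def audit(portfolio):
    """Return (domain, role, finding) tuples for risky contact setups."""
    findings = []
    for reg in portfolio:
        seen = set()
        for role, addr in sorted(reg.contacts.items()):
            host = email_host(addr)
            # Which registration controls DNS, and so mail routing, for this address?
            owner = next((r for r in portfolio if within(host, r.domain)), None)
            if owner is reg:
                findings.append((reg.domain, role, "in-domain"))
            elif owner is not None and owner.account == reg.account:
                findings.append((reg.domain, role, "same-account"))
            if addr.lower() in seen:
                findings.append((reg.domain, role, "shared-contact"))
            seen.add(addr.lower())
    return findings

# Constructed sample portfolio (not real registrations).
PORTFOLIO = [
    Registration("example.net", "registrar-X/account-A", {
        "admin": "dns-admin@example.biz",
        "billing": "dns-admin@example.biz",
        "tech": "hostmaster@mail.example.net"}),
    Registration("example.org", "registrar-X/account-A", {
        "admin": "dns-admin@example.net",
        "billing": "dns-billing@example.biz",
        "tech": "dns-tech@example.biz"}),
    Registration("example.biz", "registrar-Y/account-B", {
        "admin": "dns-admin@example.net",
        "billing": "dns-billing@example.net",
        "tech": "dns-tech@example.net"}),
]

if __name__ == "__main__":
    for finding in audit(PORTFOLIO):
        print(*finding)
```

The suffix match includes the leading dot, so an unrelated name such as notexample.net is not treated as part of example.net.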

There’s one thing in the report that raises a red flag, though. It suggests considering making a web host, ISP, etc. your technical contact. Maybe it’s a bad taste in my mouth after hearing about so many web hosts and design firms “stealing” client domains, but I wouldn’t want these entities anywhere in my whois.



Is ICANN’s 3 Strikes Loophole on Purpose?

ICANN’s three strikes rule is so full of holes that you have to wonder if the holes are on purpose.

One of the major changes to the so-called “Proposed Final” applicant guidebook is a definition of what a pattern of “bad faith in regard to domain name registrations” is. Applicants that have shown this bad faith pattern are barred from applying.

The new rule slipped into the latest version: if you have three or more UDRP, ACPA, or other equivalent legislation adverse decisions and one of those is in the last four years, you may not apply for a new TLD.

Of course this raises the question of whether registrars such as GoDaddy and eNom, who each have affiliated companies that have lost more than three UDRPs, can apply.

My opinion, based on the current reading of the application, is that YES, these companies can apply. The old language relating to this paragraph read:

Circumstances where ICANN may deny an otherwise qualified application include, but are not limited to instances where the applicant, partner, officer, director, or manager, or any person or entity owning (or beneficially owning) fifteen percent or more of the applicant…

The new header for who these restrictions apply to reads:

Circumstances where ICANN may deny an otherwise qualified application include, but are not limited to instances where the applicant, or any individual named in the application…

So ICANN has removed the “person or entity owning” part. Now if you flip to the application rules you’ll see that a lot of people meet the qualifications of being “named in the application”. These include:

(a) Enter the full name, contact information (permanent residence), and position of all directors (i.e., members of the applicant’s Board of Directors, if applicable).

(b) Enter the full name, contact information (permanent residence), and position of all officers and partners. Officers are high-level management officials of a corporation or business, for example, a CEO, vice president, secretary, chief financial officer. Partners would be listed in the context of a partnership or other such form of legal entity.

(c) Enter the full name, contact information (permanent residence of individual or principal place of business of entity) and position of all shareholders holding at least 15% of shares, and percentage held by each.

So let’s look at the example of DemandMedia/eNom. Technically the names it has lost at UDRP (so far 6 cases this year) were part of a subsidiary. The new registry the company sets up, then, would not have any of the “names” related to this subsidiary in it, meaning that (based on my reading) eNom should have no problem.

And if it did want a troublesome person on its board or in a senior position? It can just add them after the application is approved. The way I read it, the cybersquatting provision doesn’t apply to any people added after the application. The only problem when you add someone is if they have a criminal history.

Here’s one theory: this loophole is so gaping that it was placed to appease trademark holders with full knowledge that anyone who wants to get around it can.

Now I personally don’t have a problem with any of the registrars that have been trapped by this new provision from applying. If we’re going to let registrars own registries and vice-versa, let’s bring it on.

That’s beside the point, which is that this three strikes definition is a major problem. Here are three other problems with the rules:

1. We know that UDRP is inconsistent. If some large portfolio holders knew about this new applicant qualification back in the day, they would have fought UDRPs more rigorously. Consider Tucows, which technically would be barred given the three strikes rule. I count 11 decided cases involving the company. It has won all but three, and one of the three had a dissenting opinion. The names it has lost in UDRP are all controversial. They’re common last names, and I believe the company has fought some of them in court.

2. What happens if a company or person lost a UDRP but won the same case in court? Technically it’s still a UDRP loss.

3. It doesn’t take into consideration the number of domain names owned. If someone owns 10 domains and has lost 2 UDRPs, that shows more of a pattern than someone who owns millions of domains losing 3 or more cases.

It still concerns me that this arbitrary provision has been added. It should be overhauled.



Arbitration Panel Finds in Favor of eRestaurant.com Owner

Domain theft and now a UDRP. Defending a good domain name isn’t easy.

A domain name owner who has already gone through the hassle of having his domain name stolen has now succeeded in winning a UDRP to keep the domain name.

Altametrics, Inc filed the case against Ryan Sveinsvoll, who owns the eRestaurant.com domain name. The history of the domain name is interesting. Sveinsvoll appears to have purchased the domain name in 2003 and it was then hijacked in 2008. When the domain name was returned the whois was replaced with Sveinsvoll’s name rather than the company name under which it was previously registered.

For that reason, the panel decided that the date he got the domain name back should be the registration date, not 2003. That seems like a questionable decision given the circumstances.

Still, it may have played a role in the back of the panelists’ minds when deciding the case against the complainant. The panel ruled that it wasn’t registered and used in bad faith for a number of reasons — including the generic nature of the domain name.

It appears Sveinsvoll defended himself in the case.



25 Tips for Choosing the Best Domain Name

25 (mostly) good tips for end users choosing a domain name.

It’s always interesting to see a non-domainer’s take on choosing the right domain name. I came across a good article today from a web designer featuring 25 tips for choosing the best domain name.

You’ve heard all of these tips before, but rarely have I seen them in one place. Some of the key tips that I see people regret not following are:

3. Can You Say The Domain Without Explanation

4. Never Let Someone Else Purchase Your Domain

14. Don’t Use Clever Spelling

There are a couple tips that I disagree with. I obviously disagree with this one:

12. Stay Away From “Premium” Domains

If you can get the domain name you want for only $2,500, that’s just a drop in the bucket. If you plan to be in business for the long haul (and I assume that’s why you’re starting one), it’s not much when you amortize the cost.

I also disagree with the rationale behind:

24. Purchase Your Domain for 10 Years

The reason in the article is that search engines may view a web site more favorably if it’s registered for a long period since most spammy domains are registered a year at a time. Google has said this has little (if any) effect on rankings. And while that may change, the most important reason you should register a company name for 10 years at a time is that you’re less likely to let it expire. We’re talking about paying $100 now versus $10 a year. Big deal.

Anyhow, it’s worth checking out the list.



What in the World Will ICANN Do with $100 Million Cash Next Year?

Can ICANN handle 9 figures of cash?

$185,000 per application. Let’s say 550 applications for new top level domain names. That’s $101.75 million in cash coming in ICANN’s door next year.

That’s a lot of money.

What will it do with the cash that it doesn’t immediately spend on application processing? How much of this will now be considered “cost recovery”? How much will be reserved for resulting lawsuits?

Don’t get me wrong, I think it should cost a lot to apply for a new TLD in this round. It will help ensure applicants are well funded.

But we could see a lot of applications. Think about IDN equivalents alone. And a lot of marketing departments of large companies will say “Hey, I don’t know if we want one of these. But for under $500,000 we may as well protect ourselves.”

One hundred million in cash. That’s a lot of dough. Hope they don’t screw this up.

