Home / Blogs

Verisign Doesn’t Think the Net Is Ready for a Thousand New TLDs

Yesterday Verisign sent ICANN a most interesting white paper called New gTLD Security and Stability Considerations. They also filed a copy with the SEC as an 8-K, a document that their stockholders should know about.

It’s worth reading the whole thing, but in short, their well-supported opinion is that the net isn’t ready for all the new TLDs, and even if they were, ICANN’s processes or lack thereof will cause other huge problems.

The simplest issues are administrative ones for ICANN. In the olden days updates to the root zone were all handled manually, signed email from ICANN to Verisign, who manages the root zone, with a check at NTIA, who oversees it under longstanding contracts. As the number of changes increased, more due to added IPv6 and DNSSEC records than increased numbers of TLDs, the amount of email got unwieldy so they came up with a new system where the change data is handled automatically with people looking at secure web sites rather than copy and paste from their mailboxes. This system still in testing and isn’t in production yet; Verisign would really prefer that it was before ICANN starts adding large numbers of new TLDs.

The new domains all have to use the Trademark Clearinghous (TMCH), a blacklist of names that people aren’t allowed to register. Due to lengthy dithering at ICANN, the the TMCH operator was just recently selected, and they haven’t even started working out the technical details of how registry operators will query it in real time as registrations arrive.

There are other ICANN issues as well, the process for transferring a failed registry’s data to a backup provider isn’t ready, nor is zone file access for getting copies of zone data, nor are the pre-delegation testing reqiurements done, and the GAC (the representatives from various governments) could still retroactively veto new domains even after they’d been placed in service.

All of these issues are well known, and the technical requirements have been listed in the applicant guidebook for several years, so it does reflect poorly on ICANN that they’re so far from being ready to implement the new domains.

Most importantly, Verisign notes that the root servers, who are run by a variety of fiercely independent operators, have no coordinated logging or problem reporting system. If something does go wrong at one root server, there’s no way to tell whether it’s just them or everyone other than making phone calls. Verisign gives some examples of odd and unexpected things that happened as DNSSEC was rolled out, and again their concerns are quite reasonable.

An obvious question is what is Verisign’s motivation in publishing this now. Since they are the registry for .COM and .NET and a few smaller domains, one possibility is FUD, trying to delay all the new domains to keep competitors out of the root. I don’t think that’s it. Over 200 of the applications say that they’ll use Verisign to run their registries, so Verisign stands to make a fair amount of money from them. And everyone expects that to the extent the new TLDs are successful at all, it’ll be additional, often defensive registrations, not people abandoning .COM and .NET.

So my take on this is that Verisign means what they say, the root isn’t ready for all these domains, nor are ICANN’s processes ready, and Verisign as the root zone manager is justifiably worried that if they go ahead anyway, the root could break.

Update: Thu April 4, 2013
A follow up to the discussed Verisign’s white paper, New gTLD Security and Stability Considerations, in which they listed a bunch of reasons that ICANN isn’t ready to roll out lots of new TLDs. Among the reasons were that several of the services the new GTLDs are required to use aren’t available yet, including the Emergency Back End Registry Operators (EBEROs), who would take over the registry functions for a TLD whose operator failed. They were supposed to have been chosen in mid-2012. By complete coincidence, ICANN has announced that they had chosen the three Emergency End Registry Operators. I can’t wait to see what happens next week.

By John Levine, Author, Consultant & Speaker

Filed Under


TMCH Kevin Murphy  –  Mar 30, 2013 4:30 AM

Probably not accurate to call the TMCH a “a blacklist of names that people aren’t allowed to register”.

The TMCH gives trademark holders the right to register domains in sunrise periods (but only if they pay and are eligible under the registry’s rules) and sends potentially worthless EULA-style warnings to people who attempt to register domains that match trademarks.

It doesn’t stop anyone registering anything.

TMCH John Levine  –  Mar 30, 2013 4:38 AM

You're right, but VRSN's point, that registries have to query the TMCH in real time and nobody has a clue how that's going to work, was the main issue.

And it's a good point. The TMCH Kevin Murphy  –  Mar 30, 2013 4:52 AM

And it's a good point. The TMCH is an unknown quantity for new gTLD registries and their potential customers at this point. The pertinent question, however, is whether it threatens the security and stability of the DNS we all know and love. That's a much harder case to argue. If the TMCH catastrophically fails, what does that mean to anyone other than companies trying to sell new gTLD domain names, and people trying to buy them, during the first 90 days of GA? Not much, I'd say.

software is hard John Levine  –  Mar 30, 2013 4:59 AM

The TMCH will need some kind of EPP extension, that then has to be coded into everyone's registry software and debugged. Having written my share of client/server software I'm acutely aware of all of the strange and flaky ways that stuff can fail. If they're lucky, everything will be just dandy. If they're not, they'll get strange bugs like TMCH lookups randomly changing the strings that people are trying to register. Do read the report. The TMCH is just one example of the parts of the new gTLD program that are not even within hailing distance of being ready for prime time.

Also remember the incentivies John Levine  –  Mar 30, 2013 5:02 AM

There are over 200 new TLD applications with VRSN as the back end, mostly closed dot-brand stuff. That’s got to represent several million dollars per year of revenue to VRSN, with little incremental cost since it’ll run on the same infrastructure that runs .NAME and .JOBS and so forth. They must be pretty nervous to be willing to forego that kind of revenue.

Not necessarily. They could just as easily Kevin Murphy  –  Mar 30, 2013 2:15 PM

Not necessarily. They could just as easily be nervous, some say, about new gTLDs cutting into their $800 million .com business.

"several million dollars per year of revenue" Andrew Allemann  –  Mar 30, 2013 2:27 PM

That’s nothing to VRSN. Look at their income statement.

Just checking John Levine  –  Mar 30, 2013 4:19 PM

So are you both saying you’ve read VRSN’s paper and you think the issues are all bogus?  How about the root zone automation issue?

I'm not saying the issues are bogus. Kevin Murphy  –  Mar 30, 2013 5:02 PM

I'm not saying the issues are bogus. On the contrary, most of them have been discussed for years.

Why now? Avtal Meren  –  Mar 30, 2013 9:41 PM

I’m still trying to understand: Why did Verisign wait until so late to publish these concerns?  Couldn’t they have raised the alarm six months or a year ago?


ICANN announced a few days ago that John Levine  –  Mar 30, 2013 10:18 PM

ICANN announced a few days ago that they've approved about 30 TLD applications, which means that they may actually have some intention of putting them into the root.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com


Sponsored byVerisign

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global