.IO domain name reliability issues and how we’re working around them (getstream.io)
279 points by sbierwagen on Nov 9, 2017 | 153 comments

By that argument you should also stop using:

.org, .ngo, .lgbt, .asia, .aero, .info, .mobi, .pro, .MN (Mongolia), .AG (Antigua and Barbuda), .BM (Bermuda), .BZ (Belize), .GI (Gibraltar), .IN (India), .ME (Montenegro), .SC (the Seychelles), and .VC (St. Vincent and the Grenadines), .SG (Singapore) and .HN (Honduras) and more

All are provided or supported by Afilias, the company running .IO.


Author here: the post is based on my direct experience with .io. It is not very clear to me how Afilias is involved in the operational side of things, AFAIK they might have just acquired the existing .io infrastructure and kept it as it is (and same goes for the way more reliable .org TLD)

The .io registry transitioned management of the registry operations to Afilias in June of this year. They did not keep the existing infrastructure - it was migrated to Afilias systems.

That's interesting. Can you share the source of that information? I was trying to understand that but somehow I did not manage to find anything online.

I own a .io registrar and I had to make changes to migrate to the new system

dig io. SOA

dig afilias-nst.info MX

This is a blogpost by Planio about moving from .io to .com


> Using .io is unfair to the Chagossian People

> The reason closest to our hearts is the geopolitical background of .io domains which we only learned about recently.

Later in the article:

> Of course, we will make sure to redirect all traffic from *.plan.io appropriately so no existing links will break in the future.

Which to me sounds like they will keep paying for the .io domain for the foreseeable future.

"I don't like conflict diamonds, but since I have a bunch I might as well keep them — I just won't wear them."

That's how it comes off to me.

If you already have a conflict diamond you already funded the mining effort. Keeping or throwing it away has no effect.

Going to planio.com redirects to plan.io, so whatever they had to say about moving from .io to .com can't be worth reading.

I was curious -- it's actually worth reading.

"We have therefore decided to match what we paid for .io domains in the past with donations to the Chagos Conservation Trust and the UK Chagos Support Association. We will continue to do so every year - as long as we will have our .io domain (or the Chagossians start receiving their fair share of the domain business)."

I don't fault them for keeping their .io considering the downsides of not doing so.

I can't find an obvious source on Afilias running .IO? nic.io doesn't link to it, Afilias doesn't list .io on their homepage as one of "their" TLDs, ...

EDIT: Google finds some announcements where registrars tell their customers about a switchover of the registry backend to Afilias June 10th, 2017. Wonder if they run the DNS or not? The nameservers are in IP space owned by ICB, but that doesn't necessarily mean anything.

.IO is historically terrible and seems to have no idea what they are doing, be it downtime, security or general DNS policy.

FWIW a glance at that wikipedia page does not show any references to the .IO TLD.

According to https://en.wikipedia.org/wiki/.io .IO TLD is run by Internet Computer Bureau - are they the same/related companies?

They aren't running it yet. It is not being offered to registrars yet.

Should it be expected that things will improve once the transition happens, then?

I wonder if that's in effect yet?

nic.io contact page links to https://www.icb.co.uk/ which is not reachable

I have pingdom monitors on my .io domains, to my memory and according to Pingdom there was only one extended outage (Sept 20th) due to domain DNS. I'm growing so weary of people (mostly a developer complex) complaining about everything and expecting perfection from technology products or even worse open source projects.

Their point was to not run mission-critical API traffic on those domains, which seems reasonable.

It's not an all-or-nothing proposition. Some TLDs are more flaky. Some aren't. There's a whole continuum there, with good TLDs on top and bad TLDs at the bottom. Make your own decision based on this information.

Currently there is one blog post about an outage and a lot of speculation. I don't think there's enough information to make an "informed" decision. On the other hand, if you use .com, and the whole thing breaks, that from a user's perspective means "the internet just broke", so your small startup won't be at the top of the list of sites people will complain about.

There's been like three IO outages and plus one user registered the nameserver domains to intercept traffic.

That makes it sound a lot more malicious than it actually is. Said user is an ex-Googler, did it to see if he could, went "oh shit" and immediately started serving SERVFAIL on it so other nameservers would be used. His intention wasn't to intercept traffic.

We were not the only ones affected by the outage: https://news.ycombinator.com/item?id=15293578

It was my understanding that Afilias purchased .io and kept using the existing infrastructure. I believe they have gotten many TLDs through acquisitions so I'm not sure you can compare all of them fairly.

no, they do not use the same infrastructure - it was migrated to Afilias. I own a .io registrar and I went through the migration process in June

my .me domain is my primary domain and won't expire for 10 years.

Also I've never observed an outage for it like this.

You sure about that? The Wikipedia page on Afilias doesn't list IO as one of their domains, and the Wikipedia page on .io says the 'Internet Computer Bureau' runs it, with them also running the .sh and .ac domains.

Yes, it was transferred from ICB to Afilias in July

I never understood why ccTLDs of some third-world countries became popular for hosting production code. There is a real risk of somebody stealing your domain due to vulnerable infrastructure and incompetence at the organizations that sometimes employ less than 10 people. The notable takeover of the .io ccTLD by Matthew Bryant [1] should have been a wakeup call for everybody.

1: https://thehackerblog.com/the-io-error-taking-control-of-all...

One good explanation is that people simply aren't aware of the implications of purchasing those domains. Personally this is the first I'd realized .io was both 1) unreliable and 2) a country code.

All two letter TLDs are country codes.

.eu is not a country.

Correct, .eu is a ccTLD, not a whole country. Glad you're able to see the difference.

If you're going to be pedantic, at least do it properly.

> I never understood why (...)

scarcity of available domain names under the major tlds, imo.

Speaking of questionable TLDs: does anyone know what happened to Togo's .tg registry? I see that there are bunch of SSL certificates revoked due to "registry problems" [1] this month, but I haven't seen any news or warnings about it.

I imagine the registrar just doesn't check for names that would be nice targets, but it would be nice to know for sure.

1: https://crt.sh/mozilla-onecrl

> I never understood why ccTLDs of some third-world countries became popular

Simple vanity.

That's the only reason I use them. Since .am (Armenia) allows anyone to register a domain I can have boreh.am and hence be d@boreh.am. Still haven't got around to putting up content at the web site at http://d.boreh.am :(

I think it's also about awareness. Most people don't know that IO or other smaller TLDs are unreliable.

They aren't unreliable. This article blows up a single minor incident into a controversy of epic proportions.

The incident was far from minor IMO. I think .io has had 6+ hours of downtime (full or partial/non-trivial) this year, long enough to push the annual availability down to 99.93% from what I recall from memory of reading post-mortems.

That was enough to spur us to begin planning to move production traffic off our .io domain as well.

Did any of the large TLDs (.com/.net/.de/.fr/.co.uk) have an outage like that in the last decade?

Not being available for several hours can severely damage businesses. Startups that haven't built trust yet as well as some large companies. Imagine a bank's website not being available for several hours. It doesn't matter if it's a DNS issue, people would start panicking very quickly.

The main motivation is how hard it is to get a good .com domain name.

Exactly. That's why .co was/is popular: it's like .com, and it's even shorter! The fact that it's Colombia's country code is not at the top of most people's minds.

Does anyone know how reliable .co is? Who manages the domain? I have a few .co domains (because the .com was bought by some reseller who wants to have >$1,000 for the domain) but somehow wary using them for production.

Agreed. I looked at it for one of our properties a few years ago and discovered that the legal ownership of the domain wouldn't really be ours long term. I'd prefer to stick with US-enforced property rights, warts and all.

Stop giving them ideas!

>I never understood why ccTLDs of some third-world countries became popular for hosting production code.

I trust and support my brothers in Grenada.

There is also a good, ethical reason to stop using .io domains completely, as the territory's population had no say in the governance of the TLD and are deprived of any revenue from it.

Is it expected that the population of a country would benefit directly from TLD sales? I have not seen a dime of the proceeds from .us.

I guess the money probably goes into the treasury, but it can't be more than a drop in the bucket.

I still think TLDs in general were a mistake. It always felt like a leftover from the old Usenet dominated Internet. The Internet quickly outgrew the categorization system and we ended up where we are today with most everything being shoved in .com because it was the least strict.

Tuvalu makes "several million dollars a year" from .tv domains [1], and their total GDP is only ~$35M, so at least in Tuvalu's case it's in the range of 10% of their GDP.

[1]: http://www.bbc.com/news/world-asia-pacific-16340072

The population of the British Indian Ocean Territory were all deported, to clear the island of Diego Garcia for a large US airbase. It's one of the grubbiest recent bits of British imperial manoeuvring.

And "recent" here doesn't only mean "the 1970s". TIL: "In 2016, the British government denied the right of the Chagossians to return to the islands after a 45-year legal dispute". [1]

Also, in 2009 an attempt was made to prevent resettlement by declaring the area a marine reserve. [2]

[1] https://en.wikipedia.org/wiki/Chagossians#Court_battle

[2] https://en.wikipedia.org/wiki/Depopulation_of_Chagossians_fr...

Sounds like the UK has effectively given away the atoll to the US. The US is not going to pack up their very important torture base just because the UK asks them to. Denying the islanders permission to return is just a face-saving move to avoid admitting that the UK no longer controls the territory.

I think of this every time I see .io domains :/ It's a very sad story.

Grubby is an understatement. We "persuaded" people off the island by (for instance) not letting them back in when they returned from holidays, rationing their food and drink, and literally gassing their dogs in front of them.

Edit to add: just to be clear, the UK had bought these people's homeland something like five years previously. Bought.

>literally gassing their dogs in front of them.

This hits me from a deep emotional place. We shouldn't do things like this. The deeper and more connected this giant web becomes for me, and the more parts I know about, the more everything I've ever known comes into question. It feels as if the final episode will be the big reveal that Bruce Wayne is on the therapist's lounge discovering his second alter-ego, the Joker.

What is this giant web you are referring to?

It's far more than this, the original inhabitants of .io were forcibly removed from these islands by the UK in the 60s. The whole situation with a UK company running this TLD is just the icing on the cake.


> Is it expected that the population of a country would benefit directly from TLD sales? I have not seen a dime of the proceeds from .us.

On the scale of a territory like BIOT, it is a reasonable expectation; Tuvalu is a high-profile example. However, the point is that there are no Chagossian representatives who have had a say in the organisation or governance of the territory's Internet infrastructure. There are a multitude of possibilities for how the .io ccTLD could be operated, but Chagossians have not had the opportunity to influence or decide them. In the absence of that, it seems right that the relatively lucrative .io registration business is used in some way to the benefit of displaced Chagossians.

> I have not seen a dime of the proceeds from .us.

On the scales of US budget, it's not likely that income of any government enterprise would noticeably affect your personal income. It may be different for smaller nations.

There is a difference, though, between "the legal representative of the country controls the domain and gets money from it, which they distribute as they see fit" and "somebody having no connection with the country controls the domain and gets money from it". The first may not be ideal, especially for countries with oppressive governments, but makes sense. The second makes much less sense, if we talk about geographic domains at least.

Serious question: does it still have a significant civilian population? Wikipedia makes it kinda read like anyone who was living there was depopulated to make room for military bases and contractors who are working on military bases.

Yep, that's exactly what people take issue with. Just for extra kicks, because we're nice that way, we also made a huge swathe of the area a 'Marine Protected Area' in 2010, so it's now even less likely that the original inhabitants (most of whom are now, of course, aging and/or elderly) will ever get to move back.

There is a good documentary about it, "Stealing a Nation". Free on vimeo: https://vimeo.com/17401157

I don't see why any nation should have claim to assemblies of letters and words in another language in another land. Should China have claim to the word China? No more than America should have claim to 美國 or アメリカ.

I don't see how your facetious point has any relevance here.

Is it ethical to reward people simply because the abbreviation of their country is a certain 2 letters? That seems the opposite of ethical.

It seems unethical?

That's totally flawed reasoning. The people, if they had their own governance, would not have .IO for Indian Ocean Territories. They'd have some other not anywhere as cool ccTLD. .IO is something the British Government created, not the locals.

I'll politely point out that your response is flawed and incorrect. As self-governing British territories, Gibraltar, the Falkland Islands, Bermuda etc. all have ccTLDs pertaining to their ISO 3166-1 designations. Because of that, it isn't the British government that creates the ccTLD. There is no basis to say that BIOT would not have the .io ccTLD if its domestic population was self-governing.

What? The people, known as Îlois or Chagos Islanders, could well have had .io as this represents the native name of their land.

It means (British) Indian Ocean (Territory).

If it were part of Mauritius, it would fall under the existing MU.

I wonder if this is a factor in why large tech organizations like Amazon, Facebook, Google, Microsoft etc have been so keen to register their own TLDs. Now they only depend on root NS and their own infrastructure, and not _any_ ccTLD provider.

Yes, this is one of the major reasons that we registered our own TLDs. It's definitely not a secret.

Source: I'm the tech lead of Google Registry.

Any hint of a timeline for .app availability?


Stay tuned.

...wink one time if measured in weeks, wink two times if measured in months

Well it's definitely not weeks. The rollout process for a TLD takes several months, most parts of which are unavoidably public.

You really expect to hear a product update via HN comment?

Given the likes of https://news.ycombinator.com/item?id=15353027 and https://news.ycombinator.com/item?id=15269832 , it is not beyond the bounds of possibility.

We do actually find these kinds of comments helpful, because it lets us know which of our TLDs are in highest demand.

May I ask why Google isn't using its own TLD yet? I just tried combinations such as mail.google, maps.google or news.google and would've expected that they at least redirect to the equivalent.

There's very little value in adding new domain names solely to serve as redirects, because the best practice is to only have a single canonical domain name anyway. We are starting to launch new sites on our TLDs, e.g. https://registry.google https://domains.google https://ai.google https://blog.google https://pride.google

Don't forget, .google is far from the only closed TLD we have, too.

It was recently pointed out that .dev while never officially sanctioned for the purpose has been used extensively as a test TLD for development servers.

Would Google entertain supporting something like .local.dev for this purpose, used only within a single organization and without reverse-lookup supported?

If not, is there a better alternative that also maintains the aesthetics as well as the similarity with production domain names?

More likely is that we'd simply launch .dev as an openly available TLD (based on inquiries it seems to be in demand). Once it's open you could follow best practices by simply buying the actual domain name you intend to use. Whether it routes on the Internet at large is entirely up to you and how you configure the nameservers.

We use real domain names for all of our dev servers on my team. They happen to be .co domain names, not our own TLDs, because of a chicken-and-the-egg problem.

If that were the case then Amazon and practically everyone else wouldn't be running under .com which of course is managed by Verisign.

Will also note that Amazon is a registrar but relies (as others do) on markmonitor.com to be the registrar for their own domain .com name. Ditto for google which is also a registrar. So they could be the registrar for their own .com domain but choose not to do so.

Domain names are amazingly sticky. You'll likely start seeing increased news of companies using their closed TLDs, but don't expect too many existing sites moving over.

With so many issues related to non .com TLD, I was in deep shock to learn Google registered abc.xyz

> In the first case, we would need to keep hundreds of DNS records in sync and double our SSL certificates;

The first thing is admittedly a PITA, but SSL certificates should not be a problem. Either you use LetsEncrypt which automates the pain away anyway or you do the sane thing and buy a wildcard cert - this has the added advantage that no one can run a service discovery by simply grepping a CT log. Yes, I know, security by obscurity, but scriptkiddies will go for the low hanging fruit first, and having your domains show up in CT logs is ultra low hanging fruit.

> secondly we would need to only change our infrastructure to not use any Route53 specific feature

You should not be locked in to Amazon (or for that matter any Cloud provider) anyway, given how easy it is to get banned from them (hint: it's enough if your Google account manages also the Youtube channel and videos on it get striked too often).

> Using a widely used TLD like .com/.net/.org is the best and easiest way to ensure reliability.

Another caveat right here: .com and .net are operated by Verisign, while .org is operated by PIR. You should always take care to choose a different operator for the backup TLD!
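An added example (not part of any comment in this thread) of the two ideas discussed above: check that API endpoints span more than one registry operator, then fail over between them when name resolution fails. The operator map repeats what commenters state here and is an assumption; the hostnames and the simulated resolver are hypothetical.

```python
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# TLD -> registry operator, as stated by commenters in this thread.
# Assumption: not verified against IANA data; replace with your own mapping.
TLD_OPERATOR: Dict[str, str] = {
    "com": "Verisign",
    "net": "Verisign",
    "org": "PIR",
    "io": "Afilias",
}

Resolver = Callable[[str], List[str]]


def tld_of(hostname: str) -> str:
    """Return the last DNS label of a hostname, lower-cased."""
    return hostname.rstrip(".").rsplit(".", 1)[-1].lower()


def operator_groups(hostnames: Iterable[str],
                    operators: Dict[str, str] = TLD_OPERATOR) -> Dict[str, List[str]]:
    """Group endpoints by the operator of their TLD.

    Unknown TLDs get their own 'unknown(<tld>)' bucket so they are visible
    in the result instead of being silently merged with a known operator.
    """
    groups: Dict[str, List[str]] = {}
    for host in hostnames:
        tld = tld_of(host)
        groups.setdefault(operators.get(tld, f"unknown({tld})"), []).append(host)
    return groups


def is_diverse(hostnames: Iterable[str]) -> bool:
    """True when the endpoints depend on at least two registry operators."""
    return len(operator_groups(hostnames)) >= 2


def system_resolver(hostname: str) -> List[str]:
    """Resolve through the OS resolver (performs real DNS lookups)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def resolve_first_available(
    hostnames: Iterable[str], resolver: Resolver = system_resolver
) -> Tuple[str, List[str], List[Tuple[str, str]]]:
    """Try endpoints in order; move on only when DNS resolution fails.

    Returns (chosen host, its addresses, [(failed host, reason), ...]).
    HTTP-level errors are out of scope: an answer from DNS counts as available.
    """
    failures: List[Tuple[str, str]] = []
    for host in hostnames:
        try:
            addresses = resolver(host)
        except socket.gaierror as exc:
            failures.append((host, str(exc)))
            continue
        if addresses:
            return host, addresses, failures
        failures.append((host, "empty answer"))
    raise RuntimeError(f"no endpoint resolved: {failures}")


def simulated_io_outage(hostname: str) -> List[str]:
    """Constructed resolver: every .io name fails, everything else resolves
    to a documentation address (192.0.2.0/24)."""
    if tld_of(hostname) == "io":
        raise socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution")
    return ["192.0.2.10"]


if __name__ == "__main__":
    # Hypothetical endpoints: brand domain first, fallback on another operator.
    endpoints = ["api.brand-example.io", "api.brand-example.com"]
    print("operator groups:", operator_groups(endpoints))
    print("diverse:", is_diverse(endpoints))
    print("chosen:", resolve_first_available(endpoints, simulated_io_outage))
```
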

> Either you use LetsEncrypt which automates the pain away anyway or you do the sane thing and buy a wildcard cert

For what it's worth, Let's Encrypt plans to offer wildcard certs starting in January 2018.

We have a method for keeping thousands of DNS records in sync per second. Would this by chance be useful? Who should I get in contact with to help?

author here: About your second point. We spend quite some money on AWS every month. As long as we keep paying our bills, I don't see why they would want to cut us loose.

> As long as we keep paying our bills, I don't see why they would want to cut us loose.

I can imagine a competitor trying to boot you off by bombarding their abuse team with bogus complaints and triggering automated actions. It's been done in the past, the problem is that all major companies (not just hosting, but ANY large company!) try to save on actual customer support and even more on stuff they can't bill to the customer, like a properly staffed abuse team.

.io domains are perhaps fashionable, but they are expensive.

For $0.88-$0.99/yr one can have a domain in the same registry as the Alphabet Inc. website's domainname. For that price, it would not be a clever name, but it could be an easy-to-memorize 6-digit number. What if it is only used for an API endpoint?

A higher level of "reliability" IMHO could be achieved by use and publication of a stable IP address, perhaps anycasted if one can afford it. At least it could be a backup for emergencies, such as DNS failures.

Consider that DNS itself e.g., dissemination of root.zone, does not rely on DNS. The IP address for ftp.internic.net is well known and rarely changes. As I recall, when it does, they notify the public in advance. Some years ago if I am not mistaken, there was a change from to

Another example is third party DNS providers. They too publish stable IP addresses. Sometimes users might even memorize them, or store lists of these addresses e.g. included within installed software.

As a user, I hold no bias against any company that publishes its stable IP addresses. In fact, on the issue of reliability I would hold them in higher regard than those who rely 100% on DNS and third parties associated with DNS service. DNS is reasonably reliable, but IMO not more so than a stable IP address.

.io is managed by Afilias. They took over and migrated the registry to their system in June. Afilias manages many other TLDs including:

.adult .ag .archi .bet .bio .black .blue .bz .global .green .in .info .kim .lgbt .ltda .me .mn .mobi .ngo/.ong .org .pet .pink .poker .porn .promo .red .sc .shiksha .vc .vegas .vote .voto

They are a very reliable registry operator. This was a bad screw up, and I guess it had something to do with the migration.

>To our surprise, we found out that NIC.io could only be reached via phone between 7 AM to 12 AM UTC Monday through Friday and did not expose any status about the health of the service.

That doesn't sound very reliable to me...

Afilias tech support is 24/7

> Back when we started in 2014 we decided that .io was great from a branding perspective. Stream is a technical product and our audience is mainly technical, so .io seemed like a great match. Using the same domain for the APIs was more of a consequence than a thoughtful decision.

Quite a lot of tech companies are using .io nowadays. If .io reliability is an issue what is the next best alternative for tech domain names?

You can use stream.io for marketing, email, etc. and use something like stream-dot-io.com or 2556369863227.com for production APIs.

This is the correct answer

"Correct" but feels really gross

It only "feels" really gross if you care a little too much about your branding. No one is going to see it but the devs, and at that point it really doesn't matter.

Just use .com for anything critical (i.e. that your customers rely on).

Keep a .io domain or whatever you want for marketing purposes if it's absolutely necessary, just realise your splash page is at risk of failure some times. Whether it's worth the trade-off is likely up to the individual company.

Marketing is the wrong drive. .com is already over populated meaning you can't get the domain you really want. I get a couple domains in .io so I am happy.

> next best alternative for tech domain names

.com is the best not-alternative

I'm surprised there's no .api gTLD yet.

Some newer TLDs that can be used in tech industry (not sure on their reliability): .computer, .consulting, .design, .digital, .engineering, .enterprises, .graphics, .guide, .network, .online, .plus, .productions, .services, .site, .software, .systems, .tech, .zone

Note that some of these newer TLDs can be more expensive (up to $60/year).

The ICANN contract, which new TLDs have to sign and country codes do not, has very strict penalties for having DNS go down for any reason. They're just as reliable as com.

Disclaimer: I work for Donuts, owner of many new TLDs.

They're also much longer names and many people have difficulty with spelling, not even to mention non-native speakers of English.

.io and .com are short and easy to remember.

> Note that some of these newer TLDs can be more expensive (up to $60/year).

A .com WILL also be expensive, because all the good names and most of the crap ones are either used for other companies or, and that's worse, for squatters who hope to extract five-digits prices.

> not sure on their reliability

Then this answer is not helpful, this whole article and the parent's question were about reliability.

You could always keep using .io for your marketing site and then a related .com domain for the actual app traffic.

.com/net/org are also faster, especially internationally, because of more infrastructure. Algolia found the same during their testing [1].

Use the main TLDs for serving traffic and .io/* for corporate/marketing sites or webapps if the occasional outage isn't a major problem.

1. https://stories.algolia.com/algolia-s-fury-road-to-a-worldwi...

Some ccTLDs have good infra though. Many of the smaller ones (particularly ones run by CoCCA, such as .cx) use Dyntld or Packet Clearing House which have pretty good servers and connectivity.

Hello, I volunteer with UK Chagos Support Association, a voluntary Chagossian support group that Plan.io and other .io firms and users have donated to since this issue was raised in a tech magazine a year or two ago.

Someone Twitter tagged us and linked to this discussion and it's great to see so much support for the community.

Couple of links on the background below.



A couple of .io start ups set up a site to encourage others to support us and other Chagos-related support groups which allowed us to do a lot more of our work - campaigning, supporting community projects and issuing crisis grants - over the past few years. Called 'The Dark Side of .Io,' it's actually offline now but the owner has assured me it'll be back on shortly.

I've no expertise to comment on technical issues. On the moral side, I've not met anyone in the community who has a serious issue with firms using the .io domain name - most are impressed that so many firms have chosen to back the Chagossian community out of their own pocket. As someone mentioned below, as recently as one year ago the UK government refused to allow Chagossians to return to the Chagos Islands. The community will not see any money from the renewal of the lease on their homeland for use as a military base.

These are the main issues, and while the .io domain name is somewhat symbolic of the wider exploitation of the Chagossian people - others profiting from their homeland with the community itself seeing no benefit - there is at least a positive side to this, which is harder to find in the government's decision to continue the exile.

If anyone is interested in finding out more please see our website (not .io - but that's out of cost and ignorance factors more than ethics)


We're actually planning a bit of a revamp of the site shortly and I'd be remiss if when posting here I didn't ask for anyone interested in getting involved in that - contact@chagossupport.org.uk

"Due to its decentralized nature..." should read "Due to its CENTRALIZED nature..." If DNS were decentralized, like for example Bitcoin, so many problems like this would never happen.

True... until "devops199" randomly gives you 150 million reasons otherwise.

author here: this is indeed incorrect, I will change that into "centralized and distributed" thank you for pointing that out

"In July 2017 a security engineer from Google was able to buy the domain of one of the authoritative nameservers (ns-a1.io) and gain control of every .io domain."


Dumb question, but why not host DNS name serving somewhere other than NIC.io so it does not go down? As I recall you can set the name server to live somewhere else, though I don't have the account pages open.

The dnscheck.pingdom.com page shows that .io domains commonly route to different name servers. Just try stream.io and slither.io and you should see different authoritative name servers. (I picked those randomly for the test.)

DNS resolution is hierarchical. You start at the root DNS servers for a TLD to find the authoritative servers for a given domain in that TLD. You can host your authoritative servers wherever you want, but you have no control over the root servers and it was the latter that had problems.

Thanks, that clears things up.

Cross-posting a message I posted about one year ago because I am still mad about what happened 7 years ago:

"In 2011 I paid for and registered o1.io (I really wanted 01.io, but back then it was not available to register domains containing only numbers on .io). The .io NIC web interface is really horrible and I ended up in an inconsistent state after making the "horrible" mistake of clicking the back button. Even though my Paypal account got charged, I received an email confirming I was the owner of the domain, and so on, I couldn't access my account. Next step I took was contacting them. I got ignored and 7 days later they made a transaction reversal on Paypal and I never heard a word back from them, even though I have tried to contact. Some time later they made the o1.io domain a reserved one and so if I wanted it now I would have to pay thousands. What a shame."


For anyone recommending .com one of the simple factors that it isn't often a good choice is people sitting on domain names for profit or other reasons.

So either you have to think up a completely ridiculous name for your new service/product/company, pay stupid amounts or use something other than .com

use .io or similar for any customer facing websites but a .com for any mission critical api type calls. Customer never even has to know about the existence of myUglyCompanyNameApiHandler.com but all api calls are handled by it.

It's a good idea, but if your product is a website, cookies and authentication in general are going to be a real challenge. Obviously you won't be able to share cookies between the site and the api. But you have the additional challenge of having your api domain treated as 3rd party and are thus subject to all the security measures and sandboxing that come with that.

And what if your product is just an api for use by developers? Now the api is part of your brand.

It's just a bad situation all around.

> Obviously you won't be able to share cookies between the site and the api.

I don't know of any API that requires cookies from the site. Usually you use an access token or something similar for an API.

> But you have the additional challenge of having your api domain treated as 3rd party and are thus subject to all the security measures and sandboxing that come with that.

CORS solves most of the pain points. You just need to ensure the API is serving the correct CORS headers.
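An added example (not code from any commenter) of serving "the correct CORS headers" when the site lives on a brand domain and the API on a separate .com, as discussed above. The origins, method list and header list are hypothetical; request headers are assumed to arrive with canonical capitalisation, and authentication is assumed to use a bearer token rather than cookies, so no credentials header is sent.

```python
from typing import Dict, FrozenSet, Mapping

# Hypothetical deployment: browser app on the brand domain, API elsewhere.
ALLOWED_ORIGINS: FrozenSet[str] = frozenset({
    "https://app.brand-example.io",
    "https://www.brand-example.io",
})
ALLOWED_METHODS = ("GET", "POST", "DELETE")
ALLOWED_HEADERS = ("authorization", "content-type")


def cors_headers(method: str,
                 request_headers: Mapping[str, str],
                 allowed_origins: FrozenSet[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return the CORS response headers for one request to the API.

    The Origin is compared by exact string match against an allow-list and
    echoed back only on a match. Substring or suffix matching would also
    accept look-alike origins, so it is deliberately not used.
    """
    # The response differs per Origin, so caches must key on it.
    headers: Dict[str, str] = {"Vary": "Origin"}

    origin = request_headers.get("Origin")
    if origin is None or origin not in allowed_origins:
        # No Access-Control-Allow-Origin: the browser refuses to expose
        # the response to the calling page.
        return headers

    is_preflight = (method == "OPTIONS"
                    and "Access-Control-Request-Method" in request_headers)
    if is_preflight:
        wanted_method = request_headers["Access-Control-Request-Method"].upper()
        wanted_headers = {
            name.strip().lower()
            for name in request_headers.get("Access-Control-Request-Headers", "").split(",")
            if name.strip()
        }
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= set(ALLOWED_HEADERS):
            return headers  # refuse the preflight
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        headers["Access-Control-Max-Age"] = "600"

    headers["Access-Control-Allow-Origin"] = origin
    # Token auth travels in the Authorization header, so
    # Access-Control-Allow-Credentials is intentionally never set.
    return headers


if __name__ == "__main__":
    # Constructed sample requests.
    print(cors_headers("GET", {"Origin": "https://app.brand-example.io"}))
    print(cors_headers("GET", {"Origin": "https://app.brand-example.io.other.example"}))
    print(cors_headers("OPTIONS", {
        "Origin": "https://app.brand-example.io",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "Authorization, Content-Type",
    }))
```
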

Sure, it's not optimal but the lack of available .com domain names forces you into a corner at least in the particular situation referenced by OP.

The other poster is correct though in that CORS will handle a lot of your issues.

You are absolutely right in that it is definitely going to increase the effort involved in rolling out a site/service. I don't know of any pretty solution to the issue.

We migrated from serving production JS assets off our .io domain to .com after we found a number of corporates/schools in Ireland blocking the domain at the TLD level.

Since then, the number of inexplicable error reports has dropped dramatically.

It's hardly surprising sadly. Looking back through my submission history there's two instances of incompetence by the .IO handlers:

1) Storing passwords in plain text: Although the post is now down, it pointed to the fact that Nic.IO will email you your password in plain text. Something which everyone that's spent more than a few weeks coding should know not to do.

2) Another pretty major outage back in 2013 that rendered two of my sites offline.

I personally stopped using them after my last IO domain lapsed, but this should serve as a stark warning to anyone thinking they can pick up a cute IO domain.

Remember this: https://www.icann.org/news/announcement-2017-09-27-en

I think .io was part of the issue for the delay.

After the last outage, we at gator.io took it as an 'all hands on deck' fire drill to get our API off .io. The problem is that many of our customers have scripts on their sites with the old .io endpoint. Migrating them is very difficult.

If these are just API endpoints (not typed in by users, and thus, no Marketing value to the name) why not just register <random hash>.com?

That's what we do :) It's ok for the marketing page to go down every now and then. Not so nice for the API to become unavailable. (200 million end users)

WireGuard similarly moved from the .io to wireguard.com in July: https://lists.zx2c4.com/pipermail/wireguard/2017-July/001569...

Less trendy, but otherwise, zero regrets.

Nice, if you have the .com

I guess that's why the domain name infrastructure should be decentralized. Though I'm not familiar with the tech involved, do blockchain-based things, like Namecoin, solve this problem?

.io represents the suppression of the Chagossian people. https://en.wikipedia.org/wiki/Chagossians English imperialism at its best.

Do not use this unethical TLD: https://gigaom.com/2014/06/30/the-dark-side-of-io-how-the-u-...

By those standards, can you provide a TLD that is not the result of some atrocity or another?

.cx? (Christmas Island), which is an Australian territory? Maybe you're right. I think .io is especially egregious because of the history of the Chagossian people.

Were they planning on setting up a TLD? It seems like you have to have an almanac before you do anything these days, lest you offend someone.

Might makes right.

It's not my area, but it seems like if your application is deeply dependent on an API it might be a good idea to directly reference the IP address? Over 1000s of requests, wouldn't that save time?

It would be slightly faster. However, if you ever had to change your server's IP address (for example, because you had to move to a new hosting provider) you'd be utterly screwed.

That scheme assumes that the service is hosted at a stable IP address, which in almost all cases is not a valid assumption.

Not my area either, but I think DNS queries are cached locally for a certain amount of time, so DNS lookups for 1000s of requests shouldn't give too much overhead. Edit: yeah, and also what the other guys said about not relying on the IP being the same forever.

Said by the company that uses .io

I mean, if you read the article, the reason they say not to use it is specifically because they used it themselves and were burnt.

TL;DR - company follows trend of misusing top-level domain of the British Indian Ocean Territories, finds it unreliable and not-so-great, starts the wheels in motion to switch away from it.

Addendum: Mind you I applaud their coming forward to report this. Hopefully people get the message. It's not the first time fashion got the better of a large number of people.

Sorry, but the title is click bait. Can people just write "Our IO domain Resolution Failed, A Lesson Learned"?

In the "What Really Went Wrong" section, the author wrote:

> it does not take a lot of research to find out that the .io TLD team made several mistakes

and went on to cite two incidents, which are not exclusive to the .IO domain. So let's not blame ".io domain team" and only happen to .IO domain, try to convince me (at least the way I read it based on the title) that using .io domain is a bad idea. I should stop using .com then.

For me, I was looking for a "so we are going to switch away from .io domain in the next year or so" at the end of the post, because .io is not good according to the author. The plan instead is just to add a backup domain, so it looks like the author is eating his/her own words, even though the critical stuff is going to run over .com. So let's just switch everything over, what's the big deal for your user-facing website not over .com? Do people really think a big deal now about .io vs .com when you have established a business?

Anyway, I do appreciate when a postmortem is available because I can learn something new, but I do hope we write postmortems with an objective tone. So no, if there is a downvote button on HN for the submission, I would downvote.
