Hacker News new | past | comments | ask | show | jobs | submit login
Google .dev domain early access (domains.google)
331 points by jonseitz 35 days ago | hide | past | web | favorite | 452 comments

Alphabet has too much cash. They have a well established track record of enthusiastically backing exciting new projects way outside of their core competency just to dump them like hot garbage several years later.

They also compete in random new industries each time this happens.

It doesn't seem like a smart move to lease a domain from a politically active mega-monopoly that might decide to randomly become your competitor in 2 years.

Hi. I'm the Tech Lead of Google Registry, the team that is launching .dev (not to be confused with the linked Google Domains, which is one of many registrars selling .dev domains to end users).

You'll be glad to know that TLDs can't simply be discontinued like other products might be. ICANN doesn't allow it. The procedures in place preventing a live TLD from shutting down are called EBERO; more details here: https://www.icann.org/resources/pages/ebero-2013-04-02-en

The way it works is that all registries must send daily full backups to a third-party escrow provider, which are then used to restore the TLD under a different operator if the original operator shuts down unexpectedly. This is not some theoretical backup/restore procedure that goes untested; it's been used in the past, e.g. with .wed: https://www.icann.org/news/announcement-2017-12-08-en

But this typically only happens when the registry operator goes abruptly bankrupt, and is thus quite rare. Many, many widely used TLDs have been seamlessly sold/transferred across registry operators without you ever realizing it, including .io last year. That would be the "worst" you would expect from TLDs launched by large established players like Google. You actually get a lot more protections with gTLDs than you do with ccTLDs (such as .io), as ccTLDs aren't bound by contract with ICANN and thus aren't forced to do EBERO, or anything else for that matter.

If I register a domain, can google boot me off it at a later year if they don't like my politics? Or do I own the domain with the continuing option to re-register it or transfer to another domain registrar? Does google ultimately own the domains and simply lease them to me with no guaranteed option to continue?

Along those lines, if Google decides I’m a bot or nefarious developer as seems to mistakenly happen on occasion judging from recent hacker news posts, will I then lose my domain name? Or at least access to it? At this point tying any major asset solely to a Google account feels risky.

But don't worry, if a mistake happens, I'm sure you can just call Google's customer service and get it straightened out. Ha!

Paid google products, like google domains, have a 24-hour helpline https://domains.google.com/contactus

I've heard that if you call during the day you get someone who's actually competent, not just some T1 support person.

Doesn't matter the level of support, the CEO of Cloudflare was involved and still ended up bringing politics into infrastructure.

Who is a good/trustworthy registrar then?

https://namesilo.com - reliable, cheap & they offer free whois privacy. All they do is sell domains.

I couldn't recommend namesilo more! They almost always have the slowest price, very close to what the registry charges them.

Their UI is dead simple and gets things done well and fast.

Amazon Route 53. Full blown registrar.


Problem with Cloudflare is that their CEO has taken down a domain for political reasons.

While I agree with him taking the domain down, but what about the next CEO?

That's just false information. They didn't take any domain down. They stopped offering their CDN/proxying service to a customer. That customer is/was free to host their own content using their own or a different service. No company should be required to offer services to anyone and everyone unless they are the only option on the market. And cloudflare is very far from the only CDN on the market.

Unless I'm thinking of something else, it's not a domain registered through CloudFlare. The taken down site was using CloudFlare's reverse proxy service. IIRC, Matthew wrote about the incident in length.

I personally don't use CF for various reasons, but this site take down is not one of them.

care to explain this? Thanks

I wouldn't lease the domain through Google domains. Use a different registrar --- if possible, one that you'll be able to trust. That registrar will work with the registry of the TLD, which would be google in this case, and has a much better chance of actually resolving issues than if you were a direct customer of Google Domains.

Now you have two entities who can fuck it up for you instead of just one.

While this is true there are very few reasons why a domain registrar will give you a lifetime ban let alone automatically do it for some perceived TOS crime, let alone refuse to tell you what your alleged misdeed was, let alone automatically reject evidence you submit to the contrary and keep your domains. Imagine the liability!?

Meanwhile someone got their Adsense account banned and in those cases Google refunds the allegedly fraudulent revenue to the advertisers and do not pay you the non-fraudulent revenue. The person who got banned went to court over it because it looked like Google schedules these things to maximize how much they could keep, Google fought for four years to conceal where the non-fraudulent revenue went and then settled for $11 million to keep that shrouded in mystery.


Note the nobody who will say what happens to your domains when your account is banned despite relevant Google personnel participating in this page, but they have time to detail how we're covered by ICANN if Google with $106+ billion in savings goes bankrupt in thousands of years...

They designed this awful system exactly the way they wanted it to work and they choose to keep it this way, everyone else should probably not use them for domains or web hosting in case yourself or someone associated with your account is irreversibly judged to have committed a TOS transgression somewhere within their empire.

What registrar would you suggest? I have some on Google but I think I want to transfer now.

I also have some on Namecheap, are those safe?

I've been using https://www.hover.com/ for many years and they're great. Mostly because the prices aren't too bad, the dashboard makes sense, and they never contact me.

And would I have any way to actually reach a human at Google, aside from media heat from a Reddit/HN/etc front page story?

Probably none, going by the track record.

It really depends on the product. E.g. if you buy Google Wifi, you can call them or chat with customer support, etc. If you need help with constructing a web search query, not so much.

So, please do not over generalize or compare apples to oranges.

As a customer, I can't be expected to have a mental model of which Google services come with actual support, and which ones come with Google-it-yourself support.

Comparing Google products to Google products should not be comparing apples to oranges. If Google is frustrated with customers assuming they don't support their products, maybe they should support all of their products, not just a select few.

Ask yourself "Do I pay for this Google product?" If the answer is yes, then the product comes with actual support.

They should quote that on the GMail sign up page.

I am frustrated by Google’s lack of support as anyone else, but it is completely unreasonable to expect support for a free product, regardless of how they might otherwise profit off you.

I'm not frustrated because I don't rely any Google services.

I was serious, though. People would be less frustrated if they had that helpful reminder on sign up.

Obfuscating that GMail isn't a real product is just another one of their sleazy business tactics, I guess.

You can't say for sure that any new Google product is guaranteed to have horrible customer support, but you probably should assume that any new Google product has horrible customer support until you see proof of the contrary.

Google Fi’s support might be great. But you have to pay for it through Google Payments which is another potential single point of failure. If you ever trip any of their fraud flags you’ll probably never be allowed to pay for anything through google again, and good luck getting it fixed.


Sorry, but I reserve the right to be cynic. I belong to the old group of people who got to know Google as "do no evil" company, who tossed that to the wind as soon at it suited them better.

That's a redundant question, because just about every registry can dictate what their TLDs can be used for. It's part of the design laid down by ICANN.

- For Verisign with .com, they don't care if you're really a company or not.

- With Minds & Machines and .law, they only want qualified lawyers, courts, legal schools, etc. using the TLD.

Keep in mind that the registry and registrar are different things.

I think the difference is that Google boots folks off YouTube for political purposes while VeriSign does not kick people away from their .com.

Godaddy banned Gab for political reasons as well. While you can split hairs and say that's just a registrar, you can also split hairs and say that youtube is just a hosted content platform. If you're thinking of running another infowars then I would advise avoiding registering domains with any major tech platform in general.

@bduerst, Forgive my ignorance, but just to distill it down to brass tacks:

In this case, Google is the registry and thus the supreme court of who can and cannot be on this domain and there is no recourse if they yank your claim on the domain?

Is it more nuanced than that?

I mean, the entire domain name infrastructure is set up so that someone along the path can revoke registrations, all the way up to ICANN itself.

IME you're much more likely to be banned by the registrar than the registry itself. Registries want people to use their TLDs, so they're not going to reject post-registration unless you've changed how you're using the TLD and it's violating the rules they originally laid down. Registrars are much more consumer facing and will act accordingly - i.e. GoDaddy banning Gab.

Google has a track record of being capricious with bans, whereas other companies do not.

And just like that, the 'Tech Lead of Google Registry' has fallen silent.

You talk about the protections ICANN gives your customers in case Google goes bankrupt, but what are the protections or recourse your registry or Google Domains created for your customers to ensure recoverable domains and unimpeded uptime if their Google account is banned?

What prevents Google from charging an absurd rate like some of the other TLD or other practices that effectively change the service?

The trend across the gTLD industry has been one of decreasing prices, not increasing prices. I'm not sure what you're referring to?

i guess he is talking about the premium domains:

> During both the Early Access Program and General Availability, there is a $12/year cost for .dev domains. Annual fees may vary for Premium domains.

"Premium" domains are resold domains. The prices are typically dictated by the person holding them.

Premium prices are set at the registry level, and for Google's TLDs, are charged annually. The EAP fee is a one time only up-front cost.

Domains being sold by resellers are something different entirely, but yeah, some registrars that participate in reseller networks may lump those in as "premium" as well, which is confusing. Those prices tend to be one-time acquisition costs.

Because this is your area of expertise, can I ask you why more registrars are not selling 10 or 20 year domain ownership? Who wants a domain for just a year (if you agree with the premise behind individuals owning domains in the first place)?

If I could buy a domain for 50 years, I'd do it.

Most TLDs allow registration lengths up to 10 years. And registrars will happily sell you registration for 10 years. Buy the domain, then immediately renew it for 9 years. I suspect the reason they don't offer a choice of registration years in the initial checkout flow is to reduce purchasing friction -- they don't want you to have to make another choice and then potentially back out of the sale. It's the same reason e-commerce sites will ask you for as little information as they can get away with when checking out your cart; for digital sales many retailers just do zip code instead of full address since they're not shipping anything.

As for longer registration periods than that, I suspect it's the same reason you can't, e.g., call up your cable company and try to pre-pay 50 years of service. They have no idea what things will be like that far down the road, and they don't want to have such longstanding obligations weighing on them.

It comes down to business decisions, not technical issues; technically speaking the spec allows for up to a 99 year registration period, though I'm not aware of any TLDs that support that. https://tools.ietf.org/html/rfc5731#section-2.5

I recently read an HN thread about Romanian ccTLD registry selling domains for lifetime. They have stopped it and asked the former customers to pay up though.

And also ccTLDs can make up whatever rules they want, whereas gTLDs are all bound by the same common set of rules. There are many ccTLDs that don't even use EPP (the spec I linked to above).

We already have enough sleazy domain squatters holding names for years and trading for ridiculous prices. Instead of long ownerships, we should have some way to prove you're actually using the domain after a certain number of years.

I disagree. At the end of the day, they are still vanity domain names. Adding more paperwork and process doesn't change that.

For example, pitch a solution that doesn't just make squatters upload some bare bones index.html. Or check a registrar's checkbox to park the domain somewhere with content. Or, well, upload the minimum amount of substance that you think is necessary.

Think about how you could possibly design such a program to ensure use, and how you'd prevent parking site services from cropping up that would make a site just meet the requirements for continuing registration. And if it's not a purely automated process, then the base registration price would have to go way up to pay for all the human work going into validations.

And now imagine the public outcry that can happen every time people have their domains taken from them (rightly or wrongly).

No, no registry wants to be in the business of doing that. You continue to pay for the name, it's yours.

We should stop calling organisations who hog domains in order to accrue an exaggerated profit from them "domain squatters". A real "domain squatter" should be someone who employs the "domain hogger's" domain until the domain hogger decides to actually do something with it themselves.

We wouldn't need such a profusion of TLDs (most of which are awful: .dev is an exception) if real domain squatting was made feasible.

The biggest problem with squatters is that they pay 100x less then you do for a domain. If they had to pay the same price they would squat on way less domains.

Many of the new TLDs do their own domain squatting. Short, pronounceable domain names are flagged as "premium", and sold at a higher price.

It's a nifty business hack actually, as unlike a 3rd party squatter, the TLD itself has no financial risk in upmarking domains.

The trend in browsers is being precise about standards and yet only yesterday google took an existing standard and tried to corrupt it.

I'm not trying to be snarky and thanks foe answering questions but this particular comment was a non-answer.

It sounded like they were referring to something specific, but didn't provide examples. I want to know exactly what they're worried about so that I can answer the question, but I haven't been given enough to go on. It sounds like they're worried about prices being jacked up by large amounts, but I'm not aware of that even having happened. Absent that, the current prices are what they are; pay them or don't, but you know what you're getting into.

I think they might be referring to Chrome's upcoming use of &targetText= for linking to specific words or paragraphs, which caused some controversy here yesterday. See:


I doubt that's it.

Yet here I am about to lose my .eu domain, because of Brexit. I'm paid up for 10 years, but the EU can just change the rules, and I lose my domain.

> Hi. I'm the Tech Lead of Google Registry, the team that is launching .dev

/remindme! 2 years

> You'll be glad to know that TLDs can't simply be discontinued like other products might be. ICANN doesn't allow it

Except if your website was the daily stormer.

Daily Stormer never had a TLD. (And no, ICANN never will delegate .nazi)

Hi, just wanted to say how absolutely horrid this entire idea is. Domain name squatting and auctioning is already bad enough, and you're telling me we should give one of the richest companies in the world thousands of dollars for a domain name for development. This is completely counter to the spirit of the internet, and spits in the face of open source and passionate hobby developers who don't have silicon valley stock vesting every quarter. Instead of trying to get these domain names into the hands of real developers at a reasonable price, you're going to sell them to the highest bidders, squatters looking for new investments, and corporations.

Really not at all impressed by this, and it only serves as a stark reminder of the failed state of TLDs.

I don't understand the bile here, nor the alternative. Today there are no .dev domains, so anything is an improvement: today you can't use them, tomorrow you can choose to if you think it makes sense.

Re: price, say the .dev registrar decides to offer domains for a hobby-dev-friendly $1 flat fee, first come first served. Wouldn't that just immediately lead to a resale market where predatory squatters register all the domains and extract the market price from anybody who wants one?

I think it’s not cool to offer “early bird” registration for thousands of dollars. So Google is endorsing that rich developers should get the best domain names? How are they reserving for themself?

I think it would be cooler to have programming challenges or something neat.

But a cash grab just seems kind of, lame I guess.

I wouldn’t say I have bile, but I went from “this might be cool” reading the headline to “this is really stupid.”

But if you don't think the dutch auction style is a good one, what would your alternative be?

Because the problem of resellers buying up TONS of domain names is a real one, and thus far a dutch auction style seems to be one good way to combat that (since buying 10000 names and selling 10% of them for an overall profit is a LOT more risky when getting them first means shelling out a LOT more money).

A challenge or something would probably drive costs up across the board, and it would still exclude those who want to use the domains that might not be able to complete the challenge (IMO a worse situation), and other methods of "verification" would either be gameable or would exclude many devs.

I don't know of any more "fair" way of allowing people to buy domains. Why should a hobbyist be able to buy "paypal.dev" when potentially thousands of devs could use that domain at paypal, and similarly "klathmon.dev" would be awesome to have for me, and it's pretty unlikely that someone will buy that out from under me with this scheme.

Not to mention that the timeline here is literally half a month. After Feb 28th, there is no additional charge. So we are talking about 2 weeks of waiting.

In an idealized economic model, "rich developers" will get their desired domain names anyway as they can offer a large sum of money to the "poor developers" to give up their domain name.


I can't tell if your argument is that we should artificially limit TLDs to increase competition? Is that the point you are making?

Literally: "We will create monopolies and increase competition."


I think the risk isn't that they become your competitor, it's that an algorithm flags your website for perceived abuse and that cascades down to you and your workplace being banned forever from Google, with no recourse because they choose to provide fake support despite having $100+ billion in savings and plenty of funding for eg global tax evasion.

It's risk management through diversification attempts. Google, like any other large scale extremely successful single product[1] company, hedges market risks in occupying "hot" spaces. Same with MS, Apple and all other giants, even in non-tech.

[1] see financial report of the last year (10K). Search for "We operate our business in multiple operating segments. Google is our only reportable segment. None of our other segments meet the quantitative thresholds to qualify as reportable segments" and "How we make money" (Source: https://www.sec.gov/Archives/edgar/data/1652044/000165204419... )

It's kind of amazing that after all this time, they haven't created anything worth reporting outside of the add business.

Youtube, maps, phones?

Youtube - money loser Maps - money loser (but we will see after their recent huge price increases shake out) Phones - money loser. they are selling fewer phones annually than apple sells in a week.

Is Youtube really a money loser? I thought they'd turned it profitable years ago.

Maps - in flux like you said.

Phones are more than hardware sales. They also run an app store and license their own ecosystem.

Acquired, acquired, acquired.

Originally, perhaps. But in the last ten years how many times have these platforms been rewritten?

Hosted services like Drive, Photos, and GSuite are also entirely in-house.

In any other area that would be a red flag of “money laundering”.

I am not accusing them of it. Just stating facts.

You made a fully general argument against anything that Google touches.

This isn't useful, because everyone knows that argument already. I'd rather know what Google's track record is specifically having to do with DNS (or fundamental Internet infrastructure).

I think their DNS server has a pretty impressive track record for I think over 10 years. I know many people who changed their dns to when they thought their DNS was shitty.

Back in highschool (15yrs ago) pinging a DNS server was something I sometimes did when fixing people's internet, always used No idea why it's still in my head so much later, sure is a lot easier to remember.

And so is

Which is cloudflare's IP, to be clear. I'm a fan, but I like transparency.

1.1 is even easier (

Remembering two distinct numbers is harder than remembering one distinct number

You misunderstand, `1.1` _is_ ``, there are multiple ways to represent IP addresses.

If I had to bet, the majority of .dev pages will be engineers posting their portfolio, not startups building developer tools.

Github.com/devname is way better than devname.dev

Can't agree with that. Taking a minimal amount of time and effort to host your own site on a TLD shows, at least, a moderate understanding of DNS and all that, much more than clicking things on Github Pages IMO.

If your github profile is your resume, yes it is. But it not so good if your resume contains other things.

Haha. I totally agree. As a shareholder, I almost feel like an activist campaign is needed. Sure, Verily and Waymo are interesting moonshots, but then the rollout of Youtube Plus or Premium seems like the most mismanaged rollout of a big tech company outside of the Amazon phone. Why is Google bothering with domain registry is a good question. Google code probably could have been what GitHub had it not been abandoned is another example of mismanaging product or service vision.

> ... might decide to randomly become your competitor in 2 years

think of the bright side. they might be willing to buy your neato .dev domain name back ... for $12.

To be honest, TLD business is probably not one of them. Even fi google becomes your competitor, they won't touch the domain.

Agreed, for reasons I don’t know exactly, they even donated duck.com to DuckDuckGo

My tinfoil side would assume that's to cover them in a future "no we're not being anti-competitive! We even gave a premium domain to a competitor!"

A while ago, some posts on HN went around saying that you shouldn't use third-world TLDs for your startup because some of them are unreliable stewards who would put your domain at risk. Does registering a .dev domain make you dependent on Google in the same way that registering a .ly makes you dependent on Libya?

There was this one guy who lost a valuable Twitter handle due to him using his custom domain email (via GoDaddy) as a login email.[0] I'd like to think imagine Google is better than GoDaddy when it comes to security and fighting social-engineering attacks but who knows. But if Google is a weak link wouldn't that also mean all our gmails are not as safe as we think?

[0] https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...

I'd say Google would be one of the most resistant organizations to social engineering by virtue of the fact that you can never really talk to an actual human even if you are a legit user and want help on an issue.

The ultimate "it's a feature, not a bug!" case.

Except we have the example of the daily stormer, a neo nazi website that had their domain ownership siezed by google.

I don't really understand the worry here though. Aren't you always trusting your registrar when you buy a domain name? Google at least has a pretty solid track recordin wrt security.

I hate to be that guy, but I honestly hope you don't make decisions based on anecdotes, and instead rely on data.

You are dependent on your vendors, period. Choose them wisely. This is not a mystery.

>You are dependent on your vendors, period.

You aren't dependent on your vendors if you can switch them out without destroying your company. The real mystery is why people turn their own businesses in to little barnacles on the skin of behemoths and expect to not get brushed off.

The short answer is that yes, this domain is administered by Google through a holding entity. See https://www.iana.org/domains/root/db/dev.html

It’s a good question. Does anyone know who legally owns the domain and what responsibility google has to ensure you can use the TLD in perpetuity?

Names in the DNS aren't personal property (and they certainly aren't real property). So "owns" is probably the wrong word.

But ICANN, which is responsible for the entire hierarchy, expected that eventually at least some of the new gTLD registry operators would fail, and so there is an escrow agreement for each one. If the gTLD is popular enough that somebody else will operate it, the last daily backup from escrow is given to the new operator and things continue from there. I guess your new registry operator may set fees or other conditions your current registrar doesn't like, but if you like the new you can move to a registrar that's OK with them. The list of names in the registry doesn't vanish unless both your registry AND the third party escrow company screw up.

If the gTLD is grossly unpopular, it may not be possible to find a new operator for that gTLD registry. I don't know what happens in that case, although whatever it is by definition won't happen to many names.

I also don't know what happens for the very stupid gTLDs that are essentially for private use by a single organisation, like .kerrylogistics. And I don't really care, so long as the fees roll in to pay for everything. Actually I'd have billed them for their original request, .kerrylogisitics [sic] as well, but I guess someone felt that was too mean.

"ICANN requires all registrars and gTLD registries to contract with a data escrow provider in order to safeguard registrants ... in case of registry or registrar failure, accreditation termination, or accreditation relapse without renewal." Basically if Google screws up then ICANN will give the data to someone competent who will take over the domain. https://icannwiki.org/Data_Escrow

I trust Google a heck more (to stay around and honor contracts) than I trust Libya.

,,.dev lets your clients know what you do before they even open your site.''

I hate the new trend of companies having multiple domains with different TLDs, as I never know this way if it's the same company or not.

I'm in favour of this trend for this very reason. One should never implicitly assume you know it's the company you expect in any case.

That’s a bit of a stretch, not? If I visit dev.somesite.com, I can reasonably assume it belongs to the same owner as somesite.com. The same can not be said about somesite.dev.

Not sure I understand the point here, you're comparing subdomains to TLDs?

Yes because not everyone understands x.y.z and y.x are not owned by same person.

Should we design standards for the dumbest of the lot lol? Not everyone understand that TLD is then maybe they should be educated rather than appeased to.

Also it seems to be primarily USA's issue. Every other nation uses their domain for internal websites (like cats.de) where's Americans tend to just clump everything in `.com` and act all confused by simple TLD scheme.

I don't think a person qualifies as "dumbest" because they do not know what a TLD is. Not everyone has to understand everything else in the world to be a human and use it. Not everyone knows how to be a mechanic but lots drive vehicles and fly in planes.

The issue with your generalization of America is flawed. The internet started in America so "we" clumped everything into .com because we could. TLDs for countries came as a way to organize and route better. A German requesting amazon.com, should goto amazon.de. (This all happened before amazon and CDNs and other things.)

It is ignorant to think a fundamental concept of domain resolution, TLDs is something everyone should understand to use the internet. Do you know how your cell provider takes a request to dial a number and resolve it to another person across towers and potentially hard wired cabling? Most don't and they all make calls.

In this particular instance at least, .dev is targeting developers, who do tend to know these things.

“Don’t you guys have phones?”

Compare and contrast whitehouse.gov and whitehouse.com

A company owning whitehouse.com and a government entity owning whitehouse.gov? I'd call that working as intended.

The .com used to be a porn website, in the 90s. That might have been working as intended, but has surprised quite a few people.

And the original discussion was someone claiming that having different TLDs were superior to subdomains for maintaining identify.

My point was more about the assumption about who owns somesite.com. Assuming two domains are owned by the same company is a somewhat secondary concern to authenticating the owner of either; both of which are larger issues in their own right.

As commented by someone else, see e.g. whitehouse.com. The fact of whitehouse.gov being a different owner is much less of concern than that of whitehouse.com not having the expected owner in the first place (from the perspective of most visitors).

> You can purchase an SSL certificate through one of our web partners or a Certificate Authority. Read this article to learn more.

Really? No mention of Lets Encrypt? Does anyone still buy certificates nowadays, especially for dev sites?

They explicitly mention letsencrypt as a free provider when you click the "Read this article" link.

It's not like they made any effort to make it visible, though. And "purchase" implies that the options they present are non-free.

Which is interesting, I would expect Google to promote Lets Encrypt... Or do they assume devs already know about it?

They probably don't want to cause ill will by being partial to a particular CA, even if they're supporting it.

Of course they do.

Let's Encrypt provides DV (Domain Validation). Not OV (Organization Validation).

Obviously .dev is intended for software development and most domains there would probably be using DV only so this might not apply to it, though.

OV is useless. No consumers look at it. It’s just a sad attempt for CAs to trick people into paying for something they don’t need.

Do you even use Amazon or Internet banking?

It might sound useless for those who doesn't know what it is.

However, for those who does it is very useful and getting more useful.

Browsers might (if not yet, coming soon to you) raise red flags if you try to use a website whose certificate was signed by a rogue CA that, according to DNS instructions, shouldn't be able to do so for that domain.

Browsers might demand OV from high profile websites in theory.

etc, etc, etc.

Maybe we are

Seeing the organisation name next to the lock icon definitely gives me an extra layer of warm and fuzzy feelings. I’d say it has some value for those that can pay for it.

You are talking about EV certificates. OV-validated certificates require (the best case) the user to click on the padlock icon to reveal more information about the certificate.

Not all certificates are created equal

> Let’s Encrypt offers Domain Validation (DV) certificates. We do not offer Organization Validation (OV) or Extended Validation (EV) primarily because we cannot automate issuance for those types of certificates.

I buy them. I don't like paying for them, but I want a certificate I know will just work for years without having to run certbot or one of its clones on my server. Well, that and LE didn't yet allow wildcard certs when I bought mine. They've already dropped their maximum validity from three to two years though, so I'll probably throw in the towel when they further reduce their validity to less than six months.

Let's Encrypt certs are valid for 90 days.

There are 2 reasons: 1. To limit damage from key compromise and mis-issuance 2. To encourage automation.

What is the issue with running the certbot on your server? It's not like you have to run it manually.

Here are official reasons: https://letsencrypt.org/2015/11/09/why-90-days.html

P.S. Wildcard certs are available for almost a year now: https://community.letsencrypt.org/t/acme-v2-production-envir...

The issue might be executing 3rd party code on a server.

ACME is an open protocol (and very soon it will be an IETF Internet Standard too). There are many alternative implementations. Just find one you trust. We actually did our own DNS-based implementation for our infrastructure.

I don't want to run someone else's code on my server just for this (the default certbot wants root access too, yikes), nor do I want to analyze someone else's implementation before running their code, and I sure as heck don't have the time, patience, or interest to write my own implementation of ACME just for the one service that uses it.

I want to go to a website, have it tell me to put a string into a meta tag or DNS TXT record, and then save the key it returns on my box. Then I want to forget about it for the next 2-3 years.

Honestly I don't even want to do that. I want my nameserver to generate a DANE/DNSSEC record for me automatically, and for browsers to honor that. It isn't like domain verification is any more secure than a DNSSEC record would be.

Take a look at https://github.com/joohoi/acme-dns/ (which of course still requires trust in the client lib)

We do something similar, although not through a REST API. We handle all this cert management centralized on one server, which publishes the DNS records for DNS verification etc.

On our other servers is then just a simple script that periodically checks if the certs on the machine are near the expiry date and if so pulls a new one from the central system.

ACME protocol is fairly straight forward to implement, and you can easily write your own implementation with existing code (OpenSSL, Apache/nginx, etc).

With many commercial registrar's, although they offer a valid and long certificate, their technical aspects aren't very good. Many CAs don't support ECC certificates, the must-staple flag or CT SCTs embedded in the certificate.

I work a lot with web PKI, and every time I have to deal with a CA that's not LE or Digicert, I sigh out loud.

Well that's nice. But that mean you'll have to manually buy, upgrade install and test them. I have better things to do.

Takes about 5 minutes of time. It really isn't a big deal.

So does setting up Let's Encrypt + automating the renewal, and you don't have to spend a dollar in those 5 minutes.

5 minutes once forever is even less of a big deal.

A certificate that last for years... That's exactly how you end up with a certificate that expired and no one realized. An automated process is a way more reliable.

Until the automated process breaks. I've encountered more "invalid certificate" warnings on Let's Encrypt sites than any others.

This "early-access" price which decreases over time is an approximation of a Dutch auction: https://en.wikipedia.org/wiki/Dutch_auction

Dutch auctions are incentive-compatible - they allocate the resource to the person that gains the highest utility for having it. Maybe Google got some of the people working on ads auctions to design this pricing structure.

I’m, that’s an icann rule for launching new tlds. The early access period is always higher, then there are several other periods that happen before a tld gets to General availability.

This pricing structure is not just for .dev domains.

FYI, there is no ICANN requirement that any sort of auction be involved in launching a new TLD. We used to use a standard auction (called the landrush phase in TLD parlance), but have since switched over to a descending price Dutch auction because it's significantly less operational burden for us.

It's generally a good idea to have some kind of auction for the reasons the parent comment mentions, as it is a more economically efficient way to allocate the limited namespace to those who want it the most.

I think you forgot to suffix that speech with "you peasant."

Google has a long history with the Dutch auction, they used it in their IPO, back in '04.

I remember people calling that a bit of a fiasco... was there anything theoretically wrong with the application of a Dutch auction for that purpose, or was it just that the underwriting community and their clients had every reason to make the situation look bad?

The price basically ended up being set by the underwriters because they big players bought most of the shares and bid at the price they underwriters told them to bid at. It wasn't really a fiasco, it just didn't accomplish what they wanted.

Thank you for mentioning this. Memories are increasingly short, and this is nothing new!

Or companies that value the $100-10k for the early registration fee so little that it's a drop in the bucket compared to individuals.

I'd like to have a very short domain personally but it's hard to anticipate what the demand will be like here.

Yeah, there are domain names out there that are so valuable that they've sold for eight figures USD. There definitely are domains that buyers (typically companies) are willing to spend well over $10k on acquiring. It's with this in mind that the EAP prices are set.

> they allocate the resource to the person that gains the highest utility for having it

I don’t think that’s necessarily true. Any large company is able to drop a ton of money on something that has marginal utility for them, whereas a small business that would gain much more utility from it may be outbid just by virtue of having the wrong opponents.

This assumes bidders have similar amounts of money to spend on domains, which may or may not true for any particular domain.

We can say that, when bidders do have similar bankrolls, whoever wants the domain the most is likely to buy it first. If they don't, whoever has the bigger bankroll will probably be able to buy it first.

I reserved unix.dev for the regular domain reservation price, not the crazy "premium domain" price because unix.dev was not part of the premium domain list.

However, Google determined that no, unix.dev should be a premium domain, and "stole" the reservation from me (after I have already paid for it). They later added it to the premium domain list, and they asked me for $11k to keep the reservation.

TBH, I expected to lose the domain because of trademarks or whatever, but apparently it was simple highway robbery.

Btw, I didn't even get my money back, just "store credit".

Hey, I just want to correct some misunderstandings here.

"Reservations" mean nothing. Google Domains is merely one of many registrars that have customers all vying for domains in the same namespace. A "reservation" just means that the registrar will make their best effort to attempt to get that domain for you at the specified price; it doesn't mean that some other registrar won't get it first, or that some other customer isn't willing to spend more and will get it on an earlier day of EAP.

Until the domain is actually created with you as the registrant, it isn't yours in any sense of the word. There are even registrars out there that will, upon acquiring a domain, auction it off amongst all of their customers who pre-registered it.

And what were you going to do with unix.dev, if I may ask?

How is that relevant? Could be a porn site for all I care.

It is fair to claim it legally under copyright etc like the OP mentioned, but otherwise, he paid for it and gets to do whatever with it.

What does it have to do with what Google did? Fishing for pre-crime to justify it?

There are quite a few Russian lastnames that end ”dev”, like Medvedev. I think there is going to be quite a rush for these.

There are also Indian (male) names that are just “Dev” or that end in “dev”. The word means deity or god. There could be many Indians buying these when early access ends on February 27.

"Dev" also means giant in turkish

120KB of javascript and still the accordion doesn't open on OSX Safari.

I recently found out that the sidebar menus on pages within https://developers.google.com/web don't work with JS off (usually a trivial thing: show sub-items by default and hide them with JS). Almost every Alphabet website has something like that.

So yes, minor anecdote, and I genuinely appreciate the hundreds of Google employees who really help the Web and share useful knowledge (and don't lead developers into using techniques best suited for billion-user websites, as FB often does) but I'll reserve to right to side-eye anything Google says.

Also the site claims to about “web fundamentals”, but the content pushed out are all articles about cutting edge, experimental features in Chrome. There’s nothing wrong with documenting new features in your browser, but calling it fundamental is fundamentally misleading.

Not working with JS disabled is bad, but not working on a major modern browser is ridiculous.

Safari is the new IE8.

Every web dev I know bitches about it.

It's not. I'm a web developer and it's my browser of choice.

Every bad web dev bitches about it.

There's nothing about Safari that makes it "the new IE8". Ironically, the very same HN that bemoans every new thing as "why should devs jump onto this shiny new things, just slow down already" criticises Safari for not jumping onto every new thing.

Ironically, the very same HN that bemoans every new thing as "why should devs jump onto this shiny new things, just slow down already" criticises Safari for not jumping onto every new thing.

HN is quite diverse and I'm pretty sure those are two disjoint sets of users. (I'm in the former group myself --- not a fan of presenting information in such a way as to decrease its accessibility while also increasing resource usage.)

I bet I could make those accordion sections work in all browsers going back to IE5 without much effort, and use nothing near 120KB of JS to do it... but no, most "modern web devs" would rather pile on the bloat of their libraries and "best practices" to make something that works only in the very latest version of the one browser they personally use.

> I bet I could make those accordion sections work in all browsers going back to IE5 without much effort, and use nothing near 120KB of JS to do it.

<summary>/<details> tags with JS polyfill is all you'd need.


Your post shows the big difference in mentality that's partly responsible for why we see so many broken sites --- I haven't ever used those tags before and would just go for plain old DOM style manipulation with JS (which has been around for a very long time), whereas you started with something much newer and took backwards-compatibility as an afterthought to be added on. Your solution requires less initial effort (providing you knew about the new tags) but then additional effort to work on older browsers --- that might not even be done --- whereas my solution may take a little more effort initially, but then naturally doesn't need any further considerations for backwards-compatibility.

My mentality is to make the website usable without JS for most people (with the reasonable effort of installing FF or Chrome at most), then use as simple and compatible JS as possible if needed. Thus, old-style DOM fiddling isn't the first choice - and if we're talking very old browsers, it was also tricky to get right due to all the incompatibilities.

Why you think something would be broken when a polyfill is used as fallback, I don't know.

Why would anyone use an older browser? (Other than IE in old firms - but this is probably becoming rarer and rarer) I guess everyone should upgrade their browser regularly, at least to get security upgrades

It's not so much jumping on new things, it's implementing accepted features which has slowed down very considerably since the Blink fork.

Google was really carrying a big part of the webkit development.

> it's implementing accepted features

Define "accepted". Hastily implemented and shoved down everyone's throat by Chrome doesn't mean "accepted".

> Google was really carrying a big part of the webkit development.

Nope. Google is dominating the development space with utter disregard for public/dev opinion.

It's support for video codecs is pretty limited, and has been for a long time, but I think you're right about most of the other things being very new "standards".

It's annoying that it throws exceptions when you try to access LocalStorage in Private Browsing.

And, hilariously, iOS Chrome, because it uses the same renderer as Safari.

Also, the navigation and some other parts aren't usable with ad blocker enabled, since there are no non-JS links/anchors. Embarrassing for an entity that once tried to position itself as a supporter of usability and user-friendly web pages.

If you're not supporting their ad business, you don't matter to them.

You may get a kick out of this...

Google Support

<SUPPORT_PERSON>12:53 PM Thank you for contacting Google Domains. My name is <SUPPORT_PERSON> and I'll be happy to assist you. Let me quickly read your notes here.

<SUPPORT_PERSON>12:54 PM Hi there

<SUPPORT_PERSON>12:54 PM How are you?

<ME>12:54 PM Hi. I'm trying to read your website but it's broken in one of the dominant web browsers in the world.

<SUPPORT_PERSON>12:54 PM Hi you said that the link https://domains.google/tld/dev/ doesn't work on Safari?

<ME>12:55 PM The accordion links are broken.

<SUPPORT_PERSON>12:55 PM Have you tried in Chrome already though or maybe a private window in Safari already?

<ME>12:55 PM "Is this a one-time payment? Will I still need to pay $12 every year to keep my domain?" click (nothing happens)

<SUPPORT_PERSON>12:55 PM It's just maybe a cache

<ME>12:56 PM It's not just a cache

<SUPPORT_PERSON>12:57 PM Alright but have you tried other browsers maybe?

<SUPPORT_PERSON>12:57 PM I've checked it here and the link you sent works just fine

<ME>12:57 PM Did you test in the latest Safari on the latest macOS? Because it doesn't work fine.

<SUPPORT_PERSON>12:57 PM Sorry, not using Mac

<SUPPORT_PERSON>12:58 PM But we'll look into it if we get feed backs similarly

<SUPPORT_PERSON>12:59 PM We apologize for the inconvenience but please take a look into it on a different browser like Chrome for the time being

<ME>12:59 PM here are other reports https://news.ycombinator.com/item?id=19178833

<SUPPORT_PERSON>12:59 PM Oh alright thank you

<SUPPORT_PERSON>1:00 PM Let me check that

<SUPPORT_PERSON>1:04 PM We are already looking into it <ME>

> Hi. I'm trying to read your website but it's broken in one of the dominant web browsers in the world.

Don't we all hate reports like this one. "Yeah I know what information you need but my high horse told me to write this crap instead."

> <SUPPORT_PERSON>12:54 PM Hi you said that the link https://domains.google/tld/dev/ doesn't work on Safari?

Where exactly do you think that came from? Kindly note the words "you said".

It's almost as if there was a "please tell us what you're asking about" field that you fill in before being connected to a chat agent or something.

It works great in Edge, Firefox, and Chrome on my PC. I think he's too high up on his horse to realize that the problem may be on his beloved religion/platform.

Made for developers, by developers!

> A domain just for developers

> $11,500 for 9 days early access

Makes video games early access look like childs play.

It's a nice way to earn a bit of cash from larger companies who do not want "company.dev" associated with porn or malicious content. Imagine if "unity.dev" or "disney.dev" pointed to a cesspool of viruses.

There are icann rules for launching a tld. There is a period for tm holders. Most companies are going to get their company.dev during the tm period. If they don’t, three is always the udrp process.

So big companies with big money won't have to shell out cash because there's a TM period for them but smaller one got to buck out 10,000 bucks to prevent cyber squatting ?

Welcome to the Domain Name System?

Domain Name System is an absolute cancer and has always been this way.

So soft handed implied blackmail? Seems legit.

> A domain just for developers

> Can I buy a .dev domain even if I'm not a developer?

> Yes! From tools to platforms, programming languages to blogs, .dev is a home for all the interesting things that you build.

The .dev TLD worked fine before it was bought. Now we have to use .test or .local.

I don't get what Google thinks they'll get out of sponsoring putting sites under development online.

It's always best to follow the RFCs [1] to avoid issues like this. ".dev" worked but it was never safe to use it.

1: https://tools.ietf.org/html/rfc2606#page-2

Why do you have to use either one of those?

If you're already running your own internal DNS servers (to serve .dev, .test, etc.) , then just buy a domain for your org for internal use (e.g. "<mycompany>-internal.<tld>" or "<mycompany>-private.<tld>", or if your company is "<mycompany>.com" then purchasing "<mycompany>.net" or similar), split-horizon so that queries from the Internet direct to some CDN-hosted static page saying "nothing to see here, internal use only, if you are an employee please VPN in" and internally you find the actual services.

You never run the danger of your internal domain being unroutable (since you indisputably own it), none of the stuff on subdomains of your internal domain are internet-discoverable (since none of the internal services are exposed externally), you retain the flexibility of eventually making internal services Internet-routable when you get around to building out a BeyondCorp model (if you ever do), and it probably costs a negligible <$10/year in registration fees.

Why do you have to use either one of those?

I’m not the OP, but I’m in the same boat.

Not every development environment, company, and set of IT/security policies are the same as yours. Just because you cannot envision the problem doesn’t mean the problem doesn’t exist.

If you've any developers on your team that use MacOS, avoid .local since it does some listening on this for Bonjour: https://blog.scottlowe.org/2006/01/04/mac-os-x-and-local-dom...

I believe .localhost is the "official" recommended TLD for local development.

According to RFC 2602 [1],

> The ".localhost" TLD has traditionally been statically defined in host DNS implementations as having an A record pointing to the loop back IP address and is reserved for such use. Any other use would conflict with widely deployed code which assumes this use.

So it might work but it could be problematic if the intent is to use ".localhost" as a local network domain rather than just the local host.

[1]: https://tools.ietf.org/html/rfc2606

.test, .example, and .invalid are also reserved by the RFC and don't have this problem.

> ".test" is recommended for use in testing of current or new DNS related code.

This one looks the safest and least prone to confusion.

> ".example" is recommended for use in documentation or as examples.

> ".invalid" is intended for use in online construction of domain names that are sure to be invalid and which it is obvious at a glance are invalid.

Both of these look problematic from a terminology standpoint, not a technical one.

.test is also problematic for the purpose of hosting internal (but not development/testing) domains on a private network.

There is a draft RFC to reserve .internal for this purpose, which I think makes a lot of sense.


.lan would be much better name.

An internal network might not be a LAN - for example, it might be a company's entire internal infrastructure spread over three offices and a datacenter with VPN.

Plus "DNS related code" can be stretched pretty far to "code that uses DNS." so it's the one I prefer.

The only thing I wish was easier was having a TLD for network local names but not link-local names. I typically just buy a name for that but it seems clunky since any in-use name that uses public DNS TLDs I feel ought to be DNS server independent.

Way more things than MacOS use mDNS for service discovery. That TLD is reserved for that use.

.test also works, but I like .dev more, so I have and continue to use .dev via hosts file (edit: hearing Firefox is doing the .dev HSTS preload as well, that's very disappointing to hear.)

I do wish /etc/hosts accepted wildcards, though. It can be a touch annoying having to add a new rule every time I create a new subdomain.

If you like .dev so much instead of .test, why not use something like subdomain.[public-domain].dev.com for all of your dev use?

It seems silly to continue using .dev, especially when this will now be a public and commonly used TLD. So now, if you're modifying .dev records for a local/private network, and then you or someone on that network attempts to go to a public website that is using the .dev TLD, it might not work, or you'll get a completely unexpected result. Doesn't seem worth that hassle.

I guess I just don't like multi-billion dollar companies coming in and dictating that I change my workflow for their cash grabs.

Who bought it is irrelevant. It could have been released to the public in a similar way to .com and the same issue would remain.

The .dev TLD was never reserved for your dev use. If you had been doing it correctly and following the RFC, you wouldn’t have to change anything with your workflow.

Now, if they ever release .test for public use then I’ll grab my pitchfork with you.

Thankfully RFC 2606 ensures that that will never happen.

That's what he meant with the pitchfork.

The fact that it is legal doesn’t make it any less of a PITA though.

The point is that the cause of the PITA is the refusal of people to follow RFCs.

Then you should not have built your workflow on a non-reserved TLD.

Eh, I'll just keep doing what I've been doing, but thanks.


One company I worked at thought it would be a good idea to use .local for their global internal network.

Worked fine for Windows folks. Was an huge pain in the ass for anyone on a Mac (using Bonjour) or Linux machine (using Avahi). No auto discovery of printers.

Google weren't supposed to make it generally available. From their application[0]:

> .dev will operate as a closed gTLD. It will provide Google with the opportunity to differentiate and innovate upon its Google products and services through its use of the gTLD. This will promote competition in the gTLD space by inciting competitors to respond with improved gTLD operations, greater range and higher quality products and services, and⁄or the creation of their own respective gTLDs, to the benefit of all Internet users. Launching the proposed gTLD will also generate increased competition in the online marketplace by adding incremental availability to the second-level domain pool.

[0]: https://gtldresult.icann.org/applicationstatus/applicationde...

Why do you need to use .test or .local?

Presumably you were already editing your hosts file or running your own DNS server in order to make .dev resolve for local development, which you can continue to do?

HSTS is required for .dev

Install a root cert? Takes 1 minute.

Yeah sure takes one minute, one minute of wondering if you really wanna bash your head against a wall getting openssl to spit out an X509 cert and then some.

Or use any of the million utilities for setting up a machine-local CA.

mkcert is one.

You mean wait six to eight months for the IT security department in another division of the company in another state to -maybe- approve my cert request.

Not all web development is three guys on Linux laptops at WeWork.

Why would you need a real cert? This is for your local machine, right? Use the tool, generate a CA, important into Mozilla's trust store, and go nuts.

I'm trying to imagine a webdev workflow where you couldn't get a machine-local CA working.

No admin privileges to manipulate the certificate store is one.

You shouldn't need admin to add a CA to the Windows User Trusted Root Store.


I do development. I do not use Windows.

If you're a big org, presumably you could just get your org to just buy the TLD if it's that much trouble.

Something tells me it's not actually that much trouble though, and people just like whining about minor inconveniences because it's the internet and they can.

When in doubt, racketeer.

I've been annoyed by how Google uses Adwords for a while; suppose you're company in a competitive, undifferentiated space. I just searched for "enterprise rental cars," and the first thing below the search box, an ad, was for getaround.com. The second was an ad for Enterprise, the third was the organic result for Enterprise. Google is effectively telling these companies "You wouldn't want someone to happen to see a competitor first and click them when they search for them, would you? Then pay up." That's a racket.

Same with this. They're inventing the demand for this TLD, then telling developers to pay up if they don't want someone to take their name.

They're inventing the demand for this TLD, then telling developers to pay up if they don't want someone to take their name.

For a lot of developers the demand was already there because they had their local virtual hosts on .dev. It wasn’t standard, but it was extremely common.

Then one day Google announced that it owns .dev and all the developers had to move their development domains to a different imaginary TLD or .example since Chrome would no longer let them test web sites on their development environments.

I am a developer. I will not pay Google or anyone else to use .dev simply because I have learned that Google can not be trusted. What prevents Google from taking .dev back in-house one random day and kicking everyone’s web sites to the curb? Absolutely nothing. Because you don’t own the domain. You only rent it.

I keep my development and testing on locally routed .dev and simply don’t use Chrome. Fortunately the people who sign my paychecks only care about Safari. Not everyone has that luxury, but I do, so I will make this minuscule stand that Google will never know or care about because an algorithm cannot know or care.

You could make the argument with a lot of the (mostly pointless) TLDs that have been released recently, such as .uk, which was a clear money-grab targeting existing .co.uk owners, or .sucks, which feels like an attempt to extort all domain owners.

True. Also, the new TLDs have gotten out of hand to the point that ICANN launching a new TLD has become noise. Their restraint has been so lacking that I'm expecting punycode emoji TLDs in the next few years. If you thought .sucks was bad, just wait for the poo emoji.

Ugh. I wish I had something more insightful to say, but I read your comment and audibly groaned, because I just know deep down that you're correctly predicting the future.

google.com isn't a public place, it also isn't a particularly valuable plot of "land" aside the private goliath built upon it.

The fact people go to Google gives them their power to extort business for ranking. But thats because Google remains valuable - people use it because it works, or at least because of inertia that nothing is remotely better yet, and so long as people still value the search companies can do the cost benefit analysis to know if paying the rent is worth it.

And its fortunate the only people who really care about search ranking are those trying to make money off it. There are a lot more egregious crimes being committed in the privacy space by Alphabet or by rent seekers across the economy than a business making money as a parasite off other businesses trying to make money.

I'm aware of free speech in privately owned "public places" (usually shopping centers) in some jurisdictions (California), but I didn't think that applied to racketeering.

I find it hilarious that most solo or indie developers (who they are targeting, and the vast majority of developers) won't be able to get a .dev domain judging by these prices. If they really cared, they would have some program where they validated you were a real developer and actually put some effort into screening out squatters.

Instead they have implemented a braindead dutch auction-style system that ensures developers will not be represented fairly. The marketing and implementation of this are out of touch and its doubtful this effort will be successful.

Really? Because starting feb 28th it's only 12$/year, that's lower than pretty much any other decent TLD. Do indie devs really need the high demand domain names?

When I think of 'developers' I don't think of corporations with a $12k budget, sorry. What was cool about domain names back in the day was that anyone could register them, and you could get a cool name as an individual. I realize things are different now, and it's all about money.

It would be like Github launching a new web site and allowing 'developers' to select their usernames on a first-come basis if they paid $12k for the privilege. It's incredibly tacky and shows a lack of self-awareness on the part of Google.

Dude, 12 dollars a year. Not 12 thousand.

Google is such a big company, I find it bizarre they are trying to make money in this way.

It would be interesting to know what they make at the end of the pre-sale.

My guess would be that this isn't primarily about the money (there are probably domains they could get more than $11,500 for), but rather about allocating the most in-demand domains in a way that reflects how badly people want them. A Dutch-auction-type thing like they're doing is a crude solution to this problem, but if they just went straight to GA too much valuable real estate would immediately be claimed by squatters and trolls.

The squatters defense is a good point - however, this also seems to ensure that the megacorps get the best pieces before anybody else gets to choose.

If defending against squatters is the top priority, they could also make it an application-driven process: Let people submit proposals about what they want to do with the domains along with a link to their organisation and have some group grant applications (preferably along some previously published criteria)

That sounds just as empty except now with massive human overhead for processing applications that can pitch whatever they want. I'd even be tempted to write up some bullshit to get a domain I want. What are they going to do, research my details? You can barely get a human on the phone at Google even when you're a paying customer.

Not to mention all the hurt feelings when someone's application is denied and the domain stays undeveloped or becomes a terrible website.

Auctions seem unfair but money is an extremely simple system for allocating finite resources. And it's not like you need a dictionary word domain name to have an online identity. It's almost pure vanity.

That kind of program, with us being in charge of deciding who gets each domain name, would be received extremely poorly. You can just imagine.

Domains would also be much more expensive, as there would need to be human evaluators in the loop for each domain name. The base price would likely need to be at least 10X higher to fund all this.


>I find it bizarre they are trying to make money in this way.

Why not? If they charged a flat rate at launch, domain speculators would snatch up all the valuable domains and you'll have to buy it from them at an inflated price. At least with this system google is pocketing the premium rather than third parties.

Maybe they aren't doing that great? What their last successful/profitable product?

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact