Hacker News new | past | comments | ask | show | jobs | submit login
Save .org (savedotorg.org)
2297 points by jaden on Nov 23, 2019 | hide | past | favorite | 342 comments

Some further background on what happened. I don't see how this can be interpreted as anything other than corruption, plain and simple.


"Former ICANN CEO Fadi Chehade personally registered the domain name currently used by Ethos Capital in May and it was registered as a limited company in the US state of Delaware on May 14. That date is significant because it is one day after ICANN indicated it was planning to approve the lifting of price caps through its public comment summary.

As such it appears that the plan to purchase the .org registry was predicated on the price caps going ahead and that those behind the deal had intricate knowledge of ICANN’s internal processes."

Posting from a throwaway account.

I worked at one of the main TLDs for years and was on one of the ICANN boards and got to know the industry well.

It is well know amongst the domain name community that ICANN is a poorly run organization, whose directors have in recent years have used their position of leadership to lead decisions from which they are afterwards benefiting themselves economically, in many cases by rushing decisions such as in these case.

Peter Dengate Thrush was famous for pushing for the new domain extensions (.anything) as chief executive of ICANN and quitting a month later to become the CEO for a company that was the main bidder for a large number of extensions. Fadi Chehade is doing the same with .ORG by lifting the price cap on the prices of an established domain name and then gobbling up the company that sells those domains.

Sadly, ICANN has little oversight and since its kind of in the air and doesn’t report to anyone, the directors get away with what would be legally considered corruption in most of the world. The fact that the internet community and most Internet companies have never care about it makes doesn’t help, since a lot or times the “multistakeholder” model that they claim to use in reality doesn’t work.

Ultimately, this is why the DNS and domain name industry feels so shady in general and why for most companies getting a name on the internet is a tortuous process that feels very scammy, which is unfair and costs more than it probably should. But so far we don’t have any good alternatives to the current system.

The process of mapping name=IP is not remotely technically difficult, and I'd dare say most people reading this message could implement the backend to such a system in a few days.

Setting up the peering replication and nameservers around the world is considerably harder, but it's definitely not a $10 billion+ problem (the current value of registrars and certificate authorities.) A startup funded by YC could handle that easily.

Dealing with all the companies trying to sue you over others squatting their domains and having to decide who has the better claim would be the most expensive part.

I really hate to say it because it's so cliche and overused, but a blockchain-like system could remove the central authority, the server costs, and the lawsuit risks. But it would introduce concerns over trust, most likely.

The really hard, unsolvable part is the unwillingness of the browser vendors to support an alternative domain name system. If Chrome, Firefox, and Safari all supported a new TLD outside of ICANN's control as a public service (let's call it "Let's Resolve" which would offer free domains and would be funded through donations), it would be very successful. If even one of them didn't support it, nobody would ever consider using it for their websites. Browser extensions, even if they allowed access to intercept domain name lookups, would not work. It would have to be supported out of the box in every major browser, and well, good luck with that. Anything failing to herd those three cats right out of the starting gate is absolutely dead on arrival.

Who knows though, maybe they'll raise .org prices just a bit too much, and piss off an established non-profit enough to start a huge campaign to create an alternative. But probably not.

Browsers shouldn't be the entity deciding on address resolution, a domain system bound only to the web/httpx would be a huge leap backwards. This should be up to the os and whatever names resolution the os provides should be happily accepted by any network program, be it a browser, email client, ssh, irc or something completely different.

Unfortunately, with at least Chrome and Firefox moving to DNS-over-HTTPS, they are the entities deciding on address resolution for 99% of average-user requests.

I would agree with you in principle however, in which case there's an even more impossible goal: get Microsoft, Apple, Google, and every Linux/BSD distro to agree to a new OS-level alternate domain name resolver that functions out of the box. And also stop Google and Mozilla from rolling out browser-level DoH.

Wonder if this means Cloudflare - and/or the other termination points for DNS-over-HTTPS - could be an interesting place to start adding an alternative DNS resolution system?

Then it wouldn't need to be done by any browsers... if the DNS-over-HTTPS end point provider does the additional name resolution, it should "just work".

Yes because that is what the internet needs, to have CloudFlare in control over more and more of it

We’re here because a private company has taken over .ORG

I see what you’re saying in theory, but it can’t be cloudflare or a private company or else it’s more of the same.

If it's done as a coalition of the places which provide DNS-over-HTTPS, it might work. :)

Negative. Private equity has billions to pay with. Everyone has a price.

The OSes appear to be signing up for DoH as well.

Browsers are the only ones actually willing to allow any change. If we wait for OSs to change nothing will ever happen. If it works well in browsers first then the OS will pick it up.

That's because there's no need for change. DNS works pretty well. There are various options to secure DNS, so that part of the DoH is also moot.

Browsers should respect the OS instead of trying to circumvent it.

Lastly, DNS is properly decentralized out of the box. I don't get that some people who argue for a decentralized internet also argue for DoH.

Similar to how email works and has various options to secure it but the reality is no end users were benefiting from it. How many OSs have enabled by default encrypted DNS? Browsers should primarily focus on providing the most secure and private browsing experience.

DNS is also not decentralized. It's centralised on ICANN and whatever company owns your TLD which is why this thread is here.

> Browsers shouldn't be the entity deciding on address resolution ...

See DNS Wars, Episode 6: "Resolverless DNS":

* https://blog.apnic.net/2019/11/04/dns-wars/

* https://www.ietf.org/mailman/listinfo/Resolverless-dns

('Amusingly' I cannot view the mailman page because Cloudflare DDoS protection is blocking me. The same CF that is doing DoH for Mozilla.)

> Browsers shouldn't be the entity deciding on address resolution

Someone tell the guys pushing DNS over HTTPS that.

> The really hard, unsolvable part is the unwillingness of the browser vendors to support an alternative domain name system. If Chrome, Firefox, and Safari all supported a new TLD outside of ICANN's control as a public service (let's call it "Let's Resolve" which would offer free domains and would be funded through donations), it would be very successful.

Not sure I understand your proposal. Say every single browser in the world supports Let's Resolve. byuu.org is registered with ICANN; but someone now wants to register byuu.org with Let's Resolve. Do you let them? What about the other way round? And what if someone attempts to register byuu.org with ICANN, while another attempts to register byuu.org with Let's Resolve at the same time, causing a race. Who wins?

Also, unique, meaningful and memorable identifiers are a scarce resource. Offering free domains just open up the floodgate of squatting and hoarding (at unprecedented ease).

Edit: Parent suggested a new TLD; I read it as a whole alternative system. Well, the new TLD idea was already implemented as .bit AFAIK, and it's pretty crap.

You probably need a system that allows both roots to function together. Maybe a different URL scheme:

http: and https: use ICANN, httplr: and httplrs: use LR

If not specified, browser tries LR first, then falls back on ICANN.

Doesn't feel as solid to me, but they could also register a placeholder TLD that would be use for redirecting requests to LR, or the other way around:

google.com.lrns would tell the browser to resolve google.com in the LR root (hardcoded), or google.com.icann would tell the browser to resolve google.com in the ICANN root. When falling back from one to the other, the browser would display the hostname with the fallback TLD on it.

Just some ideas off the top of my head, I haven't fully considered the implications yet.

Phishers would love that.

As stated by another person, yeah I'd want it to not overlap with the existing ICANN TLDs. Not too hard to do, and we could fix one of the bigger annoyances of DNS and correct the ordering: bsnes.byuu.org -> #newtld.byuu.bsnes, for example could work, or even just #byuu -> #byuu.bsnes and only have a sole TLD for it.

I don't know how we stop squatters, maybe a one-time registration fee would be reasonable, but that would be discriminatory as $100 would be trivial for developers in the US, and impossible for service workers in Mozambique that just want a personal website.

It's not as though .com/.net/.org (and heck, even a lot of the new gTLDs) aren't absolutely filled to the brim with squatters already.

I mentioned Handshake in another comment. It has a good method for mitigating squatters. Names are won through a vickrey auction so they go to the highest bidder, and your funds are locked up for the duration of the auction (2 weeks) so it inhibits squatters from bidding on all the good names at once.

Still gives those with the most money the most domains...

Wait til you find out who gets the most IPv4 addresses!

The simple answer to that is prices based on the country's GDP.

us.whatever: $100 mz.whatever: $0.80

brb gonna go buy a bunch of mz's for my botnet clusters

I think by "TLD outside of ICANN's control", GP meant a unique TLD that (currently) does not exist under ICANN. So it's not going to be byuu.org under ICANN vs byuu.org under LR, it's going to be byuu.lr (under LR) versus byuu.org (under ICANN)?

Yeah I misread. Then it's gonna be subject to good old squatting and hoarding (vastly more so if free) as I mentioned, and not really solve anything.

I agree. As long as there's scarcity, there's someone trying to exploit it.

I think it could be better to just accept that unique global names are not a great idea, and start identifying parties by certificates rather than name. Various chain of trust & reputation type arrangements can be used to ensure people won't confuse Their Bank (certificate issued by/for Their Bank) for Their Bank (certificate issued by & for scammer in Ukraine). Legit entities will have every reason to include information that minimizes likelihood of confusion.

Come on, I can have more than one James Smith in my phone's contact book too.. let's stop fighting over names.

> Various chain of trust & reputation type arrangements

The problem of course is that as you said, you still need authorities or a chain of authorities to tell you which one is the genuine Debian and which ones are trying to shove malware onto your machines. Today we go to debian.org, see the valid TLS cert, and assuming there’s no fraudulent issuance of debian.org cert and no attacker injected their cert into our device CA store, we can be reasonably sure the PGP key listed there is genuine.

You only need to look at .onion to see how well the keys without authorities idea turned out.

I don't have a problem with having authorities as long as we can choose which ones to trust (and have limitations on the scope of their authority), and form our own as necessary.

For example, I'll be happy to add and pin my government's authority for the services that they control. I'll be happy to add a group of FLOSS hobbyists issuing certs for open source projects, as long as they are transparent and can demonstrate that they have a handle on security. In both cases, there must be some way to limit the scope of their authority, and ideally do things like pinning the authority so that one can't sneakily take over the other in an attack that results from e.g. misconfigured scope.

I think establishing identity is something that we should learn to do. When John Smith gives me his phone number, I'm probably looking at his face and I know which John it is that is giving me their number. I should also be able to go to my bank and get their cert when I sign up for an account & credit card. I'd like to have additional confirmation of their identity (-> reputation) e.g. from my government, but I don't know if I want them to be automatically trusted just because there happens to be a chain that checks out.

If I'm looking at some entity that I cannot meet in person, I should be able to see who have vouched for their cert and make a judgement based on that.

Kinda like PGP I guess, at a larger scale and with better infrastructure (geek signing parties and wide open keyservers are not good enough). The system does not need to be centralized.

It should be possible to have certs signed by multiple parties, to help establish trust without having everyone agree on a single source of trust. (At this point, I'd like to use a term that sounds smaller and less powerful than authority)

I'm not particularly happy with the model where the chain of trust in every case is established starting at some international megacorps that do who know what, and countless issuers are directly or indirectly "trusted" from the get-go until someone points out their abuse and removes their certs.

The hope is to get a non-corrupt TLD in place that won't raise prices on you with no caps (and if possible while we're at it, won't charge you for certificate signing.) Ideally, a real winner would be a pay-once, own-for-life (say 100 years) TLD. I might be willing to drop $500 on a domain I know I'll never have to remember to renew.

namecoin is one of the oldest altcoins around and probably predates the existence of the term altcoin.


Ah perfect, not your keys, not your domain. I mean now domain jackings can be permanent and irreversible! Apple.com can literally be stolen by Tim Apple and there’s not a thing anyone could do about it. Another clear win for the blockchain. Resolving this kind of dispute is why we have central authorities in the first place.

The dispute process is there to solve the kind of issues that do not exist in a fully automated domain name assignment systems.

Fully automated system will only care about keys and cannot hand apple.com over from Apple Inc to Tim Apple because of his name.

You’ve got it backwards. When the keys are lost or stolen you’re SOL. The dispute resolution process would restore proper ownership via existing legal frameworks like it’s been done for hundreds of years.

> The dispute resolution process would restore proper ownership via existing legal frameworks like it’s been done for hundreds of years.

Not if the owner lost all proof of ownership, which is the assumption your argument is based on.

You don't need proof of ownership to obtain a judgement in your favor. It would make the process easier to be sure but you can make the case based on historical ownership and other indirect proof that a judge will accept.

You don't walk into a court and have the judge say "what you don't have the receipt?! case dismissed!!" -- the judge isn't a parking meter.

I may be mistaken, but I always thought DNS resolution was handled by the underlying OS, and not by the browser through HTTP. Support from browser vendors would probably matter a great deal for this, but not at a technical/implementation level, right?

Conventionally, yes, but that's changing somewhat with the deployment of DNS over HTTPS.

Chrome already ignores OS-level name-resolution in favor of phoning home directly to Google DNS unless you block their IP#s at your border. I see it daily in etherape. Side-effect: Chrome users on my LAN have to type in IP#s to browse local resources because their browser ignores my dnsmasq, which resolves the split horizon.

Do you mean Chrome or the Chromecast? The Chromecast totally ignores network-configured DNS and uses The Chrome browser has its own DNS client, but it doesn't phone home to Google DNS - it still uses the DNS servers configured by the OS.

How could free domain names possibly work? Good domain names are scarce so of they were free someone could just write a script to register every good domain and then resell them. The yearly renewal fee means people tend to let go of domain names they no longer and never will use.

The blockchain idea could work. There is a coin called namecoin which attempts to do this. I think on end user devices we should still use DNS so you don't have to store a 1tb blockchain on your device but the blockchain could be what the DNS servers source their data from.

Handshake is trying to do exactly what you’re describing. It’s an alternative root of trust for DNS that uses a blockchain to secure names. One of the non-obvious security benefits is that you can store certs on the blockchain instead of relying on CAs, which is a source of failure in the security of the Internet today.

Browsing adoption is tricky, but people can point their DNS to Handshake resolvers pretty easily — it’s equivalent to switching to ‘S service which many people already do.

(1) There exists a blockchain-based, decentralized DNS lookalike: https://handshake.org/

(2) Every major OS has has a way to plug an alternative DNS resolver (except maybe iOS), and every major browser has a control to switch off the DNS-over-https resolver. With any goodwill from the major mobile OS vendors, a new resolver could be rolled out to 99% of consumer devices or so, and work transparently.

(3) A new name resolution system should not clash with the DNS namespace. It could allow to copy established DNS domains (not parked) to the new namespace for a nominal fee.

(4) Many DNS tricks, like load-balancing, could go away. Running your own name server can become harder. The transition, should it occur, would not be fast.

Anything that doesn't work out-of-the-box is dead on arrival, though. I would never be willing to move my domain from .org to a system that people couldn't get to without installing additional software (eg OpenNIC.) But if every OS and/or every major browser supported OpenNIC, then I'd be willing to make the switch.

Indeed. My point is that supporting an additional name resolution system is mostly a political problem, and technically doable.without forcing people to even upgrade their OS, phone, or browser.

You're right that the technology is the very least of the difficulties. And that's the reason it won't change: nobody's going to do all the work of replicating all that bureaucracy just so there's even more organizations involved.

The only way I can think to end the corruption is to take away the financial incentive, and AFAIK that would mean either the government runs anything that makes a profit, or to remove price completely.

"but a blockchain-like system could remove the central authority, the server costs, and the lawsuit risks" This already exists, check out [ENS domains](https://ens.domains/) running on the Ethereum blockchain. They can be mapped to [IPFS](https://IPFS.io) hosted sites

In case anyone is wondering there is a blockchain that was made for such a reason. It's called namecoin. It spawned a project called chimera which was renamed xaya. In xaya the idea is you can reserve a name and the name has an alterable 2048 byte space for json data that you can update every block if you wish.

Namecoin though has always been around to reserve names and in particular domain names.

ICANN having little oversights is not an accident. It’s corrupt current and past leaders have ensured that. This organization is supposed to be non-profit international organization. If you ask me “who controls Internet”? it’s these guys. They have managed to convert ICANN into a perpetual personal wealth fund for friends and families.

The writing was on the wall when the board decided they weren't getting what they wanted from the at-large constituency & direct elections and shut them down, in doing so completely blowing off the Memorandum of Understanding. It's a bit surprising that it's taken so long to hit .org directly, it's a really obvious target if you want to find ways to turn an ICANN position into cash.

Full disclosure, I was one of those at-large members and they made it very clear that we weren't being good little peons.

To me, this seems like a good case for government intervention. Domain names are critical infrastructure at this point.

Which government? Critical to whom?

It possibly fits within the portfolio of the ITU (although I guess the UN is intergovernmental, rather than a government).

That has been proposed for as long as I can remember. The result would be that dictatorships and authoritarian governments control the internet, because they make up the majority in the ITU. I don't think we want that.

Can you explain this a bit more? Afaik the ITU does a good if boring job. I can phone about anybody in the world. The system works.

Now ICANN? They seem a bad choice, as this story demonstrates. Tolerable as long as the internet wasnt very important, but today, a UN international body seems the obvious choice.

They would only control the assignment of TLDs, whereas all the stuff that's actually interesting from a censorship perspective happens on much lower levels than that.

For example, ITU also controls country code assignment for phone numbers. Does that translate to any meaningful capacity to censor? So far as I know, the only practical restriction that comes out of it is that unrecognized states don't get one assigned, but that's also generally true with TLDs.

No, Hell no. The UN should not be involved in the Running of the Internet. That would be worse than ICANN by far

Each one for its ccTLD. I don't think anything can be done about generic TLD without a democratic world government.

All of them? (for both questions) :)

> Ultimately, this is why the DNS and domain name industry feels so shady in general and why for most companies getting a name on the internet is a tortuous process that feels very scammy, which is unfair and costs more than it probably should.

Shady is putting it lightly.

I once tried to register a nice .wiki domain in order to host a wiki for myself. Those domains weren't available anywhere. I had to "request" one from the company that managed the TLD. So I emailed them and they asked me about my "plans" for the domain. Eventually they just said they'd host it on my behalf. They created a wiki on the domain I wanted, threw ads around it and told me to start contributing.

It's not really an equal playing field where anyone can buy a domain. They gatekeep not only by charging huge prices but also by simply refusing to sell the domain if they think you're not important enough.

People should start making more onion services.

> People should start making more onion services.

A practical DNS replacement would be nice. Something not amenable to governmental or legal attacks, or straight-up corruption like this.

Onion services don't have human readable namespaces. Independently of using onion services, whatever services we run should probably be registered on Namecoin and/or Ethereum Name Service. That's how we get out of the DNS cabal's grasp.

ENS is more focused on wallet naming than DNS. Have you checked out Handshake? It’s aiming to create a more secure root of trust for DNS that’s resistant to seizure and censorship. We (namebase.io) are building on it ourselves.


You highlight an interesting point which made me realize that no one actually owns their domain names on the Internet. We’re all just renters.

You might be interested in checking out https://handshake.org which is trying to create an alternative to the existing ICANN system that is resistant to censorship and seizure. The technology is really interesting and we’re building on it ourselves.

At the risk of being overly-nationalistic, this is exactly the sort of scenario that many were worried about when the rest of the world demanded that the US hand over control to an international governing body. Just as you see with - for example - the IOC, many international governing bodies have a dangerous tendency to devolve to the ethical standards of their most corrupt members.

It may be useful to note that the US government transferred control of DNS to ICANN in September 2016. I searched HN, and this seems to be the biggest thread from back then: https://news.ycombinator.com/item?id=12612033

At the time, consensus in the media seemed to be that this would have little effect. However, the debate was quite politicized, as the transfer to ICANN occurred towards the end of the Obama administration, with fruitless opposition from high-profile Republicans.

>>consensus in the media

There is a reason for this, the American media is laregly Anti-American today. They believe in idea of "American Imperialism" and that America is the cause of most of the worlds problem. Thus they believed anything was better than "Corrupt American Control" over the internet.

There were many many people that predicted bad outcomes from this transfer, most are starting to come true

Corruption and causing financial damages intentionally for having personal benefits on it - especially by abusing a position against the very community they represent - is punishable by law in most country. Aren't they subject of legal proceedings now by violating the law?

Yeah this movement shouldn't just be "Save .org" but also specifically "Prosecute Fadi Chehadé", who is a criminal.

It seems to me that running an NIC for a major TLD almost has zero marginal cost: for each domain, you automatically interface with ICANN once in a while to update registration info, then serve some NS and associated A/AAAA records. So it’s kind of surprising to me that $10/yr is already a non-profit price. Am I missing something?

The $10 a year includes the markup of a profit making domain registrar which has marketing and support costs.

This article suggests Public Interest Registry's costs for third party technical services were about half their revenue, with the beneficiary of the rest of the funds being the Internet Society https://domainnamewire.com/2019/10/28/pir-org-slashes-regist...

Still, you can see why those kind of margins and the ability to raise prices were an attractive combination to private equity

> The $10 a year includes the markup of a profit making domain registrar which has marketing and support costs.

I use Cloudflare Registrar these days for .com and .org. They claim to offer wholesale prices. My last .org bill was $9.90 + ICANN fee. And according to [1], Cloudflare directly work with PIR to offer .org, so unless they're lying, they are actually charged $9.90 per domain per year by PIR. Now, the article you linked to claims that PIR paid less than $2 per domain to the for-profit contractor who did everything technical for them (what's left? PR?). I wonder where the remaining $7.90 went...

[1] https://www.cloudflare.com/tld-policies/

Edit: Apparently overlooked the beneficiary part. Not a fan of mandatory donations but at least the numbers sort of add up now.

How is it “in the air”? It is a non-profit registered in California.

Who'd have thought unaccountable private companies would act in their own best interest?

We[1] are building on a new project called Handshake[2] which is trying to create a more secure (alternative) root of trust for domain names. It does so by storing certs on a distributed ledger instead of relying on CAs. Though this isn’t the main goal of the project, one of the benefits is that anyone can register their own TLD through a vickrey auction which is much more fair than the current ICANN system.

[1]https://namebase.io [2]https://handshake.org

> It does so by storing certs on a distributed ledger instead of relying on CAs.

When you remove/replace the buzzwords that sounds exactly like a CT log, which is also a Merkel tree.

It's funny because every defence I've heard about ICANN is "why did you not participate in the governance meetings?".

>>>Sadly, ICANN has little oversight

This is why the US Dept of Commerce should have never given up control

The whole deal smells of self dealing, why was Ethos Capital selected to buy the .org registry versus an open bidding process?

I think all this information should be added to Fadi's Wikipedia page [0] so that people can be made aware of it.

That is one good way to bring corruption into light.

[0] https://en.m.wikipedia.org/wiki/Fadi_Chehad%C3%A9

If we in the United States had a forceful, competent FTC or FCC, perhaps this would be investigated. I don't think a Sanders or Warren administration would ignore something like this entirely.

The SEC are both competent and forceful, and this smacks of self-dealing, which is within their remit.

ICANN is a "non-profit". They do not issue a publicly traded security, and so they are not subject to the SEC's jurisdiction. The FTC is probably the best hope for intervention in a matter like this.

> ... corruption, plain and simple.

That's right but the right to get rich by corruption is the most important and most appreciated unalienable entitlement of US weenies, even more important than food or shelter or life itself. After all, in a thoroughly corrupt system all of those can be bought. Only corruption itself cannot be bought if the system doesn't already have the necessary level of corruption. It is the US's holiest mission to convince the rest of the world of the fundamental importance and indispensability of our way of corruption.

A couple additional things: EFF blog post on the topic: https://www.eff.org/deeplinks/2019/11/nonprofit-community-st...

Here's the initial letter being sent from EFF & others to ICANN and the Internet Society: https://www.eff.org/document/coalition-letter-sale-public-in...

(Disclaimer: I work for the Internet Archive, and we are one of the initial signatories to this letter.)

Thank you and good luck.

Has the broader group thought about just buying their own tld?

With a better governance model.

Would it matter? You're already locked into years, maybe decades, of brand building. You'd still need to redirect your old .org indefinitely.

.ORG should be properly managed and regulated, we shouldn't need to attempt to rebuild something because ICANN is corrupt and Internet Society is selling out non profits they promised to serve.

Not just brand building. How many accounts are linked to your email, and how many of us have had that email on a .org for 10, 20, even 30 years in some cases.

Do you even know how many accounts have that email address as either the primary, or backup/recovery email?

An email address is central to identity management these days.

Lose a long established domain, and you might lose access to most of your other internet accounts, especially the ones you don't use every day and are hard to remember.

This is just awful. For everyone wondering "how bad can it really be?", they can put whatever cost they like to keep your domain registered. I have a small carpooling site for ski fields in New Zealand - snowpool.org . I've run this for 10 years, as a fun side project. If they hike the fees to 3K a year (or whatever) then there's just no way I'd keep it going. I've have to migrate somewhere else, which would be a complete pain in the ass.

I find it just awfully sad (and probably corrupt) that this happened at all, and I really hope there's some higher authority that can roll this back - or at minimum bring back the price-cap.

Very sad times.

There's no higher authority than ICANN as far as domain names are concerned. That's why the letter says "help stop the sale", not "stop the sale".

Well, there's the US government. They could pass a law in theory at any rate. One of the arguments for allowing self regulating bodies like ICANN is they do a decent job but if that ceases to be the case it's kind of the governments job to step in.

This campaign needs a punchier call to action. It should be something like "Tell the New York state attorney general to prosecute Fadi Chehade for self-dealing if this sale goes through". This movement is lacking stakes. People need to go to prison for this.

This is the case for all new gTLDs. .pro to .xyz to . accountant, the registry can put any price, be it zero or a million dollars.

.com has price caps. Imagine what happens when they remove those and they can just price everyone out of their .com names, names they may have had for 25+ years.

Imagine a world where whomever has the most money can control your brand. What happens when McDonalds buys the Burger King brand because BK was priced out?

.com, .org, and .net are long standing shared resources that should not have unlimited prices. They should be capped forever.

McDonalds and Burger King can duke it in court.

It will be more site the kind of wikileaks that could get effectively removed without having to go legal routes. Just have your friends price them out of their domains. Nobody needs to even buy the domains, they just need to be expensive enough to stay unused.

If this got really bad then I could see how a site like wikileaks would use some secondary domain name service on addition.

I agree with your principles. If it came to that, I'm pretty sure there would be a hard response by the worldwide body of developers and companies (especially the 80-90% of small businesses that make up rich economies; the biggest corporations altogether barely accounting for single-digit % of national GDP, so I don't know who's the target of price hiking to a ridiculous degree).

There are ways to circumvent DNS so long as IP works (I mean the "Internet Protocol suite"[1], "TCP/IP", the real-world implementation of OSI if you've been taught that theoretical model).

Maybe a 'public darknet' (a parallel "white net" really, nothing shady about it, by "darknet" I refer to how it works technically[2]) wherein we don't care about a global DNS, and use links + light VPNs to browse internal (firewalled) resources — I'd wager it's doable using tokens to auto-validate public VPN access like we'd greenlight an SSL connection, essentially, probably some 3-way handshake. The whole thing would be public, just circumventing DNS/TLD hierarchy, so indexes etc. would work just the same (it doesn't break Google Search).

A neat bonus is that companies could use whatever name scheme they like, "store.sony" would work, and even collisions could be resolvable through aliases.

Whatever works but if current DNS/TLD's become a corrupted theft, the world will definitely move away from it — and we don't exactly look back for these major PITA standards.

[1]: https://en.wikipedia.org/wiki/Internet_protocol_suite

[2]: https://en.wikipedia.org/wiki/Dark_web

Another option will be using an alternative DNS root such as OpenNIC which is user owned and controlled. Besides offering resolv of ICANN root, it also adds its own TLDs. The now defunct ORSN was also another choice.

Sure, but, people went into those domains _knowing_ that was the case. .org started with a price cap and I for one thought it would stay that way.

I've been thinking a lot about the sheer downsides of DNS overall. We need something different. Something decentralized, encrypted, something not reliant on a protocol that hasn't kept pace with security and privacy and we need something verifiable that provides accountability. As others have said TLDs have become a racket. Only the priveleged and nation states have the authority to use the system as a funnel of ridiculous revenue and rate manipulation. We don't need DNS anymore. It's become more of a lynchpin to bottleneck and advance control of the few and continues to erode our privacy as it stands today. What's next?

Looks likes you’re wanting the decentralized web [0][1][2].

The DNS equivalent technology there is DHT(distributed hash tables) [3] which was used in torrent technology for a few years. Ever wondered about how you can find the torrent seeders without a centralized entity? The Bittorrent DHT is the underlying tech.

[0] https://ipfs.io/

[1] https://dat.foundation/

[2] https://www.scuttlebutt.nz/

[3] https://en.wikipedia.org/wiki/Distributed_hash_table

> Ever wondered about how you can find the torrent seeders without a centralized entity? The Bittorrent DHT is the underlying tech.

The Bittorrent DHT is not fully decentralized, it needs a list of hardcoded bootstrap nodes. https://stackoverflow.com/questions/1181301/how-does-a-dht-i...

Well, it's for ease-of-use. Anyone can make an alternative DHT with their own bootstrap nodes, but the Bittorrent main one is the biggest, therefore most programs have that one hard-coded.

Anyone can make an alternative client that uses the exactly same tech with different bootstrap nodes, and once they gain popularity, there will be people using that.

Democratic, I would say.

Yes, sort of. That's one way to get peers, but clients support other ways to peers.

So in practice you can get peers from the list of previous peers, PEX (peer exchange), or a tracker for a given torrent.

So in practice once you talk to a few bittorrent peers (of millions) you likely are talking to another DHT peer and can bootstrap. Also given that there's typically millions of peers in the DHT, even brute forcing it by search IPv4 (4 billion addresses) for a few million peers is likely to only involve a few 1000 UDP packets or so.

Which can easily be changed. The bootstrap nodes don’t hold any special power.

GNS from the GNUnet project is the most interesting alternative to DNS that I've come across, and is orthogonal to projects like IPFS and Scuttlebutt (although I don't know much about Dat). It's basically DNS with DHT and some very cool crypto.


I'm not convinced we are talking about a decentralization issue.

We could achieve the same result with laws. Just make what is happening illegal, corruption is already illegal.

Furthermore, decentralization won't solve the basic economy rules of offer/demand. Even with a decentralized system, website will still be referenced by natural words ("domains"), which can be owned by only one site-owner at a time, which means there will always be people ready to spent a lot of money to acquire a domain/reference.

I'm for decentralization in general, but in the current case I fail to see how decentralization alone will make domain owning fairer

In this particular case, the problem is not that individual domains can be traded at market prices though.

The problem is that organisations have to rent their domains from a central authority that can hike the rent for an entire TLD to some fantasy price.

So the hierarchical structure of DNS is clearly what creates an opportunity for corruption and extortion.

And let's not forget that DNS is ultimately a global issue, which means that the rule of law cannot be taken for granted.

Laws have to be part of the solution. But it's easier to legislate effectively if the underlying structure doesn't invite corruption, authoritarian abuse and market dysfunction in the first place.

> And let's not forget that DNS is ultimately a global issue, which means that the rule of law cannot be taken for granted.

I think this strongly points towards ccTLDs being the best solution. It is very difficult to get all the different countries to agree on common rules/governance for the legacy TLDs, but if everyone gets their own independent corner then that should be easier to get agreements on.

Dividing the control by country also conveniently avoids any single one being able to cause as much damage as ICANN now is.

I think ccTLDs don't work so well in a globalised world. Many internet services are not country specific, and ccTLDs sort of put you in the local business category.

> Many internet services are not country specific

The companies and/or owners of those services do operate under a certain legal aegis, though. It’s not like they are stateless.

I just happened to read the text on a food product; it had text in three languages, and the www.* domains listed in the three texts were in the ccTLD for each country. No .com was mentioned anywhere.

Domain names should never change and be easy to remember whereas legal ties to countries are often complex (i.e not 1 to 1) and subject to change.

Should I really have to remember going to apple.ie because that's where the Apple shop happens to be legally based at the moment? Or should it be apple.eu because consumer protection is an EU matter? Or apple.us because that's where Apple's headquarter is located?

And when a company gets sold to a different country, should all their URLs have to change?

Multinational companies should be the exception, not the rule. “Designed by Apple in California”; will Apple ever stop being a U.S. company? Why would “apple.us” not be appropriate?

A company is an entirely legal construction, and, as such, is entirely bound to the laws of a certain country.

It is amusing that you believe government would stop corruption.

History proves that to be false

Further "just make it illegal" under which nations laws? That was the problem ICANN was suppose to solve, no one wanted the internet to be operated under the Laws of the US, which is why in 2016 the US removed itself from Internet Governance.

So do we put the Internet under the laws of China? or the EU both of which have Free Expression issues....

Which nation? or maybe the UN which has Dictators and human rights abusers in positions of power...

Decentralization is far far far better than looking to a government resolution

If you decentralize, you don't end up with something equivalent to "the internet" anymore -- you end up with several islands of things that (to varying degrees) resemble "the internet", and run on the same layer 4 fabric, but are largely isolated from one another.

I think we actually experience a mild version of this today, where entities publish their all their Twitter/Facebook/Instagram/Snapchat/Whatsapp/Linkedin etc profiles.

I can't help but see whatever this distributed DNS replacement is as basically being this situation but without the backstop of globally-accessible websites and e-mail addresses. You should have no doubt that, for example, Facebook would make a "the internet" which was 100% Facebook-operated sites.

Islands already exist, with national firewalls, corporate networks, dark nets, etc. Decentralization of DNS would just take middlemen out of the picture. A dominant decentralized system would probably handle most requests if one were to ever get off the ground, making it equivalent to what we have now.


DNS worked just fine with nonprofits and government entities who weren’t leeches.

But it no longer works fine. If there is money or power in something, it will inevitably get corrupted if it can be centralized or captured.

Why? Because even you are using the past tense. The genie is out of the bottle.

Because centralized power run by people gets corrupted and bogged down by special interests.

> Islands already exist, with national firewalls, corporate networks, dark nets

And you don't see companies posting their addresses on those things. They still advertise "example.org" not "if you're in {county} use {county-specific address}, or on Tor use {onion address} or using {decentralized DNS} use example.com".

> A dominant decentralized system

How does this result in a different situation then the "centralized" DNS we have today?

> How does this result in a different situation then the "centralized" DNS we have today?

If, for instance, the DNS entries were tied to entries in a blockchain, such as namecoin, then no 3rd party would be involved in a transaction to transfer the domain, no annual fees would be required, and no one could block or remove an entry.

> You should have no doubt that, for example, Facebook would make a "the internet" which was 100% Facebook-operated sites.

AOL already tried that back when they were still sending floppies through the mail. They were the largest ISP on earth and couldn't keep people in their little walled off corner of the internet. I don't think anyone else is going to be more successful.

They might not have been able to keep people there forever, sure. But their walled garden was “the internet” to a major chunk of people in the US for quite a long time.

Remember when TV commercials would tell you a company’s AOL keyword?

Yeah, that was around the time the internet wasn’t even relevant to the majority of the first world population. Trying to make comparisons to how it might look today is pointless.

At AOLs peak, it had about 35 million subscribers. Comcast alone has nearly that many.

Or when people would tell you their ICANN domain?

They were probably more successful than you'd like to acknowledge. And the modern companies do have a fair bit more power.


Handshake Name Service (HNS) is working on this problem from an interesting angle, with some significant institutional support.

The problem is that DNS powers the internet as we know it, getting everything ever to switch over is at least another 30 years after you make a protocol (that would also need to have literally no downsides).

Not sure I agree. If FF & Chrome both supported it...it'd be in effect in < 5 years total.

Just look how quickly DoH is being rolled out, or Google's QUIC.

Realistically if Google, Mozilla, Cloudflare, Apple, Microsoft, and a few others agree that this move is bad, and wanted to stand up a new .org TLD...they could, and I don't believe it'd be illegal (IANAL).

Web is only small part of internet

Yes, but most of the internet is exposed to users via the web anyways. OSs would need to follow suit, sure — to make everything that’s not a browser work so that the alternative lookup mechanism is used instead of traditional DNS. How long do you think that would take? Not too long methinks.

Namecoin did this, and I think there are similar efforts on Ethereum, but it turns out that the tyranny of the installed base is a real thing.

All these Ethereum/Namecoin/Whatever solutions aren't really solutions. They're subject to namesquatting, arbitrary prices, arbitrary decisions regarding TLDs and they end up being centralized in the end for various reasons.

I think a good solution is to switch to using petnames instead of global names.



I liked Namecoin.

Ethereum Name Service is doing something similar on Ethereum.

We don't want DNS anymore, but we don't have a replacement. It's the same as Facebook->Diaspora, Twitter->Mastodon. The non-centralized versions are too hard to deploy to all the non-techies out there, despite being the "morally" correct architecture.

The only thing wrong with DNS is that we entrust it to a corrupt government. It's time another country step in and take control and replace ICANN.

> It's time another country step in and take control

What's to stop them from being just as corrupt? It's too much for any one country to have control over. It'd be far better to come up with a way to take the power out of the hands of any one entity so that we don't have to keep moving it around when the people holding all the power are inevitably corrupted by it.

Abandoning the whole idea of gTLDs and using only ccTLDs kinda accomplishes that, each country would control only their part.

ICANN is a non-profit organization, not a government entity.

I can't speak for Diaspora, but Mastodon isn't any harder to use than Twitter. It's mostly network effects that keep people there.

Lots of distros are in .org aren't they? I see Arch, Debian, Gentoo, Fedora, Centos, OpenSuse, Raspbian, Damn Small Linux, Linux From Scratch, NixOS, Guix, OpenWRT, PfSense, FreeBSD, OpenBSD, NetBSD, OpenSolaris, Illumos, and probably lots, lots more.

GNU is also on .org.

Also languages, at least Python, Ruby, Haskell, Rust, Go, Clojure, Racket, Zsh, etc.

.org seems to be the go-to TLD for open source projects.

".org" is almost the standard for all community projects, there will be huge impact if the management went wrong.

What will be the impact?

Projects losing their ability to run their existing site because money, losing it to <whatever> and significantly losing in visibility e.g. python.org or freebsd.org now advertising spyware or some shit with the historical ranking of a trusted and respected source.

Or these project having to plonk a significant amount of money in paying for their domains rather than <insert thing which is actually useful>.

I run a tiny carpooling site (not for profit) snowpool.org . If they turned around and upped the fees to 3K a year or something, it would basically force me to shut the service down.

This is an incredibly awful move, I'm completely astounded that it was allowed to happen.

if there's money to doing something, it will happen.

Why not just move to a different domain, and while your old one is still "cheap", do a redirect etc?

Because I've built up a presence over 10 years of running the site, so, I'm not just about to move! It'd be a huge pain to move probably hundreds of email addresses over to a new domain etc too (I sign up with [domain]@snowpool.org)

It completely depends on what they do, I've renewed for 10 years so I have time now, if they put the fees to >500 a year then I'll definitely move.

Do you own a domain yourself that people have been using for 10 years? You might feel differently about the ease of "just moving"

As if this couldn't get crazier:

> Goldman Sachs & Co LLC. is serving as financial adviser to both the Internet Society and PIR.


This is what they do - finance deals. This is as notable as saying Wells Fargo issued their home mortgage.

Wells Fargo, eh? Your example is apt, but perhaps not for the reason you intended (unless you're making a subtle joke, in which case I apologize for not catching it.)

> This timeline charts the most significant events in the sales scandal that erupted at Wells Fargo [in 2016]


> Wells Fargo(WFC)charged customers a monthly service fee to maintain a checking account that many customers assumed was free and the bank is mulling how to respond to people who feel cheated, according to the bank and sources familiar with the accounts.


> Wells Fargo and an insurance company it worked with have agreed to pay $432 million to settle a class-action lawsuit brought by customers who say they were charged premiums for auto insurance they did not need.


IMO only fools and masochists would continue to bank with Wells Fargo.

Anyhow, Goldman Sachs have no business being anywhere near DNS or ".org" at all, at all. They're a bunch of crooks who make Monty Burns look sympathetic in comparison.


Whenever there are politicans robbing those who they claim to serve, Goldmans are there advising anc charging huge fees.

Whether it is this, Greece debt, 1MDB in Malaysia. Goldmans have no regard for their own reputation so we should assume anytime Goldman are advisors that the deal is a massive ripoff for which people should be going to jail. Goldmans may not have always been this way but they sure are now! They're a leading indicator of gross corruption.

I think it's fair to see private equity as red-flag, and I feel ideologically aligned with the folks raising the alarm here. OTOH, the concerns raised include a lot of speculation (in the form of "could do bad" or "has the power to do bad"), and that's also a red-flag.

It's interesting to compare ISOC's blog (https://www.internetsociety.org/blog/2019/11/the-internet-so...) and the followups like EFF's blog (https://www.eff.org/deeplinks/2019/11/nonprofit-community-st...) and SaveDotORG (https://savedotorg.org). They touch on a lot of similar themes of community and transparency - which, on paper, makes it sound like there's some meeting-ground.

As an outsider to the discussion, questions would be:

1. What are some specific problems facing the ".org" registration process for which capital/investment would be helpful? (Obviously, there's no perfect answer. But as an outsider, it looks like ".org" registration already works about as well as anywhere else, so one needs some examples to animate the problem.)

2. Would any of these folks care to improve their engagement/trust with each other? Talking more specifics about "Stewardship Council" and "Community Enablement Fund" might help. Or is some reason for bad blood?

3. What kind of track record does this private-equity shop have? Have they worked with other non-profit or socially-oriented endeavors? Maybe some founders/staff/customers can give some positive or negative testimonials?

They lied to get price caps removed on .org and then sold it amongst themselves to profit. I'm not sure how you trust people that start with a lie. Look into the history of how shady this really was.

Yeah, this comment https://news.ycombinator.com/item?id=21612033 links to an article on the Register which gives a lot more substance to the concerns/reactions. That deeper story helps to show where the mistrust comes from.

From the peanut gallery, it looks like the ball is in ISOC's+Ethos' court to demonstrate their good faith as stewards...

the concerns raised include a lot of speculation (in the form of "could do bad" or "has the power to do bad"), and that's also a red-flag.

I'm not really sure how to address the idea that we shouldn't attempt to understand and interpret what things happening now might mean for the future.

I saw this logic coming from a lot of people trying to push these changes through. They've been good so far, we should just trust them. They stick their heads in the sand and pretend we don't need rules because organizations, people, societies follow norms and that's enough. Until someone shits all over them, which is why we make rules in the first place. This whole nothing bad has happened yet, we shouldn't consider a bad outcome as a real possibility is ignorant and dangerous. The same people who if you look at ICANN mailing lists are still trying to play both sides, with whataboutism type arguments in an attempt to discredit people against .ORG being sold to a private equity company. I've dug into those people a bunch too, they're pretty much all connected to registry interests (https://reviewsignal.com/blog/2019/06/24/the-case-for-regula...)

A downed power line or gas leak only "could" do bad, but that's not a reason to dismiss them.

People. We are losing the Internet that we all love and care for so deeply. We all need to rise up to fight for the freedom the Internet gives us.

I mentioned in my last comment about this being outright corruption by the Americans involved.

Now it is time to mention the 1 positive that the USA has that other countries(visibly) don't:

> The willingness and ability to sue as a collective

.org is a domain used by everyone from Wikipedia, UN, Debian and your national dog shelter.

Private Equity cares only about one thing: making money. Anybody with a toe in the finance world knows that these are the same people that will do "hostile takeovers" to strip companies of their assets, pile on debt and push out a sale.

A class-action lawsuit targeting the PE firm(or parties involved in the sale of .org) and then pushing your State Attorneys to investigate these corrupt individuals at a personal level will have the desired effect that appeals to the moral high-ground won't.

I wholeheartedly agree. Letters like this only work for congresspeople, and even then only some of the time. For everyone else, lawsuits, injunctions, and criminal investigations are much more effective deterrents.

In 1998 Jon Postel briefly "hijacked" the DNS root zone. Formal control over DNS had always belonged to the US government, but Postel commanded such universal respect from the internet community that they were willing to follow him, as head of IANA, over the government contractor that "officially" ran the root at the time.

This of course is why ICANN was created, to bring governance of the Internet closer to the community that developed and maintained it. But now ICANN has become just as remote and unaccountable as the bureaucrats and contractors it replaced. And Postel is long gone, and the Internet community has grown so big and fragmented that no one person will ever have anywhere near the towering position he once did.

So now what do we do?

Except at least the American bureaucrats were accountable to the Department of Commerce, and ultimately elected officials.

ICANN is accountable to nobody, whatsoever, in any capacity.

Wilbur Ross is even less trustworthy than ICANN. Which is saying something.

ICANN members are not powerless, even if organizing and kicking ICANN out is a lot of work.

This feels unreal! How is this even happening? Domains are more like the airwaves than a commercial product. How can they do this??

Just wait until you see what they have planned for the airwaves next!

TBH I’d be happy for the (AM/FM radio) airwaves to be privatized if it meant getting rid of the absurd, antiquated rules about not being able to say certain words in song lyrics.

That shouldn’t be necessary though, better regulation of a limited resource is preferable to no regulation.

That problem is microscopic compared to the problems you would invite.

Bad at math.

It doesn't actually mean that. Look at censorship that Facebook implements for an example of what you can expect. Sure, there might be some obscure stations that wouldn't have such rules... and nobody would know about them.

Anyone freely interfering at high power would be dangerous for everyone.

Existing .org domains they can't move without overwhelming disruption, so most will just pay whatever it costs. But for the future, we need to move the Internet towards having peering relationships with TLDs such as OpenNIC.net.


* This issue of .org being sold for profit

* The fact that OpenNIC had to rename their TLD domains (e.g. .free to .libre) when ICANN created a colliding .free domain, demonstrating clearly that they are not peers.

Internet technologies such as browsers and operating systems should recognize ICANN and OpenNIC roots as peers, with DNSSEC to both. Should ICANN decide to create a .libre domain, existing browsers and operating systems should consider it a DNS attack and not recognize it. I think an organization like Mozilla ought to (1) flesh out any technical challenges, (2) support OpenNIC and (3) push for this.

OpenNIC is a poorly managed amateur project, built on shoddy infrastructure that was thrown together in the early 2000s -- it's completely incapable of acting as any kind of peer to the ICANN root. In particular:

- Their resolvers are not consistently available. Many of them are hosted on public cloud hosts (which also raises some questions about their security), and outages are not uncommon.

- It's not clear that they support DNSSEC, or that they have any plan to do so.

- The governance of the OpenNIC-specific zones that they offer is even shoddier than the DNS root itself. Most of them have no registry/registrar distinction, no domain transfer process, no WHOIS services, and sketchy to nonexistent abuse policies.

- Since OpenNIC TLDs cannot be resolved on the public Internet, it's impossible to issue a SSL certificate for one.

Most of your points are valid. That's why I'm suggesting Mozilla support it. It would be a lot less "shoddy" if someone shepherded it. I think it is the right idea.

The last point is only true because they aren't recognized, which recognition would immediately fix, therefore it is moot.

My concern would be that it's enough of a mess that Mozilla would have an easier time building an equivalent project from the ground up than reshaping this one into something reasonable.

I could be convinced that a community-based restructuring of DNS could be for the better. But I don't think that OpenNIC is the right project to base that around. The technical aspects of what they've built are not complicated, and much of that would need to be changed anyway to operate at scale; good governance is a lot harder to build.

Full disclosure here, I am the host of the ".epic" TLD on OpenNIC.

Knowing the maintainers of the project and the community at large, I doubt they'd take kindly to opening up the project to Mozilla's support/control. They've ran a tight game, relying on their own money and individual donations. Opening it up to Mozilla's big money would bring the democracy aspect of the project into compromise.

Personally, I'd find it interesting to see where OpenNIC would go with that kind of investment, though. I've poured plenty of my time and money into the project, and would like to see it grow. Perhaps not at the expense of the projects principles, though.

Again why does ISOC feel they have to do this? Are they starved for funding? This sale directly contravenes several of the founding ideals of the Internet.

Why did it happen entirely behind closed doors? No way they got this deal together just after price caps were removed. Was this orchestrated beforehand? Domain registrations for Ethos Capital pre-date the change and timing coincides with proposed contract change to remove price caps.

What does Andrew Sullivan get for this move? Is Jon Nevett connected as well considering his ties to Donuts which is connected to Abry Partners which was managed by now Ethos Capital CEO?

So many questions, all this happening in shadows means we shouldn't give any benefit of the doubt.

How about getting the browser and OS makers together to use an alternate DNS system?

It only needs Google, Mozilla, Apple and Microsoft to agree and ICANN can be made irrelevant overnight.

Where do we put the DNS root then?

If you want oversight and international consensus it cannot be placed within a country. Only option I see is to put it under the UN but that will probably ramp up the politics.

Yes, have 'access to the internet' a universal human right and a UN body to work towards that goal, managing domains.

> It only needs Google, Mozilla, Apple and Microsoft to agree and ICANN can be made irrelevant overnight.

Of course not. The Web is only a small part of the Internet. DNS is used by way more services than Web browsers.

But the value of preserving your existing address exactly, including .org on the end, mostly only exists in browsers, where humans find things initially.

Actually, I bet by now it doesn't even matter that much even there any more. Consider how the search in google already forms an effective alternative dns for many actual humans attempting to manually go somewhere.

If you have a .org domain, you can change all the non-browser uses of the domain pretty easily. The tools in the background of things don't care what the names are. You can change them and it's really not that much of a disruption.

Once someone finds your site, via their browser, you can populate that site with whatever kinds of urls and directions and references you want. Just like no one really cares how ugly and long all the urls to actual things other than the front page are. Your site can include say, the directions to access your API, and those directions don't have to say foo.org in them. Even existing api users that break if you have to change your name, can react to that change easily enough.

Email is probably the biggest problem. We will all simply have to never pin too much dependency on any single email address. But we already have to do that, so no loss.

If you had set up your own domain so you weren't at the mercy of google killing your gmail account and killing your ability to prove ownership of everything else in your life, well you would just need to have more than one email registered with everything like paypal etc. So me@mydomain.org can break and you don't die from it.

You just better realize your domain is going to break and unregister those emails everywhere before it goes into someone else's hands. Because when someone else owns a domain, then they can receive all emails sent to any name at that domain, including "reset password" mails.

It's not the most fun passtime, but it's not necessarily the end of the world either.

It really is human interactive web browser usage where the exact name matters most. So if cloudflare and google simply sent browsers to the right place and ignored the traditional root authority for .org, or any other name lookup, that would pretty much be good enough.

Google could do it already without even violating dns just through search results.

The aforementioned companies make more than web browsers. They make entire operating systems. If an OS changes how it interfaces with DNS, it will affect every service that runs on the OS.

To be honest I don't see this happening any time soon with the major commercial OSes. But in Linux you can install some programs to e.g. send all your DNS queries through a certain encrypted tunnel, and nearly every application installed on that box will happily use that tunnel.

I don't understand why everything must "grow and adapt ...". Can't something just stop evolving? Its not like its failing or something, we don't need everything to do everything just be good - very good - at what you do.

I've always been a bit confused by the relationships among government agencies, ICANN, IANA, the registry-operating entities, etc., and this site doesn't seem to explain why the CEO of the Internet Society is the right person to appeal to. Can anyone point to an explanation that summarizes the overall flow of authorities and obligations involved here?

Only entities who could stop this, ICANN (this is being pulled off by insiders including former ICANN CEO). Internet Society - they did this deal in the first place. And... who the hell knows? Could the US Government step in? Maybe? They stepped back during Obama admin, I'm not a lawyer but someone needs to step up and I've lost faith in both ICANN and Internet Society.

The entire domain system is a racket.

It always astounded me that for the longest time until only recently, you were expected to pay additional money, more than the domain cost itself, for HTTPS security (and if you wanted a wildcard certificate, substantially more money.)

I guess when the gTLD explosion didn't result in massive new profits for the new TLDs (some are $100+/year!), the powers that be decided to focus on existing TLDs instead where there's extensive decades-long lock-in effects at play. No one needed company-name.ninja, but good luck giving up your company-name.org to a squatter or worse, your competition.

Why can't we simply configure clients to use a phonebook we like, rather than the phonebook we don't like?

Today, it's relatively easy to create something like a piece of software and a db of alternative roots. And any clients which have that kit installed are suddenly simply ignoring pieces of what the traditional roots say.

Yes it would be fractured for a while. But it's no worse than say, dns over https, and the way say, you can't reach archive.is while your browser is using doh, but can when you turn doh off. (unless they finally fixed that, but that was the situation for a ridiculously long time after both cloudflare and archive.is were made aware.)

We already have such things today, so might as well employ it as well as suffer it.

As a website owner, how do I track down all the alternate roots I'd need to register with? If each of those charge a fee, how much will I need to spend on each root? If I need to perform an OPS task like flipping to a new external load balancer IP, how many alternate robots do I need to coordinate with, and how much testing do I need to verify each root is updated?

It's amazing that .org avoided some powerful group injecting themselves as rent seekers even this long. It's a pity we've decided to run society this way generally.

I fully support any campaign against the .org TLD hijacking but it would be good to know who's behind that savedotorg.org domain name. A whois search gives me 'Registrant Organization: Data Protected'.

I'd like to know to whom are we giving our email addresses, and what are they going to do with them?

That could be due to GDPR. Some European registry companies believe GDPR makes the collection and publishing of WHOIS data illegal.

ICANN is currently suing a Tucows company in Germany [1] over their refusal to comply with WHOIS data collection, and ICANN published a Temporary Specification that allows/requires every other registry to hide WHOIS data globally pending the result of the GDPR court case [2].

Of course, that doesnt prevent savedotorg.org from posting their own "About Us" webpage explaining who they are.

[1] https://www.icann.org/news/announcement-2018-05-25-en

[2] https://www.icann.org/resources/pages/gtld-registration-data...

Yes, an "About Us" page should be included on that site at least.

AFAIK GDPR protects personal data only, so if the savedotorg.org registrant is an entity of any kind then it shouldn't be any problem publishing that info.

They've added an "About this site" page now. As I can't edit my previous comment, I'll add the link here https://savedotorg.org/index.php/about/

I happen to live down the street from the Internet Society.

What could I do in person to emphasize the point?

paint something with chalk on the pavement before their entrance? Harmless and gets attention


This is essentially a hijacking of the DNS as far as I’m concerned. The sale of .org is heinous; And I’m an unabashed capitalist.

There is absolutely nothing defensible about this move that I can see.

Is there any argument that this is beneficial to anyone except Ethos and Internet Society? Is it even clear they have the right to sell it?

Has every person at ISOC submitted conflict statements? Are they willing to commit to never benefit financially from Ethos controlled entities for 10+ years?

"This is essentially a hijacking of the DNS as far as I'm concerned."

At the last NANOG, the keynote speaker described three instances where companies have "hijacted" the DNS.


The first "hijack" was Versisign wildcarding unregistered .com and .net domains (https://en.wikipedia.org/wiki/Site_Finder). The second was OpenDNS redirecting Google searches to an OpenDNS proxy (http://web.archive.org/web/20120518025819/http://www.opendns...).[1] The third is the EDNS client subnet extension.[2]

1. Acording to the keynote this led to the creation of Google Public DNS "within 45 days".

2. If I am not mistaken, OpenDNS was an early proponent of EDNS client subnet adoption.

TLDR: "Dear Mr Andrew Sullivan, even though you already had extensive meetings and plans to sell and you are fully aware of the damage you'll cause, and have decided instead to take the money and run, please reconsider."

Why would someone so greedy and tone deaf possibly give a damn about such a letter? He's walking away a rich man and he already made his choice fully knowing.

If you want to Save .org, abolish ICANN. It's time to take our medicine, ICANN with no oversight has predictably led us to an internet controlled by greed and corruption of a few wealthy elite.

Appealing to the greedy will get us nowhere.

We need to seize power, not to plead.

Does any one have a source for the rationale behind the sale? I was surprised it was even considered.

Read this: https://www.theregister.co.uk/2019/11/20/org_registry_sale_s...

It appears to be a corrupt inside job.

Wow, despicable. Thank you.

At what point does the internet community simply decide to fork the DNS root? I know it's a management nightmare, but the existence of an alternate root would put a cap on the value of the existing one.

Is there an effective direct action that can shake ICANN into some sense?

I don’t mean this as a serious suggestion, but as an example we could have a “drop dot org” month where resolvers refuse to forward queries to the ORG nameservers.

Not a great example because it would have a pretty negative impact on the domain holders, and no impact on ICANN. Can anyone think of a better example, equivalent to saying to ICANN “if you go ahead with this then we’re going to boycott dot org in a way that makes it worthless”?

Why do the resolvers need to follow what ICANN says to use for .org? They could revolt if coordinated

As a plan B. Is there any top level domain run by a non-profit where I can switch to long term?

If you mostly trust your local government, perhaps your national ccTLD would be fine?

Hmm, in my case this would be .de/DENIC. Seems to be organized as a cooperative with those members: https://www.denic.de/en/about-denic/members/member-list/ So not very promising.

But .eu/EURid seems to be a non-profit.

I've found it curious that while there's a relationship to trademark for US domains (the .com/.org/.net ones) in anti-cybersquatting law and UDRP, the USPTO doesn't have a mechanism to tie a domain to a mark.

This would be useful if we could register our marks and tie it to a domain, along with the standard application fee. At least for certain TLD's (.com would be a good candidate).

FWIW, I have a long history of dragging registrars through the mud to get clients' domains back. As of this time, I am in a dispute with GoDaddy over a domain that was deleted because GoDaddy sells a 'business registration' service. My client renewed this thinking it was for his expired domain, GoDaddy updated the WHOIS nameserver records and the site came back online. 45 days after the initial expiration GoDaddy dropped the domain without notice and a broker picked it up. I can't even go through UDRP on this because the client never registered their trademark.

There is no added value to justify doing this to .org.

It is rent seeking.

I think it is possible to do a "name drop" similar to a coin drop and either change the accepted ending for .org or remove ICANN's authority over namespace altogether.. One issue might be creating an acceptable authority for certificate registrar's, so let's encrypt has an explanation of what domains it confirms and how if not via the ICANN derived path.

If everything is as corrupt as some throwaway states why build a new domain registration system more free and open?

I know it's work however if done right (or better) a .org should be low cost for a NGO and how about a decent non profit tld so they could have it lower cost or free?

Sure it sounds hard but the automation and handling enrolling new domains is the real work

For more information about this transaction, please see this post from one of the Internet Society Board of Trustees members who voted for the sale (as did they all unanimously) - Why I Voted to Sell .ORG - http://www.circleid.com/posts/20191127_why_i_voted_to_sell_o...

When I ranted about how the transfer of DNS power under the Obama admin was a bad idea and stuff like this would happen I got called a crazy conspiracy theorist... I'm getting really tired of being right about bad things, the "I told you so" is very hollow.

It is OpenNIC you need to petition, so that they accept to cause a schism on the .org TLD

I also think ICANN is a very corrupt entity now, with very bad governance at the moment.

Serious question, what are the actual downsides of this, if any? Or is the backlash due to the "private equity" being associated with evil? Doesn't seem like anything is actually changing other than who issues .org?

I haven't read the 2019 rules, but if the letter is to be believed, the new rule creates:

> The power to implement processes to suspend domain names based on accusations of “activity contrary to applicable law.” The .ORG registry should not implement such processes without understanding how state actors frequently target NGOs with allegations of illegal activity.

Under the previous rules, the registry level could (more or less) resist being bullied into taking down a domain due to government pressure, though the government could implement a firewall and threaten other service providers. Now, though, a large country could say "we will block .org domains, or .org DNS resolutions, if you don't suspend an activist organization's domain globally," and there would then be a PROFIT MOTIVE to take down the domain GLOBALLY, as the value of the registrar would decrease if .org domains were blocked in that country. And this would be permitted by the 2019 rules. This gives censors tremendous leverage to implement censorship around the globe.

I'm all for the role of private equity in helping companies to grow - while there are certainly firms that operate in bad faith, the PE industry overall doesn't deserve the bad rap it gets in the media.

But IMO this sale should absolutely be disallowed from a humanitarian and international security perspective. The incentives are just too badly aligned.

It costs like 3$/year (or less probably) to register a domain name. But once you build your brand/website/etc you are tied to your domain name, which is tied to that registry.

This gives the registry huge leverage over you. That 3$ that it actually costs them to run it can increase to whatever price they think you will be willing to pay and you can't not pay it...you would lose your spot and identity on the internet. Its not like with registrars, like godaddy, ghandi, bluehost, etc... that you can switch between in like 24 hrs.

IIRC .orgs were price controlled, so the price couldn't rise, but with this takeover, the price controls have gone away.

PIR currently charges registrars about $9/year per domain, with registrars allowed to mark that up however much they want without restrictions-- AFAIK neither the "wholesale" price nor the actual price from registrars is currently price controlled by ICANN.

Regardless, I don't see how moving .org's operations from a non-profit (PIR) to a private equity firm benefits anyone, except the owners of said private equity firm. You're basically taking something that could operate at-cost and giving it a mandate to turn a profit-- the only way that happens is if prices go up. Likely a lot.

PIR is already a rent-seeking organization designed to fund Internet Society. They don't actually handle the registry at all. It's outsourced, they put it out to bid. If you look at financials, they are paying <$2/domain.

Yes, ICANN granted a monopoly to ISOC in the form of PIR, who have been allowed to increase prices consistently for years but at a capped rate. And they wanted more. As costs have gone down.

Then everyone at ICANN talks about not being a price regulator and free markets. Ignoring the fact it's a monopoly, and not one ISOC/PIR played any role in creating, it was a gift from ICANN. A perpetual, no bid, contract with ever increasing prices on a decreasing cost monopoly good.

> AFAIK neither the "wholesale" price nor the actual price from registrars is currently price controlled by ICANN.

Important point: just before this rigged bid went through, ICANN conveniently decided to remove the price cap for .org registry prices.

We can expect every .org owner, most of them non-profits and many not well-funded, to be squeezed and then shaken down for money. Not tomorrow, but it will start as soon as they think they can get away with it.

Serious question, did you even read the page? Specifically, the part where it makes specific complaints about the 2019 .org registry agreement, such as the ability to raise registration fees without ICANN approval?

So it goes up by $1 or $15, how does that hurt non-profits? They aren't going to out price other TLDs, the market isn't that elastic.

If you have already owned your .org, have used it in publicity materials, use it for all of your emails etc. then yes you are pretty much stuck with that domain no matter how much they jack up the price. So the domain is inelastic, that is a change in price will not significantly change demand for those who already own them.

Exactly. As a community, we have routinely given the advice to “own your identity” by buying a domain. Since most of the good com domains are long bought, someone newer to the internet is likely to have looked at org. If someone took us up on our advice in, say, 2014 that means that he or she has had a domain for five years. Five years to integrate that into a life in various ways, remembered or not. And now, that thing could cost $75/year with no recourse.

Then there are people like me. My org domain is so old it can legally drink and soon be able to run for Congress. What is it worth to me? $200/year? $500? $1,000? I don’t know and it sucks to have to consider yet another astoundingly high cost of “living” in a world that keeps going up in cost.

> So it goes up by $1 or $15, how does that hurt non-profits?

In the aggregate, that's many, many millions of dollars going into Ethos Capital's pockets at the expense of charities and other non-profit organizations.

Who says it stops at $15, too?

Registry can set prices for individual domains as well (see what Donut is doing). This means that a new domain could be priced $1, and renewal of WordPress.org set to $50, and npr.org to $50 million. What are you gonna do? Change your domain to something else? Yeah good luck.

It doesn’t have to be fair.

They could charge x.org $15 and y.org $150,000.

Have a look at The Register's article on the subject:


Evil or not, Private equity by definition is focused on maximizing profit.

You can do the math.

"issues" == "controls".

The worldwide non-commercial Internet being controlled by an unaccountable private corporation is evil on its face. Burden is on someone to prove otherwise.

Challenging to imagine any potential downsides of granting the management of a commons devoted to nonprofits to a profit-driven monopoly.

Uncapped fees that can be raised arbitrarily.

The few other types this happened, it has resulted in exorbitant prices across the board.

This is an example of rent-seeking.

Half-baked idea for an alternative to domains:

Let every site have a UUID, kinda like TOR addresses, and let the host/servers as well as users specify multiple human-readable shortcuts for that UUID.

So HN might get o4u20j4c9qwybv3u0p2hnxjq4k1n4vmcsvtvm2666kjn123 and no other site should ever get the same ID until the heat death of the universe, and you could access it by any name you want.

Something like that would be resilient to impersonation, takeovers, brand renaming, and other issues.

you're describing ip addresses and domain names

I'm talking about something akin to onion addresses:


Is there a reason why price caps on .org can't be restored?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact