There are some compelling use cases for .brand TLDs, especially when a given brand is a large company that has lots of different websites. Take Barclays for example. They're a bank, so they're obviously especially sensitive to security issues, and they run a bunch of different websites. Just using websites of the form barclaysfoo.co.uk is obviously unsafe, because it's rife with phishing opportunities since you're training customers to accept these kinds of domains and then some phisher goes out and registers barclaysblah.co.uk and users don't think twice about entering their credentials there.
Subdomains off barclays.co.uk are also not great, because cookies can be shared up to the domain level (intentionally or accidentally), and you don't want any risk of your potentially less secure marketing websites being compromised through CSRF or something and leaking access to sensitive login cookies on the actual bank's website.
So the best solution here really is to get and use the .barclays TLD. That way, there's no possible cookie/session-sharing security exploits since every website is truly a different domain, and only Barclays itself can register .barclays domains so customers can have trust when they see a .barclays domain that it is actually the bank they're dealing with. Additionally, there's fun security things you can do at the TLD level, like globally applying HSTS preloading, that Barclays isn't doing (but should be) and that we are.
And as for open TLDs, the existing generic namespaces like .com are heavily mined out and it's very expensive to acquire a decent domain name in them. So having all these other alternatives available now makes it much easier to get a decent domain for a reasonable cost, which is good for users (and bad for domainers, who I have no sympathy for). For example, I managed to pick up cyde.dev at the base registration cost, which I'll be putting some real content on at some point in the future. I think that's a pretty darn good, short, domain-specific domain name, and much better than anything I could've gotten on .com. cyde.com, by contrast, was registered way back in 2002, 4 years before I ended up going with my second choice of cydeweys.com. But I like cyde.dev better, so I'll be migrating stuff over to it.
It's interesting how you count organizational complexity, incompetence and (minor) technological shortcomings as a reason to create a whole new TLD.
It's convenient for the brand, but not a good reason to pollute the global namespace, especially as it sets the expectation that every organization worth something should have one.
> the existing generic namespaces like .com are heavily mined out
True, and the proper solution is to clear some up. The name authorities need some shaking up. Squatting should be made illegal/against terms and actually prosecuted/applied. Registering domains by 100s or even 100'000s you should not get discounts - you should get unaffordable price hikes. On ccTLDs maybe people could get a few free domains and then have to pay for everything extra?
> but not a good reason to pollute the global namespace
What does that even mean though? In what way is the global namespace being "polluted"? Adding more TLDs doesn't affect the existing ones. It's not adding scale problems that DNS can't handle. This seems to be a subjective concern; some people don't like that there are more valid TLDs now than there used to be. That's not pollution though.
> Squatting should be made illegal/against terms and actually prosecuted/applied.
Be very careful about asking for increased enforcement. It's a great way for the authorities to abuse their newfound power. Most people involved in this field do not remotely want more of this.
Also, domains are gonna have to cost $100s/year to fund all of this increased enforcement. How do you even define squatting? How do you prosecute it? This isn't remotely workable.
> Registering domains by 100s or even 100'000s you should not get discounts - you should get unaffordable price hikes.
How? TLD registries typically no longer even know the identity of the registrants. This would leave enforcement up to the registrars. How does a registrar solve the problem of people using multiple accounts to register domains? How do you solve the global problem that there are thousands of accredited registrars, and that people could register domains through many different ones? Without massive centralization, this is not a remotely workable solution, and massive centralization would be a "cure" much worse than the disease.
> On ccTLDs maybe people could get a few free domains
Free, or even low cost, domains are guaranteed to lead to abuse. Also, how do you individually allocate free domains to people?
> In what way is the global namespace being "polluted"?
There was a time you could name your hosts server1.dev and server1.prod. These days, what am I supposed to use for internal server communication, lest it some day resolve to something on the internet or a trusted CA creates a valid certificate for it?
Domain names were organized in a relatively stable hierarchy, with a set of registries. The way TLD registrations are going, all organizations will want their TLD and we will end up with a single centralized tree of innumerable registries.
You used to know what were the locally relevant domains. Now, is it <company>.co.ccTLD, <company>.ccTLD, or is it <company>.dev, or <company>.<company> or is it <company>.uno, ..gmbh, ..kaufen, ..kinder, or maybe <company>.wazoo, because why not? You get a link to or email from <your-ISP>.talk - is it legit, or a fake in a spamhaus registrar?
If you have a .bank, a .cafe, maybe a .shop, but you also do .trade, and .trading, and of course everyone wants to be .top ... of the hundreds of TLDs, are you supposed to register all that could apply and pay large sums for it, because people are going to type <company>.<whatever-i-think-it-is>?
If we create dozens(?) of new TLDs per year, no one will remember the difference between TLDs run by Nigerian scammers and those run by respectable businesses.
There never has been such a time. It has always been a mistake to use a fake domain name, even just on internal networks. This has caused problems as far back as the 90s, e.g. when companies merged and suddenly realized they had conflicting fake domain names upon connecting their networks and now lots of stuff started failing. For more information see: https://jdebp.eu/FGA/dns-use-domain-names-that-you-own.html
So the only time it has ever been safe to name your hosts server1.dev is within the past year, now that .dev is actually live and you can use a real globally unique domain name that you actually own, thus preventing any of the possible issues that have been there all along.
And there aren't any TLDs run by Nigerian scammers. You may be underestimating the difficulty, cost, and technical know-how of acquiring and running a TLD.
I'm sure ICANN would love to claim ownership of the entire name hierarchy, but I disagree. At least on my servers.
First problem with your suggestion - you don't own domains, you rent them. That can change, you have to pay, someone can forget to renew, etc. Though I agree, sometimes it is better to use proper registered domains.
When setting up limited scale server-to-server communication I really do not want to interact with DNS. It's all downside and no upside. Servers get names in a subdomain of a widely squatted invalid TLD, names with locally appropriate IPs go in a hosts file and I can be reasonably sure they get resolved to the proper IPs, or as a failure mode - none at all. With the occasional network layer security, it is important to get the IPs right.
If the need should arise, I can change the domain. I don't see how using a proper DNS name would be better instead of a clearly local one I can trust.
> TLD registries typically no longer even know the identity of the registrants.
Maybe they should know? Why do they pester me every year about my contact details? I think they also say my registration can be voided if I use fake info.
If you need a bunch of LLCs to register thousands of domains, your expenses go way up.
Not all registries need to work the same way. It should be sufficient if some applicable ones are rinsed.
> How do you even define squatting? How do you prosecute it?
Registering domains for the purpose of selling at a higher price.
If you look at the top domain holders, I'm sure it would not be that difficult to prove in court what the purpose of all those domain registrations are.
Civil proceedings would probably be better, at least for smaller squatters. If you squat lots of domains, you get a chance of someone hyperactive suing you, or making complaints to the registrar.
The reason is GDPR, plus whois privacy/proxy services.
How do you possibly know which domains were registered with that intent? That seems like it'd require mind reading. And who would be doing the enforcement? National governments? Good luck with that. Squatters would just operate out of the countries that don't care.
I own roughly a dozen domain names. Most aren't in use. I didn't register these with the intent of reselling them, but if someone contacted me offering me a thousand bucks for almost any of them I'd take that deal. I suspect most other people would too. Does that make us all squatters? Should we be arrested and prosecuted?
> Free, or even low cost, domains are guaranteed to lead to abuse. Also, how do you individually allocate free domains to people?
You go to a government site with your electronic national ID (some countries have those) and request 2-3 domains that are free. You only get to change a free domain 1x per year or maybe longer.
Doesn't apply to all countries, but how would that be worse than what we have now? Everyone could have email and websites on their own domains, probably even hosted for free - that's decentralization/freedom.
So you'd have to go wait in line for hours at the DMV to get your domain names? That sounds strictly worse than what we have now, and would be way more expensive for governments to administer (as ccTLDs would now be a cost center rather than a profit center).
We don't have DMVs here, we are required to have national eID cards, which we can use to log in to government sites to do tax returns and stuff. It's government, so it would cost a lot, but it shouldn't be too much to implement limited per-person domain registration. In USA it would be harder.
Administrative costs - additional domains can and should cost more. You can collect fees from companies that don't want to be reliant on that one guy, or just call it a day, give a domain for free to companies and call it administrative expenses. How much does it cost to run a ccTLD?
> Just using websites of the form barclaysfoo.co.uk is obviously unsafe, because it's rife with phishing opportunities since you're training customers to accept these kinds of domains and then some phisher goes out and registers barclaysblah.co.uk and users don't think twice about entering their credentials there.
This is a case for a better structured web, not for giving up meaningful hierarchies altogether. It shouldn't be possible to register a .co.uk domain unless you are a company that is registered in the UK and can be sued. Ideally companies also shouldn't be allowed to use TLD not designated for them so barclays.awesome etc. is suspicious. A namespace like .bank.uk would be even more secure.
> Subdomains off barclays.co.uk are also not great, because cookies can be shared up to the domain level (intentionally or accidentally),
There is no reason we can't treat barclays.co.uk like a top level domain for some purposes, using a mechanism like the public suffix list.
> But I like cyde.dev better, so I'll be migrating stuff over to it.
So the new TLDs encourage people to migrate, thus changing URLs and frequently breaking them by not bothering with redirects.
There are lots of these TLDs with restrictive registration policies based on who you are and they tend not to do very well because they're too much hassle and they suffer from a chicken and egg problem; not many people use them so there's little added benefit since the average user isn't aware that they're more restrictive, and then since it doesn't really matter to users potential new registrants don't bother with the increased hassle and cost.
The problem here is that the hassle-free alternatives exist and are open to entities for which another namespace has been designated in the first place.
I'm not following this argument, because the kind of reorganization you're asking for here is impossible, whereas simply creating new TLDs is relatively easy and has thus actually occurred. There are how many millions of already-existing .co.uk sites that aren't companies registered in the UK, so how is your suggestion even possible? This horse has long left the barn.
You are proposing linkrot on an unimaginable scale. You're talking about breaking the Web, on purpose. It will never happen, and for damn good reasons. This horse left the barn several decades ago.
Your proposal would break it an order of magnitude more, easily.
Also keep in mind that domain names are treated as property in most jurisdictions. You cannot take away someone's foobar.co.uk domain just because you want to retroactively change policies. It's not even possible from a legal standpoint.
I'd agree with this except that they are not selling those TLDs for 10 bucks or 12 bucks - if they like the dictionary word for it or it's short enough the .dev TLD will charge you 720 dollars per year flat even though there's no pressure on the demand of a million different TLDs.
Just checked google for a word earlier this morning that was free and balked at how stupid this TLD land grab is, unless you own or manage one.
If that domain didn't cost that much it's not like you'd be able to buy it for $12 now anyway. Instead, some domainer would've bought it milliseconds after launch, along with thousands of other speculative domains, and you'd be looking at a parking page right now with a listed sale price of 4-5 figures. Domainers play a VC-style game; one sale needs to cover the cost of lots of losers, and there are lots of big players out there with deep pockets and specific needs, so prices are high.
Economically speaking, an auction is the best way to fairly and efficiently allocate scarce resources.
It's not scarce though, it's completely artificial scarcity.
Just because an auction means that people can't buy up every domain doesn't help anyone at the end of the system - it just ensures that domain name registrars capture the "value" instead of the scammers, the end user still gets a shitty deal.
So yeah, it's stupid, and the system has only been fixed enough to keep getting itself paid.
It's very real scarcity. We're talking about a single unified globally unique namespace, that must serve billions of potential registrants. There are only so many short strings and common dictionary words available, and way more people want them than can get them. So a domain like e.g. clothing.com, or clothing.{some other popular TLD} is absolutely a very scarce economic good in a real sense. It's more scarce than almost anything else I can think of; most products are fungible and more can be manufactured to meet increased demand, but you can't sell multiple copies of the same domain name. A good domain name is like an original artwork by a known artist, in scarcity and in price.
No, way more spammers want them than can get them - most people don't own a domain name hence the word "potential".
Clothing.com is definitely something several people/businesses want, certainly, and having an actual auction for a good multiple users want isn't nefarious, it's the "as the domain registrar to prevent middle men from capturing the value I will automatically do it instead" that is.
If you want to make it less so, offer some service to stop ripping off individuals who want to buy one domain - is there possibility of abuse there? sure? but who's making all the money here?
There's no one bidding (except in an abstract sense of wanting to own it all) on the domains I am talking about - they are free to register at any time as long as you can pony up the cash.
So who you propose runs the auction then, and who keeps the proceeds?
As for everything else you're proposing, I'm not sure I understand how it'd work. How do you "stop ripping off individuals who want to buy one domain"? If .web launches tomorrow and a thousand people want clothing.web, how do you allocate it without holding an auction? If you do a lottery, how do you know that each entrant is a bona fide person and not a ticket box stuffer? I'm not seeing workable solutions being proposed here.
On the domains you were talking about, there was an auction when the TLD launched, and those names just weren't taken during said auction. Plenty of others were.
The main issue is not the really scarce ones. As you've said:
> some domainer would've bought it milliseconds after launch, along with thousands of other speculative domains..
This is misallocation, which is an entirely different issue, and a more pressing one. And yes, I would put those guys in jail, as long as it was done fairly - their squatting may be worse than stealing.
So, what, barclaysfoo.bank, barclaysbar.bank, etc.? It's still clunky, and is still training users to accept an even more insecure naming pattern (because now they need to look for the barclays prefix and the .bank TLD; if either of those is off, it could be an attacker's site). Plus, is Barclays supposed to secure some assurance from the TLD operator that the prefix "barclays" is theirs alone, and that no other such domains will be created for other entities? That sure sounds like a namespace of its own at this point, except without the syntax making that obvious.
Never mind that Barclays provides more services than just banking, so a lot of their existing websites aren't suitable for .bank, and now you're gonna have their Web presence scattered to the winds across various TLDs.
Full disclosure, I run .dev (but not .barclays!).
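The cookie-scoping points argued in this thread (subdomains of barclays.co.uk sharing cookies, a .brand TLD avoiding that, and the public suffix list suggestion), worked through as an added example that is not part of any comment. It is a simplified model of browser cookie domain rules; the hostnames, the tiny rule set, and the function names are constructed for illustration.

```javascript
// Constructed, tiny stand-in for the public suffix list (the real list is far larger).
const BASE_RULES = new Set(["com", "uk", "co.uk"]);

// Longest matching rule wins; with no match, the list's default rule "*"
// makes the last label (the TLD itself, e.g. "barclays") the public suffix.
// Simplification: wildcard and exception rules are not modelled.
function publicSuffix(host, rules) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (rules.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// RFC 6265 domain-match: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Would a browser store a cookie that setterHost sets with Domain=domainAttr?
// Simplification: the host-only fallback for setterHost === public suffix is omitted.
function cookieAccepted(setterHost, domainAttr, rules) {
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (publicSuffix(domain, rules) === domain) return false; // cookie on a public suffix is refused
  return domainMatch(setterHost, domain);
}

// Can a cookie set by setterHost with Domain=domainAttr be sent to targetHost?
function cookieReaches(setterHost, domainAttr, targetHost, rules) {
  return cookieAccepted(setterHost, domainAttr, rules) &&
    domainMatch(targetHost, domainAttr.replace(/^\./, ""));
}

// Hypothetical hostnames for the three arrangements discussed in the thread.
function scenarios() {
  const withPrivateEntry = new Set([...BASE_RULES, "barclays.co.uk"]);
  return {
    // Subdomains of one registrable domain: the marketing site can scope a
    // cookie to barclays.co.uk and it is sent to the login site.
    subdomains: cookieReaches("marketing.barclays.co.uk", "barclays.co.uk",
                              "login.barclays.co.uk", BASE_RULES),
    // .brand TLD: "barclays" is itself a public suffix, so no shared scope exists.
    brandTld: cookieReaches("marketing.barclays", "barclays",
                            "login.barclays", BASE_RULES),
    // Public suffix list suggestion: listing barclays.co.uk isolates its subdomains.
    pslEntry: cookieReaches("marketing.barclays.co.uk", "barclays.co.uk",
                            "login.barclays.co.uk", withPrivateEntry),
  };
}

console.log(scenarios());
```
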