The fact that private entities can monopolize gTLDs, including words that aren't even made-up or reasonably copyrighted (e.g. the MAN group in Europe owns .man) was an embarrassing and dishonorable decision by ICANN. I'm all for having tons of weird, awesome gTLDs, and I'm even for brand-specific gTLDs like .google, but the cost these entities should incur by asking for one to be created is: Anyone can use it.
1. A set number of slots should be opened every 10 years (e.g. 250 new gTLDs every ten years).
2. Entities submit bids for the gTLD slots, in terms of dollars. The 250 highest bids win.
3. If your entity wins a slot, you submit the gTLD you want, and there's a public comment period where claims against the gTLD being created are heard (e.g. if you own the copyright in some jurisdiction and someone else is trying to register it, submit a claim).
4. If it passes, your entity is allowed to register a set number of TLDs on the gTLD (e.g. 100) before anyone else gets access. This is what you bought: The fact that the gTLD exists, and the first 100 domain names on it without competition.
5. It then becomes a real gTLD.
Some variant of this is how it always should have worked, and entities like Google should be forced into a Sophie's choice: They could fight .google indefinitely, win, and it'll never become a gTLD, or they could sponsor it, claim the first N domain names, but otherwise make it available to everyone. Of course, they might actually have valid jurisdictional claims against anyone else who tries to register a .google domain on copyright grounds, so maybe they fight and win in the courts against anyone who tries to use it; but the point is that it shouldn't be ICANN's decision.
Nah. Don’t make it complicated. Open the root zone to everyone, we don’t need suffixes anymore other than for leeches to make money. Distribute the responsibility for the root zone, kill off the pest that is the TLD industry once and for all. Domain owners can pay a uniform flat fee to IANA shared among all participating entities that keep the infrastructure up. Everyone can have their own, freely choosable TLD. Trademark holders have a right to claim, with some dispute process similar to what we have now.
This requiring it to be open to everybody is an odd wish, to me. It would seem to discourage something that I don't think is a harm to anyone else: Getting your brand as a TLD (.google being a great example). Google has a trademark on "Google," so no one else can make non-mischievous use of .google anyway. If they had to let random internet critics and trolls register theworst.google and ihate.google they just wouldn't make one, but that wouldn't make anyone else any better off, especially in the real world we live in where most people still do a double take at TLDs that aren't com, org, edu, or gov (or their nearest country code).
Maybe if we'd always had .yahoo and .aol from the beginning these brand TLDs would be a big signifier of legitimacy and thus we'd be worried about how only big corporations can afford them, but not being able to afford one in our current universe is no handicap in my humble opinion.
Well it's tricky. I don't really have a problem with google owning the .google TLD, because that is a pretty unique name, and is unlikely to be useful for anything unrelated to Google. Similarly for .walmart or .microsoft. But .apple is a problem, because it is a common English word, and it isn't unreasonable for say an apple orchard, or an apple cider company to want a .apple domain. Similarly for other brand names like target, zoom, uber, plaid, etc. Even .amazon fits here since it is also the name of a river, a rain forest, and a mythological group of women.
But where do you draw the line? How do you decide if a company should be allowed to get a gTLD for their brand? Clearly, having a trademark is not sufficient, as it is possible to get a trademark on a common word, and it is possible for multiple companies to trademark the same word as long as there isn't a risk of confusing them. Is it fair to let google and microsoft get such TLDs for their brands, but not apple and amazon?
Is it tricky? If you have a trademark, you can have a gTLD - simple as that.
Because the problem is how can apple have a trademark on the word “apple”?
For me, the same rules should be enforced for trademarks because an apple orchard might also like to have a trademark but that’s difficult because “apple” is already a trademark.
Edit: as pointed out in the comments, this position doesn't take into account that trademarks are very much national and cultural.
Perhaps one day gTLDs will become free (once the gold rush is over) just as SSL/TLS certificates did with the arrival of Lets Encrypt.
Trademarks are not globally unique (even within a single country!).
A good example of this is the long running legal dispute between Apple Computer and Apple Music, who each held a trademark on "Apple" in their respective domains, and which prevented the Beatles from playing on iTunes for a decade...
The problem isn't that trademarks are country-based but that trademarks are business area based. You can have multiple trademarks for the same word for different companies if the companies do different things. Apple doesn't have the right to prevent you from using the word "apple" to sell lawn mowers.
There was a fight between Apple, the computer company and Apple, the record company (initially owned by The Beatles).
They initially resolved it by The Beatles allowing the other one to keep its name on the condition they would refrain from entering the music business.
Quotas are sometimes applied to create value of a simple asset aka scarcity (or a bureaucrat tax). Think limited number of taxi medallions or street vendor or liquor licenses. That makes the medallion/license/gtld hold value.
I’m not making an argument for quotas, just explaining why they usually are included. It’s a cheap way to add “market” value to something aka scarcity.
The issue would occur in the suggested system when ICANN decides to one day stop creating 250 domain names down to 25 domain names or some such change that increases the value of the gtlds to ridiculous numbers only the wealthy/well-connected can afford.
Because capitalists run ICANN. Or because adding a monetary barrier reduces spam. If creating a tld is free then there is no system or at least no ICANN.
That was the idea, but from my memory, people chose their own meaning and conventions pretty much from the start. So much about the internet was envisioned with a completely different use case than what it actually was used for, it’s amazing things even kinda worked out in the end.
DNS allows search so we really should have started rejecting everything that isn't qualified with an end dot as punishment to ICANN. Instead random common names might be treated differently on every network to make sure these people can't issue certs that will be trusted for them in your own network, etc.
Now prioritizing unambiguous naming would be somewhat acceptable if ICANN was tacobell and just a steward of naming on the side.
I'm not sure what you mean by "DNS allows search" -- by the usual definition of "search", the DNS doesn't: it is a lookup mechanism. I'm also not sure who "we" are in your idea or what you mean by "qualified with an end dot": all domains that get looked up implicitly have a "." (a zero length label that signifies the end of the query name) if it isn't explicit.
If you are not a consumer on an ISP emulating dialup it is quite likely that a popular name in a naming convention, i.e. 'mercury', resolves to something for you and something for someone at a different firm (mercury.intranet.[firm].not-so-stupid-tld). A cert is possibly not a fully qualified one so when ICANN gives away mercury you need to append .asshat to everything ICANN names.
(Two firms have an unambiguous situation because they don't trust each others private roots but they both trust a cert issued for the public trust as a fqdn which is why TLDs expanding is a form of theft/breakage against every intranet..)
Ah, resolver (not DNS) search paths. They were a really bad idea that can and do lead to leaked queries that can result in all sorts of unpleasantness and risks.
As for certs, AFAIK, you can't get a certificate for a non-fqdn from a public CA since 2015.
If icann sells www as a tld domain then your use of www as a machine name you may refer to unqualified is a risk because virtually every piece of software in the world respects public issuance until you delete it all if you can.
The DNS naming confusion was largely dealt with by having a small number of TLDs and rarely referring to complex things like partially specified subdomains, but every once in a while a fool named their machine com, org, or net. (Though these as subdomains were far more toxic.)
I've done plenty of interesting things but a distributed correction attempt for ICANN's incompetence is never going to be adequate. You can read their own work on gTLDs in the past to know they understand this.
There's no leak being discussed. Everyone in the world sets resolving and it is what it is with the current TLDs when ICANN needs more coke money they possibly break every node in the world and a distributed group of thousands has to look if something bad happened.
There is the argument that ICANN should no longer be consulted ever by nodes of consequence but that is an argument that they have failed 100% in their responsibilities.
If you don't care at all about zone delegation and global resolution then you obviously don't have an opinion on how to evaluate ICANN's stewardship of global domain delegation.
We have run out of IPv4 addresses but "there is NAT" is not a satisfying answer to start. But "we have let ICANN pollute naming so let's implement shadow naming everywhere" is an even less satisfactory answer.
I think that the scenario here is where the queries are explicitly not leaking, and you've raised a red herring.
If I understand correctly, the scenario is an internal machine named "george", which is being properly search-pathed and looked up as "george.example.org." with nothing leaking anywhere, becoming vulnerable to Walmart being able to issue certificates in the name "george", because the DNS client library's search pathing is not read out by the layers that simply know the machine as "george".
I'm not totally convinced by the premise here that certificate checkers never read out the final fully-qualified domain name from getaddrinfo().
This isn't a red herring at all. This is DNS resolution and client PKIX implementation. You could fix your whole network to not import anything from outside, ban all BYOD, etc, or you could fire ICANN clowns who think they need to make changes to the reserved list because, why? Money, corruption, self importance?
HN is full of people from SaaS startups who in essence want to buy the perfect 900 number. But DNS and delegation goes far deeper than selling one name for $20 and going to other $20 names to store your code and email at other SaaS providers.
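The sub-thread above turns on how a stub resolver expands an unqualified name like "mercury" or "george" through its search list, and when that expansion sends a query to public DNS where a newly delegated TLD could answer it. The following is an added example written for this page, not code from any commenter: it simulates the search-list ordering documented in resolv.conf(5) (trailing dot disables search; a name with at least `ndots` dots is tried as absolute first, otherwise the search domains are tried first). The internal zone `corp.example`, the hypothetical new TLD `.mercury`, and all addresses are constructed for the demonstration.

```python
# Added example: how a stub resolver's search list and the "ndots" rule
# decide which query names leave the internal network.
# All zone data here is constructed; ".mercury" is a hypothetical new TLD.

INTERNAL_ZONE = "corp.example."  # assumed internal zone served locally
INTERNAL = {                     # constructed internal records
    "mercury.corp.example.": "10.0.0.5",
    "george.corp.example.": "10.0.0.7",
}
PUBLIC = {                       # constructed records under the hypothetical TLD
    "mercury.": "203.0.113.10",
    "www.mercury.": "203.0.113.11",
}


def candidates(name: str, search: list[str], ndots: int = 1) -> list[str]:
    """Fully qualified names a stub resolver tries for `name`, in order.

    Mirrors resolv.conf(5): a trailing dot means "absolute, no search";
    a name with >= ndots dots is tried as absolute first, then with each
    search domain appended; a name with fewer dots is tried with the
    search domains first and as absolute last.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    searched = [f"{name}.{domain.rstrip('.')}." for domain in search]
    if name.count(".") >= ndots:
        return [absolute] + searched
    return searched + [absolute]


def resolve(name: str, search: list[str], ndots: int = 1):
    """Return (address or None, list of query names sent, in order).

    Stops at the first candidate that has a record, exactly like a
    resolver that accepts the first non-NXDOMAIN answer.
    """
    sent = []
    for qname in candidates(name, search, ndots):
        sent.append(qname)
        if qname in INTERNAL:
            return INTERNAL[qname], sent
        if qname in PUBLIC:
            return PUBLIC[qname], sent
    return None, sent


def leaked(queries: list[str]) -> list[str]:
    """Query names that fall outside the internal zone, i.e. the ones a
    corporate recursive resolver would forward to public DNS."""
    return [q for q in queries if not q.endswith("." + INTERNAL_ZONE)]


if __name__ == "__main__":
    search = ["corp.example"]
    for name, ndots in [("mercury", 1), ("www.mercury", 1),
                        ("www.mercury", 2), ("saturn", 1), ("mercury.", 1)]:
        addr, sent = resolve(name, search, ndots)
        print(f"{name!r:16} ndots={ndots}: answer={addr} "
              f"queries={sent} leaked={leaked(sent)}")
```

Two things fall out of running it. The bare name "mercury" never leaves the zone while an internal record exists, which is the case the "george" comment describes. But "www.mercury" with the default ndots=1 is tried as an absolute name before the search list, so the public ".mercury" answers first and the internal zone is never consulted; raising ndots only changes the order, and an internal name that does not exist (here "saturn") always ends in a public query for "saturn.", which is the name collision an existing intranet convention cannot prevent once the TLD is delegated.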
With AI churning out a pretend blog or news site or web shop in a few minutes, that would be hard to enforce. I’m with you on the necessary death to TLDs, though.
The weird thing is, are they even meaningfully used? I don't think I've ever seen a .google URL in the wild, neither for their websites nor for API endpoints.
The Open Root Server Confederation has long since been wound up. But some of the other alternative root servers are still around even now. One example:
Blame ICANN for allowing any public or private organization who can meet the requirements to buy and operate a gTLD back in 2012: https://newgtlds.icann.org/en/applicants/global-support/faqs...
And as per another comment in this thread, they’re doing another round of this in 2026: https://news.ycombinator.com/item?id=45068328