As Deadly as a DDoS: ICANN Unleashes the Whois Accuracy Program (easydns.org)
107 points by ivank on Mar 16, 2014 | 63 comments

The title is pretty much linkbait.

If you change registrar-level things about your domain, they're now required to confirm your contact info with you. This isn't a "DDoS", or "deadly", or any of that nonsense: it's a new strategy to ensure whois data stays updated.

Whether or not it's an effective strategy for keeping whois data accurate is another debate (I don't think it is), but talking about it like some malicious act is pointless.

I agree that the title is linkbait, but an ineffective amount of bureaucracy can definitely be turned or perceived as malicious.

I read about this originally when they made the rule and it seemed arcane and ridiculous; I don't know how it ever was passed. I believe everyone who has some experience with whois info knows the information is either false or hidden behind privacy emails and contact information. If they are not, they are subject to annoying or even abusive misuse. (I remember someone back in the day calling me repeatedly because they found my website after I beat them in some video game; the internet is filled with nutters.)

If ICANN wants to know the details, I don't care, but if all the internet wants my phone number, they can take a long walk off of a short pier.

The end of the article raised a good point though: this is going to train people to click on links in emails that look like they came from their registrar.

That's bad.

The registrar is public information. The registrant's contact information is public (or at least publicly accessible). So, wait a year for people to get accustomed to clicking on links in emails from their registrar, pick a target domain, forge an email from the registrar, send it to owner contact with a link to a phishing page. Congratulations, enjoy your new domain.

The email address doesn't seem to be the thing registrars should be "validating" about contact information, anyway. Shouldn't my registrar be calling/texting a code to the included phone number, and sending a letter with another code to the included mailing address?

If ICANN really wants whois information to be accurate they should require registrars to provide functional privacy screens including email forwarding for no charge or at most a nominal fee. And then build a common process to break the screen in the event of a reasonable and unresolved complaint (or legal requirement).

If you knew any of the people involved in pushing the agenda that led to the policy, you wouldn't be so quick to discount the view that this is a malicious act.

It's still dodgy when it comes in via email along with all the usual phishing and 419 crap.

A troll once tried to take one of my websites off-line by reporting to ICANN that the whois info was fake:


That was... interesting.

Good timing on the troll's part as I was migrating from 123-reg to Gandi at just that moment and had to persuade both of them that I was who I said I was and that the info was correct.

If I recall correctly it involved proof that there was a company behind it (company registration documents), proof that the address for the company was correct, and proof that I worked for the company and had the right to represent it.

It's pretty scary to think that your domain might be pulled, and the web properties and email with it, based on a third party report.

At least with this proposal a 15-day window to verify details when you change info is an expected thing.

Oh, and ICANN sent the notification via the registrar to the admin email on the domain... make sure you're monitoring all of those email addresses.

This is apparently so the physical mail spammers can send me more physical mail along the lines of "This is the Domain Registry of America! Pay us $1000 to keep your domain!"

Uh, no. Where's the FTC when I need it...

I got email from the people who run .us domains demanding a photo of my driver's license to prove I'm American. They did not understand why I might think they were scammers and want them to verify their identity first, nor did they understand how to verify their identity.

Are you sure it was them? Having a verified personal identity is not a requirement to have a .us domain. All you need to prove is that you have "a bona fide presence in the United States of America or any of its possessions or territories [Nexus Category 3]."

(It goes into detail claiming that you need to "state" your country of citizenship, but not that you need to "prove" your country of citizenship. An identity document is massively overreaching, IMHO. I never had to prove anything to get jrock.us, and if I have to, I will move the domain.)

I ended up thinking it was not a scam but being uncomfortable. It's possible I had originally put a fake address for my whois info, possibly triggering this, I forget. I'm not 100% sure.

Here are the people; I spoke with them on the phone: http://www.neustar.us

Here is their first email, in April 2011:


As you may be aware, in November 2001, the United States Department of Commerce ("DOC") selected NeuStar, Inc. ("NeuStar") to be the Administrator of the .US top-level domain ("usTLD"), the official top-level domain for the United States of America. As Administrator of the usTLD, NeuStar has agreed to perform random "spot checks" on registrations in the usTLD to ensure that they comply with the usTLD Nexus Requirements which can be found at http://www.neustar.us/content/download/2659/32865/ustld_nexu... ("Nexus Requirements").

Our records indicate that you are the registrant of the domain name CURI.US.

On April 28, 2011, this domain name was selected for Nexus revalidation and confirmation. According to the information you provided with your registration of this Domain Name, you indicated that you qualify under:

Category 1 - You are a US citizen or permanent resident

As part of our verification process, we ask that you provide to us by no later than ten (10) days after the date set forth above, a written response describing how you qualify under the above Nexus category.

In addition, please verify that the name-servers that you have selected to use are also physically located within the United States as required by the Nexus Requirements.

In some instances, we may request additional documentary evidence from you to demonstrate that you meet the Nexus requirements.

You should be aware that if you either (i) do not respond within the ten (10) days, or (ii) are unable to adequately explain or demonstrate through documentary evidence that you meet any of the Nexus Requirements, NeuStar may issue a finding that your entity or organization has failed to meet the Nexus Requirements. Upon such a finding, you will then be given a total of ten (10) days to cure the US Nexus deficiency. If you are able to demonstrate within ten (10) days that your entity or organization has remedied such deficiency, you will be allowed to keep the domain name. If, however, you either (i) do not respond within the ten (10) days of such a finding of noncompliance, or (ii) are unable to proffer evidence demonstrating compliance with the Nexus Requirements, the domain name registration will be deleted from the registry database without refund, and the domain name will be placed into the list of available domain names.

Thank you for your cooperation in this matter. Please let us know if you have any questions.

Kind Regards,

John
.US Nexus Compliance
NeuStar
.US America's Internet Address
Email: nexus-compliance@neustar.us

I would love to hear how that played out, actually, if you don't mind.

Well their SSL cert on their website was invalid (just expired) and there was some kinda mention of them on some government site somewhere that wasn't quite clear enough IMO.

They got bored of trying to prove their identity and just said, like, "whatever, verify your identity or you'll lose your domain". I ended up phoning them with the number on the site with the invalid SSL certificate, getting the person I'd been emailing with, and she said I could black out the driver's license number on the photo. I ended up sending it that way. I think they were just stupid, not scammers. That was years ago and nothing bad has happened yet to my knowledge.

Is that what they say?

Yes, I have gotten physical mail with exactly that pitch.

Hopefully not since 2003 when the FTC had a court enjoin that specific company from making misleading statements about renewals in their postal mail.

The mails they send out now look like this:

"As a courtesy to domain name holders, we are sending you this notification of the domain name registration that is due to expire in the next few months. When you switch to Domain Registry of America, you can take advantage of our best savings. Your registration for _______ will expire on _____.

You must renew your domain to retain exclusive rights to it on the web, and now is the time to transfer and renew your domain from your current registrar to the Domain Registry of America.


This notice is not a bill. (bold) It is rather an easy means of payment should you decide to switch your domain name registration to Domain Registry of America."

Followed by the pricing table and write-in order form. Still junk mail, but not falsely representing themselves as your current registrar.

I get these mails all the time too, and unfortunately I actually have to pay one of them. Some 12 years ago or so, I helped a neighbor who runs a local charity by creating a website for her annual event, pro bono. Even though she paid for the domain, the billing contact info was changed to my address (perhaps by her, when someone asked for a technical contact), and transferred to DROA. I don't live in that area anymore or have contact with this neighbor, and I'd rather not track her down with a bill nor let the domain of her charity expire, so I've been dutifully paying the marked-up DROA renewal every year.

It was past 2003. I think I registered jrock.us in 2004.

But yes, they may have mentioned "this is not a bill", but if they did, the font was so small as to be unreadable. I knew it wasn't a bill because I knew that my domain was registered through someone else.

Yes, I just got one. It's extremely misleading.

There is print that says "this is not a bill" about 6-10 sentences in, but is hardly discoverable without careful consideration. Considering the whole page is covered by text, most people would skim and think "oh shit I owe money don't I?!"

I still don't understand why you even need to have an 'identity' to register a domain. They should be happy with a valid email address and leave it at that.

Takedowns and law enforcement.

How is this different from all the other online services that require you to click a link in an email in order to verify it, and refuse to give you full membership until you do so?

Some of the registrars I use have implemented this policy lately. Turns out it's a non-issue as long as your contact info is valid and up to date (which it should already be).

It doesn't conflict with whois privacy, either, contrary to all the FUD that gets spread around. Any whois privacy service that is worth the cost will forward the verification request to your real email address, and if it doesn't, you should switch to a better service. Using a crappy whois privacy service with no email forwarding is a surefire way to lose your domain anyway.

"(which it should already be)."

No, why should domains be required to be attached to an individual person?

Domains are required to be attached to an email address that can actually receive emails.

An email address is not an individual person.

It's different because in all other services where you are required to verify your identity, your services do not start working until you do so.

This applies to domains that are already working. If you update your whois record and don't do this, it stops working.

Big difference.

The domain name industry is a dirty scummy dishonest business. There isn't a company one can deal with that at some point won't make you feel like you're forced to work with crooks just to get an online presence.

Don't tell my mom I'm a domain registrar! She thinks I'm a webmaster for a cyberporn website.

ICANN is a mafia! They did this to actually force some old domains to get back into the market. ICANN as an organization will profit little from this, but the people bribing them (domainers, auction sites, domain escrows, etc.) will vastly profit from it. Imagine what would happen if somebody sends you a letter and they get back a letter saying that you cannot receive the letter as you didn't verify your name with USPS? It's 2014 and things like redemption period and fees are daylight legalized scams. I cannot believe that we allow ICANN to do whatever they want with us for so long!

Actually, this whole thing was included under pressure from law enforcement agencies (LEAs). Registrars, registries, and ICANN themselves would much prefer we stuck with the old WDRP regime where all that happens is that the registrars periodically ask that registrants verify that the information provided is correct. This new LEA-mandated nonsense is nothing but a drain on registrars (which is a business with thin margins as it is).

Also, redemption isn't a scam, it's a fine to discourage people from making ridiculously late payment! You're given a 45 day window after a domain expires to pay for the renewal before the domain ends up in redemption, and registrars are required to send at least three separate reminder emails at specific intervals to tell you the domain is expiring or has expired. If you can't pay your bills within 45 days, ICANN, the registries, and the registrars aren't the problem: your own incompetence is the problem.

No, ICANN is legitimized fraud. You can be 90 days overdue with utilities and you pay a relatively small fee. Phone companies don't give your phone number to your competitor or auction it. This is ridiculous! If the annual fee is $10-15, one shouldn't charge $150 for a redemption (i.e. extortion fee)!

It's called an 'expiration date' for a reason: that's the date you're supposed to have paid for continued service by. The grace period (and the redemption period) are leeway. It's in no way an extortion fee: you're given plenty of notice before the domain expires, and if it ends up in redemption, you only have your own incompetence to blame.

Also, you don't own the domain, it's a lease. If you let a domain expire and a competitor snaps it up, that's on you, not the registrar. You can initiate UDRP actions to recover it, but it's your fault.

Is this supposed to stop people from registering using fake information? That's cute. Any criminal worth their salt will forge that info (including paper scans) in a jiffy. One more inconvenience for 95% of the users.

Okay why are we still using a centralized domain name system with authorities? Do we enjoy the crazy keyholders from various countries meeting in secret thing?

We can have many decentralized ways of registering and transferring domains. Namecoin is one, but how hard is it to decentralize the DNS database?

Alternative DNS roots exist [1] but they're not going to receive widespread adoption as the current system is deeply ingrained into how the Internet works, and works well enough. Even if it was massively flawed, people would still be unlikely to change to something new in a timely manner due to network effect - just look at the poor adoption rate of IPv6 despite IPv4's inadequacies. Or our continued reliance on SMTP with all its problems.

[1] https://en.wikipedia.org/wiki/Alternative_DNS_root

To honestly answer your question: the we you refer to isn't in control / power.

The system is centralized because the control over nations is centralized. It will remain that way so long as political power remains centralized. Particularly given the immense importance of the internet economy now to most major nations. The political powers that be are not about to let go of something so important. The domain name system is a huge point of control over national and global economics. If I were a standard issue politician, I'd make you pry it from my cold dead hands.

What is to prevent an open source DNS server from being deployed all around the world by various people? And browser makers would just add it to the list of servers once it gets big enough.

Until then, people could download a program or instructions that would add it, similarly to Google's DNS or OpenDNS

Except it would not use the regular DNS system on the back end, but supplement it with its own rules eg not taking a domain offline when registrars do.

Nothing except inertia. There are many alternative root operators. It's just that none of them have managed to convince enough people to use them.

Namecoin is a stupid idea, as many/most people can't participate, only people with botnets or dedicated mining hardware.

Alternate DNS roots are just scams, as the intention is to extract more money so people have to protect their name by not only buying many TLDs in the real DNS, but in an extra one as well.

> but how hard is it to decentralize the DNS database

It's an interesting question; how do you decide who to trust?

What is your complaint, exactly? I'd be happy to know that someone cannot transfer my domain out nor change my contact information without verification. 15 days is more than ample time, assuming I initiated the action. And what the hell does DDoS have to do with any of it?

Can this be done via a "click here to confirm" email, or does this require phone conversations with the registrar? I don't like registering domains using my real name.

Isn't there some rule that a domain must be registered with a real name, or it doesn't really belong to you (and all anonymization services for domains are therefore suspect)?

Only if the privacy service isn't run by the registrar the domain is managed by. You should have a read over ICANN's 2013 RAA: http://www.icann.org/en/resources/registrars/raa/approved-wi...

I got such an email from Namecheap yesterday, and confirmed it with one click.

And unlike the intended trigger for verification ("changes to contact information"), I didn't make any changes to my domain. Either a WHOIS cloak expired, or some other action by Namecheap triggered the verification step.

The email Namecheap sends out is very shady looking. I had to google around quite a bit before concluding it was genuine. The verification link leads to the domain raa.name-services.com and is not delivered over https. It looks exactly like I imagine a targeted phishing email to look.

That's the same domain they use in the e-mail you get asking you to review the accuracy of your WHOIS data. They send that e-mail for every domain you own, every year, as required by ICANN. For Namecheap customers, the domain should be familiar, after the first mail at least.

The subject line of those mails is: Important Notice Regarding Your Domain Name(s)

The new mails have a stronger subject line: IMMEDIATE VERIFICATION required for [domain]
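The commenters above list the things that made the Namecheap/eNom notice look like phishing: a link served over plain http, a link host that is not obviously the registrar's, and an urgent subject line. The script below is an added example (not from the thread, not from Namecheap or eNom) that turns those observations into a triage check you can run on a saved message before clicking anything. The allowlist, the sample e-mail and the link path are constructed; the only real host in it is raa.name-services.com, which the thread names as the verification domain.

```python
"""
Triage helper for registrar "WHOIS verification" e-mails.

Added example, not code from the thread or from any registrar. It
reports the signals the commenters describe: link scheme, link host
against an allowlist you maintain yourself, sender domain, and urgent
wording in the subject. Everything here is constructed except the
host raa.name-services.com, which the thread names.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: hosts your registrar (or its upstream provider)
# documents for verification links. Populate it from the registrar's
# own documentation, never from the e-mail under inspection.
KNOWN_VERIFICATION_HOSTS = {"raa.name-services.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENT_WORDS = ("immediate", "urgent", "suspend", "within 24 hours")


def extract_links(body):
    """Return every http(s) URL found in the plain-text body."""
    return URL_RE.findall(body)


def host_is_known(host, allowlist):
    """True if host equals, or is a subdomain of, an allowlisted host.
    A host such as raa.name-services.com.evil.example does not match."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in allowlist)


def triage(raw_message, allowlist=KNOWN_VERIFICATION_HOSTS):
    """Return links found, a list of findings, and a verdict."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    links = extract_links(body)
    for url in links:
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append("link not served over https: " + url)
        if not host_is_known(parts.hostname or "", allowlist):
            findings.append("link host not on allowlist: " + (parts.hostname or ""))

    # The From header is trivially forged, so an unknown sender domain is
    # only a reason to look closer; a known one proves nothing.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if sender_domain and not host_is_known(sender_domain, allowlist):
        findings.append("sender domain not on allowlist: " + sender_domain)

    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in URGENT_WORDS):
        findings.append("urgent wording in subject: " + msg.get("Subject", ""))

    return {
        "links": links,
        "findings": findings,
        "verdict": "review" if findings else "consistent",
    }


# Constructed sample message; the link path and token are placeholders.
SAMPLE_EMAIL = """\
From: support@example-registrar.invalid
To: admin@example.org
Subject: IMMEDIATE VERIFICATION required for example.org

Please verify your contact information within 15 days:
http://raa.name-services.com/verify?token=EXAMPLE
"""

if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    for line in result["findings"]:
        print("-", line)
    print("verdict:", result["verdict"])
```

The useful property is the asymmetry: a message that passes every check is merely consistent with a genuine notice, while any single finding is enough to go to the registrar's control panel directly rather than through the link.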

It's not Namecheap sending those out: Namecheap is simply an eNom reseller and the email you received was likely directly from eNom, with some Namecheap branding attached. *.name-services.com is used for various eNom-related stuff.

It can also be triggered by using the same contact with another domain being registered. Registrars aren't required to verify any existing contacts, but the moment there's an update, they have to. That said, if they want to, they can.

Also, Namecheap is an eNom reseller, so you actually got that email from them, not Namecheap.

What exactly is the verification step? Do they mail you a verification token? Because it sounds like you simply clicked a link to verify your address.

Yes, I just clicked a link that went to http://raa.name-services.com/raaverification/verification.as...

Everyone who's already screwed themselves with domains by proxy is in for a new world of hurt.

If you're talking about the GoDaddy service, they're not. If you're talking about WHOIS privacy services in general, then possibly.

If you use a registrar's WHOIS privacy service, then the registrar still has the (supposedly) correct details and are simply masking them in WHOIS. There's no issue there. However, if you're not using the registrar's own WHOIS privacy service, then yeah, you're potentially opening yourself up to a world of pain, as (a) the domain is no longer actually registered to you in a manner verifiable to the registrar and (b) you might not be able to receive important notification emails that the registrar is required to send you (such as expiry notices).

What is wrong with domains by proxy?

Cui bono?

Law enforcement agencies. They're the ones that asked for this nonsense.

So much linkbait on HN today.

This bit me kind of bad yesterday.

I was about to drive out of cell range and got a text that client's site had some strange page displaying.

Unfortunately, they repointed the DNS servers of the domain, and the client had the contact email MX records associated with the same domain.

The actual site gets 'DNS hijacked' by ICANN until you fill out a captcha on your site's new page and it emails the whois email account on record with the link.

Had to log into the registrar, luckily had the client's account info, changed the email, and got it verified.

That was 3am yesterday.

Says it takes 24 to 48 hours to update, but it was only like 8.

Still, if you had an ecommerce site or conduct time-sensitive business via email, be careful.

Because, if you do not see the email, your site will be hijacked by ICANN.

ICANN didn't 'hijack' the domain.

The domain was suspended from DNS because you hadn't paid your renewal bill. The "strange page" was put up by your registrar to notify any visitors of this and to direct them towards their billing system. The idea is to effectively shame people into paying their bills in a timely manner. Your registrar would've sent you at least three different emails before and shortly after the domain's expiration including a notice of what would happen if you didn't pay on time. If you didn't receive these, then that's on you for not keeping your contact details up to date and correct, which you're required to under your registration contract, and which is why you get those emails out periodically asking that you verify that the details they have for you are correct.

If you don't pay your phone bills, electricity bills, rent, &c. on time, you'd expect the service to be removed. Why would domain names be any different?

How do they email you if your contact email is on the domain they just suspended? Time to set a TTL of 100 years, or something, I guess.

You should never use a contact email that is on the domain for the DNS record in question. Only bad things can result. I use my most basic fastmail.fm email for that purpose.
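The failure described in this subthread is a dependency loop: the registrar's notices go to a mailbox whose MX records live on the very domain that was just suspended. The script below is an added example (not from the thread) that audits a registrant's own records for that loop. It goes a step beyond the single-domain case: when you own several domains and spread contacts across them, a cycle between two of them (a's contact hosted on b, b's contact hosted on a) fails the same way, so the audit also walks that dependency graph. All records in it are constructed.

```python
"""
Audit registrant contact e-mails for circular dependencies on the
domains they are meant to protect.

Added example, not from the thread. Input is a mapping of owned
domain -> list of contact e-mail addresses (as you would copy them out
of your registrar's control panel). Output names each domain whose
contacts could be unreachable while an owned domain is suspended.
"""


def mail_domain(address):
    """The domain part of an e-mail address, normalised."""
    return address.rpartition("@")[2].lower().rstrip(".")


def is_under(name, zone):
    """True if name equals zone or is a subdomain of it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def self_dependent_contacts(domain, contacts):
    """Contacts whose mailbox is hosted inside `domain` itself."""
    return [c for c in contacts if is_under(mail_domain(c), domain)]


def dependency_graph(records):
    """Map each owned domain to the *other* owned domains its contacts
    depend on. Self-dependencies are reported separately."""
    graph = {}
    for domain, contacts in records.items():
        deps = set()
        for contact in contacts:
            md = mail_domain(contact)
            for other in records:
                if other != domain and is_under(md, other):
                    deps.add(other)
        graph[domain] = deps
    return graph


def find_cycles(graph):
    """Depth-first search; each cycle is returned as a closed path."""
    cycles, state, stack = [], {}, []

    def visit(node):
        state[node] = "open"
        stack.append(node)
        for nxt in sorted(graph.get(node, ())):
            if state.get(nxt) == "open":
                cycles.append(stack[stack.index(nxt):] + [nxt])
            elif nxt not in state:
                visit(nxt)
        stack.pop()
        state[node] = "done"

    for node in graph:
        if node not in state:
            visit(node)
    return cycles


def audit(records):
    """Return {domain: [reasons]} for every domain with a problem."""
    problems = {}
    for domain, contacts in records.items():
        bad = self_dependent_contacts(domain, contacts)
        if bad:
            problems.setdefault(domain, []).append(
                "contact hosted on the domain itself: " + ", ".join(bad))
    for cycle in find_cycles(dependency_graph(records)):
        for domain in cycle[:-1]:
            problems.setdefault(domain, []).append(
                "contact dependency cycle: " + " -> ".join(cycle))
    return problems


# Constructed records: one self-dependent domain, one two-domain cycle,
# and one domain whose contact is hosted by an unrelated provider.
SAMPLE_RECORDS = {
    "client-site.example": ["webmaster@client-site.example"],
    "alpha.example": ["hostmaster@beta.example"],
    "beta.example": ["hostmaster@mail.alpha.example"],
    "gamma.example": ["owner@external-mail.invalid"],
}

if __name__ == "__main__":
    for domain, reasons in audit(SAMPLE_RECORDS).items():
        for reason in reasons:
            print(domain + ": " + reason)
```

The fix the commenter above applies, a contact mailbox at an independent provider, is exactly what makes gamma.example pass: its contact depends on nothing the registrant can lose.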

google.com appears to use a google.com email address in its DNS record.

Google probably have a real live person they can call if this gets messed up, or even has the potential to get messed up a few months from now.

You get the emails before the DNS suspension date. Here's the policy in question: http://www.icann.org/en/resources/registrars/consensus-polic...
