A surreptitious effort to introduce so-called "dotless domains" – where you type a single word into your browser to reach a website – has been noticed and shot down.
Despite an explicit ban on the Google-pushed idea – which would, for example, let you simply type the word "search" and be taken to the internet address https://search/ – a paragraph was sneaked into a large set of proposed ideas, which would likely have made it possible in future.
Among the 26 pages of proposed changes [PDF] to the contract signed by the operators of the internet's top-level domains, the following language was inserted:
If Registry Operator wishes to place any DNS resource record type or class into its TLD DNS service (other than those listed in Sections 1.1 or 1.2 above), it must describe in detail its proposal and submit a Registry Services Evaluation Process (RSEP) request.
That of course means nothing to anyone but a small group of DNS policy folk but it was enough to prompt an official rebuke from the security and stability advisory committee (SSAC) of DNS overseer ICANN, which published a strongly worded advisory calling for the text to be deleted.
"The possible use of the RSEP process risks delegating any future evaluation of registry proposals on dotless domains to ICANN staff, effectively circumventing the informed NGPC Board resolution to prohibit dotless domains," the advisory [PDF] reads in part.
Dollar dollar bill y'all
In other words, someone tried to write in some contract language that would have allowed a registry to go through a largely unnoticed technical process, decided by ICANN's staff, to pass something that several internet organizations, including the SSAC itself, the Internet Architecture Board (IAB) and the ICANN Board, have all decided poses a threat to the stability of the internet.
Why? Because then the owners of top-level domains such as "search" or "hotel" or "weather" could bypass search engines altogether and have people go direct to their websites, from where they could direct them. In other words, millions of dollars' worth of traffic annually.
Perhaps ironically, it was Google that pushed the issue back in 2013 when it sent a letter [PDF] to ICANN saying it intended to change its applications for the top-level domains .app and .search to enable a "redirect service… that, combined with a simple technical standard will allow a consistent query interface across firms that provide search functionality, and will enable users to easily conduct searches with firms that provide the search functionality that they designate as their preference."
In other words, Google would bake its search engine into web browsers through technical standards and stop having to pay browser makers millions of dollars to have Google used as their default search engine.
Unsurprisingly this effort to bend the DNS' technical underpinnings for commercial gain was not appreciated by the broader technical community with the IAB saying the plan had "the potential to confuse users and erode the stability of the global DNS."
It continued: "By attempting to change expected behavior, dotless domains introduce potential security vulnerabilities. These include causing traffic intended for local services to be directed onto the global Internet (and vice-versa), which can enable a number of attacks, including theft of credentials and cookies, cross-site scripting attacks, etc. As a result, the deployment of dotless domains has the potential to cause significant harm to the security of the Internet."
The IAB's stance was then formally assumed by the ICANN Board two months later.
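To make the IAB's point about local and global traffic crossing over concrete, here is an added example (not from the article or from any of the organizations it names) that models how a stub resolver with a search list expands a single typed word. The `corp.example` suffix, the zone contents and the function names are assumptions constructed for the illustration, and the model is a simplification of resolv.conf-style `search`/`ndots` handling.

```python
# Added illustration: simplified resolv.conf-style search-list expansion.
# All names and zone contents below are constructed for this example.

SEARCH = ["corp.example"]                      # assumed corporate search suffix
LOCAL = {"search.corp.example."}               # intranet host, visible on-site only
GLOBAL_TODAY = {"www.example.com."}            # no address records at a TLD apex
GLOBAL_DOTLESS = GLOBAL_TODAY | {"search."}    # hypothetical dotless "search" TLD


def candidates(name, search, ndots=1):
    """Return the fully qualified names the resolver tries, in order."""
    if name.endswith("."):                     # trailing dot: already absolute
        return [name]
    as_is = name + "."
    with_search = [f"{name}.{suffix}." for suffix in search]
    if name.count(".") >= ndots:               # enough dots: try as typed first
        return [as_is] + with_search
    return with_search + [as_is]               # single label: search list first


def resolve(name, search, local_zone, global_zone, ndots=1):
    """Return (answering_name, 'local' or 'global'), or (None, None)."""
    for fqdn in candidates(name, search, ndots):
        if fqdn in local_zone:
            return fqdn, "local"
        if fqdn in global_zone:
            return fqdn, "global"
    return None, None


def scenarios():
    """The same typed word, 'search', in four situations."""
    return {
        "on-site, today": resolve("search", SEARCH, LOCAL, GLOBAL_TODAY),
        "off-site, today": resolve("search", SEARCH, set(), GLOBAL_TODAY),
        "on-site, dotless": resolve("search", SEARCH, LOCAL, GLOBAL_DOTLESS),
        "off-site, dotless": resolve("search", SEARCH, set(), GLOBAL_DOTLESS),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:18} -> {result}")
```

Without a dotless TLD, the off-site lookup simply fails; with one, the same word silently lands on a public server, while on-site users who meant the public name are answered by the intranet host instead.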
But of course, where there is big money to be made, another attempt will always be made. And so it was with the introduction of impenetrable policy language that would have bypassed the normal policy processes and given the final say on introducing dotless domains to ICANN's staff.
This is not the first time this tactic has been attempted as a way to circumvent official policy. And it has even worked in the past.
Back in 2010, the company behind ".jobs" used RSEP as a way to make changes to its charter to enable it to sell "jobs" domains that it had previously been prevented from selling. Despite the RSEP process usually receiving on average fewer than half-a-dozen comments, those opposed to the plan noticed the attempt, sparking campaigns on both sides.
Despite thousands of comments however, ICANN's staff failed to flag the issue up and wrote a brief summary to the Board that then approved the change as if it were a simple administrative matter.
That ability to bypass the full policy process later led Amazon to attempt an end-run around the ban on companies having full control over generic words like "book". Earlier this year it put in an RSEP request to let it run a "registration authentication platform" for its ".moi" top-level domain - the upshot of which would have been that it assumed full control over the sale of ".moi" domains. This was widely seen as an attempt to test the waters before attempting the same thing with more profitable names.
This latest effort – presumably pushed by the main proponent of dotless domains, Google – would open the door for RSEP to be used again as a way to get around an official policy.
In this case, the SSAC proposes not only that the relevant paragraph be deleted but that a new paragraph be added to the contract all registries sign that explicitly bans dotless domains. It suggests the paragraph be titled "Dotless Domain Prohibition" just for extra clarity.
Despite only having advisory powers, the SSAC's recommendations are always considered in depth by the ICANN Board largely due to the fact that it is a closed group whose members are picked for their expert technical knowledge. As such, the effort to sneak in dotless domains by the backdoor is almost certainly dead.
What still needs to be fixed however is the RSEP loophole that allows ICANN's staff to decide on important issues without a requirement for them to decide whether it should go through a more formal policy process. ®