I was admin of a country code ccTLD once (let's call it .xx) and I created aliases and a forward for 'i' to my inbox. and put a 5 minute MX record on it. From a shell elsewhere in the world I sent email to i@xx ...
And it arrived! The shortest fully qualified email address in the world!
Against policy tho. I took out the MX record. It was a fun nerd moment.
There really was a bit of an enterprise gold rush for these gTLDs in the late 00s.
They saw .google and .mcdonalds and thought "we should have our own one of those".
And I guess after a while of paying the non-trivial gTLD fees to ICANN, companies eventually looked at the ROI and realized they actually didn't need their own one of those...
Funny how different brands in the same industries figured it out many years before others did.
It's crazy to me that a decision to buy your own gTLD would even be approved outside the most rich and tech literate companies. The evaluation fee alone is $185,000 USD and you have to pay quarterly fees too if I'm not mistaken.
This is the answer. Same thing happened in the early-to-mid 90s. The corporate web site money didn’t come from the IT budget, it came from marketing. The money for the Leased Line Internet connection too, for all but the most R&D focussed companies in the UK. Corporate email for employees and (shudder) actual Internet access for them, often only came later.
People thought it was going to be like the AOL keywords of yore - but it was already so late in the game that nobody gives a shit, you either use google to search for bing or you just don't care.
There's probably ten or twenty domains (not counting my own or my work's) that I can type from memory, the rest I just search for.
The other killer is that "clownfarts.com" looks like a website but www.mcdonalds looks like a typo, even to non-tech people who don't understand any TLD besides the big three.
I think it can make sense for smaller companies as long as the costs aren't unbearable. There's value in being your own registry operator, especially when it comes to stuff like intellectual property claims, etc.
By being a registry instead of a registrant you get an extra layer of protection that helps to ensure your domain is untouchable. I think it makes a lot of sense to use for long term infrastructure if, again, the costs aren't prohibitive.
For a company like Dodge (well, I guess their parent company) that's like selling 6-7 cars a quarter. Massive corporations look at numbers like $185,000 and don't even blink.
I just priced a fully loaded Hellcat[1] Charger (even with stupid stuff like "real carbon fiber inserts" on the interior) on Dodge's site, and it was $109 705. Unless you are proposing it costs less than $9.7k to build and transport one, how are they making six figures of margin?
1: "SRT® Hellcat Redeye Jailbreak" actually. I think the marketing department is staffed with 12 year olds.
MSRP was $96k. Dealers would charge extra because... they forcefully injected and monopolized their position as being the only entity that can actually sell you the car.
Let’s say it’s 7 cars a quarter, that is 28 cars in a year. To cover a $185,000 fee, they would need to be generating $6,607 profit per car. Seems doable?
Yeah sorry my timeline was off there... I knew someone who worked on a gTLD platform and I mistakenly thought it was while I was at a certain job but it was the job after.
They all have the same oeuvre that typo squatted and oddly hyphenated domains have and immediately make me suspicious just looking at them. Which is bad enough for the commercial purposes most of these were probably purchased for, but I can only imagine that they would be exceptionally useless for sending emails or other communications.
Another "ghost mining town" left behind from the wild west that was the first decades of the commercial internet.
This isn't exactly accurate. Google and McDonalds didn't have some early exclusive launch. There were hundreds that launched at around the same time, when ICANN opened the process, and not in the 00s.
I'm too lazy to research them all here, but I recognize a number of them here from their initial applications, which would have all happened at the same time as the two you mentioned.
Yeah sorry I had the timeline off... I also wasn't implying any exclusivity but I remember when these were first announced/marketed that those two domains were prevalent?
This whole scam was so disappointing, although par for ICANN's course. When we heard that they were opening up TLDs, I thought that finally limited TLDs would be abolished.
But nope. ICANN turned the whole thing into another disgraceful money grab... taken to a new level. Now that it has flopped, we can just hope that someday we'll be able to end a domain name with any valid string.
As far as I know, there's no technical reason. I've seen people raise trademarks as an issue, but that's a red herring. There are already trademark-dispute resolution procedures in place.
Technically speaking, it is possible to use an approach similar to IDN to provide a flat namespace without actually making the root zone itself flat. Namely, an arbitrary TLD .abcdefgh can be translated to .xx--abc.def.gh--yy internally if .abcdefgh itself results in NXDOMAIN. Each level would then have less than 10^5 labels at worst.
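A toy implementation of the mapping sketched in the comment above, added here as an example (it is not code from the comment's author): an arbitrary TLD is cut into 3-character chunks wrapped in the xx--/--yy markers, the inverse validates that a name really is a canonical mapping, and lookup rewrites only when the TLD is not delegated. The delegated set and the letters-and-digits restriction are assumptions of this example.

```python
import re

CHUNK = 3                          # 36^3 = 46656 < 10^5 labels per level, as the comment requires
PREFIX, SUFFIX = "xx--", "--yy"    # marker labels taken from the comment's sketch
DELEGATED = {"com", "net", "org"}  # constructed stand-in for the real root zone

def flatten_tld(tld):
    """Map an arbitrary TLD onto nested labels of at most CHUNK characters."""
    tld = tld.strip(".").lower()
    if not re.fullmatch(r"[a-z0-9]+", tld):   # toy scheme: letters and digits only
        raise ValueError(f"unsupported TLD: {tld!r}")
    labels = [tld[i:i + CHUNK] for i in range(0, len(tld), CHUNK)]
    labels[0] = PREFIX + labels[0]
    labels[-1] = labels[-1] + SUFFIX
    return ".".join(labels)

def unflatten_tld(mapped):
    """Inverse of flatten_tld; rejects anything that is not a canonical mapping."""
    labels = mapped.lower().split(".")
    if not (labels[0].startswith(PREFIX) and labels[-1].endswith(SUFFIX)):
        raise ValueError("missing markers")
    labels[0] = labels[0][len(PREFIX):]
    labels[-1] = labels[-1][:-len(SUFFIX)]
    if any(len(l) != CHUNK for l in labels[:-1]) or not 0 < len(labels[-1]) <= CHUNK:
        raise ValueError("non-canonical chunking")
    tld = "".join(labels)
    if flatten_tld(tld) != mapped.lower():   # guard against marker/chunk ambiguity
        raise ValueError("round trip mismatch")
    return tld

def effective_name(name):
    """Direct lookup first; rewrite only when the TLD is not delegated (NXDOMAIN)."""
    host, _, tld = name.rstrip(".").rpartition(".")
    if tld in DELEGATED:
        return name
    flat = flatten_tld(tld)
    return f"{host}.{flat}" if host else flat

if __name__ == "__main__":
    print(effective_name("www.abcdefgh"))   # www.xx--abc.def.gh--yy
```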
This isn't any more "flat" than the TLD nameservers like com., net., etc. It's just one level down.
ICANN could certainly afford to run servers for a "flat" TLD system.
The problem for ICANN is that it will sour relations with all the existing TLD registrars, and there are security problems with allowing any TLD. For example, I might be able to redirect traffic for a particular local network host name (e.g. "router", "fileserver", "raspberrypi", "linksys", etc.) to an external IP address of my choosing. Or I can make something that is normally a local file (e.g. "cmd.exe") and make it also a valid hostname.
Not just ICANN, but how many technical systems are optimized for having a few hundred TLDs? Going to millions / billions seems like it’s likely to uncover a lot of implementation shortcuts.
Not necessarily a reason not to do it, just a reason to be a little careful in rollout.
"I might be able to redirect traffic for a particular local network host name (e.g. "router", "fileserver", "raspberrypi", "linksys", etc.) to an external IP address of my choosing"
Interesting idea. Can you give an example of how that would actually happen? Also the cmd.exe one. So what if it's a valid hostname?
If the search domain list is empty or contains "." or "", or the search algorithm is flawed (maybe an IoT device), trying to connect might lead to a bare TLD lookup.
CMD.exe is either a program that accepts either a filename or a URL in the same context (VLC does this), or the user is confused about the URL/file distinction. The .ZIP TLD was concerning for this reason.
Thanks for the reply. Maybe I just don't know enough about all the scenarios. I don't know what "the domain search list" is or what user action would involve it.
I was looking more for specific dangerous use cases; for example, "The user types such-and-such in the address bar, and instead of getting this he gets that." In other words, how is this a problem in actual practice.
The attacker posts a message to a forum, chatroom, etc. like:
Download: 2024YourCompanySalaryData.zip
When the user clicks "2024YourCompanySalaryData.zip", it is actually a domain name, and loads that website. This website then asks you to enter your corp credentials, or executes a 0-day on the victim's browser, etc.
The forum doesn't need to allow file downloads (i.e. a real .zip might not even work), and even if it does, client or server side virus scanning doesn't have a .zip to inspect.
The user is less wary of phishing, having never seen the .zip TLD. They assume they are downloading a file.
Thanks. I don't really see how that's worse than today, where a bad actor can do exactly the same thing in a forum post. Typically the post shows the text you enter, but can go to any URL.
In terms of the user going to a site instead of a zip file: If a user is willing to unpack and run a random file he downloaded and give it credentials to something... what's the difference? Not being argumentative, but this seems like a stretch.
The difference is that many forums or chat programs will automatically linkify valid hostnames/URLs.
Now "foo.zip" is a valid URL.
You could have a forum or chat program that you think is quite safe, since it doesn't allow file uploads, and doesn't allow arbitrary link text, and this would upend that.
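The hardening the comment above is asking for, as an added example (not code from any forum or chat product): a linkifier that auto-links hostnames only when their TLD is delegated, and refuses to auto-link a bare token whose TLD doubles as a file extension (.zip, .mov) unless the poster typed an explicit scheme. The TLD sets below are constructed stand-ins for the IANA root zone / Public Suffix List.

```python
import re
from html import escape

# Constructed sample of delegated TLDs; a real linkifier would load the IANA
# root zone or the Public Suffix List instead of hard-coding a set.
DELEGATED_TLDS = {"com", "net", "org", "zip", "mov", "works", "google", "fage"}

# Delegated TLDs that are also common file extensions: "name.<tld>" with no
# scheme is ambiguous between a download and a website, so it is never auto-linked.
EXTENSION_LIKE_TLDS = {"zip", "mov"}

HOST_TOKEN = re.compile(
    r"(?<![\w.-])(?P<scheme>https?://)?"
    r"(?P<host>(?:[a-z0-9-]+\.)+(?P<tld>[a-z]{2,63}))(?![\w-])",
    re.IGNORECASE,
)

def classify(scheme, tld):
    """Decide how a hostname-looking token is rendered."""
    if tld not in DELEGATED_TLDS:
        return "text"         # cannot resolve anyway, leave it as plain text
    if scheme is None and tld in EXTENSION_LIKE_TLDS:
        return "ambiguous"    # looks like a filename, do not auto-link
    return "link"

def linkify(text):
    """Escape text for HTML, auto-linking only unambiguous hostnames."""
    out, pos = [], 0
    for m in HOST_TOKEN.finditer(text):
        out.append(escape(text[pos:m.start()]))
        token = m.group(0)
        if classify(m.group("scheme"), m.group("tld").lower()) == "link":
            url = token if m.group("scheme") else "http://" + m.group("host")
            out.append(f'<a href="{escape(url, quote=True)}">{escape(token)}</a>')
        else:
            out.append(escape(token))
        pos = m.end()
    out.append(escape(text[pos:]))
    return "".join(out)

def held_back(text):
    """Tokens deliberately left unlinked, e.g. for a moderation log."""
    return [m.group(0) for m in HOST_TOKEN.finditer(text)
            if classify(m.group("scheme"), m.group("tld").lower()) == "ambiguous"]

if __name__ == "__main__":
    print(linkify("Download: 2024YourCompanySalaryData.zip"))
```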
I have a customer with one of these vanity gTLDs. And I always wonder why... Oh, it is cool with all the subdomains and services, but still... Is it really worth the money for the profile of company it is... Which is not exactly high profile or known...
After seeing that list it doesn't surprise me anymore that companies like Avianca filed for bankruptcy. I'm sure they paid more per year for that domain than what they spend now on customer support.
Browsers don't like to route directly to TLDs. In theory, Amazon could have a web site at
amazon
but browsers interpret that as a search request, not a request for a rooted domain name. Even
amazon.
which means to treat that as a fully qualified domain name doesn't work in browsers any more.
(That's what the trailing "." means. Relative domain names were a thing. If you're on a machine within "bigu.edu", and you want "ourteam.bigu.edu", you can supposedly just use "ourteam" as a domain. This rarely works right, because few clients have domain names any more. Is it even still implemented in most DNS lookup clients?)
ICANN expressly forbade google, and other companies from operating these gTLDs as "dotless" domains back when they approved them. Annoyingly, URLs like "maps.google" aren't set up to go where you'd expect.
Those .new TLDs have specific requirements as in you are required to use it for creating a new "YOUR_DOMAIN" resource.
Maps is a little weird because, while originally they were bundling maps and search and a bunch of products together, they have had to back off on that strategy due to the recent antitrust concerns about bundling, so now they are purposefully separating the products and the domains further.
I’ve found that it works pretty well, at least in my home environment. The first time going to a new host, it has to include https, but subsequent visits auto-complete to the host rather than a web search.
For example, I can type “opnsense” and hit enter, which loads https://opnsense, whose FQDN is opnsense.home.my.domain. This works on all machines on my network; most are configured to use home.my.domain as the primary search domain (through DHCP), but my DNS server also properly responds to queries for just the host portion. And, I’ve configured opnsense to hijack all (standard) DNS traffic on my network, so even if a device is specifically ignoring the DHCP-provided search domain and DNS server, it should be able to query all local hosts.
HTTPS for dotless domains (a bit of a misnomer but it can help in finding good reading material about it) should also work fine on the same browsers. That said, most dotless domains don't run it because they've historically not been given certs due to security concerns. As an example: https://uz./ likely just had the *.cctld.uz cert applied to the whole virtual server block and uz was just one of the names assigned to that block.
Bonus fact: https://. works on Firefox (triggers an A/AAAA DNS query for root) but not Chrome.
Note the trailing ., it's an FQDN. Your system/application shouldn't use search domains if provided an FQDN.
Hence, under a properly set up DNS and application, a system with a search domain of `.internal` and a host named `amazon` will hit the internal host for `https://amazon` and `https://amazon.internal` but not `https://amazon.`
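The search-list behaviour discussed in this thread (bare names, the trailing-dot FQDN rule, and an empty or "." search entry turning a local name like "router" into a bare-TLD lookup), worked through as an added example that is not code from any commenter. The zone data and the "amazon." / "router." dotless sites are constructed for the demo, and the candidate ordering follows glibc-style ndots rules.

```python
# Constructed zone data for the demo. INTERNAL_ZONE is what the site's own
# resolver knows; PUBLIC_ZONE stands in for hypothetical dotless TLD sites.
INTERNAL_ZONE = {"amazon.internal.": "10.0.0.5", "router.internal.": "10.0.0.1"}
PUBLIC_ZONE = {"amazon.": "203.0.113.10", "router.": "203.0.113.20"}

def search_candidates(name, search_list, ndots=1):
    """FQDNs a stub resolver would try for `name`, in order (glibc-style rules)."""
    if name.endswith("."):
        return [name]                        # trailing dot: absolute, search list ignored
    absolute = name + "."
    suffixed = []
    for domain in search_list:
        domain = domain.strip(".")
        # an empty or "." search entry turns the bare name into a bare-TLD lookup
        suffixed.append(absolute if not domain else f"{name}.{domain}.")
    # fewer than ndots dots: search list first, then the absolute name
    ordered = [absolute] + suffixed if name.count(".") >= ndots else suffixed + [absolute]
    return list(dict.fromkeys(ordered))      # drop duplicates, keep order

def resolve(name, search_list, zones=(INTERNAL_ZONE, PUBLIC_ZONE)):
    """Walk the candidates and return (fqdn, address) of the first that exists."""
    for fqdn in search_candidates(name, search_list):
        for zone in zones:
            if fqdn in zone:
                return fqdn, zone[fqdn]
    return None                              # NXDOMAIN for every candidate

if __name__ == "__main__":
    for host, search in [("amazon", ["internal"]), ("amazon.", ["internal"]),
                         ("router", ["internal"]), ("router", [])]:
        print(host, search, "->", resolve(host, search))
```

With an empty search list the bare name "router" falls straight through to the public "router." entry, which is the local-hostname concern raised earlier in the thread.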
I’ve used search domains in corporate networks, yes it’s still a thing and fully supported. I’d always tell somebody to type [name][forward-slash] in their browser, like 'jira/' to get to our internal Jira server, which would always convince the browser to actually do a DNS lookup and not a search. Worked well.
I liked always having a rule in the web server to redirect to the fully qualified hostname on requests to the internal ones, so links could be shared and would always work even if the search domain wasn’t set up (could happen on the VPN for example).
There’s an entire library, libpsl, dedicated to checking the public suffix list, and that needs to be updated whenever some marketing department has a brain fart because ICANN needed more cash for its CEO’s cocaine budget.
I believe http://go isn’t special cased, but instead (ab)uses DNS search domains - the server is actually something like go.corp.google.com, and all Google PCs are configured to use corp.google.com as a search domain
Unofficial TLDs work fine without being special cased (well, so long as the browser is being pointed at the appropriate DNS server which knows about these entries), it's when the TLD itself is used as a URL you have to enter "http://tld." instead of just typing "tld." but any sub like "example.tld." still works automatically.
They got .travelers and .travelersinsurance , maybe some others.
https://en.wikipedia.org/wiki/The_Travelers_Companies - with a 32 billion dollar yearly revenue, they can afford a lot of boondoggle nonsense projects. They probably assigned a bunch of people with insufficient technical knowledge and a vague project scope the objective of updating their cloud and web presence.
You only get silly TLD projects if the overall revenue of your company exceeds some threshold; other companies can't afford that level of mistake. Profits and loss don't matter as much as how much money is coming and going - look at ISPs, with the massive amounts of money shuffling that goes on between the top 5 at a global scale. Quantity is a quality all its own, in these cases; it might only be a fraction of a percent of a budget over the course of a decade, but the real world gets to see tens or hundreds of millions of dollars essentially wasted.
Project managers and MBAs get to rationalize their degrees and theories, because after all, they wouldn't be getting paid by ABCXYZ, Inc and managing million dollar budgets if their project wasn't top-class and 100% justified. You might have to keep firing new hires that mention anything about the whole TLD thing being ridiculous, but they were just negative energy anti-social people who wouldn't have fit the company culture anyway.
And that's why they're bad at using gTLDs anyone would actually ever want to use. "Hey, fellow youths, check out our snazzy new website: statefarm.travelersinsurance! So easy to type on your IBM keyboard, amirite?"
That doesn't explain why Travelers Insurance thought that they needed their own gTLD. Size as measured in dollars isn't really relevant—Berkshire Hathaway is #5 and doesn't have one—what matters is size as measured in registered domain names (for internal or external use).
Basically no one outside of big tech has the volume of domain names to justify paying for their own gTLD, Fortune 500 or not.
Berkshire Hathaway is not a consumer brand; Travelers Insurance is. And some consumer brands are willing to spend very large amounts of money to forestall brand confusion, squatting, impersonation, etc. They probably bought their TLDs for the same reason they own travlers.com and many other variations: so no one else can use it either.
I noticed the one punycode TLD at the bottom: xn--4gq48lf9j (Wal-Mart Stores, Inc). That decodes to "一号店", which is apparently Chinese for "No.1 Store".
It's not even a rounding error on their income statement so they don't care. ICANN, in their infinite wisdom, somehow couldn't foresee corporations squatting on TLDs.
ICANN has staunchly refused to even think about combatting squatting.
Have you ever participated in ICANN? My company did. ICANN's mailing-list traffic was pathetic; never accomplishing anything, as members endlessly bickered about procedure. I don't recall that we ever made a single decision on anything.
They registered oui.sncf initially during their rebrand. Once the guy who initiated that left, they switched back to .com domain (https://www.sncf-connect.com/).
The only one I’ve actually seen used is .fage (e.g https://uk.fage). They seemed to go all in on it and it’s their main web presence. I believe they use it internally as well.
On one library I work on, we ended up writing a bot to fetch the list for us and open a PR in order to maintain it. I suspect anyone having to validate TLDs faces a similar problem.
We have something similar that keeps it updated on a regular basis as well. We used to wait until someone complained, but it changes so often it’s the only reasonable way to deal with it.
Agreed. I use .works and maybe 5% of places don't accept it (the biggest I can think of off the top of my head is Ubisoft). There are some, like my local grocery store chain, that accept it for account registration but it fails somewhere in the sign-in process. This is not the first time it has happened either.
If I were a gTLD registrar I'd make it so that (for example) all .works domains were also aliased by .worksdomain.com or something similar as a backup.
The linked PDFs contain censored sections, but it's just a black rectangle placed above the content. So by removing that rectangle the original content is still visible below...
If you're bored for a few hours, I can only recommend to take a look at the ICANN Zone File Access / CZDS. [1]
There you can get a list of all delegated second-level domain names of most vanity TLDs. Most are quite small (less than 10 entries, most or all technical like nic.<whatever>), i.e. the domain is basically unused.
(They, however, sometimes also contain obviously internal domains which sometimes resolve to public IPs. One company also allows an enumeration of all sales staff, as everyone gets their own domain. ¯\_(ツ)_/¯)
Was the idea that typing the word “McDonalds” into my browser’s URL box would take me directly to that company’s website, instead of to a search query for the same term?
That seems like a scurrilous end-run around default search behaviour that one could hardly believe the major browsers would allow. (For example, only treating your text as a domain lookup if the location had a dot in it, and was free of spaces or other punctuation.)
When I was knee high to an elf I recall that a couple browsers (IE5 and Netscape were the ones I tested) did seem to lookup .com for the term. This was before the URL bar became a search box. But you could reliably type something like hotmail or cute or joke and get to the correct website. The problems from there are super obvious and I am not surprised this no longer works.
ABSOLUTELY. TLDs other than government and educational ones should be abolished at this point. Trademark disputes are already accommodated, so we needn't pretend that a trademark crisis would result.
You should be able to register something.whatever at the same registrar you'd use for something.com.
Of the 134 entries, I find only two where ICANN decided to keep the TLD and transition it. For .wed and .desi. I guess these are TLDs that actually allowed others / third parties to have domains, while for instance .volkswagen was mostly enterprise use by themselves?
It actually seems to be only .desi. Or does it? For .wed, I see a document titled "Final Determination by ICANN to Not Transition Operation of the gTLD (19 May 2021)", but it says that "ICANN org will proceed to make arrangements towards a transition of the .wed TLD to a successor Registry Operator following the Registry Transition Process with a Request for Proposals."
Probably. Our security team insists that we purchase ourname.[everything]. Not a stretch to imagine that the risk / cyber teams of those large organisations were thinking along the same lines.
I think that’s true but I also think maybe some companies set this up hoping to differentiate their brand with a slick branded TLD before realizing that no one wants to use it. To the general public a .com gives you trust.
I would hazard to guess that plenty of spam filters would nope these too.