ICANN, the GAC, SSAC and gTLDs: Challenges with Dotless Domains and Closed Generics

Last year, Craig Mundie posted about ICANN’s gTLD Reveal Day calling it “another step in the Internet’s evolution.”

Let’s hope we won’t see “one step up and two steps back.”

ICYMI, ICANN (the Internet Corporation for Assigned Names and Numbers) approved plans for new generic Top Level Domains (“gTLDs”) to add to the common domains you see today, like .com, .net, and .org, among others. It was impressive to see the level of interest in these new domains, with close to 2,000 applications for new unique domains from around the world. As Craig noted, Microsoft focused on eleven new top-level domain names that correspond to our well-known products, services and brands: .microsoft, .windows, .xbox, .office, .docs, .bing, .skype, .live, .skydrive, .hotmail and .azure…

“Our goal for our new TLDs is to promote responsible utilization of the Web and ultimately better experiences for consumers. Although we’re not yet talking about specific plans for the TLDs for which we’ve applied, we believe that – properly used – this expansion of domains can help deliver new services and capabilities to consumers and the Internet community as a whole. Appropriately utilized, the new TLDs can also protect the rights of trademark holders and brand owners, while promoting a safer and more secure computing experience.

“With so many new gTLD applications, there are bound to be cases where multiple players have applied for the same top-level domain, and ICANN has processes in place to help resolve those cases. We are just now reviewing all of the applications by other companies and organizations. We will work closely with ICANN and others to ensure competition and innovation are preserved for the industry, while also helping protect the rights and expectations of other stakeholders.”

Late last summer, ICANN’s own Security and Stability Advisory Committee (SSAC) published a report to address the issue of dotless gTLDs. This was partly in response to questions on whether or not new gTLD name registry operators would be able to use their gTLD as a valid Internet domain (e.g. http://microsoft instead of the common http://www.microsoft.com). The SSAC strongly recommended against the use of dotless domains, and opened a comment period on this issue, to get feedback from the community (you can read more here)…

“…the combined effect of these potential ambiguities makes it very difficult in practice to predict how a dotless domain name will be resolved in different situations. The result could be anything from fully expected behavior to a security incident in which the user of a domain name (or URL with the domain name embedded) communicates unknowingly with a party other than intended; or, as in the email example in Section 3.4 above, a failure of the system to provide any service at all. Additionally, this ambiguous behavior could be used to develop methodologies to compromise the session and allow for malicious activities with, for example, DNS redirection.

“The SSAC is aware that there currently exist TLDs that attempt to resolve dotless domain names. Our initial examination reveals that resolution of these names is not consistent or universal, and in particular, applications behave differently when presented with “dotless” responses. These behaviors occur for reasons illustrated in this paper. Recommendation: Dotless domains will not be universally reachable and the SSAC recommends strongly against their use. As a result, the SSAC also recommends that the use of DNS resource records such as A, AAAA, and MX in the apex of a Top-Level Domain (TLD) be contractually prohibited where appropriate and strongly discouraged in all cases.”

As we summarized in our comments, Microsoft supports and endorses the report’s recommendations against use of dotless domains. Using dotless domains with new gTLDs is generally a bad idea that would create significant security risks for people using the Internet. Dotless domain names are often resolved by operating systems, browsers and other products to addresses on the local network / intranet. Our recommendation is to use Fully Qualified Domain Names (FQDNs), sometimes referred to as absolute domain names, to ensure that people get where they expect when they type in an Internet address or URL.
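The ambiguity described above can be seen in the order of queries a stub resolver generates. The following is an added example, not code from the SSAC report or from Microsoft: a simplified Python model of the `search` and `ndots` handling documented in resolv.conf(5), using a constructed search suffix (`corp.example.com`) and hypothetical function names.

```python
# Added illustration: simplified model of resolv.conf(5) "search"/"ndots"
# handling. The search suffix and the names audited are constructed samples.

def candidate_queries(name, search, ndots=1):
    """Return the absolute names a stub resolver would try, in order."""
    if name.endswith("."):
        # A trailing dot marks an absolute name (FQDN): no search list is applied.
        return [name]
    as_is = name + "."
    suffixed = [f"{name}.{suffix.rstrip('.')}." for suffix in search]
    if name.count(".") >= ndots:
        # Enough dots: the name is tried as typed first, then with suffixes.
        return [as_is] + suffixed
    # Too few dots (the dotless case): local suffixes are tried first.
    return suffixed + [as_is]


def audit(name, search, ndots=1):
    """Summarize how a typed name would be looked up on this client."""
    queries = candidate_queries(name, search, ndots)
    return {
        "name": name,
        "dotless": "." not in name.rstrip("."),
        # True when an intranet name can answer before the name as typed.
        "local_first": queries[0] != name.rstrip(".") + ".",
        "queries": queries,
    }


if __name__ == "__main__":
    search_list = ["corp.example.com"]  # constructed intranet suffix
    for typed in ("microsoft", "microsoft.", "www.microsoft.com"):
        result = audit(typed, search_list)
        print(f"{typed!r}: dotless={result['dotless']} "
              f"local_first={result['local_first']}")
        for query in result["queries"]:
            print("    ->", query)
```

With the default `ndots` of 1, the dotless name is looked up under the local suffix before the TLD apex is ever queried, while the trailing-dot form produces exactly one query.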

Last week, following broad coverage (as briefly noted on TechCrunch) on proposed dotless domains and how new gTLDs might be operated, I had a discussion with the folks over at TheDomains.com on the topic.

As we saw in the Governmental Advisory Committee (GAC) recommendation to ICANN last week, we believe it’s contrary to the free and open ideals of the Internet for a private commercial entity to act as gatekeeper to domains that consist of generic industry terms, like .search, .cloud or .app. ICANN should follow the GAC’s clear recommendation that any non-open domains that consist of generic industry terms be required to establish that they serve a public interest goal.

Allowing dominant market leaders to control such generic domains is like trusting a fox to guard the henhouse. We urge ICANN to abide by the GAC’s advice and to follow the SSAC’s conclusions in order to preserve the freedom and openness of the Internet, protect the billions of Internet users, and foster healthy competition.

Also available via https://aka.ms/dotless