Exile From the Herd

Hi There,


There is a new DNS Cache poisoning disclosure that has been inadvertently leaked before it was scheduled to be released by Dan

Kaminsky (IOActive). This is a very serious flaw in the DNS protocol that impacts caching resolvers, like the resolvers hosted at your

service provider that help your workstation resolve IP addresses to domain names.


This bug does not directly impact authoritative name servers like the ones used to host your domain names at EasyDNS. Our name servers do not

request answers from external sources, and rely entirely on internal cache files to offer answers. So for example, nobody will be able to change your IP information on our end. That part of the bug is unfortunately located at the caching end.


That being said; this is still a serious flaw, and we are taking this opportunity to upgrade the DNS software on our authoritative name servers to ensure that we are 100% compatible across the board with the newly upgraded caching name servers located at your Internet Service Provider. These upgrades should not impact name resolution if you are using more than one of our name servers to serve answers for your domain name (actually, please ensure that you are).


To make sure your Internet Service Provider is up to speed, you can use Dan Kaminsky's test script at DoxPora Research. If your Internet Service Provider is not yet up to speed, you may want to give them a nudge and/or change your DNS resolver configuration to a more trusted service.

Update It is now making news that an exploit to this attack has been released., please see our post about our newly launched DNSresolvers.com if you are looking for safe resolvers.

We've gotten a few invitations to apply to be a .ME top-level domain registrar, to which we assigned no urgency after we took a straw poll internally and found that pretty well zero of our customers were asking for it. Today, Techcrunch reports that the .ME landrush, at least through one large operator, had degraded into a fracas. We have an unwritten policy here: new Top Level Domain roll outs are to be avoided until they i) get past sunrise without erupting into a malestrom of lawsuits and ii) get past "go-live" without imploding.


It runs contrary to industry standards where registrars whip their customer base into a frenzy over an exaggerated need to protect one's trademarks and claim one's stake in the latest "must have" TLD. The fact is, all you really need to care about are .COM, .NET and .ORG plus the ccTLD of the country you live in or do a lot of business in. (I will probably catch flack for saying .BIZ and .INFO are not crucial must-haves to your domain portfolio - we grabbed ours, at considerable expense in the case of .INFO and it was our experience in the roll out of these two that largely formed our policy.)


That most of these new TLDs roll out with initial 2-year registration period minimums are just an outright cash grab from the registry that most participating registrars are happy to join in on. They know that the sunrise and landrush frenzies they hope to whip up are the single greatest revenue events these TLDs ever experience. After the hoopla dies off and organizations realize how unimportant owning say ".ZX" is in their overall domain strategy and the domainers who piled in find out the aftermarket for the TLD is lackluster at best, the renewal rates predictably fall off a cliff.


So when the next "must have" TLD comes along and participating registrars start lovebombing their customers with reasons why they absolutely must"protect their name" in the new TLD, we often commit the egregious sin among investment bankers, VC's and pundits - that of "leaving money on the table" and we just don't rush in and push the new TLD. If it prevents us from leading our members off a ciff in to a major debacle, we consider ourselves as having done our job. (This was a similar rationale to why we never entered the IDN space, as long as you need a browser plug-in to make internationalized domain names even borderline usable they are, in our opinion, of marginal utility - we stayed out of it)


This is in line with our lifelong strategy of cultivating members who actually use their domains rather than pushing the "get your name before its gone" angle for every TLD under the sun on anybody who can fog a mirror. When we launched back in '98, we couldn't even register domains at all, so our member base was exclusively people who were actively using their domains and wanted outsourced DNS and/or forwarding. That set the tone for our positioning and culture ever since, and while now we do have a lot of customers using us "as registrar", our core is always the active domain users.


We have almost zero "domainers" with large portfolios of parked domains and speculative registrations because our model simply doesn't work for those types of users. It's not a judgement against domainers, it's just not where we came from.



All that said, you would probably think we are opposed to the new "free-for-all" TLD expansion policy hinted to in the recent ICANN meeting in Paris. We are not. We would welcome this new tlds policy (if it ever actually happens) because it removes the artifical scarcity and counteracts that "cashgrab" mentality we sniff at the root of many a new TLD. If new TLDs are coming out all over the place, two things happen:


1) Organizations realize that it is no longer practical to attempt to "protect their name" in every TLD space, so they stop trying. This removes a lot of the "easy money" underwriting new TLDs, some of which would otherwise launch for the thinly disguised reason of trying to milk the Sunrise for all its worth.


2) The above impetus gone, new TLDs will have to compete in a much more open market. Registries, while having de facto localized monopolies within their own TLDs will have to provide actual value to compete with other TLDs.


That appeals to our sense of market freedom: less artificial barriers compelling a drive toward providing more value and benefits. The winners in the end should be the domain registrants, who are, let's not forget, our customers.

We've gotten a few invitations to apply to be a .ME top-level domain registrar, to which we assigned no urgency after we took a straw poll internally and found that pretty well zero of our customers were asking for it. Today, Techcrunch reports that the .ME landrush, at least through one large operator, had degraded into a fracas. We have an unwritten policy here: new Top Level Domain roll outs are to be avoided until they i) get past sunrise without erupting into a malestrom of lawsuits and ii) get past "go-live" without imploding.


It runs contrary to industry standards where registrars whip their customer base into a frenzy over an exaggerated need to protect one's trademarks and claim one's stake in the latest "must have" TLD. The fact is, all you really need to care about are .COM, .NET and .ORG plus the ccTLD of the country you live in or do a lot of business in. (I will probably catch flack for saying .BIZ and .INFO are not crucial must-haves to your domain portfolio - we grabbed ours, at considerable expense in the case of .INFO and it was our experience in the roll out of these two that largely formed our policy.)


That most of these new TLDs roll out with initial 2-year registration period minimums are just an outright cash grab from the registry that most participating registrars are happy to join in on. They know that the sunrise and landrush frenzies they hope to whip up are the single greatest revenue events these TLDs ever experience. After the hoopla dies off and organizations realize how unimportant owning say ".ZX" is in their overall domain strategy and the domainers who piled in find out the aftermarket for the TLD is lackluster at best, the renewal rates predictably fall off a cliff.


So when the next "must have" TLD comes along and participating registrars start lovebombing their customers with reasons why they absolutely must"protect their name" in the new TLD, we often commit the egregious sin among investment bankers, VC's and pundits - that of "leaving money on the table" and we just don't rush in and push the new TLD. If it prevents us from leading our members off a ciff in to a major debacle, we consider ourselves as having done our job. (This was a similar rationale to why we never entered the IDN space, as long as you need a browser plug-in to make internationalized domain names even borderline usable they are, in our opinion, of marginal utility - we stayed out of it)


This is in line with our lifelong strategy of cultivating members who actually use their domains rather than pushing the "get your name before its gone" angle for every TLD under the sun on anybody who can fog a mirror. When we launched back in '98, we couldn't even register domains at all, so our member base was exclusively people who were actively using their domains and wanted outsourced DNS and/or forwarding. That set the tone for our positioning and culture ever since, and while now we do have a lot of customers using us "as registrar", our core is always the active domain users.


We have almost zero "domainers" with large portfolios of parked domains and speculative registrations because our model simply doesn't work for those types of users. It's not a judgement against domainers, it's just not where we came from.



All that said, you would probably think we are opposed to the new "free-for-all" TLD expansion policy hinted to in the recent ICANN meeting in Paris. We are not. We would welcome this new tlds policy (if it ever actually happens) because it removes the artifical scarcity and counteracts that "cashgrab" mentality we sniff at the root of many a new TLD. If new TLDs are coming out all over the place, two things happen:


1) Organizations realize that it is no longer practical to attempt to "protect their name" in every TLD space, so they stop trying. This removes a lot of the "easy money" underwriting new TLDs, some of which would otherwise launch for the thinly disguised reason of trying to milk the Sunrise for all its worth.


2) The above impetus gone, new TLDs will have to compete in a much more open market. Registries, while having de facto localized monopolies within their own TLDs will have to provide actual value to compete with other TLDs.


That appeals to our sense of market freedom: less artificial barriers compelling a drive toward providing more value and benefits. The winners in the end should be the domain registrants, who are, let's not forget, our customers.