Domain names are vital in a modern society

The domain market: Are the rules of the game changing?

Fundamental changes are taking place in the domain name market. A thousand new top-level domains have been introduced in the last few years, and competition has increased considerably. At the same time, there are certain indications that the general demand for domain names is decreasing, and the use of mobile devices and apps is making domain names less visible. Also, new players with potentially disruptive ideas are entering the domain market.

In 2012, after more than a decade of stability in a domain market where the number of actors and top-level domains remained relatively constant, ICANN 1 chose to make a change. They opened up registration of top-level domains to anyone, provided applicants met certain financial and technical requirements. The objective of this liberalization of the market was to give customers a wider range of options and to contribute to increased competition and innovation.

Domains and top-level domains

All devices connected to the Internet have their own unique IP addresses, which consist of a long sequence of numbers. The Domain Name System links unique domain names to the IP address.

Examples of domain names many interact with daily include dagbladet.no, vg.no, google.com, and facebook.com.

The last part of the domain name—its “last name”—is the top-level domain the domain name is registered under. There are two different types of top-level domains: country code top-level domains (such as .no or .se) and generic top-level domains (such as .com or .org).

Now that the first round of applications has been processed, approx. 1200 new top-level domains have been registered 2. Plans for a new round of applications are under way, but it is not yet clear when the application window for the next round will open.

So, what has happened in the domain market in recent years? Are players competing on the same terms as before, or have the rules of the game changed? And what does this all mean for end customers and others in the market?

Marked increase in the number of competitors

There are now five times as many top-level domains in the market as there were in 2012. This means increased competition for both new and established actors.

[Figure: .amsterdam. New top-level domains with geographical references.]

Most new top-level domains have distinct, meaningful names. Among them are generic descriptions (.top, .club, .global, .app), names of cities and other geographical references (.berlin, .amsterdam), descriptions of industries (.lawyer, .doctor, .ceo), interests (.horse, .cooking), group identities (.mormon) and brand names (.statoil, .gucci, .bbc).

[Figure: .horse. New top-level domains that represent interests.]

It will take time for the newcomers to establish themselves in this market. As of July 2016, the new generic top-level domains have a market share of approx. 6.4 percent 3. Certain top-level domains dominate in terms of size, both among well-established top-level domains and new domains. The world’s largest top-level domain, .com, alone has a market share of approximately 39 percent 4. However, the largest newcomer, .xyz, has managed to carve out a place among the world’s ten largest top-level domains.

Global market share
New generic top-level domains: 6.4 %
Established top-level domains: 48.8 %
Country code top-level domains: 44.7 %
Source: CENTR, DomainWire Global TLD Report, ed. 16

For many top-level domains, however, the total number of domain names is not a relevant measure of success. The business concept behind .luxury, for example, is to be an exclusive product for the select few, which is not compatible with rapid growth. Another example is top-level domains that have not been registered for the purpose of resale, such as .statoil and .bbc.

The world’s largest top-level domains
.com: 126.6
.tk: 28.6
.cn: 19.5
.de: 16.1
.net: 15.6
.org: 10.8
.uk: 10.7
.xyz: 6.2
.nl: 5.6
.info: 5.5
Based on the number of domains (millions). The number of domains registered under .tk is based on data from September 2014, which is the most recent information publicly available. Other figures are from August 2016. (Source: CENTR)

Is the market becoming saturated?

For decades, actors in the domain market have seen a stable increase in the demand for domains. Recently, however, there are some indications that the market is maturing. Long-term trends for established top-level domains show growth in demand slowing down. The exception is a short-term spike in late 2015, which was caused by Chinese investors registering a large number of domains. The growth has begun to return to its previous level. The new top-level domains are growing faster than established domains 5, but for these domains, too, Chinese investors have been buying up domains in large numbers over the last year. For example, in April 2016, .xyz reported that more than 50 percent of registrations came from Chinese customers 6.

Growth in total domains
[Chart: growth in total domains (percent), Jan-13 to Jan-16. Series: European ccTLD median; established top-level domains median.]
Source: CENTR

If this trend of slowing growth in new registrations under established top-level domains continues, several top-level domains may soon experience zero growth. A saturated domain market will, in turn, lead to more fierce competition.

One additional explanation for the slowing demand may be that domain names have become less visible. Increased use of mobile devices means increased use of apps and clickable links, where the user does not have to relate to the domain name behind the content. At the same time, however, domain names are a central part of Internet infrastructure, and there is no competing technology in sight.

Branding is still the most common competitive strategy

Technically speaking, all domain names work the same way. As a result, top-level domains must use other means to differentiate themselves from competitors and create value for their customers. The most common strategy is to build an identity for the top-level domain, which, in turn, adds value for customers registering their domain names there. One example in this regard is .com, whose brand is so strong that many prefer a longer and more complicated .com domain over a shorter domain under a lesser known top-level domain. Similarly, .no has built a distinct identity as a Norwegian, high-quality domain; .no is the obvious first choice for companies and private individuals with a connection to Norway.

Building a strong identity, however, is not achieved overnight. With more than a thousand new players now entering the field, it is going to take considerable resources and long-term marketing to just be visible in the crowd. New top-level domains need a strong business concept and a solid foundation for income generation to succeed, and the same could also be said for established top-level domains that haven’t been able to build a clear identity before newcomers flooded the market. 7

Can .Club truly be called a successful gTLD? Certainly it has reasonable registration volumes (at time of writing 156,000 names) compared with other gTLDs. These registrations were achieved through hard work and good marketing, but at what cost? With the larger registrars retailing .CLUB domain names at below $10, the total first year revenue (excluding premium domains) will be a maximum $1.5 million even if all registrars were selling at cost. In order to obtain these hard won registrations, .CLUB has reportedly spent way over $5 million on marketing and will be spending an additional $3.5 million next year.

There is no denying the quality and quantity of the marketing efforts expended by .CLUB to date, and as a marketer I applaud the professionalism of their campaigns. However, looking at these (admittedly speculative) figures, would a financial director consider .CLUB to be a successful business at the moment?

- Andy Churley, CMO at Famous Four Media (Source: Laursen)

In addition, the identity of a top-level domain is more than just branding. Its identity also reflects the “neighbourhood” its customers become a part of. A top-level domain where the majority of domains function as its customers’ primary site on the Internet is more attractive to new customers than one where the majority of domains serve no other purpose than to redirect visitors to other top-level domains 8. The value of a good “neighbourhood” also shows when some security organizations recommend that companies block all traffic leading to specific top-level domains, because more than 90 percent of domains there are used for unwanted activities, such as spam, fraud and malware. 9

Identity is a central aspect in the competition between top-level domains, but they do, of course, also compete in terms of price. For example, .tk (Tokelau) has built one of the world’s largest top-level domains by ignoring the aspect of identity altogether, and instead offering .tk domains for free for the first year. If the customer at the end of the year does not wish to keep the domain, the organization managing .tk takes over, earning money by directing traffic from the domains to advertising sites. The new top-level domain with the highest number of registrations, .xyz, also climbed to this position by offering domains for free when starting up the top-level domain.

.tk built one of the world’s largest top-level domains by offering domains for free for the first year
28 million out of 326 million domain names
Source: Verisign 2016

New players may change the rules of the game

Even though the number of top-level domains has doubled many times over, the way the domain market works has remained relatively unaffected. Market liberalization often leads to changes in the fundamental “rules of the game” over time, however, as seen in other markets. The telecom market is one example in this regard. In principle, disruptive changes can come from any player, but in the domain market, perhaps the greatest potential for disruption lies with major players like Google and Amazon.

Both have a history of disrupting established markets by introducing new business models and new technology. Today, they hold approximately 40–50 top-level domains each 10, and more will follow as the last pending applications are processed. These players control many links in the value chain, and they also control a number of products that may be used with domains. This could give them the opportunity to take full control of the customers’ experience, giving customers a seamless, streamlined solution, provided they use their products. So far, not much has happened with their top-level domains, but one would be wise to keep an eye on these players in the domain market in the time to come.

Competition may also be external. Increased use of social media, such as Facebook and Instagram, offers alternatives to dedicated websites and e-mail. Unlike domain names, this option locks customers to a single provider and this provider’s terms and conditions for use. In exchange, these services are free, easy to use, and offer attractive added functionality, including the ability to connect users in a community with other users.

Where are these changes leading?

Operating a top-level domain has become more challenging. Increased competition is placing more and more exacting demands on established and new top-level domains; they have to generate tangible value for customers, either by the top-level domain’s identity or by additional services. There will most certainly be casualties. .doosan was the first new generic top-level domain to be discontinued, but it will probably not be the last 11.

All top-level domains are facing increased competition, regardless of whether the organization managing it aims to make a profit for owners and investors, or whether it is a non-profit organization tasked with a social mission. Norid’s vision is to run the registry for .no domains to the betterment of Norwegian society, and this still applies in the face of increased competition. The Norwegian top-level domain has a good reputation as a high-quality domain, but the work to keep up with society’s needs will remain a primary concern for us in the future.

For customers, increased competition and the large number of new players in the market mean they have a wider selection of options to choose from. For example, registering domains under several different top-level domains could open up new possibilities for profiling, and reflect an affiliation with specific groups.

The challenge with endless choice, of course, is that it may be difficult to find the right one. Nobody wants to set up the company’s new site under a top-level domain with a reputation for spam and malware. At the same time, this situation is no different from other industries; customers should always look into the reputation of those providing their critical services.

Norwegian domain names more secure with DNSSEC

As the Internet assumes an ever more critical role in society’s infrastructure, it is becoming increasingly important to ensure that information is not falsified and does not end up in the wrong hands. DNSSEC is an important contribution to more secure communication online.

DNSSEC

Why is DNSSEC important?

The Internet has become a key platform for value-creation in modern society. Online retailers in Norway had a total turnover exceeding NOK 8 billion in the first half of 2016 1. Five percent of all Norwegian domain names with a website have shopping basket functionality built in 2, and for many businesses, online sales is the primary sales channel. The Internet is also a primary channel of communication between public agencies and the nation’s inhabitants and businesses, e.g. in connection with tax returns, employer's contributions and access to public services. In all these circumstances, it is extremely important that users actually end up on the website they intended to reach.

A website can be accessed in different ways: clicking a link, via an app, via hits from a search engine, or entering the URL into a browser. All these methods of access entail looking up a domain name. The lookup initiates a search for an IP address used to contact the server operating the service the user is requesting access to. Originally, the domain name system was not designed to ensure that the response to a lookup actually came from the right source. This means it is possible for attackers to falsify responses and direct a user to another IP address than the one associated with the domain. For example, a user may be directed to a website that looks like the online retailer they intended to visit, but is in fact located on a server controlled by scammers.

What happens behind the scenes when you look up a domain?
[Diagram: steps 1 to 5 of a lookup of www.bokogbrus.no (158.38.212.101), showing the resolver and the name servers for the root, .no and bokogbrus.no.]

Each domain name has a set of servers handling queries about addresses under the domain in question. These servers are called name servers.

1. A small application in your device contacts a dedicated server set up to handle queries in the domain name system, a so-called recursive resolver. This server is often operated by your Internet service provider.
2. The recursive resolver is tasked with finding the IP address of www.bokogbrus.no. It forwards the query to one of the name servers for the top level of the domain name system (called the root). Root name servers only know the level below them in the hierarchy, and therefore return a list of name servers for the top-level domain .no.
3. The resolver then forwards the query to one of the name servers for .no. These servers also only know the level below them, and therefore return a list of name servers for bokogbrus.no.
4. The resolver repeats the query to one of the name servers for bokogbrus.no, which returns the IP address for www.bokogbrus.no.
5. The resolver then forwards the IP address to your device. Once your browser is provided with the IP address, it contacts the web server at this address, and downloads the website you requested.

The resolver normally accepts the first response to its query, and does not verify that it comes from the right source.

DNSSEC (DNS Security Extensions) is a security mechanism that offers a solution to this problem. When a domain is secured by DNSSEC, all responses to queries about the domain are signed cryptographically. This makes it possible to verify both that the response comes from the right source, and that it has not been changed along the way.

The signature is created with a private key accessible only to the operator of the domain name. To validate the signature, the device making the query retrieves the public key for the domain from the domain name system and checks the signature against that key. Given the hierarchy of the domain name system, a scammer cannot enter false keys in addition to false responses. The public key of a domain is part of an unbroken chain of keys validating each other, all the way to the top level. In order for DNSSEC to work, all levels have to be secured by DNSSEC. A chain is only as strong as its weakest link.
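The link between one level and the next in this chain is a DS record: the parent zone publishes a hash of the child zone's public key. The added example below (not Norid's code) checks those links from the root down to bokogbrus.no using constructed stand-in keys. It assumes the DS records, and the absence of one, have already been authenticated by the parent's signatures, and it does not verify signatures itself.

```python
import hashlib
import hmac
import struct

def wire_name(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS record a parent publishes for a child key (digest type 2 = SHA-256)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def ds_matches(owner, rdata, ds):
    """True if the key served by the child is the one the parent vouches for."""
    if ds["digest_type"] != 2:          # this example only handles SHA-256
        return False
    candidate = make_ds(owner, rdata)
    return (candidate["key_tag"] == ds["key_tag"]
            and candidate["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(candidate["digest"], ds["digest"]))

def walk_chain(trust_anchor, zones):
    """Follow DS -> DNSKEY links from the root downward.

    zones: list of (zone name, DNSKEY RDATA served by that zone,
                    DS that zone publishes for the next zone, or None).
    Returns ("secure", None), ("insecure", zone) for the first zone with no
    DS above it, or ("bogus", zone) for the zone whose key does not match.
    """
    expected = trust_anchor
    for name, served_key, child_ds in zones:
        if expected is None:
            return ("insecure", name)   # a level above is not secured
        if not ds_matches(name, served_key, expected):
            return ("bogus", name)      # key is not the one the parent hashed
        expected = child_ds
    return ("secure", None)

def constructed_key(label):
    """Constructed 32-byte stand-in for a public key (not a real key)."""
    return dnskey_rdata(257, 15, hashlib.sha256(label.encode()).digest())

def demo_chain(forge_leaf=False, sign_leaf=True):
    """Constructed chain for root -> .no -> bokogbrus.no."""
    root, no, leaf = (constructed_key(z) for z in (".", "no.", "bokogbrus.no."))
    anchor = make_ds(".", root)         # configured locally in the validator
    leaf_ds = make_ds("bokogbrus.no.", leaf) if sign_leaf else None
    served_leaf = constructed_key("attacker") if forge_leaf else leaf
    zones = [(".", root, make_ds("no.", no)),
             ("no.", no, leaf_ds),
             ("bokogbrus.no.", served_leaf, None)]
    return walk_chain(anchor, zones)

if __name__ == "__main__":
    print(demo_chain())                 # every link matches
    print(demo_chain(forge_leaf=True))  # substituted key at the last level
    print(demo_chain(sign_leaf=False))  # parent publishes no DS for the child
```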

DNSSEC solves the problem of false responses to queries. It is important to be aware, however, that DNSSEC is only a small piece in a large puzzle of security measures needed to keep us safe online. DNSSEC ensures that we reach the address we wanted to reach, not that the contents of the site are safe.

Norway a world leader in securing the domain name system

Norid considers DNSSEC to be a key security component in the domain name system, and believes that the technology should be standard for Norwegian domain names.

Norid introduced DNSSEC as an infrastructure upgrade, and did not require domain holders to be aware of the technology or to actively order it to get the security upgrade for their domain. This approach to DNSSEC, however, required sufficiently sophisticated technology and a considerable effort on the part of domain name traders (registrars). Norid could facilitate the implementation of DNSSEC, but the registrars had to do the job of signing and maintaining the domains for their customers.

Key DNSSEC milestones

2007: .se is the first top-level domain in the world to allow use of DNSSEC to secure its domains. Because the top level of the domain name system had not yet been secured, .se had to create a temporary solution to compensate for this.

2010: The top level of the domain name system is secured by DNSSEC.

2014: Support for the technology is available in the most common software for domain name system queries. DNSSEC is implemented for Norwegian domain names.

Despite the need for sophisticated technology and limited room for errors, many registrars quickly came on board. In May 2015, six months after Norid introduced the technology, the Norwegian top-level domain was among the world’s leading top-level domains regarding percentage of secure domains, where it has remained since 3. As of 1 December 2016, 416,036 .no domains have been signed using DNSSEC 4, which accounts for 58.2 percent of all domains under .no. Three other European country code top-level domains also stand out, with a large percentage of secured domains 5: Czech Republic (.cz), at 49.9 percent 6, Sweden (.se), at 46.7 percent 7 and the Netherlands (.nl), at 45.5 percent 8.

Norwegian domains secured with DNSSEC
[Chart: number of signed domains from Jan-14 to 1 December 2016, reaching 416,036.]
Development in the number of Norwegian domains secured with DNSSEC (source: Norid)

Even though .no has a very high percentage of secured domains overall, the degree of implementation among registrars varies considerably. As of December 2016, 66 of 345 registrars offering Norwegian domain names offer secure domains through DNSSEC. Only 14 of these have signed more than 10 percent of their domain portfolio. Consequently, the majority of secured domains are associated with a small number of traders.

Distribution of signed .no domains across traders
The ten traders with the highest number of signed domains account for 98.8 percent of all signed domains.
Domeneshop AS (63.1 %)
One.com A/S (11.2 %)
Uniweb.no AS (8.6 %)
Digital Garden AS (6.8 %)
Pro ISP AS (4.5 %)
Syse AS (3.1 %)
ISPHuset Nordic AS (1.0 %)
Active Data Norge Avd Synnes (0.3 %)
TDC AS (0.2 %)
Domenia Norge AS (0.1 %)
Others (1.2 %)
Source: Norid

Key domains still not signed

With more than half of all Norwegian domain names secured with DNSSEC, this technology has become a new standard here. Even so, only 12 percent of the fifty most popular Norwegian domains 9 are signed, and none of the ten most popular domains.

The ten most popular Norwegian domain names
1. google.no: not signed
2. finn.no: not signed
3. vg.no: not signed
4. nrk.no: not signed
5. dagbladet.no: not signed
6. yr.no: not signed
7. aftenposten.no: not signed
8. tv2.no: not signed
9. feide.no: not signed
10. dnb.no: not signed

(Source: alexa.com, Norid)

We see that public agencies lag behind in securing their domains. Less than half (46.3 percent 10) of domains registered by public administrative agencies have been signed using DNSSEC. It is a concern that none of the public domain categories (stat.no, dep.no, kommune.no, herad.no) or the domain category reserved for the Armed Forces (mil.no) have implemented the new technology. This means that domains under one of these domain categories, e.g. nsm.stat.no, cannot choose to secure their site using DNSSEC, because the links above them in the chain are not secured.

The Norwegian Association of Local and Regional Authorities (KS) will, however, transfer operation of the domain categories kommune.no and herad.no to Norid. All Norwegian municipalities will therefore soon be able to secure their domains using DNSSEC.

At the forefront of validation as well

The large share of DNSSEC-secured Norwegian domains means many domain lookups yield signed responses. In order for this to protect the individual user, however, the server retrieving the response to the domain query must check (validate) it, ensuring that responses containing false or inadequate signatures are rejected. This is handled by dedicated servers (recursive resolvers), which are often operated by Internet service providers, hosting providers and those running an organization's internal network. In order to fully utilize the potential of DNSSEC, as many as possible of these providers must secure their users by enabling validation.
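A client can see whether its resolver validated a response from the AD (authenticated data) flag in the DNS header, and can tell a validation failure from an ordinary server failure by repeating the query with the CD (checking disabled) flag. The following added example (not from the original report) builds such queries and classifies constructed responses; the function names and sample messages are assumptions made for illustration.

```python
import struct

# Header flag bits and the SERVFAIL response code.
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
SERVFAIL = 2

def encode_name(name):
    """Domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid, checking_disabled=False):
    """A-record query that signals DNSSEC awareness to the resolver."""
    flags = RD | AD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # type A, class IN
    # EDNS0 OPT record: root name, type 41, UDP size 1232, DO flag set, no data.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def read_header(query, response):
    """Return (rcode, ad_bit), or None if the response does not fit the query."""
    if len(response) < 12:
        return None
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return None
    return flags & 0x000F, bool(flags & AD)

def diagnose(query, response, cd_query=None, cd_response=None):
    """Classify a resolver's answer.

    The AD flag is only meaningful when the path to the resolver is trusted
    (for example a resolver on the same host); it is not itself signed.
    """
    head = read_header(query, response)
    if head is None:
        return "invalid"
    rcode, ad = head
    if rcode == SERVFAIL:
        retry = read_header(cd_query, cd_response) if cd_query and cd_response else None
        # Same name resolves once checking is disabled: validation rejected it.
        return "bogus" if retry and retry[0] == 0 else "servfail"
    # No AD: the domain is unsigned or the resolver does not validate.
    return "validated" if ad else "unvalidated"

def constructed_response(query, flags, answer=True):
    """Constructed sample response to `query` (not captured traffic)."""
    header = query[:2] + struct.pack("!HHHHH", flags, 1, int(answer), 0, 0)
    body = query[12:-11]                       # echo the question section
    if answer:                                 # pointer to name, A, IN, TTL 300
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        body += bytes([158, 38, 212, 101])     # address shown in the page's diagram
    return header + body

if __name__ == "__main__":
    q = build_query("www.bokogbrus.no", 0x1234)
    print(diagnose(q, constructed_response(q, QR | RD | RA | AD)))
    print(diagnose(q, constructed_response(q, QR | RD | RA)))
```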

The degree of validation in Norway has increased considerably since DNSSEC was introduced for Norwegian domains in 2014. As of 5 December 2016, approx. 72 percent of domain lookups in Norway are validated 11. The degree of validation for .no is high on a world-wide basis 12, but lower than for Sweden, at 77 percent, and Iceland, at 73 percent.

DNSSEC validation percentages by country
[Figure: world map]
Source: apnic.net, 5 December 2016

The high degree of validation in Norway can be attributed to the fact that some major providers, such as Telenor Norge, Altibox and Get, whose combined customer base is relatively large, have enabled validation. Several of the other major providers, however, including Nextgentel and Broadnet, have still not enabled lookup validation.

The Norwegian Communications Authority is concerned with ensuring that users of electronic communication services have access to robust, secure and reliable electronic communications networks. DNS response validation is one of several tools to prevent users and systems from being directed to the wrong addresses, e.g. by scammers falsifying responses to domain queries. Most major top-level domains world-wide have implemented DNSSEC, and ICANN now requires all new generic top-level domains to implement the standard. In this context, it is encouraging to see .no leading the way, being at the top of the class world-wide for implementing DNSSEC. This will further contribute to reinforcing .no’s standing as a national top-level domain among the best in the world in terms of security and stability.

Ørnulf Storm, Section Director, Norwegian Communications Authority

DNSSEC in the future—what is possible with a secure infrastructure?

The immediate effect of DNSSEC is to safeguard users from false responses from the domain name system, but a secure domain name system also serves as a foundation on which we can build a whole new set of security features.

We are accustomed to being able to securely send e-mail, even at airports, in Internet cafés and using guest networks, because our devices exchange data with the e-mail server using a secure, encrypted connection that third parties cannot tap into or change. Similarly, we look for the green padlock symbol and HTTPS before transferring data such as credit card numbers, user names and passwords on websites we visit.

In order for these connections to be secure, our device must authenticate that it is communicating with the right service, and exchange the necessary cryptographic data. The authentication process largely relies on certificates issued by certificate authorities.

The problem is that there are very many certificate authorities, and the level of security they offer varies considerably. Meanwhile, there has been a shortage of good mechanisms to inform users of which certificate authority is authorized to issue certificates for a given service, or which certificate or key the service in question uses. Google is among those who have experienced problems with this issue. In some cases, certificates have been issued for Google’s domains that have not been authorized by Google 13. Such unauthorized certificates make it possible for someone to hijack or tap into traffic to the service.

The domain name system offers a possible solution to this problem. The system’s main purpose is to respond with the IP addresses of a service under a given domain, but the system can also provide certain types of additional information, such as which certificate authority is authorized to issue certificates for a given service 14. DNSSEC enables the user’s device to trust this information, instead of having to accept certificates from every certificate authority.

This application is particularly relevant in Norway, seeing as we have already implemented DNSSEC to a relatively large degree, and most services critical to society are available online. Public authorities have a large number of online services for communication with the nation’s residents. So far, only approx. nine percent 15 of these web sites use HTTPS, but the Norwegian National Security Authority recommends that all of them be secured with this technology, using certificates issued by certificate authorities subject to Norwegian law 16. The need for public websites to securely be able to communicate which certificate authorities they use is therefore quite pressing.

In the future, the distribution of secure information about services through the domain name system may extend the use of certificates to services that currently do not have that option, e.g. e-mail. Software for mail servers implementing this functionality is already underway.

From theory to practice—some tools to check your DNSSEC status

Check to see if a Norwegian domain is secured using DNSSEC.
Enter the domain and see if the DNSSEC test result at the bottom turns green. A grey result means the domain is not secured.

Find a registrar that can secure your domains with DNSSEC.
Choose to show only registrars that offer DNSSEC.

Check the validation status of your domain lookups.