ICANN has received a request to redelegate the .CO domain, a country-code top-level domain representing Colombia, to .CO Internet SAS. ICANN Staff have assessed the request, and provide this report for the ICANN Board of Directors to consider.
The “CO” ISO 3166-1 code is designated for use to represent Colombia, a country located in South America with a population of approximately 45 million people.
In accordance with IANA practice to delegate ISO 3166-1 codes as country-code top-level domains, the .CO top-level domain was initially delegated on 24 December 1991 to the Universidad de los Andes (“the University”).
At some point around 2001, the University explored the exploitation of the domain for commercial purposes, such as treating it as a de-facto generic top-level domain like .COM targeted globally for use by companies. In response to these efforts, some legal action and activity was taken to prevent this, and the Minister of Communications wrote to the University asking them not to proceed with this course of action.
The University wrote to ICANN that it disputed the objections raised by the Colombian Government, and that it considered there are issues that still need to be resolved. In the mean time it considered it within its rights to proceed and that “the University intends to proceed with the appointment of a [subcontracted] registry operator and the commercialisation of the .CO TLD”.
On 11 December 2001, in Radication 1376 the Council of State was asked by the Minister of Communications to consider the public nature of the .CO domain, whether it is a subject intrinsically linked with telecommunications, and “where the resources coming from its exploitation should go”. In the discussion it was noted the trusteeship of .CO was granted to the University under the auspices of IANA and ICANN. She informed the meeting that the University had plans to develop a bidding process to look for an international operator of the domain, to transition it into a domain that “would no longer exclusively be used to identify Colombia and would become a generic domain [as a synonym for] ‘company’.”
The meeting considered whether “the regulations of private and foreign coordinating bodies of the Internet prevail” with respect to the management of .CO, and concluded that “those regulations cannot prevail over the national legal order.”
The meeting concluded that the .CO domain is of public interest, intrinsically related to communications, and by virtue of this the Ministry may put into action planning, regulation and control of the domain.
On 12 February 2002, the University wrote to ICANN informing that it had “terminated the .CO country-code top-level domain commercialisation process and has further decided not to appoint a new registry operator.” It further went on to say that the University was experiencing “great difficulty” in operating .CO in light of the December 2001 council decisions, as well as the legal actions concerning the commercialisation. It stated that the University “believes that it can no longer bear the administrative and operational responsibilities” of operating the domain, and sought to terminate its activities as soon as possible while “offering its fullest cooperation with ICANN in order to ensure that this process is conducted as smoothly and successfully as possible”.
On 10 May 2002, representatives of the University, as well as the Minister and Vice-Minister of Communications, met at ICANN’s offices in Los Angeles, USA, to discuss the future administration of .CO. The meeting was positive on the continued operation of .CO by the University.
Unbeknownst to the University at the time, on 7 May 2002, the Government of Colombia issued Resolution 600 of 2002, “on partial regulation of administration of the domain name .CO”, noting that Law 72 of 1989 “confers on the Ministry of Communications the authority to plan, regulate and control all services in the communications sector, including certain elements and resources necessary for the provision of such services.” This resolution resolved in part that “.CO is a public asset in the telecommunications sector, the administration, maintenance and development of which shall be planned, regulated and controlled by the State, through the Ministry of Communications” and that the Ministry “shall coordinate application of the system laid down in this resolution with the international bodies responsible for managing top-level domain names.”
The Ministry wrote to ICANN on 24 June 2002 advising of the resolution, and that the Ministry was taking steps to implement the decision. It informed that the Ministry was happy for the University to continue in its role of administering the ccTLD, so long as they complied with regulation by the Ministry. However, the University wrote to ICANN on May 21, advising that they considered it disturbing that the meeting on May 10 was conducted without the Ministry faithfully disclosing the resolution the government had passed three days earlier.
On 12 August 2003, the Minister of Communications of Colombia wrote to ICANN advising that “the Council of State in Colombia ordered the Colombian Minister of Communications to take over administrations of .CO domain from the University ... as a consequence the Minister has been doing its best efforts in order to assume, directly or indirectly, the .CO administration. This process embraces several consultations to the Colombian Internet community and the University of Los Andes, as the actual administrator.”
On July 29, 2006, the Government of Colombia issued Law 1065 of 2006, regulating the administration of domain name registration service for the .CO domain. It reads, in part, “the administration of the register of names in the .CO domain is an administrative function for which the Ministry of Communications is responsible and its exercise may be conferred on private parties in accordance with the law. In this case, the duration of the agreement may be for up to 10 years, open to renewal on one occasion only, for a term equal to the original term.”
A three year period of public consultation commenced after the enactment of the law. It commenced with a public enquiry held on November 9, 2006, posing the questions:
In June 2007, representatives of ICANN’s Root Zone Management staff met with representatives of the Ministry and explained the requirements of redelegation. They were encouraged to take an open and transparent bottom-up consensus driven approach to selecting an appropriate trustee for the .CO domain. Staff also explained the process of evaluating and implementing redelegation requests.
This was followed by a number of exchanges with ICANN where the Ministry made it clear they were keen to redelegate the .CO domain to the Ministry prior to any decision or process to select a future operator of the .CO domain. The Ministry wanted to take responsibility for the .CO domain, so they could have the ability to in practice delegate the domain to whomever they chose. ICANN representatives met with the Minister and the Rector of the University in Bogatá on 19 September 2007, strongly advising against this course of action. Ultimately, ICANN’s CEO wrote to the Minister on 28 May 2008, that unless there was a proposed operator for .CO the “due diligence [for redelegation process] could not be made”.
Subsequent outreach was coordinated by the Government, including a meeting on operational models held in September 2007, and creation of an advisory committee to consider community opinions regarding .CO policy in April 2008. On 30 April 2008, a draft policy was published for public comment for 10 days.
A distillation of the comments received during this period was published by the Ministry. Of particular note was one comment relating to the potential monetisation of non-existent domains within .CO, as follows:
We would suggest a new role for the administrator, as follows: The administrator of .CO will be responsible for the economic exploitation of all unregistered domain names and errors. It shall:
- Provide information to potential owners of domains in .CO;
- Inform potential holders of .CO domains how they can get domains;
- Provide the necessary technology to assist potential holders of domains in .CO how to access the site or the desired direction.
On 19 May 2009, a public procurement process was commenced regarding the operation of the .CO domain. A hearing was held shortly after for potential bidders and other interested parties concerning the Request for Proposal process, allowing for concerns to be raised with the Ministry. In that consultation, the issue of wildcards in the .CO domain was specifically raised by a representative of the registry services provider Afilias:
We ask that the Ministry of Communications clarify its policies and explicitly prohibit the practice of “comodin” or “wildcarding” as it is known in English. This clarification is important to protect .CO from a practice that has been internationally condemned ... but is permitted under the present terms of reference. Without immediate and clear instruction from the Ministry, the current specifications give rise to ... exposure to abusive monetisation through the use of wildcards [in .CO].
Afilias went on to propose specific language that prohibited the use of this technique, citing ICANN’s SSAC findings. Representatives of .CO Internet SAS then also wrote to the Ministry, commenting on the issue:
Although it is a subjective issue, we would like to strongly endorse the recommendation made by Afilias regarding the use of wildcard in the .CO space. Although their speech was aimed at highlighting the impact that such practice may have on the economic proposal of the various bidders, and the potential disadvantage that it could have on its bid, the real concern that all bidders should have is that the use of a wildcard would have negative consequences to the background image of our country and that of its domain at an international level. This issue has been widely discussed in the forums of ICANN, where it is now permanently banned.
However, in their submission, .CO Internet SAS further went on to ask the Ministry not to implement Afilias’ suggestion to specifically prohibit the practice:
We are very concerned that the Ministry will decide on this particular issue, as it opens a debate against what was established in the RFP and in the previous studies, that is the “technical, operational and financial autonomy of the concession contracts” and, in general, with the different options that could lead to the best economic output of the domain to benefit the income of the Country, and the robustness of .CO’s operations. ... In short, it would create permanent doubt on what steps can be taken commercially to optimally generate resources from .CO.
In their written response to the issue, the Ministry elected not expressly prohibit wildcards, writing:
The ministry makes clear that, in the event of finding in the future that there are practices used in .CO that jeopardise its image, that it will exercise the functions of regulation and control conferred by Act 1065 of 2006, [whereby it] “is responsible for defining and providing policy on delegation of domain names under the ccTLD”. ... Additionally, we believe that the specifications provide a definition of enabling factors and technical factors that are sufficiently rigorous to guarantee that applicants are global and have a high reputation in the domain industry.”
On 15 July 2009, a preliminary evaluation report on two bidders was published and open for seven days comment from interested parties, followed by a public award hearing on 13 August. The assessment of the two bidders — Proposed Company .CO Internet SAS and VeriSign Switzerland SA — was that only .CO Internet SAS was in compliance with the requirements of the tender. VeriSign was deemed non-compliant with the requirement of “specific experience, individually or by at least one member of the joint venture, consortium, proposed company and/or any other form of association or participation, of at least 500,000 registrations within a ccTLD.”
On 19 August, the Ministry announced the selection of .CO Internet SAS (“the Concessionaire”) as the new administrator of the .CO top-level domain.
In early September, the University wrote to ICANN asking for advice on what is required of them with respect to any possible future transfer. They were advised to honestly present their views on the current operator should they be asked to consent to any future transfer. With respect to migration of registry data, staff advised that the actual transfer of registry operations should not be conducted prior to the successful completion of a redelegation process with ICANN, and in the interim they may wish to work with any future operator on ensuring they can read their data formats using sample data.
On 17 September 2009, IANA received a request to redelegate the .CO top-level domain to the Ministry.
During the October 2009 international ICANN meeting held in Seoul, South Korea, representatives of both the Concessionaire and the Ministry met with ICANN staff to discuss aspects of the request. One area of discussion was the nomination of the Ministry as the sponsoring organisation in the application. Reiterating earlier discussions in 2007, ICANN Staff noted that the Ministry’s role was that of a regulator that had no real direct operational role in the domain, rather entrusting the concessionaire to manage all aspects of the domain under a regulatory umbrella imposed by the Ministry.
In light of this discussion, the Ministry wrote on 5 November 2009 to amend the application, specifically: “We have considered it appropriate to authorise the change in the registry [such that] .CO Internet SAS appears as the “sponsoring organisation” in lieu of the Ministry”.
The University wrote on 8 October 2009 confirming it had provided example data to the Concessionaire to ensure they can read it correctly. The actual registry data will be provided following any approval of this request by ICANN.
On 19 November 2009, a new template was provided to IANA reflecting the Concessionaire as the sponsoring organisation. IANA staff successfully confirmed with the proposed administrative and technical contacts the particulars of the proposal, and that they are willing to operate the domain on behalf of the Colombian Internet community.
The proposed sponsoring organisation is .CO Internet SAS, a legally established sociedad por acciones simplificada in Bogotá, Cundinamarca, Republic of Colombia, NIT number 900308815-5, registered in the Bogotá Chamber of Commerce under registry number 01925986. The entity is a joint venture between Arcelandia SA (a Colombian company), and Neustar Inc. (a US company).
The proposed administrative contact is Eduardo Santoyo, .CO Internet SAS, Calle 100 No. 8A-49, Torre B, Oficina 916, Bogotá, Colombia. The administrative contact is understood to be based in Colombia.
The proposed technical contact is Ronald Ferraro, .CO Internet SAS, Calle 100 No. 8A-49, Torre B, Oficina 916, Bogotá, Colombia.
The top-level domain “CO” is eligible for delegation under ICANN policy, as it is the assigned ISO 3166-1 two-letter code representing the country Colombia.
A lengthy consultation process over a number of years has arrived at this proposal. Participation from a number of entities from the community has occurred through various steps in recent years. The manner in which the framework for selecting a new trustee for .CO was developed has been made public throughout the process. The process resulted in a procurement process with two bidders of which one was deemed qualified, and ultimately selected.
The government has been consulted in this process, and is indeed the principal driver of the redelegation effort dating back to 2001. The proposal to transfer the domain has the explicit endorsement of the Minister of Communications, relying on powers granted to her under Colombian law that specifically relate to the .CO domain.
The application is consistent with known applicable local laws within Colombia.
The applicant undertakes to operate the domain in a fair and equitable manner, through a policy framework that has been stipulated by the Government in Resolution 1652 of 2008.
Future evolution of the policy framework will be assisted by an Advisory Committee comprised from diverse local interests including representatives of business, academic, intellectual property interests, government, the University and .CO Internet SAS.
The proposed sponsoring organisation is constituted in Colombia. The proposed administrative contact is understood to be resident in Colombia. Significant operations will be conducted in the country, and the registry data will be locally escrowed and recoverable within Colombia.
The request is deemed uncontested, with the current sponsoring organisation consenting to the transfer and agreeing to work with the proposed new operator on transferring domain registration data.
The proposed new operator has proposed a transfer process that should maintain the stability of the .CO domain for its users throughout the transition period.
The applicant has provided comprehensive operational and technical plans regarding how the .CO domain will be operated. Its plans have further been reviewed through an RFP process within the country. The operator is partly owned by Neustar, an experienced provider of domain registry services for top-level domains such as .US.
The registry back-end operation will utilise Neustar’s established Registry, DNS and WHOIS implementations, including their UltraDNS platform that has been in operation since 1999, and their Registry SRS platform that has been in production for eight years.
Due to both its visual similarity and keystroke proximity to “.COM”, it has been reported the .CO domain is an attractive target for those wishing to capitalise on mis-directed communications that were intended for existing .COM domains. The .COM domain, with 83.9 million registrations as at August 2009, is the world’s most popular top-level domain and therefore is particularly attractive for this for a variety of reasons including monetisation, or attempts at vulnerability exploitation like phishing.
One method of exploiting the confusability between .CO and .COM is to configure the authoritative name servers for .CO to return valid answers — implying the domain exists — in response to DNS queries for domains that have not been registered and do not exist. The most broad implementation of this is the implementation of a “wildcard”, which is an entry in a DNS zone that returns answers for any record within a domain for which no specific registration exists. However the practice is not limited just to wildcards, but more broadly includes other forms of domain synthesis where domains are conjured through some programmatic way in the domain registry, in the authoritative name server software, and so on. The net result of these various methods of synthesis, collectively known as “NXDOMAIN substitution”, is that domains that are not registered do not properly return the NXDOMAIN DNS error signifying such. They instead return valid DNS answers that can cause a host of technical problems.
The issue of NXDOMAIN substitution has been explored in some detail by ICANN over a number of years, most recently resulting in clear decisions by the ICANN board to prohibit their usage within top-level domains. In June 2009, the ICANN Board passed the following resolutions:
Resolved (2009.06.26.19), that new TLDs, including ASCII and IDN gTLDs and IDN ccTLDs, should not use DNS redirection and synthesized DNS responses. Staff is directed to revise the relevant portions of the draft Applicant Guidebook to prohibit such redirection and synthesis at the top-level for new gTLDs, and to take all available steps with existing gTLDs to prohibit such use.
Resolved (2009.06.26.20), the Board further directs staff to communicate and disseminate in July 2009 the concerns regarding harm caused by the redirection and synthesizing of DNS responses with appropriate parties, including the ccNSO, ccTLD operators and the GAC, who might be able to ensure measures are taken to assure the integrity of error responses as well as name resolution for ccTLDs.
Resolved (2009.06.26.21), the Board requests that the ccNSO provide a report on mechanisms that could be employed to ensure that redirection and synthesis at the top level is effectively prohibited.
Resolved (2009.06.26.22), the Board invites the GAC to consider what measures could be taken to alleviate harm that can be caused by redirection and synthesis of DNS responses at the top level.
In light of the discussions in the .CO community about the possible deployment of NXDOMAIN substitution, and noting ICANN’s clear position on the matter, staff explicitly asked the applicant to respond on this issue of what the proposed .CO policy on this practice is, and whether they would be deployed.
The applicant responded highlighting their letter of 24 May 2008 to the Ministry indicating the opposition to the practice. Further they excerpted from their response to the Ministry’s RFP as follows:
According to ICANN recommendations, .CO INTERNET proposes NOT to implement a wildcard ... the implementation of a wildcard in the .CO space would have negative consequences that would put the security and stability of DNS at risk.
By virtue of this language in their proposal, and under the terms of the procurement the proposal being contractually obligating upon the concessionaire, the applicant have stated they are now legally bound not to implement NXDOMAIN substitution. They have noted that in their application they have undertaken, more generally, to “conform to industry best practices and observe changes in the domain name system in an effort to preserve security and stability.” Moreover, under the terms of the RFP, “[The registry operator must] ...maintain a relationship with ICANN (by participating in the ccNSO), LACTLD, and other supporting organisations in which, beyond providing financial support, agrees to participate in the construction of policies related to the operation of ccTLDs and support the collaborative regional and international development of the Internet to provide confidence in its use.” They therefore assert there are sufficient safeguards against this practice to give confidence that they will adhere to best practice and remain in-line with ICANN’s position on this matter.
The Internet Corporation for Assigned Names and Numbers (ICANN) is tasked with managing the Domain Name System root zone as part of a set of functions governed by a contract with the U.S. Government.
A subset of top-level domains are designated for the local Internet communities in countries to operate in a way that best suits their local needs. These are known as country-code top-level domains, and are assigned by ICANN to responsible trustees (known as “Sponsoring Organisations”) who meet a number of public-interest criteria for eligibility. These criteria largely relate to the level of support the trustee has from their local Internet community, their capacity to ensure stable operation of the domain, and their applicability under any relevant local laws.
Through an ICANN department known as the Internet Assigned Numbers Authority (IANA), requests are received for delegating new country-code top-level domains, and redelegating or revoking existing country-code top-level domains. An investigation is performed on the circumstances pertinent to those requests, and, when appropriate, the requests are implemented. Decisions on whether to implement requests are made by the ICANN Board of Directors, taking into account ICANN’s core mission of ensuring the stable and secure operation of the Internet’s unique identifier systems.
The evaluation of eligibility for country-code top-level domains, and of evaluating responsible trustees charged with operating them, is guided by a number of principles. The objective of the principles is to ensure the secure and stable operation of the Internet’s unique identifier systems. The evolution of the principles has been documented in “Domain Name System Structure and Delegation” (RFC 1591), “Internet Domain Name System Structure and Delegation” (ICP-1), and other informational memoranda.
In considering requests to delegate or redelegate country-code top-level domains, input is sought regarding the proposed new Sponsoring Organisation, as well as from persons and organisations that may be significantly affected by the change, particularly those within the nation or territory to which the ccTLD is designated.
The assessment is focussed on the capacity for the proposed sponsoring organisation to meet the following criteria:
To assess these criteria, information is requested from the applicant regarding the proposed sponsoring organisation and method of operation. In summary, a request template is sought specifying the exact details of the delegation being sought in the root zone. In addition, various documentation is sought describing: the views of the local internet community on the application; the competencies and skills of the trustee to operate the domain; the legal authenticity, status and character of the proposed trustee; and the nature of government support fort he proposal. The view of any current trustee is obtained, and in the event of a redelegation, the transfer plan from the previous sponsoring organisation to the new sponsoring organisation is also assessed with a view to ensuring ongoing stable operation of the domain.
After receiving this documentation and input, it is analysed in relation to existing root zone management procedures, seeking input from parties both related to as well as independent of the proposed sponsoring organisation should the information provided in the original application be deficient. The applicant is given the opportunity to cure any deficiencies before a final assessment is made.
Various technical checks are also performed on the proposed sponsoring organisation’s DNS infrastructure to ensure name servers are properly configured and are able to respond to queries for the top-level domain being requested. Should any anomalies be detected, IANA staff will work with the applicant to address the issues.
Assuming all issues are resolved, an assessment is compiled providing all relevant details regarding the proposed sponsoring organisation and its suitability to operate the top-level domain being requested. This assessment is submitted to ICANN’s Board of Directors for its determination on whether to proceed with the request.