Will New Top Level Domains (TLDs) Work Everywhere?

In the physical world, some metropolitan areas manage growth by creating boundaries. In the online world, growth is also controlled with boundaries. And right now, we’re in the middle of setting the course for how the real estate of the Internet will be labeled and accessed for years to come, through the new gTLD Program of the Internet Corporation for Assigned Names and Numbers (ICANN).


Historically, gTLDs — generic top-level domains — have been simple and easily recognizable. In the 1980s and 1990s, the bulk of them ended with three-letter “labels” like .COM or .NET or .ORG. That changed in 2001 with the introduction of a series of new gTLDs, including ones with four-letter — or more — strings like .INFO and .MOBI and .MUSEUM.


This year we’re on the cusp of another major change that is already having an impact on how TLDs are managed, maintained and secured. That’s because competition for new Internet real estate is now underway in earnest.

In June, ICANN revealed the particulars of 1,930 applications for new gTLD strings. Almost half were from North America, with Amazon and Google applying for dozens of new strings, including .cloud, .buy and .book. To the surprise of many, there were more applications for .app than there were for .sex. In fact, with 13 bids, .app was the most popular of the 231 domain names for which competing applications were received, followed by .home and .inc. Apple — the technology company — applied for .apple, which was not contested by the Beatles’ music company with the same name. Contested domains applied for by more than one legitimate organization will go to auction unless resolved between competitors prior to auction.

Implications of the new gTLD “real estate” extend well beyond the applicants. If you’re responsible for your organization’s online presence, the introduction of new gTLDs offers challenges in how your organization fares — or doesn’t — on the Internet. A recent global benchmarking survey by WTR and Thomson Reuters reported that there is a varying degree of preparedness for what one expert referred to as a “massive” change to the online landscape. One way you can prepare is to ensure your sites and software are programmed for universal TLD acceptance.

Getting to Universal Acceptance of All Domains

Ensuring that Internet software and sites understand all domains — not just the old three-letter domains like .COM and .NET — is called universal acceptance. For example, when is the last time you looked at your company’s online contact forms? If you haven’t revisited them for a while, you might discover that they are hardcoded for certain domains like .NET or .ORG and may reject email addresses that use, say, a four-or-more-character domain like .INFO or .MOBI. (Full disclosure: .INFO and .MOBI are both domains managed by my company, Afilias).

Or have you seen some TLDs that don’t work in your browser? Some browsers, including mobile ones, screen out addresses as either “right” or “wrong,” and many modern TLDs simply don’t resolve because the browser doesn’t understand how to handle the TLD.

A real-life example: as late as 2007, you could not email an article from the New York Times website to anybody with a .INFO email address, which was actually fun for some of my colleagues because they would try to send me articles and say, “Oh, you didn’t see it? Maybe you should get a .COM address.”

Some software and websites contain constraints that limit what is considered a valid domain name and, in the process, impose artificial — and many times, unintended — boundaries on the emails and websites that will (or won’t) be accepted. Some of these universal acceptance issues are caused by improper logic in software for checking valid domains, or by older software that requires an upgrade.

Other universal acceptance issues can be caused by a lack of support for Internationalized Domain Names (IDNs), which are domain labels that incorporate accent marks or non-ASCII characters like Chinese, Hindi and Hebrew. IDNs are six percent of all the new gTLDs currently applied for and, given that they haven’t been widely used until now, it’s likely that many websites and Internet applications won’t recognize them as top-level domains.

ICANN has been discussing the issue of universal acceptance for years. And at my own company, Afilias, we had the “fun” in 2001 of launching the first four-letter TLD — .INFO — that wasn’t accepted practically anywhere. From that experience, I developed my three “rules” of TLD acceptance:

1. An old TLD will be accepted more often than a new TLD.

2. An ASCII-only TLD will be accepted more than an IDN TLD.

3. A three-letter gTLD will be accepted more often than a longer string, even if it’s a gTLD.

Universal TLD acceptance must overcome these three rules. And with the upcoming addition of hundreds of new TLDs and IDNs, the problems caused by a lack of universal TLD acceptance have quickly moved to the front burner as a global issue.

While ICANN has a webpage dedicated to the issue as well as a TLD verification tool, ICANN has no power to address individual sites or software. Universal TLD acceptance is a community effort. So, for site owners and software developers, ICANN offers technical recommendations to help you achieve universal TLD acceptance:

1. Do you need to check domain validity for incoming emails? If not, don’t do it. If so, be sure you understand why you do it. For example, if it’s an email that needs to opt-in, will it be caught that way?

2. Do you need to validate domains for online applications? If so, use a DNS query, which is instant and up to date. Don’t rely on a fixed, hard-coded list.

3. Do you have to use a fixed list of TLDs? If so, make sure it has an update mechanism, preferably one with daily updates.

4. Did you adjust your site or software beyond the “domain name” field? Don’t forget email addresses, Web addresses, name servers and elsewhere.

These kinds of changes are usually easy to implement, but they may be challenging for some. However, with the coming explosion of new TLDs, these issues need to be addressed if you want to meet the long-term needs of your users and customers.
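As an added illustration (not code from ICANN or from the article), the following Python sketch contrasts a hard-coded TLD check of the kind described above with a check that validates syntax only, converts IDNs to their ASCII form, and then asks DNS whether the domain exists. The regular expression, function names and sample addresses are constructed for this example, and the resolver is injectable so the check can be exercised without network access.

```python
import re
import socket

# Constructed example of the hard-coded check the article warns about:
# only .com/.net/.org or a two-letter ASCII TLD is considered valid.
LEGACY_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.(com|net|org|[A-Za-z]{2})$")
LABEL_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")

def legacy_accepts(address):
    return LEGACY_RE.match(address) is not None

def to_ascii_domain(domain):
    """Return the lowercase ASCII (A-label) form of a domain, or None if malformed."""
    try:
        ascii_domain = domain.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None
    labels = ascii_domain.split(".")
    if len(ascii_domain) > 253 or len(labels) < 2:
        return None
    # Syntax only: no assumption about TLD length or membership in a list.
    return ascii_domain if all(LABEL_RE.fullmatch(l) for l in labels) else None

def system_resolves(ascii_domain):
    """Live DNS check via the system resolver (address records only; a mail
    system would also query MX, which needs a DNS library)."""
    try:
        socket.getaddrinfo(ascii_domain, None)
        return True
    except socket.gaierror as err:
        # Do not reject users because of a transient resolver failure.
        return err.errno == getattr(socket, "EAI_AGAIN", None)

def universal_accepts(address, resolves=system_resolves):
    """Accept any syntactically valid domain that currently exists in DNS."""
    local, at, domain = address.rpartition("@")
    if not at or not local:
        return False
    ascii_domain = to_ascii_domain(domain)
    return ascii_domain is not None and resolves(ascii_domain)

if __name__ == "__main__":
    # Constructed inputs; the stub stands in for DNS so the demo runs offline.
    exists = lambda d: d.endswith((".com", ".info", ".museum", ".xn--p1ai"))
    for addr in ["a@example.com", "a@example.info", "a@example.museum",
                 "a@пример.рф", "a@example.notatld"]:
        print(addr, legacy_accepts(addr), universal_accepts(addr, exists))
```

The same `universal_accepts` logic applies to every field that carries a domain (email addresses, Web addresses, name servers), not only a "domain name" input.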

And by the way, I recently recreated my New York Times “article forwarding” test to my .INFO address. This time, it worked.
