That seriously devalues MarkMonitor's services. MarkMonitor claims to be a
"an ICANN-accredited registrar and recognized industry leader since 1999".
The whole point of paying for MarkMonitor is that they're an expensive service for valuable domains and are not allowed to screw up. GoDaddy should not be involved here at all.
GoDaddy Registry operates the .us registry. You cannot have a .us domain without their involvement. Consider whether you wanted a .com domain instead (which is operated by Verisign).
Interesting. I used to buy Zoom modems in the 80s-90s (https://en.wikipedia.org/wiki/Zoom_Telephonics), but apparently they have nothing to do with either of the other two Zoom companies mentioned here. I had occasionally wondered but never looked into it until now.
I always assumed that Zoom reacted to security/privacy concerns about its association with China by getting a "*.us" domain that sounded very United States.
But the dot com domain is now owned by Zoom Communications or just Zoom (as we know it). If you type "zoom.us" in your browser, you will be redirected to https://www.zoom.com/
> “I loved this fun little book as much as my kids, and hoped to use the name someday for the perfect company that embodied the same values of creativity, exploration, happiness, and trust. And the name works perfectly with a product that connects us visually to one another and that always works so fast and seamlessly.“
The reference to "Zoom City" is from an article published in 2020. It seems like a remarkably fitting ret-conning of what is probably a very boring branding decision.
Are there any actual recent examples of this? The major examples I've always heard are solidly in the 20th century. It's not like Google has had any problem holding their trademark.
Kleenex and Xerox were both (somewhat) recently in danger of loosing theirs. They both pulled pretty big campaigns to un-verb their trademarks. Google still has a bunch of other products that people are familiar with, so they are in less danger of loosing theirs right now, but give it some time (like 50 years, not 10) and it may happen, especially if they get broken up for being a monopoly. (Which has been mentioned)
BlueJeans is one of those absolutely catastrophically stupid branding decisions. There's just........ no justification. It's confusing at best, and abbreviated as BJ at worst.
Added context: Zoom delivered a step change in video conferencing quality for the many, vs the few, and in a lot of ways did seem to force others to be better.
During the pandemic many people used zoom more than their cell phones.
I immediately agreed with this, but at the same time it’s not “fast” is it? It’s higher quality or more reliably, something like that. But emotionally I agree it does feel “faster”.
> The whole point of paying for MarkMonitor is that they're an expensive service for valuable domains
A while ago and, out of curiosity, I did a Whois Lookup to see what big tech companies are using as their domain registrar and found that Microsoft, Google, Amazon, Tesla, Netflix and Shopify are all using MarkMonitor. On the other hand Apple uses "Nom-iq Ltd. dba COM LAUDE", Meta (and its children) uses RegistrarSafe and Nvidia uses SafeNames.
It’s both. Some domains do not allow WHOIS privacy (.us is one of them), some have it built-in, while most don’t care and registrars can fill in with fake data.
They probably meant "whois privacy"[1] (without the space). Whois is basically a way to get information about a domain name (and many other stuff).
Whois privacy just ensures that your address, name and other stuff is not public.
They were probably joking when they asked that question.
Your reply doesn't seem sarcastic, so I take it you genuinely r/whoosh'ed (that's a reference to a subreddit about situations where someone is acting clueless).
Yeah I'm increasingly seeing these reddit-style low effort jokes on here, hopefully it's transient as folks acclimatize to the culture and customs here.
They are operated by important entities. Not companies that release sexy commercials featuring Danica Patrick. I keep getting confused between GoDaddy and Carl’s, Jr.
I think its clear from context they mean the .us TLD, and not the root zone, since obviously it wouldn't make sense to talk about the root zone for .us.
Its also very reasonable to use the more well-known name of the parent company to describe sonething done by its subsidary.
Hence 'for .us'. The trouble with this form of pedantic is that the nicer way to interpret the misunderstanding is that the pedant is ignorant either of language or the structure of dns.
"He runs the Internet routers for our company." -> "Your company doesn't run the Internet" -> wtf?
It actually didn’t help at all. Read the part quoted again, OP specifically indicated .us, not “root zone”. The registrar for .us (GoDaddy) is in fact the “root dns for .us”
The original clarification was perfectly fine to and arguing about the correction is reply-all-unsubscribe line noise. There was confusion, it error corrected, move on.
> The registrar for .us (GoDaddy) is in fact the “root dns for .us”
“root DNS” has a very specific meaning, and you’ve misused it again.
Root DNS means ‘.’ and only ‘.’ There is no other “root”. That’s why it’s called “root” to be unambiguous.
In fact, in recent history, the root name servers use their own domain for convenient forward DNS resolution: ‘root-servers.net’ GoDaddy doesn’t run this either... Surprise, surprise!
> Your company doesn't run the Internet
Yeah well as a fragment, the statement makes sense, more or less, because there’s no “term of art” being abused there in your reductio ad absurdum.
Indeed you can run your own private root DNS, if you don’t want to interact with the real Internet, but your private roots are different from your private/hidden/split-horizon TLD. Another thing GoDaddy isn’t running. Did you know that GoDaddy doesn’t run news.ycombinator.com? Not even a subsidiary!
GoDaddy doesn’t run any “root DNS”, and they never have: period, full stop. [Pun intended]
Well, another point of MarkMonitor is to get access to ccTLDs with requirements that are more difficult for you to meet yourself. Like needing to have a physical address within the country. MarkMonitor has offices in a bunch of countries just to meet that requirement, so they can sell ccTLD domains to customers.
The legality of that system seems a little questionable to me, but IANAL.
If you register a ".ps" domain, it doesn't matter if you use MarkMonitor or Namecheap, they can't help you when the ongoing genocide results in the removal of Palestine as a country and ".ps" no longer is a valid country code top level domain.
Similarly, if you register a .us domain instead of a ".com", ".net", or ".org", MarkMonitor can't help you when GoDaddy inevitably screws up.
History has borne this out: .com domains are well-managed. ccTLDs like '.io', '.su', and '.fj' have all had significant security or availability issues because they're run by "eh, whoever the hell the country picks" with no standards.
Financially, a proper gTLD also can't raise prices unilaterally and weirdly, while if you pick a ccTLD, the country has free reign to arbitrarily change prices, delete your domain, take over your domain, etc etc.
Them being subject to the pretty draconian laws of Germany is a minus for most people if they had no other reason to have to follow those laws (such as not being in Germany).
Somebody that is based in Germany (which is what GP was recommending .de for) is usually subject to German law, due to... being in Germany.
And conversely, when not based in Germany, you'd need a proxy Administrative Contact anyway. (Registrars can probably provide that for you, but it seems like asking for trouble.)
If it's not strictly non-commercial then you have to publish your fill name and home address prominently on it. You can't say anything insulting about anyone, even if true. And you can't criticize what Israel did because it's considered antisemitism.
> If it's not strictly non-commercial then you have to publish your fill name and home address prominently on it.
Under German law, as far as I understand this is true for publications "addressed to a German audience" regardless of your domain's TLD, your server location etc.
There are definitely exceptions, and having a connection to the country in question helps, but unfortunately countries seem to enshittify in different but similar ways as old companies.
>>> This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain.
That sounds like MarkMonitor is at least partly at fault here.
> Mark Monitor have issued a correct request for the `serverUpdateProhibited`, but GoDaddy changed the code to `serverHold` instead.
I’m curious about where are you seeing what Mark Monitor requested? It doesn’t appear in the official status update. Is this public information formally posted somewhere we can all see?
I mean, one person is saying what to do and the other person is doing it. And the person doing things is taking down zoom.us... Also knowing who godaddy is and what they do...
> Financially, a proper gTLD also can't raise prices unilaterally and weirdly, while if you pick a ccTLD, the country has free reign to arbitrarily change prices, delete your domain, take over your domain, etc etc.
Look into what’s happened with pricing on domains like .org and .info. They’re increasingly absurd, with the restrictions on price increases that once were there largely being removed, at the pushing of the sharks that bought the registrar. Why are these prices increasing well above inflation rate, when if anything the costs should go down over time? Why is .info now almost twice as expensive as .com?
Although the .org price caps are gone, the registry has to raise prices uniformly for all domains. They can't target popular domains for discriminatory pricing. ccTLDs can.
> They can't target popular domains for discriminatory pricing.
That's not completely accurate. Section 2.10c of the base registry agreement says the following in relation to the uniform pricing obligations:
> The foregoing requirements of this Section 2.10(c) shall not apply for (i) purposes of determining Renewal Pricing if the registrar has provided Registry Operator with documentation that demonstrates that the applicable registrant expressly agreed in its registration agreement with registrar to higher Renewal Pricing at the time of the initial registration
Most registrars have blanket statements in their registration agreement that say premium domains may be subject to higher renewal pricing. For registry premium domains, there are no contractual limits on pricing or price discrimination. AFAIK, the registries can price premium domains however they want.
You omitted key portions of that section. Here's the full quote (emphasis added):
> The foregoing requirements of this Section 2.10(c) shall not apply for (i) purposes of determining Renewal Pricing if the registrar has provided Registry Operator with documentation that demonstrates that the applicable registrant expressly agreed in its registration agreement with registrar to higher Renewal Pricing at the time of the initial registration of the domain name following clear and conspicuous disclosure of such Renewal Pricing to such registrant
Furthermore:
> The parties acknowledge that the purpose of this Section 2.10(c) is to prohibit abusive and/or discriminatory Renewal Pricing practices imposed by Registry Operator without the written consent of the applicable registrant at the time of the initial registration of the domain and this Section 2.10(c) will be interpreted broadly to prohibit such practices
Yes, premium domains can be priced higher, but the Renewal Pricing has to be "clear and conspicuous" to the registrant at the time of initial registration. Are you aware of any litigation related to this?
The exact pricing isn’t disclosed. All they do is tell you the price will be “higher”. Anyone registering a premium domain is getting higher than uniform renewal pricing, so whatever they’re doing right now is considered adequate and that’s just generic ToS in the registration agreement AFAIK.
It sounds like you think I’m being deceptive. Do you know about any registry premium domains where someone has a contractually guaranteed price?
Also, based on my own anecdotal experience, ICANN doesn’t interpret 2.10c broadly and they allow the registries to push the boundaries as much as they want.
Agreed. This is a whole lot of screw ups that I would have expected from the indie company down the street, not an ICANN accredited registrar. It's pretty pathetic when it takes public pressure for the ICANN to finally start doing their goddamn job.
These big companies spend tens of millions on homegrown tooling, even their own languages and databases, but they can't assign one dev to write a domain-monitoring tool?
You are thinking like a developer. In reality that means that now they are responsible for it, if MarkMonitor messes something up they can use their relationship to all the registrars to fix the problem and MarkMonitor is on the hook in case anything goes wrong.
This is a better situation to be in than some internal tooling that failed to notify someone because it got forgotten after the developer left.
Because it's cheaper and more reliable to outsource that to a company specializing in it.
If one dev had written it, how many times would that tool have failed by now? When the original dev left the company a decade ago, the tool has been transferred between teams six times, it failed a migration and the email address it used to send errors to no longer exists so nobody noticed, and it's literally gotten lost in the shuffle?
Markmonitor is much more about the people and service behind it rather than the software. To replace markmonitor you don't need a dev to write a tool. You need a dev to write a tool, and then a team of people who build relationships with everyone in the domain world and are available 24/7 to make calls and deal with issues if they come up.
To try to convince my employer at the time to drop Zoom, I decided to see how many security vulns I could find in 2-3 hours.
Found 12 confirmed bugs in that window using only binwalk and osint.
The worst was that I noticed the zoom.us godaddy account password reset email address was the personal gmail account of Eric S Yuan, the CEO.
So, I tried to do a password reset on his gmail account. No 2FA, and only needed to answer two reset questions. Hometown, and phone number. Got those from public data and got my reset link, and thus, the ability to control the zoom.us domain name.
They were unable to find a single English speaking security team member to explain these bugs to, and it took them 3 months to confirm them and pay me $800 in bug bounties, total, for all 12 bugs.
The one bright side is this did convince my employer to drop them.
How long ago was this? A few years ago they were hiring aggressively for security team members in the US, including a dedicated fuzzing team. I’m guessing this was from early on when Zoom was just getting popular?
The story says that the password reset link was received, which proves the vulnerability without actually denying service, causing loss, etc. As an analogy, the attacker found a key to a door but did not proceed to open the door.
It doesn't say the password reset link was used to change the password, which would deprive the account owner access and grant unauthorized access which of course would be illegal.
It's easy to blame GoDaddy, but 'miscommunication' takes two.
You pay Markmonitor a shitload of money to make sure this doesn't happen. They should have dedicated people at GoDaddy and direct communication channels.
This is a significant fuckup on Markmonitor's part, even if GoDaddy did something different than was requested from them.
I can guarantee you that miscommunication doesn't always require 2 people.
Source: Have been OH SO EVER PRECISCE AND EXACT in my communication with certain idiots, and they still screw it up. Several instances of "put this here carefully", only to return and find it all the way across the room upside-down and broken, come to mind.
Where are you getting that from? I don't see that info anywhere on the linked page. Is there more information published elsewhere, or do you have insider knowledge?
A few years ago I had a .us TLD. I eventually decided that I probably shouldn't be reliant on a country code for my domain, it's the same reason why I don't use .io
I'm not saying that this couldn't have happened with a gTLD But why put your brand at the mercy of a government like that?
What TLD is not subject to a country's laws? .aq? .su?
Edit: .eu might be an even better candidate for this requirement, but you can ask British former domain owners how that worked out
gTLDs just subject you to an additional layer of incompetence, namely from the company running it. The government where they're located can still come knocking. It's also not like e.g. .nl is run by the Dutch government officials, it's a nonprofit started by some people in the 80s iirc
gTLDs are regulated by ICANN. As much as an organization can achieve to be a global multistakeholder group, at least the intention is to be global.
ICANN have a mostly hand-off approach to ccTDLs. The intention is that each country decide on their own regulations and management when it comes to their country code specific domains.
.nl is a very special case, and it is true that the Dutch government was not involved. .nl was the first country code TLD created outside of the US, when the domain system still was part of ARPANET and operated by the United States Department of Defense. .nl was then transferred to a foundation 10 years later, and that's where ownership now resides.
ccTLDs are somewhat of a mess. Many are created in universities, then transferred to a company or foundation. Others were sold to companies from the start. In some cases, government have sold their ccTLD to other countries.
.se for example was created in a Swedish university, and then later the government took possession of it (or the university gave it to them, can't really say). Now there are laws that explicitly defines how it should be used and governed, which then a non-profit foundation manage the implementation.
After the breakup of Yugoslavia in 1992 there was a dispute between Slovenia and FYR Serbia and Montenegro over the .yu domain that lasted until 1994 when Jon Postel intervened.
As you might notice from the dates and names, this was very early in the history of TLDs.
> gTLDs just subject you to an additional layer of incompetence, namely from the company running it.
ccTLDs also have to be run by some organization, which is often a private company. Maybe the country's oversight over this organization is better than ICANN's oversight over gTLD operators. Maybe it's not. Historically, the worst technical incidents have occurred at ccTLDs.
Wait, we're talking about buying domain names right? Not about buying countries in order to own a ccTLD rather than a 'regular' TLD
So then you don't have to produce an offence that takes the TLD down (whichever kind) but one that makes a judge within the country that the TLD operator operates in approve a takedown notice for your domain name or even get the TLD operator to cooperate voluntarily
They wrote that they were talking about country code TLDs vs not, not about US vs. other countries. (Which is what I would've said too, it's a more general point than thinking about anything specific to one country.)
Ironically that one country happens to be the one that also controls gTLDs like .com, as others have pointed out, so arguably .us is the one ccTLD that isn't any more or less likely to be reliable.
Zoom are already at the mercy of the government by virtue of being incorporated in the US, and having the majority of their staff there. "Generic" TLD's like .com come under US purview also anyway.
Dodged a bullet there given that .io is at risk of being discontinued altogether. It hasn't been decided yet, but better to not have that dangling over your head.
You can bet it wouldn't be actually discontinued, but you can bet when/if the UK gives away the island to Mauritius or whatever, they'll lease the rights to the highest bidder, and those people will be free to extort everyone with a valuable .io domain.
It's going to be interesting to see what they do. One of the core arguments when claiming the domain industry enjoys a competitive market is that switching costs are bearable and that switching TLDs is an option if registries increase prices too much.
So ICANN has a non-trivial choice to make. Either they maintain the position that switching costs are bearable and let .io disappear, or they admit that TLD switching is impossible and save .io, which will make it hard to argue the threat of (registrants) TLD switching keeps the industry competitive.
It wouldn't be the first time a ccTLD has been retired after its country ceased to be, though it would be the most disruptive given how popular it is, hence the uncertainty as to what they'll do this time.
The Chagossians are not by any meaningful standards indigenous. The land was uninhabited when George Washington was rebelling against the British. If the Chagossians are indigenous so are old stock white Americans.
And Mauritius have treated the Chagossians like dirt for decades, with no signs of that changing.
None of this is to deny the Chagossians were extremely ill treated by the British, but the idea that the Mauritanians have any interest in the welfare of the Chagossians is ridiculous.
I have some sympathy for your position, but I'll add that the prevailing moral opinion seems to be "whoever got there first is the rightful owner". Of course you have to allow for armchair ethnologists not being particularly good at distinguishing between similar groups and later revisionism.
A lot of Pacific islands territories have complicated histories like this (e.g. Hawaii, New Zealand), but the focus usually ends up on whatever bastards most recently took over from the previous bastards (relative levels of bastardy notwithstanding).
Absolutely. For example, the Maoris are not the original indigenous. What happened to them you may ask? They became literal dinner for the Maoris. This has happened elsewhere too. True original indigenous are rare.
The thing with the island of Diego Garcia is quite strange and I strongly suspect there is corruption involved. The UK wishes to divest itself? Instead of holding an auction where the rest of the planet can bid on purchasing the territory, the UK decided that Mauritius would take it (who doesn't really want it) and to entice them, the UK is going to PAY Mauritius to take the territory and leave the base alone. The amount is £90 million annually, adjusted for inflation for 99 years.
This is a lot of money, why not just NOT turn it over and not have to give away £90 million a year for a century? So, it begs the question.. is someone from the UK side benefiting from this no-bid deal?
Give the island to me, and I won't charge the UK to have the base.
Hopefully that doesn't happen as not everyone who uses a .io is a tech company. I've been using a .io domain for my personal email for something like a decade now, when I just thought "oh that's a cool TLD" and had no idea it was even a country TLD. I don't much relish the idea of getting soaked for money to stick it to the man when I haven't done anything morally wrong.
I think '.su' is already that precedent, since it had many active domains, recently had active registration, and ICANN has announced plans to phase it out.
The fact that the country ceased to exist a year after .su was created and yet the TLD still exists 34 years later is probably precedent for the opposite.
> But why put your brand at the mercy of a government like that?
I tend to trust my government (Canada) and I appreciate that WHOIS information is hidden by default for .ca domains. I live here and always will so it seems fit to use the national TLD for representing myself and my work.
same here with .ch! I trust Switzerland’s stability way more than I’d trust any business or country. I’m not actually sure if there’s any ccTLD more trustworthy. (yes I know that the TLD is ‘managed’ by a private company but still)
IIRC CIRA who is the delegated ccTLD manager of .ca is not a government entity (this is quite common in the ccTLD space actually, a lot of ccTLD are being managed by foundations or non-profits).
They're not, they're a (refreshingly transparent) non-profit -- but the government has the ability to reassign management of .ca to another organization as they wish.
> .com itself is under jurisdiction of USA and operated by Verisign
Barely. The NTIA gave up all their leverage over .com in 2018. The only thing the US can do at this point is let the cooperative agreement auto-renew to limit price increases.
I wouldn't be surprised if the US withdrew from the agreement altogether at this point. Then .com would fall under the joint control of ICANN and Verisign.
> Literally every single TLD is administered by a government.
False. I’m not sure what you’re trying to assert, but governments don’t necessarily need to control/admin gTLDs, and as far as ccTLDs go, they’re under jurisdiction of the corresponding nation, usually, but they’re going to be “administered” by a tech company that holds a contract.
Anyway, “.com” does indeed answer to U.S. jurisdiction, despite being technically a gTLD, but registrations are not restricted to US-based entities. The main things that keep “.com” associated with the USA include the history/legacy of this quintessential “original” domain, as well as a general support from major countries that provide a “second-level” commercial domain, such as “.co.uk”.
This kind of possibility is why Fastmail purchased fastmail.com and migrated away from our old 'fastmail.fm' domain. .fm was cool, but we ran into a couple of outages on the .fm servers meaning we went offline. No such issues since we've been on .com.
Sure, but probably when zoom got the zoom.us domain, Neustar was running the .us registry. Godaddy acquired Neustar's registry business in 2020 when everyone was busy looking at other things.
Also after dividing the number of outages by the number of customers?
I'm not a customer (wouldn't buy my domain overseas) and have no solid opinion on GoDaddy besides that I hate the name. I hear the horror stories also. I'm just wondering if this is a knee-jerk reaction
I've used about 12 registrar's and dns providers and they are trash top to bottom - literally the worst and most difficult to do everything from basic setup to how they do things just plain weird compared to other hosting providers. They also aren't the cheapest option so other than brand recognition I don't get why people use them.
I bought my first domain from GoDaddy in high school. I remember them having the slowest dns portal in the world, and having to call support at least once about something they screwed up. Don't really remember the details, but I remember them causing problems and losing my business within a year. I've used at least 3 other registers since then and never had a single problem.
Here's something you all need to learn about site (or for that matter, tool) reliability:
Nobody gives a shit about how many good outcomes between incidents there are. They care about how many good hours happen between incidents, and they care how big the incidents are.
So if you make a tool that your coworkers use 5 times as much as the old process, that tool better make things at least 6x more stable or people will start talking about how the process fails 'all the time'.
"all the time", as near as I've been able to figure out, after people have been yelling at me, my team, or a team I'm privy to, is not "every day". No, all the time just means that it happens every couple of weeks and one time happened twice in one day, twice in consecutive days, or with two customers in rapid succession. Usually the day they're screaming about.
So if you're doing that thing every day all day long, where you used to do it rarely, but you made some progress on making it more frequent, nobody cares that it's every 100th run that fails, when it used to be every 10th. They just see the drama has gotten more frequent (and nowhere near as frequent as their narrative says, but you've already lost that argument)
They need to implement secondary and tertiary domains—with diverse registrars and hosting infrastructure—for the Zoom client’s calling home. Maybe even a fallback anycast ip address for service discovery. Given how much companies like mine pay for service, it’s reasonable to expect that level of engineering foresight. But hindsight will do—let’s get it fixed. #HugOps to all employees working overtime and taking care of this.
Zoom CEO: Hi, we'd like an SLA credit for the global outage you caused our company.
GoDaddy: I am so sorry about that. I can offer you a one-time coupon for $10 off your next purchase or renewal. Would you like me to apply this to your account?
---
Most companies just hope an apologetic zoom call is enough to retain your business, and most of the time it works. Not enough has been written about the asymmetry of your SLA credits to your revenue impact for a given vendor outage and how that should guide your build vs buy decision framework.
You probably don’t want to optimize for the SLA credit making up for a significant part of your lost revenue — because that would mean when things are operating normally, you don’t have much of a profit margin.
SLA’s are generally more helpful for getting out of long term contracts with unreliable vendors than actually making up for revenue lost during an outage.
SLA credits are an incentive for the service provider not making up for lost revenue from the outage.
If you have 100% SLA credit under 99% availability you can't aford to be less than 99% available and I know that your SLA means something to you, not just an aspirational bullet point.
Why would you use godaddy for a service as large as Zoom? They have been garbage for years. The way they locked out their ACME api for anyone but top tear clients sealed the deal for me. I would never trust them.
> This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain.
Markmonitor is used by some fairly large corps and web properties. It’ll be interesting to find out exactly what this miscommunication was.
Never heard of MarkMonitor before. Not a great start.
I had Google Domains for years, until they abruptly and bizarrely abandoned it, then I left for Porkbun. Never had a problem with either of them. I get yearly auto-renewal notices. Everything works, and it’s very boring, which is precisely what I want from a registrar.
I worked at a company that used MM and was involved in some of the domain work.
One of the really nice things about the service is they handle a lot of the general business continuity and security stuff that can really suck with traditional registrars. One of their main lines of work is they’ll work with you to resolve tld-squatting and typo-squatting by working directly with the registrars.
Even before an infinite number of vanity or scammy tlds started showing up it would be pretty difficult to find <your-growing-unicorn-startup>.biz to add to your portfolio of domains since the owner may just have forgotten to update their email in their registrar and were coasting on a 10 year registration. Maybe the squat was intentional and it’s now a 1:1 replica of your homepage with a phishing or other credit card scam going. Stuff like that really sucks to do yourself while handling your other responsibilities. MM was pretty successful at getting in touch with the owners in the first place and having the registrar yank and transfer in the latter case. YMMV of course.
Once a lot of tlds started showing up, and especially the porn related ones, they worked with the new registrars directly (like GoDaddy in the .us case here) in the “sunrise period” to make sure something like google.xxx doesn’t become a front page article about an actual porn site (in case you’re wondering, that one doesn’t go anywhere at all). Your other options are to work directly with each registrar or ICANN.
Oh, I didn't know they'd been around since '99. They called me on behalf of a Hollywood titan about one of my hobby domains, which happened to partially coincide at a dictionary word with one of their client's trademarks, some time around 2006. I don't recall that the approximate paralegal I spoke with actually identified the company; I never forgot the call, but hadn't thought to check who manages the studio's own domain. Go figure.
I found them surprisingly easy to deal with, and happy to have me on record that my toy domain had nothing to do with either their client or any money. I assumed as long as that remained the case I would never hear from them again, and for the decade or so longer I kept the domain, that was exactly how things went.
I may be wrong but I think I saw MarkMonitor changing hands a year or two ago so the MarkMonitor of today might not be at the same level and quality of service as before.
Yeah, in 2022 acquired by some kind of sketchy rollup of lots of legacy/web-1.0 firms or what remained of them, it looks like.
Oh, well. It's been a long time since I was so naïve as not to do a quick informal trademark/brand search before I register a new domain, so I don't really expect to hear from them again any time soon, either.
I'd argue the ability of a private company to exert control over all TLDs on the behalf of their clients is indicative of a problem in the domain registrar system. Not a "service"
That’s because you are maybe not in the market for MarkMonitor. If you check the whois for any global brands chances are they are held by MarkMonitor. Just like you don’t use EY as your tax advisor.
The are supposed to also filter things like complaints. If somebody complains I'm sending spam and I only pay $20/year then my registrar might lock my domain and then I have to work to get it back online.
Mark Monitor will apply a lot more filtering to complaints.
Ironically this is allegedly what happened in this case, a complaint about the domain got it taken offline.
They generally do full service brand monitoring to protect IP and maintain continuity. You would outsource monitoring for trademark infringement to them, and be certain that domain renewals are done perfectly for a portfolio of high value domains.
Which is why this outage is so weird: the entire point of paying MarkMonitor is ensuring that absolutely nothing goes wrong with a very fraught process, and they seem to have just taken down one of the biggest brands they support.
Precisely. You pay a company like this the nosebleed-inducing fees they charge so that this exact event never happens. That assurance, and not the mechanics of domain registration or canned web searches or whatever else, is their product.
It's like, as I'm sure I'm paraphrasing from something I read God alone knows how many years ago, if your publicist lets you walk into a press event with a giant blob of snot hanging out of your nose. There surely is a reason why that error occurred, and it probably is at least a pretty good reason. But no one is very surprised to see the intro invite from your new publicist.
It isn't a relationship you blow up on a whim, but Zoom that can't route call traffic is Zoom that's not generating revenue, and while the reputational impact is negligible if it happens once, it had really better happen only once. Zoom is the incumbent; no one remembers they were revolutionary once, now everyone only notices the parts they don't like. (Being a skilled but politically naïve sysadmin is much the same.)
Basically, this is why Ma Bell - which had about the only stronger possible "uptime" expectation, in that no one uses Zoom for 911 - was so uptight you couldn't even plug in a modem until about five minutes before divestiture, and specified everything down to the number of turns in the splices their technicians made. There was a fad among programmers, when I was a child, to consider such practices stodgy.
Like others said, uptime for a registrar barely matters. For an important domain, I don't want anything to change, and if the registrar is down, nothing will change, so that's good.
What MarkMonitor can provide is things like facilitating RegistryLock, which makes it even harder for changes to be made. And account reps that know what's going on. I hate working with account reps, but if they're knowledgable and easy to work with, it's ok.
They do some trademark monitoring (thus the name), if you want to get your own related app taken down from Google Play :p (I'm not bitter, it was amusing). And presence services if you need to hold a domain in a weird location that wants a presence, they can probably arrange it, which is handy at times.
I'd love to know more details on this incident, MarkMonitor had a bulletproof reputation as a registrar that won't fuck up. Godaddy doesn't, but then I didn't realize they had taken over the contract for .us
They can offer humans in the loop, and those cost a lot. Like, a real live human will contact you and ask if you really want to transfer microsoft.com to Shady Shell Company (Bermuda) Ltd. Porkbun's pricing model is less attractive when your domains are worth billions to you.
MarkMonitor has been around forever. It's used by many of the largest companies. I remember quite a few Google outages that could be tracked down to MM issues.
If there were symmetry, then renewing the domain would cost millions instead of $20 or whatever it is, to cover the payouts. Is that what you want?
If it is, you can buy custom insurance for the event from an insurance company, and pay the same kind of yearly fee.
And remember that with build vs buy, what you build will often be worse than what you buy, because at least what you buy is getting bugs fixed from bug reports across the world from other customers. An internal tool will rarely be as stress-tested and battle-hardened as what you can buy.
This smells like something happened with MarkMonitor, they accidently flagged zoom.us as brand spoofing and filed copyright complaint with GoDaddy who runs .us TLD. GoDaddy suspended the domain per the complaint.
It's possible, but MarkMonitor is Zoom's registrar, so there are plenty of other ways for a miscommunication between MarkMonitor and GoDaddy to cause this. Copyright complaints would be a more reasonable theory if MarkMonitor were mentioned and didn't have any other involvement.
At one point on a trip to Hawaii I was detained in my room by hotel security for fifteen minutes after requesting a room key to replace the one I lost.
It turns out that they had typo’d 12 into the request type field instead of 1, and type 12 was “Covid lockdown protocol with security enforcement” leftover from 2020 and latent in their systems.
Depending on MarkMonitor have chosen to integrate with each other to handle the sort of trademark management that is MarkMonitor’s premium offering, either or both parties could have simply been off-by-one or typo’d in a transaction to cause this. It’s absolutely plausible to create a confusing nightmare outcome with a one-byte error. (And we’re having quite incredible cosmic rays today, so I hope they’re using ECC RAM!)
If this is the case, then it seems to be a very clear-cut example as-to why we should reject these sort of automated "take downs". They can and are abused, including copyright violations on Github, YouTube, etc.
Since when did we accept, as a society, guilty until proven innocent? I recognize GoDaddy is not the government - but this is unacceptable. A human spending 3 seconds looking at the domain would understand it's a false-positive and should not be removed.
The article lists a lot of facts, but it doesn't actually explain what happened.
IE, it explains what DNS is, but it doesn't explain why the outage happened. Instead, it merely gives a timeline with a lot of context that's useful for someone who's still learning about what DNS is and how it works.
Thanks, this is really helpful. I had not even realized that every DNS query for .us (for example) goes through a single root registry before going to the actual nameservers.
If only it were so, then they would have kind of deserved it. TIL GoDaddy wormed it’s way into administering the .us TLD on behalf of the federal government.
4 hour catastrophic outage because of a shitty domain registrar makes me wonder if zoom will be switching critical services to a different tld sooner or later as a result of this
What do relatively large corporations use for their authoritative nameserver? Do they use PowerDNS, knot, bind, or just use the registrar's nameservers?
And if you’re wondering about the hidden authoritative servers (that the company uses to generate and administer the zones then synced to a global DNS provider such as the ones you listed) two rather popular products for companies that aren’t also cloud providers are Infoblox and BlueCat.
Lots of “glad Teams is working at least” commentary today across various meetings. Everyone had a good laugh, as it is usually typical to complaint about the how crappy Teams is. +1 for Teams today
"This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain. "
Something is fishy about this. A communication error would not result in a domain being placed on hold. On hold is usually the result of a legal order or in the case of the .us TLD a nexus compliance violation. I've transferred thousands of domains from assorted dodgy registrars into MarkMonitor and can not even imagine a scenario where a miscommunication results in a domain being placed on hold.
Correctness doesn't scale. If something has six nines of reliability, you'll probably never see the one-in-million outlier yourself. But if the other side deals with a million requests a month, they are a common occurrence.
Yeah I'm not saying errors don't happen. I've been called into gazillions of them including many that "should not happen". Those make for the best root cause analysis and after action reports.
Rather this does not sound like a communication error unless they are leaving out a lot of critical details and context or the domain management interface has been de-frictioned and dumbed down too much.
I hear ya but this would more than likely be something like a really sloppy human error such as following the wrong process vs. a miscommunication otherwise I would expect these outages to be much more frequent. I do remember when a fat-finger at UUNET took out most of the internet long ago but that was a human error and is a bit harder to have the same impact today.
To me a communication error implies someone followed erroneous instructions without asking the obvious, " ... but isn't this a big business that is still live and why don't I have a legal order in my hand?" In fairness this did happen recently with he.net because a sub-domain was reported but it was done intentionally even if they failed to do even basic due diligence. After Covid I would expect most people would know zoom.us would be in use by a lot of people whereas only specific groups of people would know what he.net is.
I am curious if the process has changed due to laziness and now registrars can just select any number of domains and click a button to place them on hold without management or executive approval. If so that should be in some audit trail and should require confirmation and approval by a senior leader.
Every place I've been we measured such weirdness outside of the 95'th and 99'th percentile. Anything out of common occurrence beyond the 99'th could be weird or interesting or fascinating. I still wish I could share the incident of a single NIC on a single server taking down an entire data-center, that was both weird and fascinating.
If there is a "default" then "everything else" is not weird. The conclusion is "this thing doesn't work most of the time so it wouldn't be weird if it doesn't".
What's the escalation theory here mean? The US shut it down to damage a company it doesn't like? And 2-4 hours is meaningful? or China did it? Maybe it was shutdown and used as negotiating leverage and brought back when some agreement was reached?
GoDaddy's involvement really makes me believe that it's a genuine screw up.
Well, Zoom also lied about their encryption (or, perhaps more charitably, described it in a misleading way. nah, they just lied) and was directing traffic through chinese servers with no reason for doing it -- it was occurring when all meeting participants and the company paying for the zoom account were outside China -- besides enabling spying.
MarkMonitor is a registrar (one of many). GoDaddy Registry is the .us registry operator (the only one); they actually operate the TLD on behalf of the government. In this capacity they are not operating as another registrar, but as the TLD operator.
"It would be amiss not to start without a reference to AI, as 2024 saw the movements toward legal definitions and prohibited AI practices with the EU’s AI Act. 2024 also saw more innovative integration of AI into registrars’ service offerings, from “chatbots” to registration process flow to domain name generators. We also witnessed the rise of LLM (or Large Language Models) being used in Brand Protection Services and the identification of abusive registrations. This trend will definitely be increasing in 2025."
It's translated through several layers of people who don't know anything.
Their domain expired because at some level people made some pretty boneheaded mistakes.
Whomever their actual registrar actually was (GoDaddy it seems) stopped pointing the zoom.us nameserver record (NS) at AWS Route 53 which Zoom obviously uses.
GoDaddy is the root registry for all .us ccTLD, MarkMonitor is the actual registar Zoom is working with. The issue seems to be more how GoDaddy assigned to the domain to MarkMonitor not something Zoom itself likely controls (such as NS records)
.us (and other many TLDs) uses EPP to communicate between registars (MarkMonitor here) and Registry (GoDaddy). It is probably an admin error rather than code[1], some manual approval or other human review workflow for high value domain and someone clicked/filled in the wrong value at GoDaddy or MarkMonitor would be my first guess.
[1] would have been observed and fixed long before today, transfers happen all the time after all
Ip's can (easily) be hijacked by nefarious BGP requests and offer no easy SSL. You could maybe add cert pinning to fix that, but it's quite inflexible.
Another added bonus of domains is the potential for subdomains to be used. This could be usful for many purposes: as load balancing/pooling mechanism (fictive example us4.zoom.us) and for compartmentalisation (api.zoom.us).
Back in 2008, when my fiancée invited me to visit Catalonia, I was in the market for transatlantic airline tickets. And I'd never flown internationally before, and I applied and obtained a US Passport, and I figured out with my father how to get a Travelex prepaid debit card with Euros loaded, and my fiancée was prodding me anxiously about buying a ticket, and I eventually threw caution to the wind and flew on an airline called "ZOOM".
Now "ZOOM" was supposedly based in Canada and they were supposedly giving bargain-basement fares to Americans as well, from select origins to select destinations. All I needed to do was to get to Lindbergh Field (San Diego International) and ZOOM Airlines would fly me to London Gatwick. And their aircraft had cute friendly livery with big "ZOOOOOOOOM" lettering on the side. And the price was totally cheap.
Well they did their job fine; I landed in Gatwick, took a train to Heathrow, and flew on Iberia into and back out of Barcelona. Unfortunately, before I departed, my father phoned my fiancée to break the news that "ZOOM Airline" was bankrupt, and all their flights were grounded. They had run out of fuel in Scotland, and nobody would top up the tanks. My return ticket from London to San Diego was worthless.
So Dad puts me on a British Airways flight and I got home safe. But from August 2008, or before, I have harbored a visceral animosity towards any foreign actors named "ZOOM".
Can you explain what that last article has to do with MarkMonitor? To me it just sounds like MarkMonitor once bought a company from a law firm which was sued for fraud 5 years after the sale was completed. So it doesn't appear that MarkMonitor was in any way related to the fraud which occurred.
Good call out! If Schlüter didn't continue doing work for DtecNet after the sale to MarkMonitor then we can't really blame MarkMonitor for the things he was doing 5 years later.
The endless stream of news on privacy problems and vulnerabilities that have come to light since then have only made me feel better about that initial opinion.
Someone in the Zoom company management forgot to update the billing credit card for that domain, I bet you $1000. Happens all the time with our clients.
Except while it probably wasn’t a credit card expiry it did result in the domain being suspended. Looks pretty bad for MarkMonitor. They didn’t do the “monitor” part of their name.
That seriously devalues MarkMonitor's services. MarkMonitor claims to be a "an ICANN-accredited registrar and recognized industry leader since 1999". The whole point of paying for MarkMonitor is that they're an expensive service for valuable domains and are not allowed to screw up. GoDaddy should not be involved here at all.
GoDaddy Registry operates the .us registry. You cannot have a .us domain without their involvement. Consider whether you wanted a .com domain instead (which is operated by Verisign).
zoom.com is an audio equipment manufacturer, which was there before zoom.us.
I guess that's what happens where they had to accept substandard domain, because they were unwilling to be creative about their name.
> zoom.com is an audio equipment manufacturer
False, the audio equipment manufacturer uses: https://zoomcorp.com/
The https://zoom.com domain shows content from the video chat platform.
They did buy zoom.com from someone in 2019, though, for $2M.
https://domainnamewire.com/2019/03/23/did-zoom-pay-2-million...
Interesting. I used to buy Zoom modems in the 80s-90s (https://en.wikipedia.org/wiki/Zoom_Telephonics), but apparently they have nothing to do with either of the other two Zoom companies mentioned here. I had occasionally wondered but never looked into it until now.
Back in the day, wasn't it either Zoom or Hayes?
Don't forget US Robotics
I always assumed that Zoom reacted to security/privacy concerns about its association with China by getting a "*.us" domain that sounded very United States.
Maybe it’s just simple word play of “Zoom us” as in call us. As opposed to “Zoom me” which might be just for one person rather than group chat.
Do English speakers pronounce .us domains as dot us instead of dot u s?
It would only be pronounced as "uhhss" as part of a domain hack. Otherwise "you ess". Source: am from USA.
Zoomus
Dot yoo ess. Source: am European.
Me too: 'you ess' (British)
Noting that we British would always call our country "you kay" so .us would be derived from that. I suspect similar reasoning from Europe.
I also say 'dot you ess' and I was born in the USA.
AFAICT they've used that domain since day one, so probably not.
But the dot com domain is now owned by Zoom Communications or just Zoom (as we know it). If you type "zoom.us" in your browser, you will be redirected to https://www.zoom.com/
This is … Zombocom.
You can do anything at ZomboCom.
Anything at all.
The only limit ... is yourself.
They've had zoom.com since at least 2019 or so. It used to just be a redirect to Zoom.us though they've made a switch since then.
Maybe after recent US events, everything will move to .ru TLD
Incidentally, Zoom seems a terrible name for a video conferencing app - anyone know why they chose it?
The Wikipedia editors know, https://en.wikipedia.org/wiki/Zoom_Communications#Early_year... :
> In May 2012, the company changed its name to Zoom, influenced by Thacher Hurd's children's book Zoom City.
It cites https://vator.tv/2020-03-26-when-zoom-was-young-the-early-ye... where Jim Scheinman says:
> “I loved this fun little book as much as my kids, and hoped to use the name someday for the perfect company that embodied the same values of creativity, exploration, happiness, and trust. And the name works perfectly with a product that connects us visually to one another and that always works so fast and seamlessly.“
The reference to "Zoom City" is from an article published in 2020. It seems like a remarkably fitting ret-conning of what is probably a very boring branding decision.
What would be the point of ret-conning some other decision?
> In May 2012, the company changed its name to Zoom, influenced by Thacher Hurd's children's book Zoom City.
To save people the agony of visiting Wikipedia for themselves to check, changed from Saasbee. Which, good call.
It is a one-syllable word, easy to pronounce in many languages, quite distinct from other words and brands, and can easily be turned into a verb.
Why does that make it a good name for video in particular?
Cameras often have zoom lenses for close ups.
Fits great with the idea of bringing people together with video.
Why does it have to be -- ever "googled" something? ;-)
Verbing your nouns is a great way to lose your trademark.
Are there any actual recent examples of this? The major examples I've always heard are solidly in the 20th century. It's not like Google has had any problem holding their trademark.
Kleenex and Xerox were both (somewhat) recently in danger of loosing theirs. They both pulled pretty big campaigns to un-verb their trademarks. Google still has a bunch of other products that people are familiar with, so they are in less danger of loosing theirs right now, but give it some time (like 50 years, not 10) and it may happen, especially if they get broken up for being a monopoly. (Which has been mentioned)
When they came up with it that would be a best case scenario.
Subjective, Zoom is a pretty cool name
It’s all relative. Is “Webex” better? “Skype”? “BlueJeans”??
BlueJeans is one of those absolutely catastrophically stupid branding decisions. There's just........ no justification. It's confusing at best, and abbreviated as BJ at worst.
Fair. They are worse.
Especially Skype, which is getting shit down. In favour of Teams, which is so much worse it’s hard to describe.
That's a really fantastic typo. I know it was unintentional, but still...
We use Skype and it is worst atm. Skype freezes every minute.
One guess - fast video.
Added context: Zoom delivered a step change in video conferencing quality for the many, vs the few, and in a lot of ways did seem to force others to be better.
During the pandemic many people used zoom more than their cell phones.
I immediately agreed with this, but at the same time it’s not “fast” is it? It’s higher quality or more reliably, something like that. But emotionally I agree it does feel “faster”.
Fair point - it's smoother video that gives a better quality experience.
The speed of starting a call sometimes could take a bit more but once established was higher quality than the alternatives at the time.
> The whole point of paying for MarkMonitor is that they're an expensive service for valuable domains
A while ago and, out of curiosity, I did a Whois Lookup to see what big tech companies are using as their domain registrar and found that Microsoft, Google, Amazon, Tesla, Netflix and Shopify are all using MarkMonitor. On the other hand Apple uses "Nom-iq Ltd. dba COM LAUDE", Meta (and its children) uses RegistrarSafe and Nvidia uses SafeNames.
RegistrarSafe is a registrar spun up by Meta for precisely the purpose of guarding their own domains and isn't open to external customers.
> COM LAUDE
Someone had fun with that one.
[dead]
That’s interesting, Apple used to use CSC, which is the “other” big corporate registrar, competitor to MarkMonitor.
Many of those also run their own gTLDs, too: .apple, .google, etc
I guess they are paying markmonitor because of their ability to reach out to Godaddy and get stuff resolved.
Imagine being a small startup with a similar problem. Godaddy will not even entertain you.
GoDaddy runs the root dns for .us
GoDaddy is the rot of us domains, besides being rotten culturally as well
Wait really? I use a .us domain for personal stuff, that.. makes me want to reconsider.
Also .us domains don't have who is privacy.
Yeah I found that out when I stupidly used my real contact info, and ended up getting spammed all to hell.
WHOIS privacy isn't a registry-level service. It's a registrar-level service.
It’s both. Some domains do not allow WHOIS privacy (.us is one of them), some have it built-in, while most don’t care and registrars can fill in with fake data.
Please don't keep us in suspense ... who is privacy?
They probably meant "whois privacy"[1] (without the space). Whois is basically a way to get information about a domain name (and many other stuff). Whois privacy just ensures that your address, name and other stuff is not public.
[1]https://en.wikipedia.org/wiki/Domain_privacy
They were probably joking when they asked that question.
Your reply doesn't seem sarcastic, so I take it you genuinely r/whoosh'ed (that's a reference to a subreddit about situations where someone is acting clueless).
Realistically, I don't think HN is the place for those kinds of jokes, which are best kept for reddit/twitter.
Yeah I'm increasingly seeing these reddit-style low effort jokes on here, hopefully it's transient as folks acclimatize to the culture and customs here.
I know ;) Some people still value an explanation though.
I understood what you meant. I can understand why someone would want to clarify the terminology for those who don't know DNS well.
> GoDaddy runs the root dns for .us
.us is not the “root DNS” and your misidentification is muddying the waters.
.us is a TLD (Top-Level Domain) and more specifically, a ccTLD (cc = ‘Country Code’).
https://en.wikipedia.org/wiki/.us
And the English Wikipedia says that its registrar is a subsidiary of GoDaddy named “Registry Services, LLC”.
The root DNS servers and registry are not run by GoDaddy or a subsidiary.
https://en.wikipedia.org/wiki/Root_name_server
They are operated by important entities. Not companies that release sexy commercials featuring Danica Patrick. I keep getting confused between GoDaddy and Carl’s, Jr.
I think its clear from context they mean the .us TLD, and not the root zone, since obviously it wouldn't make sense to talk about the root zone for .us.
Its also very reasonable to use the more well-known name of the parent company to describe sonething done by its subsidary.
[flagged]
That's not what they said.
.us is not a root name server. The root name servers are one more degree removed.
Hence 'for .us'. The trouble with this form of pedantic is that the nicer way to interpret the misunderstanding is that the pedant is ignorant either of language or the structure of dns.
"He runs the Internet routers for our company." -> "Your company doesn't run the Internet" -> wtf?
It was a clarification that GoDaddy's ability to fuck everything up isn't quite as broad as suggested.
It actually didn’t help at all. Read the part quoted again, OP specifically indicated .us, not “root zone”. The registrar for .us (GoDaddy) is in fact the “root dns for .us”
The original clarification was perfectly fine to and arguing about the correction is reply-all-unsubscribe line noise. There was confusion, it error corrected, move on.
> The registrar for .us (GoDaddy) is in fact the “root dns for .us”
“root DNS” has a very specific meaning, and you’ve misused it again.
Root DNS means ‘.’ and only ‘.’ There is no other “root”. That’s why it’s called “root” to be unambiguous.
In fact, in recent history, the root name servers use their own domain for convenient forward DNS resolution: ‘root-servers.net’ GoDaddy doesn’t run this either... Surprise, surprise!
> Your company doesn't run the Internet
Yeah well as a fragment, the statement makes sense, more or less, because there’s no “term of art” being abused there in your reductio ad absurdum.
Indeed you can run your own private root DNS, if you don’t want to interact with the real Internet, but your private roots are different from your private/hidden/split-horizon TLD. Another thing GoDaddy isn’t running. Did you know that GoDaddy doesn’t run news.ycombinator.com? Not even a subsidiary!
GoDaddy doesn’t run any “root DNS”, and they never have: period, full stop. [Pun intended]
The whole point of a tree is that every node is the root of its subtree.
Well, another point of MarkMonitor is to get access to ccTLDs with requirements that are more difficult for you to meet yourself. Like needing to have a physical address within the country. MarkMonitor has offices in a bunch of countries just to meet that requirement, so they can sell ccTLD domains to customers.
The legality of that system seems a little questionable to me, but IANAL.
>The whole point of paying for MarkMonitor is that they're an expensive service for valuable domains
the whole point of MarkMonitor is more in the trademark realm, rather than a cloud sysop role.
"Mark" is what trademarks are called in the ... trade.
MarkMonitor isn't at fault here.
If you register a ".ps" domain, it doesn't matter if you use MarkMonitor or Namecheap, they can't help you when the ongoing genocide results in the removal of Palestine as a country and ".ps" no longer is a valid country code top level domain.
Similarly, if you register a .us domain instead of a ".com", ".net", or ".org", MarkMonitor can't help you when GoDaddy inevitably screws up.
History has borne this out: .com domains are well-managed. ccTLDs like '.io', '.su', and '.fj' have all had significant security or availability issues because they're run by "eh, whoever the hell the country picks" with no standards.
Financially, a proper gTLD also can't raise prices unilaterally and weirdly, while if you pick a ccTLD, the country has free reign to arbitrarily change prices, delete your domain, take over your domain, etc etc.
Do not use a ccTLD.
There are countries whose ccTLD registrars are impeccably well-run and have been for decades, such as DENIC, the entity that oversees the .de ccTLD.
If you're based in Germany, I don't see a reason why you would want to avoid .de domains.
Them being subject to the pretty draconian laws of Germany is a minus for most people if they had no other reason to have to follow those laws (such as not being in Germany).
Somebody that is based in Germany (which is what GP was recommending .de for) is usually subject to German law, due to... being in Germany.
And conversely, when not based in Germany, you'd need a proxy Administrative Contact anyway. (Registrars can probably provide that for you, but it seems like asking for trouble.)
Mind ellaborating what draconian laws you are talking about?
If it's not strictly non-commercial then you have to publish your fill name and home address prominently on it. You can't say anything insulting about anyone, even if true. And you can't criticize what Israel did because it's considered antisemitism.
> If it's not strictly non-commercial then you have to publish your fill name and home address prominently on it.
Under German law, as far as I understand this is true for publications "addressed to a German audience" regardless of your domain's TLD, your server location etc.
There are definitely exceptions, and having a connection to the country in question helps, but unfortunately countries seem to enshittify in different but similar ways as old companies.
>>> This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain.
That sounds like MarkMonitor is at least partly at fault here.
Mark Monitor have issued a correct request for the `serverUpdateProhibited`, but GoDaddy changed the code to `serverHold` instead.
100% on the GoDaddy staff.
> Mark Monitor have issued a correct request for the `serverUpdateProhibited`, but GoDaddy changed the code to `serverHold` instead.
I’m curious about where are you seeing what Mark Monitor requested? It doesn’t appear in the official status update. Is this public information formally posted somewhere we can all see?
I mean, one person is saying what to do and the other person is doing it. And the person doing things is taking down zoom.us... Also knowing who godaddy is and what they do...
> Financially, a proper gTLD also can't raise prices unilaterally and weirdly, while if you pick a ccTLD, the country has free reign to arbitrarily change prices, delete your domain, take over your domain, etc etc.
Look into what’s happened with pricing on domains like .org and .info. They’re increasingly absurd, with the restrictions on price increases that once were there largely being removed, at the pushing of the sharks that bought the registrar. Why are these prices increasing well above inflation rate, when if anything the costs should go down over time? Why is .info now almost twice as expensive as .com?
Although the .org price caps are gone, the registry has to raise prices uniformly for all domains. They can't target popular domains for discriminatory pricing. ccTLDs can.
> They can't target popular domains for discriminatory pricing.
That's not completely accurate. Section 2.10c of the base registry agreement says the following in relation to the uniform pricing obligations:
> The foregoing requirements of this Section 2.10(c) shall not apply for (i) purposes of determining Renewal Pricing if the registrar has provided Registry Operator with documentation that demonstrates that the applicable registrant expressly agreed in its registration agreement with registrar to higher Renewal Pricing at the time of the initial registration
Most registrars have blanket statements in their registration agreement that say premium domains may be subject to higher renewal pricing. For registry premium domains, there are no contractual limits on pricing or price discrimination. AFAIK, the registries can price premium domains however they want.
You omitted key portions of that section. Here's the full quote (emphasis added):
> The foregoing requirements of this Section 2.10(c) shall not apply for (i) purposes of determining Renewal Pricing if the registrar has provided Registry Operator with documentation that demonstrates that the applicable registrant expressly agreed in its registration agreement with registrar to higher Renewal Pricing at the time of the initial registration of the domain name following clear and conspicuous disclosure of such Renewal Pricing to such registrant
Furthermore:
> The parties acknowledge that the purpose of this Section 2.10(c) is to prohibit abusive and/or discriminatory Renewal Pricing practices imposed by Registry Operator without the written consent of the applicable registrant at the time of the initial registration of the domain and this Section 2.10(c) will be interpreted broadly to prohibit such practices
Yes, premium domains can be priced higher, but the Renewal Pricing has to be "clear and conspicuous" to the registrant at the time of initial registration. Are you aware of any litigation related to this?
The exact pricing isn’t disclosed. All they do is tell you the price will be “higher”. Anyone registering a premium domain is getting higher than uniform renewal pricing, so whatever they’re doing right now is considered adequate and that’s just generic ToS in the registration agreement AFAIK.
It sounds like you think I’m being deceptive. Do you know about any registry premium domains where someone has a contractually guaranteed price?
Also, based on my own anecdotal experience, ICANN doesn’t interpret 2.10c broadly and they allow the registries to push the boundaries as much as they want.
[flagged]
ICJ judges in The Hague, including Israel’s appointed judge, deemed it necessary to remind Israel to respect the Palestinians’ right to not be genocided away. https://en.m.wikisource.org/wiki/South_Africa_v._Israel_(Ord...
[flagged]
Please don't defend Hitler on Hacker News.
[dead]
[dead]
[flagged]
Agreed. This is a whole lot of screw ups that I would have expected from the indie company down the street, not an ICANN accredited registrar. It's pretty pathetic when it takes public pressure for the ICANN to finally start doing their goddamn job.
These big companies spend tens of millions on homegrown tooling, even their own languages and databases, but they can't assign one dev to write a domain-monitoring tool?
You are thinking like a developer. In reality that means that now they are responsible for it, if MarkMonitor messes something up they can use their relationship to all the registrars to fix the problem and MarkMonitor is on the hook in case anything goes wrong.
This is a better situation to be in than some internal tooling that failed to notify someone because it got forgotten after the developer left.
Because it's cheaper and more reliable to outsource that to a company specializing in it.
If one dev had written it, how many times would that tool have failed by now? When the original dev left the company a decade ago, the tool has been transferred between teams six times, it failed a migration and the email address it used to send errors to no longer exists so nobody noticed, and it's literally gotten lost in the shuffle?
Markmonitor is much more about the people and service behind it rather than the software. To replace markmonitor you don't need a dev to write a tool. You need a dev to write a tool, and then a team of people who build relationships with everyone in the domain world and are available 24/7 to make calls and deal with issues if they come up.
It’s one of those ‘this problem is so simple, our big corporation cannot hope to solve it’ type of problems.
[dead]
To try to convince my employer at the time to drop Zoom, I decided to see how many security vulns I could find in 2-3 hours.
Found 12 confirmed bugs in that window using only binwalk and osint.
The worst was that I noticed the zoom.us godaddy account password reset email address was the personal gmail account of Eric S Yuan, the CEO.
So, I tried to do a password reset on his gmail account. No 2FA, and only needed to answer two reset questions. Hometown, and phone number. Got those from public data and got my reset link, and thus, the ability to control the zoom.us domain name.
They were unable to find a single English speaking security team member to explain these bugs to, and it took them 3 months to confirm them and pay me $800 in bug bounties, total, for all 12 bugs.
The one bright side is this did convince my employer to drop them.
How long ago was this? A few years ago they were hiring aggressively for security team members in the US, including a dedicated fuzzing team. I’m guessing this was from early on when Zoom was just getting popular?
About 7 years ago
You're admitting to committing a felony?
White hat hacking is fine.
If you password reset my personal Gmail account I will sic the FBI on your tail without a second thought. Not cool.
The story says that the password reset link was received, which proves the vulnerability without actually denying service, causing loss, etc. As an analogy, the attacker found a key to a door but did not proceed to open the door.
It doesn't say the password reset link was used to change the password, which would deprive the account owner access and grant unauthorized access which of course would be illegal.
You can try, but they will not do anything unless I do actual harm.
https://www.justice.gov/archives/opa/pr/department-justice-a...
If you do not want your gmail password reset, I recommend hardware 2FA.
Godaddy is such an incompetent organisation. Should not be allowed to administer anything of importance.
It's easy to blame GoDaddy, but 'miscommunication' takes two.
You pay Markmonitor a shitload of money to make sure this doesn't happen. They should have dedicated people at GoDaddy and direct communication channels.
This is a significant fuckup on Markmonitor's part, even if GoDaddy did something different than was requested from them.
I can guarantee you that miscommunication doesn't always require 2 people.
Source: Have been OH SO EVER PRECISCE AND EXACT in my communication with certain idiots, and they still screw it up. Several instances of "put this here carefully", only to return and find it all the way across the room upside-down and broken, come to mind.
Mark Monitor have correctly asked for `serverUpdateProhibited`, GoDaddy changed the code to `serverHold` instead.
I don't know why you're trying to spin it as Mark Monitor fault.
Where are you getting that from? I don't see that info anywhere on the linked page. Is there more information published elsewhere, or do you have insider knowledge?
Who knew a company who ran ads with women dressed like Hooters waitresses would turn out to be a fucking clowncar. I mean what are the odds?
A few years ago I had a .us TLD. I eventually decided that I probably shouldn't be reliant on a country code for my domain, it's the same reason why I don't use .io
I'm not saying that this couldn't have happened with a gTLD But why put your brand at the mercy of a government like that?
What TLD is not subject to a country's laws? .aq? .su?
Edit: .eu might be an even better candidate for this requirement, but you can ask British former domain owners how that worked out
gTLDs just subject you to an additional layer of incompetence, namely from the company running it. The government where they're located can still come knocking. It's also not like e.g. .nl is run by the Dutch government officials, it's a nonprofit started by some people in the 80s iirc
gTLDs are regulated by ICANN. As much as an organization can achieve to be a global multistakeholder group, at least the intention is to be global.
ICANN have a mostly hand-off approach to ccTDLs. The intention is that each country decide on their own regulations and management when it comes to their country code specific domains.
.nl is a very special case, and it is true that the Dutch government was not involved. .nl was the first country code TLD created outside of the US, when the domain system still was part of ARPANET and operated by the United States Department of Defense. .nl was then transferred to a foundation 10 years later, and that's where ownership now resides.
ccTLDs are somewhat of a mess. Many are created in universities, then transferred to a company or foundation. Others were sold to companies from the start. In some cases, government have sold their ccTLD to other countries.
.se for example was created in a Swedish university, and then later the government took possession of it (or the university gave it to them, can't really say). Now there are laws that explicitly defines how it should be used and governed, which then a non-profit foundation manage the implementation.
IIRC one of the Balkan countries physically stole the DNS servers of another one's ccTLD.
After the breakup of Yugoslavia in 1992 there was a dispute between Slovenia and FYR Serbia and Montenegro over the .yu domain that lasted until 1994 when Jon Postel intervened.
As you might notice from the dates and names, this was very early in the history of TLDs.
> gTLDs just subject you to an additional layer of incompetence, namely from the company running it.
ccTLDs also have to be run by some organization, which is often a private company. Maybe the country's oversight over this organization is better than ICANN's oversight over gTLD operators. Maybe it's not. Historically, the worst technical incidents have occurred at ccTLDs.
Presumably the idea is that fabricating a legal offense to shut down a ccTLD would be easier than it would be for regular TLDs.
I don't know if that's actually the case, I've heard some shady sites are using .su(Soviet Union) to avoid judicial actions.
Wait, we're talking about buying domain names right? Not about buying countries in order to own a ccTLD rather than a 'regular' TLD
So then you don't have to produce an offence that takes the TLD down (whichever kind) but one that makes a judge within the country that the TLD operator operates in approve a takedown notice for your domain name or even get the TLD operator to cooperate voluntarily
It's the specific country being referenced, I think.
They wrote that they were talking about country code TLDs vs not, not about US vs. other countries. (Which is what I would've said too, it's a more general point than thinking about anything specific to one country.)
Ironically that one country happens to be the one that also controls gTLDs like .com, as others have pointed out, so arguably .us is the one ccTLD that isn't any more or less likely to be reliable.
Zoom are already at the mercy of the government by virtue of being incorporated in the US, and having the majority of their staff there. "Generic" TLD's like .com come under US purview also anyway.
.us is more special, e.g. the owner should be a US entity, and must be public (Private Domain functionality is disabled for .us).
> it's the same reason why I don't use .io
Dodged a bullet there given that .io is at risk of being discontinued altogether. It hasn't been decided yet, but better to not have that dangling over your head.
You can bet it wouldn't be actually discontinued, but you can bet when/if the UK gives away the island to Mauritius or whatever, they'll lease the rights to the highest bidder, and those people will be free to extort everyone with a valuable .io domain.
It's going to be interesting to see what they do. One of the core arguments when claiming the domain industry enjoys a competitive market is that switching costs are bearable and that switching TLDs is an option if registries increase prices too much.
So ICANN has a non-trivial choice to make. Either they maintain the position that switching costs are bearable and let .io disappear, or they admit that TLD switching is impossible and save .io, which will make it hard to argue the threat of (registrants) TLD switching keeps the industry competitive.
Fortunately, ICANN is based in America, where there's no law that markets have to be fair or that you can't lie.
I don't think that's a real risk
It wouldn't be the first time a ccTLD has been retired after its country ceased to be, though it would be the most disruptive given how popular it is, hence the uncertainty as to what they'll do this time.
If I were Mauritius, I would be hitting tech companies left and right to secure a permanent income stream.
You guys want to kick indigenous people off their land for military bases? Enjoy your new bill for .io domains.
The Chagossians are not by any meaningful standards indigenous. The land was uninhabited when George Washington was rebelling against the British. If the Chagossians are indigenous so are old stock white Americans.
And Mauritius have treated the Chagossians like dirt for decades, with no signs of that changing.
None of this is to deny the Chagossians were extremely ill treated by the British, but the idea that the Mauritanians have any interest in the welfare of the Chagossians is ridiculous.
I have some sympathy for your position, but I'll add that the prevailing moral opinion seems to be "whoever got there first is the rightful owner". Of course you have to allow for armchair ethnologists not being particularly good at distinguishing between similar groups and later revisionism.
A lot of Pacific islands territories have complicated histories like this (e.g. Hawaii, New Zealand), but the focus usually ends up on whatever bastards most recently took over from the previous bastards (relative levels of bastardy notwithstanding).
Absolutely. For example, the Maoris are not the original indigenous. What happened to them you may ask? They became literal dinner for the Maoris. This has happened elsewhere too. True original indigenous are rare.
The thing with the island of Diego Garcia is quite strange and I strongly suspect there is corruption involved. The UK wishes to divest itself? Instead of holding an auction where the rest of the planet can bid on purchasing the territory, the UK decided that Mauritius would take it (who doesn't really want it) and to entice them, the UK is going to PAY Mauritius to take the territory and leave the base alone. The amount is £90 million annually, adjusted for inflation for 99 years.
This is a lot of money, why not just NOT turn it over and not have to give away £90 million a year for a century? So, it begs the question.. is someone from the UK side benefiting from this no-bid deal?
Give the island to me, and I won't charge the UK to have the base.
Māori were the first settlers of NZ. There’s no record of any earlier population being “dinner” for anyone.
Hopefully that doesn't happen as not everyone who uses a .io is a tech company. I've been using a .io domain for my personal email for something like a decade now, when I just thought "oh that's a cool TLD" and had no idea it was even a country TLD. I don't much relish the idea of getting soaked for money to stick it to the man when I haven't done anything morally wrong.
Whatever happens is going to set some really important precedent for sure.
I think '.su' is already that precedent, since it had many active domains, recently had active registration, and ICANN has announced plans to phase it out.
https://en.wikipedia.org/wiki/.su
See also '.yu' and friends, which have already been deleted.
The fact that the country ceased to exist a year after .su was created and yet the TLD still exists 34 years later is probably precedent for the opposite.
How many domains are we talking though, and how many .io are there? Genuine question since I have no idea.
That territory is not going to "cease to be", it's just going to change hands. The uncertainty was entirely created as an easy way to get views.
This news to me, thanks for sharing.
> But why put your brand at the mercy of a government like that?
I tend to trust my government (Canada) and I appreciate that WHOIS information is hidden by default for .ca domains. I live here and always will so it seems fit to use the national TLD for representing myself and my work.
same here with .ch! I trust Switzerland’s stability way more than I’d trust any business or country. I’m not actually sure if there’s any ccTLD more trustworthy. (yes I know that the TLD is ‘managed’ by a private company but still)
IIRC CIRA who is the delegated ccTLD manager of .ca is not a government entity (this is quite common in the ccTLD space actually, a lot of ccTLD are being managed by foundations or non-profits).
They're not, they're a (refreshingly transparent) non-profit -- but the government has the ability to reassign management of .ca to another organization as they wish.
> But why put your brand at the mercy of a government like that?
Literally every single TLD is administered by a government.
.com itself is under jurisdiction of USA and operated by Verisign
> .com itself is under jurisdiction of USA and operated by Verisign
Barely. The NTIA gave up all their leverage over .com in 2018. The only thing the US can do at this point is let the cooperative agreement auto-renew to limit price increases.
I wouldn't be surprised if the US withdrew from the agreement altogether at this point. Then .com would fall under the joint control of ICANN and Verisign.
> Literally every single TLD is administered by a government.
False. I’m not sure what you’re trying to assert, but governments don’t necessarily need to control/admin gTLDs, and as far as ccTLDs go, they’re under jurisdiction of the corresponding nation, usually, but they’re going to be “administered” by a tech company that holds a contract.
Anyway, “.com” does indeed answer to U.S. jurisdiction, despite being technically a gTLD, but registrations are not restricted to US-based entities. The main things that keep “.com” associated with the USA include the history/legacy of this quintessential “original” domain, as well as a general support from major countries that provide a “second-level” commercial domain, such as “.co.uk”.
https://en.wikipedia.org/wiki/.com
> “.com” does indeed answer to U.S. jurisdiction
... which is a problem lately ... and may have been even in the past for some niches ...
What about .name?
also verisign. https://icannwiki.org/.name
This kind of possibility is why Fastmail purchased fastmail.com and migrated away from our old 'fastmail.fm' domain. .fm was cool, but we ran into a couple of outages on the .fm servers meaning we went offline. No such issues since we've been on .com.
Amazing how many service outages are caused by doing business with GoDaddy.
Sure, but probably when zoom got the zoom.us domain, Neustar was running the .us registry. Godaddy acquired Neustar's registry business in 2020 when everyone was busy looking at other things.
Also after dividing the number of outages by the number of customers?
I'm not a customer (wouldn't buy my domain overseas) and have no solid opinion on GoDaddy besides that I hate the name. I hear the horror stories also. I'm just wondering if this is a knee-jerk reaction
I've used about 12 registrar's and dns providers and they are trash top to bottom - literally the worst and most difficult to do everything from basic setup to how they do things just plain weird compared to other hosting providers. They also aren't the cheapest option so other than brand recognition I don't get why people use them.
Let’s not get carried away.
Network Solutions still exists.
I bought my first domain from GoDaddy in high school. I remember them having the slowest dns portal in the world, and having to call support at least once about something they screwed up. Don't really remember the details, but I remember them causing problems and losing my business within a year. I've used at least 3 other registers since then and never had a single problem.
Here's something you all need to learn about site (or for that matter, tool) reliability:
Nobody gives a shit about how many good outcomes between incidents there are. They care about how many good hours happen between incidents, and they care how big the incidents are.
So if you make a tool that your coworkers use 5 times as much as the old process, that tool better make things at least 6x more stable or people will start talking about how the process fails 'all the time'.
"all the time", as near as I've been able to figure out, after people have been yelling at me, my team, or a team I'm privy to, is not "every day". No, all the time just means that it happens every couple of weeks and one time happened twice in one day, twice in consecutive days, or with two customers in rapid succession. Usually the day they're screaming about.
So if you're doing that thing every day all day long, where you used to do it rarely, but you made some progress on making it more frequent, nobody cares that it's every 100th run that fails, when it used to be every 10th. They just see the drama has gotten more frequent (and nowhere near as frequent as their narrative says, but you've already lost that argument)
They need to implement secondary and tertiary domains—with diverse registrars and hosting infrastructure—for the Zoom client’s calling home. Maybe even a fallback anycast ip address for service discovery. Given how much companies like mine pay for service, it’s reasonable to expect that level of engineering foresight. But hindsight will do—let’s get it fixed. #HugOps to all employees working overtime and taking care of this.
It certainly was frustrating that the status host was also in the zoom.us domain.
Zoom CEO: Hi, we'd like an SLA credit for the global outage you caused our company.
GoDaddy: I am so sorry about that. I can offer you a one-time coupon for $10 off your next purchase or renewal. Would you like me to apply this to your account?
---
Most companies just hope an apologetic zoom call is enough to retain your business, and most of the time it works. Not enough has been written about the asymmetry of your SLA credits to your revenue impact for a given vendor outage and how that should guide your build vs buy decision framework.
You probably don’t want to optimize for the SLA credit making up for a significant part of your lost revenue — because that would mean when things are operating normally, you don’t have much of a profit margin.
SLA’s are generally more helpful for getting out of long term contracts with unreliable vendors than actually making up for revenue lost during an outage.
SLA credits are an incentive for the service provider not making up for lost revenue from the outage.
If you have 100% SLA credit under 99% availability you can't aford to be less than 99% available and I know that your SLA means something to you, not just an aspirational bullet point.
Why would you use godaddy for a service as large as Zoom? They have been garbage for years. The way they locked out their ACME api for anyone but top tear clients sealed the deal for me. I would never trust them.
From the linked article
> This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain.
Markmonitor is used by some fairly large corps and web properties. It’ll be interesting to find out exactly what this miscommunication was.
They don't use Godaddy directly. Godaddy is the registry for .us. Zoom's registrar is MarkMonitor, who appear to be at fault for this outage.
No, Mark Monitor have requested the correct change (EPP status code `ServerUpdateProhibited), GoDaddy messed it up.
(I'm not affiliated with either, but happen to know the technical details of the outage)
Could you let us know how you know the technical details? Is there some public info the rest of us haven't been clued into?
Never heard of MarkMonitor before. Not a great start.
I had Google Domains for years, until they abruptly and bizarrely abandoned it, then I left for Porkbun. Never had a problem with either of them. I get yearly auto-renewal notices. Everything works, and it’s very boring, which is precisely what I want from a registrar.
I worked at a company that used MM and was involved in some of the domain work.
One of the really nice things about the service is they handle a lot of the general business continuity and security stuff that can really suck with traditional registrars. One of their main lines of work is they’ll work with you to resolve tld-squatting and typo-squatting by working directly with the registrars.
Even before an infinite number of vanity or scammy tlds started showing up it would be pretty difficult to find <your-growing-unicorn-startup>.biz to add to your portfolio of domains since the owner may just have forgotten to update their email in their registrar and were coasting on a 10 year registration. Maybe the squat was intentional and it’s now a 1:1 replica of your homepage with a phishing or other credit card scam going. Stuff like that really sucks to do yourself while handling your other responsibilities. MM was pretty successful at getting in touch with the owners in the first place and having the registrar yank and transfer in the latter case. YMMV of course.
Once a lot of tlds started showing up, and especially the porn related ones, they worked with the new registrars directly (like GoDaddy in the .us case here) in the “sunrise period” to make sure something like google.xxx doesn’t become a front page article about an actual porn site (in case you’re wondering, that one doesn’t go anywhere at all). Your other options are to work directly with each registrar or ICANN.
Oh, I didn't know they'd been around since '99. They called me on behalf of a Hollywood titan about one of my hobby domains, which happened to partially coincide at a dictionary word with one of their client's trademarks, some time around 2006. I don't recall that the approximate paralegal I spoke with actually identified the company; I never forgot the call, but hadn't thought to check who manages the studio's own domain. Go figure.
I found them surprisingly easy to deal with, and happy to have me on record that my toy domain had nothing to do with either their client or any money. I assumed as long as that remained the case I would never hear from them again, and for the decade or so longer I kept the domain, that was exactly how things went.
I may be wrong but I think I saw MarkMonitor changing hands a year or two ago so the MarkMonitor of today might not be at the same level and quality of service as before.
Yeah, in 2022 acquired by some kind of sketchy rollup of lots of legacy/web-1.0 firms or what remained of them, it looks like.
Oh, well. It's been a long time since I was so naïve as not to do a quick informal trademark/brand search before I register a new domain, so I don't really expect to hear from them again any time soon, either.
I'd argue the ability of a private company to exert control over all TLDs on the behalf of their clients is indicative of a problem in the domain registrar system. Not a "service"
That’s because you are maybe not in the market for MarkMonitor. If you check the whois for any global brands chances are they are held by MarkMonitor. Just like you don’t use EY as your tax advisor.
Genuinely, I don’t understand how anything other than uptime matters for a domain registrar.
What services are they offering that makes them attractive to corporations?
The are supposed to also filter things like complaints. If somebody complains I'm sending spam and I only pay $20/year then my registrar might lock my domain and then I have to work to get it back online.
Mark Monitor will apply a lot more filtering to complaints.
Ironically this is allegedly what happened in this case, a complaint about the domain got it taken offline.
They generally do full service brand monitoring to protect IP and maintain continuity. You would outsource monitoring for trademark infringement to them, and be certain that domain renewals are done perfectly for a portfolio of high value domains.
Which is why this outage is so weird: the entire point of paying MarkMonitor is ensuring that absolutely nothing goes wrong with a very fraught process, and they seem to have just taken down one of the biggest brands they support.
Precisely. You pay a company like this the nosebleed-inducing fees they charge so that this exact event never happens. That assurance, and not the mechanics of domain registration or canned web searches or whatever else, is their product.
It's like, as I'm sure I'm paraphrasing from something I read God alone knows how many years ago, if your publicist lets you walk into a press event with a giant blob of snot hanging out of your nose. There surely is a reason why that error occurred, and it probably is at least a pretty good reason. But no one is very surprised to see the intro invite from your new publicist.
It isn't a relationship you blow up on a whim, but Zoom that can't route call traffic is Zoom that's not generating revenue, and while the reputational impact is negligible if it happens once, it had really better happen only once. Zoom is the incumbent; no one remembers they were revolutionary once, now everyone only notices the parts they don't like. (Being a skilled but politically naïve sysadmin is much the same.)
Basically, this is why Ma Bell - which had about the only stronger possible "uptime" expectation, in that no one uses Zoom for 911 - was so uptight you couldn't even plug in a modem until about five minutes before divestiture, and specified everything down to the number of turns in the splices their technicians made. There was a fad among programmers, when I was a child, to consider such practices stodgy.
Obligatory Indiana Bell building rotation link.
https://www.archdaily.com/973183/the-building-that-moved-how...
I did not know that story!
What a paragon of engineering.
Like others said, uptime for a registrar barely matters. For an important domain, I don't want anything to change, and if the registrar is down, nothing will change, so that's good.
What MarkMonitor can provide is things like facilitating RegistryLock, which makes it even harder for changes to be made. And account reps that know what's going on. I hate working with account reps, but if they're knowledgable and easy to work with, it's ok.
They do some trademark monitoring (thus the name), if you want to get your own related app taken down from Google Play :p (I'm not bitter, it was amusing). And presence services if you need to hold a domain in a weird location that wants a presence, they can probably arrange it, which is handy at times.
I'd love to know more details on this incident, MarkMonitor had a bulletproof reputation as a registrar that won't fuck up. Godaddy doesn't, but then I didn't realize they had taken over the contract for .us
They can offer humans in the loop, and those cost a lot. Like, a real live human will contact you and ask if you really want to transfer microsoft.com to Shady Shell Company (Bermuda) Ltd. Porkbun's pricing model is less attractive when your domains are worth billions to you.
Why would uptime matter that much for a registrar?
(As opposed to a DNS server, including root servers - and even then DNS has provisions for downtime, not to mention redundancy in configurations)
MarkMonitor has been around forever. It's used by many of the largest companies. I remember quite a few Google outages that could be tracked down to MM issues.
I just remembered, they also can't do DKIM correctly. What good is a DNS provider that can't follow standards?
Companies as big as zoom are still perfectly capable of having a high level VIP decide "we're going to use GoDaddy because I saw their Superbowl ad".
Can’t have an apologetic zoom call when zoom is down …
If there were symmetry, then renewing the domain would cost millions instead of $20 or whatever it is, to cover the payouts. Is that what you want?
If it is, you can buy custom insurance for the event from an insurance company, and pay the same kind of yearly fee.
And remember that with build vs buy, what you build will often be worse than what you buy, because at least what you buy is getting bugs fixed from bug reports across the world from other customers. An internal tool will rarely be as stress-tested and battle-hardened as what you can buy.
I remember crowdstrike outage offers starbucks coupons? that’s way to go.
This smells like something happened with MarkMonitor, they accidently flagged zoom.us as brand spoofing and filed copyright complaint with GoDaddy who runs .us TLD. GoDaddy suspended the domain per the complaint.
It's possible, but MarkMonitor is Zoom's registrar, so there are plenty of other ways for a miscommunication between MarkMonitor and GoDaddy to cause this. Copyright complaints would be a more reasonable theory if MarkMonitor were mentioned and didn't have any other involvement.
I guess but if MarkMonitor accidently suspended it, it would be ClientHold but it was widely reported it was showing as ServerHold.
ServerHold is used with Registry (GoDaddy in this case) is disabling vs ClientHold is when registrar is pulling the plug (MarkMonitor)
So what would have MarkMonitor said to GoDaddy to cause them to ServerHold a domain?
At one point on a trip to Hawaii I was detained in my room by hotel security for fifteen minutes after requesting a room key to replace the one I lost.
It turns out that they had typo’d 12 into the request type field instead of 1, and type 12 was “Covid lockdown protocol with security enforcement” leftover from 2020 and latent in their systems.
Depending on MarkMonitor have chosen to integrate with each other to handle the sort of trademark management that is MarkMonitor’s premium offering, either or both parties could have simply been off-by-one or typo’d in a transaction to cause this. It’s absolutely plausible to create a confusing nightmare outcome with a one-byte error. (And we’re having quite incredible cosmic rays today, so I hope they’re using ECC RAM!)
Possibly MarkMoniter failed to renew the domain on time? Or there was a miscommunication around payment that led to the domain expiring?
There are status codes around that which would contain the word renew.
serverHold is generally only set by registry when they have some pending action which almost always legal related.
You can see a list of Status Codes here: https://www.icann.org/resources/pages/epp-status-codes-2014-...
Renewal date is April 24, so unlikely. Even if it expired this year they would still have a week to renew.
I don’t know if I’m misremembering, but I remember getting automated service emails about how Zoom.us will be a deprecated domain in favor of Zoom.com
When this outage happened, I assumed that they finally “made the switch” over but something went wrong.
Something I heard is that there was a Twitter account @zoom_us that was also deleted today.
If this is the case, then it seems to be a very clear-cut example as-to why we should reject these sort of automated "take downs". They can and are abused, including copyright violations on Github, YouTube, etc.
Since when did we accept, as a society, guilty until proven innocent? I recognize GoDaddy is not the government - but this is unacceptable. A human spending 3 seconds looking at the domain would understand it's a false-positive and should not be removed.
> Since when did we accept, as a society, guilty until proven innocent?
At least since the Digital Millennium Copyright Act.
ThousandEyes analysis of the outage: https://www.thousandeyes.com/blog/zoom-outage-analysis-april...
The article lists a lot of facts, but it doesn't actually explain what happened.
IE, it explains what DNS is, but it doesn't explain why the outage happened. Instead, it merely gives a timeline with a lot of context that's useful for someone who's still learning about what DNS is and how it works.
Thanks, this is really helpful. I had not even realized that every DNS query for .us (for example) goes through a single root registry before going to the actual nameservers.
It's usually cached
I was really hoping to find out they were hosting their DNS on GoDaddy. I still want it to be true.
If only it were so, then they would have kind of deserved it. TIL GoDaddy wormed it’s way into administering the .us TLD on behalf of the federal government.
That makes two reasons to avoid .us domains, the other being that you're not allowed to redact the WHOIS information on those.
This shafted me hard when I registered the domain I used to research and write a company blog post (https://www.guidepointsecurity.com/blog/tunnel-vision-cloudf...).
I’ll never deal with a .us domain again, even if it means missing out on a good text string.
wormed it is
[flagged]
GoDaddy is the registrar. They (Zoom) host their DNS using Amazon.
Flush the cache instructions were posted under zoom.us :)
https://status.zoom.us/incidents/pw9r9vnq5rvk
I thought it was funny that they posted information about the outage on the same domain that had the outage.
having a status page on the same domain seems... unfortunate. Other big players have it right, see githubstatus.com
But please also make status.github.com redirect there or I won't know how to find it.
4 hour catastrophic outage because of a shitty domain registrar makes me wonder if zoom will be switching critical services to a different tld sooner or later as a result of this
Maybe they will use multiple domains.
See for example that AWS Route53 uses com, org, net and uk domains for the nameservers.
It’s always DNS!
The domain status on the whois record was "serverHold" earlier in the day
What do relatively large corporations use for their authoritative nameserver? Do they use PowerDNS, knot, bind, or just use the registrar's nameservers?
Google runs their own, Facebook runs their own, Amazon used AWS, Microsoft uses Azure. Netflix uses AWS.
Most likely all are running some version of Bind, or something custom.
And if you’re wondering about the hidden authoritative servers (that the company uses to generate and administer the zones then synced to a global DNS provider such as the ones you listed) two rather popular products for companies that aren’t also cloud providers are Infoblox and BlueCat.
Paradoxically, productivity spiked.
I remember when Kristen McIntyre owned zoom.com back in the early days as her hobby domain.
Lots of “glad Teams is working at least” commentary today across various meetings. Everyone had a good laugh, as it is usually typical to complaint about the how crappy Teams is. +1 for Teams today
Noob here: could this issue have been worked around if you had a personal list of the IP addresses that the domain resolved to?
Most DNS issues can, yes. Your hosts file is going to be thick though, and a pain to keep up to date ;P
> Your hosts file is going to be thick though, and a pain to keep up to date
I'm guessing you already know, but for the others: This is precisely what the DNS protocol was created for.
"This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain. "
Something is fishy about this. A communication error would not result in a domain being placed on hold. On hold is usually the result of a legal order or in the case of the .us TLD a nexus compliance violation. I've transferred thousands of domains from assorted dodgy registrars into MarkMonitor and can not even imagine a scenario where a miscommunication results in a domain being placed on hold.
Correctness doesn't scale. If something has six nines of reliability, you'll probably never see the one-in-million outlier yourself. But if the other side deals with a million requests a month, they are a common occurrence.
Yeah I'm not saying errors don't happen. I've been called into gazillions of them including many that "should not happen". Those make for the best root cause analysis and after action reports.
Rather this does not sound like a communication error unless they are leaving out a lot of critical details and context or the domain management interface has been de-frictioned and dumbed down too much.
Could it have been something as simple as "hey, zoonn.us is violating Zoom's copyright, please block it" and then someone typos "zoom.us".
Nah, weird stuff that “shouldn’t” happen almost always happens more often than things that “should” happen.
I hear ya but this would more than likely be something like a really sloppy human error such as following the wrong process vs. a miscommunication otherwise I would expect these outages to be much more frequent. I do remember when a fat-finger at UUNET took out most of the internet long ago but that was a human error and is a bit harder to have the same impact today.
To me a communication error implies someone followed erroneous instructions without asking the obvious, " ... but isn't this a big business that is still live and why don't I have a legal order in my hand?" In fairness this did happen recently with he.net because a sub-domain was reported but it was done intentionally even if they failed to do even basic due diligence. After Covid I would expect most people would know zoom.us would be in use by a lot of people whereas only specific groups of people would know what he.net is.
I am curious if the process has changed due to laziness and now registrars can just select any number of domains and click a button to place them on hold without management or executive approval. If so that should be in some audit trail and should require confirmation and approval by a senior leader.
What? Weird stuff happens less by definition.
Not necessarily. The default could happen 49% of the time, and everything else happens way less than 1%, but is weird.
So 51% of the time it’s weird, but not the same weird.
Every place I've been we measured such weirdness outside of the 95'th and 99'th percentile. Anything out of common occurrence beyond the 99'th could be weird or interesting or fascinating. I still wish I could share the incident of a single NIC on a single server taking down an entire data-center, that was both weird and fascinating.
If there is a "default" then "everything else" is not weird. The conclusion is "this thing doesn't work most of the time so it wouldn't be weird if it doesn't".
[flagged]
Isn't the stated reason, a miscommunication with the registrar, far far more likely?
In normal times, absolutely. These aren’t normal times.
What's the escalation theory here mean? The US shut it down to damage a company it doesn't like? And 2-4 hours is meaningful? or China did it? Maybe it was shutdown and used as negotiating leverage and brought back when some agreement was reached?
GoDaddy's involvement really makes me believe that it's a genuine screw up.
Well, Zoom also lied about their encryption (or, perhaps more charitably, described it in a misleading way. nah, they just lied) and was directing traffic through chinese servers with no reason for doing it -- it was occurring when all meeting participants and the company paying for the zoom account were outside China -- besides enabling spying.
Companies pay MarkMonitor to NOT make these mistakes. So... GoDaddy failed?
Or... they did make a mistake. It happens to the best of us.
Yeah I don't understand this. MarkMonitor themselves are a registry, so is the potentially a mistake in migrating from GoDaddy to MarkMonitor?
GoDaddy operates the .us TLD, so Zoom registered the domain through Markmonitor, who acquired it from GoDaddy, who shit the bed and broke everything.
ah-ha! Didn't consider that GoDaddy operates the TLD (in my mind I assumed it was just Verisign). Thank you for pointing that out.
It used to be operated by Neustar, but GoDaddy bought out their domains business in 2020.
MarkMonitor is a registrar (one of many). GoDaddy Registry is the .us registry operator (the only one); they actually operate the TLD on behalf of the government. In this capacity they are not operating as another registrar, but as the TLD operator.
"It would be amiss not to start without a reference to AI, as 2024 saw the movements toward legal definitions and prohibited AI practices with the EU’s AI Act. 2024 also saw more innovative integration of AI into registrars’ service offerings, from “chatbots” to registration process flow to domain name generators. We also witnessed the rise of LLM (or Large Language Models) being used in Brand Protection Services and the identification of abusive registrations. This trend will definitely be increasing in 2025."
https://www.markmonitor.com/blog/2024-markmonitor-year-in-re...
What does “shutting down” the domain even mean? Has to be a DNS thing, right?
It's translated through several layers of people who don't know anything.
Their domain expired because at some level people made some pretty boneheaded mistakes.
Whomever their actual registrar actually was (GoDaddy it seems) stopped pointing the zoom.us nameserver record (NS) at AWS Route 53 which Zoom obviously uses.
GoDaddy is the root registry for all .us ccTLD, MarkMonitor is the actual registar Zoom is working with. The issue seems to be more how GoDaddy assigned to the domain to MarkMonitor not something Zoom itself likely controls (such as NS records)
.us (and other many TLDs) uses EPP to communicate between registars (MarkMonitor here) and Registry (GoDaddy). It is probably an admin error rather than code[1], some manual approval or other human review workflow for high value domain and someone clicked/filled in the wrong value at GoDaddy or MarkMonitor would be my first guess.
[1] would have been observed and fixed long before today, transfers happen all the time after all
It didn't expire
This wouldn't happen if it were distributed or decentralized like pre-MS Skype used to be.
Earlier: https://news.ycombinator.com/item?id=43709266
Is it just a coincidence that Spotify and Zoom both had massive outages on the same day?
Would it be safer to hard-code a static IP than a domain?
Ip's can (easily) be hijacked by nefarious BGP requests and offer no easy SSL. You could maybe add cert pinning to fix that, but it's quite inflexible.
Another added bonus of domains is the potential for subdomains to be used. This could be usful for many purposes: as load balancing/pooling mechanism (fictive example us4.zoom.us) and for compartmentalisation (api.zoom.us).
It should not cause issue as your company should have BCP on this and can switch to other conferencing service.
NoDaddy!
Lol, they use GoDaddy? Aka scammers and racketeers? Aaah .us TLD, too bad they have control over it.
Back in 2008, when my fiancée invited me to visit Catalonia, I was in the market for transatlantic airline tickets. And I'd never flown internationally before, and I applied and obtained a US Passport, and I figured out with my father how to get a Travelex prepaid debit card with Euros loaded, and my fiancée was prodding me anxiously about buying a ticket, and I eventually threw caution to the wind and flew on an airline called "ZOOM".
Now "ZOOM" was supposedly based in Canada and they were supposedly giving bargain-basement fares to Americans as well, from select origins to select destinations. All I needed to do was to get to Lindbergh Field (San Diego International) and ZOOM Airlines would fly me to London Gatwick. And their aircraft had cute friendly livery with big "ZOOOOOOOOM" lettering on the side. And the price was totally cheap.
Well they did their job fine; I landed in Gatwick, took a train to Heathrow, and flew on Iberia into and back out of Barcelona. Unfortunately, before I departed, my father phoned my fiancée to break the news that "ZOOM Airline" was bankrupt, and all their flights were grounded. They had run out of fuel in Scotland, and nobody would top up the tanks. My return ticket from London to San Diego was worthless.
So Dad puts me on a British Airways flight and I got home safe. But from August 2008, or before, I have harbored a visceral animosity towards any foreign actors named "ZOOM".
wow
how
[dead]
oops rolls eyes
Markmonitor and zoom are both terrible companies so I can't feel bad about this
Since parent (autoexec) has provided links to all of these claims, do not let it go to the down-vote hell and disappear.
Why Markmonitor is terrible: https://news.ycombinator.com/item?id=43712299
Why Zoom is terrible: https://news.ycombinator.com/item?id=43712438
If you think it is not enough to call them terrible, reply to these comments as to why not.
What's wrong with Markmonitor? They don't have nearly the customer base of Zoom (where I can relate to any complaints, I'm sure)
They've earned themselves a reputation for sending false DMCA notices.
https://www.inquisitr.com/markmonitor-sends-false-copyright-...
https://torrentfreak.com/record-labels-defeat-false-dmca-tak...
https://torrentfreak.com/court-dismisses-charters-claims-of-...
https://torrentfreak.com/hbo-wants-google-to-censor-hbo-com-...
https://torrentfreak.com/after-4-years-copyright-holders-sti...
They haven't even always been good to their own clients: https://torrentfreak.com/anti-piracy-lawfirm-defrauded-right...
Can you explain what that last article has to do with MarkMonitor? To me it just sounds like MarkMonitor once bought a company from a law firm which was sued for fraud 5 years after the sale was completed. So it doesn't appear that MarkMonitor was in any way related to the fraud which occurred.
Good call out! If Schlüter didn't continue doing work for DtecNet after the sale to MarkMonitor then we can't really blame MarkMonitor for the things he was doing 5 years later.
Curious what your rationale is for Zoom being a terrible company? I don't disagree.
I decided zoom was a bad company very early for security and privacy reasons
https://www.theverge.com/2019/7/8/20687014/zoom-security-fla...
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...
The endless stream of news on privacy problems and vulnerabilities that have come to light since then have only made me feel better about that initial opinion.
https://techcrunch.com/2023/08/08/zoom-data-mining-for-ai-te...
https://www.tomsguide.com/news/zoom-security-privacy-woes
https://cybersecuritynews.com/zoom-app-vulnerability/
https://www.theregister.com/2024/02/15/zoom_privilege_escala...
https://gbhackers.com/zoom-security-update-patches-multiple-...
https://thecyberexpress.com/multiple-zoom-vulnerabilities-de...
Zoom, a multibillion dollar corporation, uses the shit tier of all companies, _GoDaddy_, for their registrar?
What a blunder.
GoDaddy runs the .us TLD. You cannot avoid them if you want that TLD
You can avoid them by not using the .us TLD.
And the 5 years or so since Godaddy bought .us should have been long enough to migrate to another name.
That's not the registrar, that's the registry
Someone in the Zoom company management forgot to update the billing credit card for that domain, I bet you $1000. Happens all the time with our clients.
They don’t use normal registrations. Anyone with any size is using MarkMonitor and do monthly billing and have a dedicated person. No credit cards.
The entire point of MarkMonitor is that won't happen.
Except while it probably wasn’t a credit card expiry it did result in the domain being suspended. Looks pretty bad for MarkMonitor. They didn’t do the “monitor” part of their name.
Well then, someone at MarkMonitor forgot to update the credit card, then. hehe
I wonder how long mark monitor would keep renewing the domain without payment...
I don't think the domain was up for renewal this year. Even if it were, it wouldn't expire until the 23rd.