That seriously devalues MarkMonitor's services. MarkMonitor claims to be "an ICANN-accredited registrar and recognized industry leader since 1999".
The whole point of paying for MarkMonitor is that they're an expensive service for valuable domains and are not allowed to screw up. GoDaddy should not be involved here at all.
GoDaddy Registry operates the .us registry. You cannot have a .us domain without their involvement. Consider whether you wanted a .com domain instead (which is operated by Verisign).
> The whole point of paying for MarkMonitor is that they're an expensive service for valuable domains
A while ago, out of curiosity, I did a WHOIS lookup to see what big tech companies are using as their domain registrar and found that Microsoft, Google, Amazon, Tesla, Netflix and Shopify are all using MarkMonitor. On the other hand, Apple uses "Nom-iq Ltd. dba COM LAUDE", Meta (and its children) uses RegistrarSafe, and Nvidia uses SafeNames.
Well, another point of MarkMonitor is to get access to ccTLDs with requirements that are more difficult for you to meet yourself. Like needing to have a physical address within the country. MarkMonitor has offices in a bunch of countries just to meet that requirement, so they can sell ccTLD domains to customers.
The legality of that system seems a little questionable to me, but IANAL.
If you register a ".ps" domain, it doesn't matter if you use MarkMonitor or Namecheap, they can't help you when the ongoing genocide results in the removal of Palestine as a country and ".ps" no longer is a valid country code top level domain.
Similarly, if you register a .us domain instead of a ".com", ".net", or ".org", MarkMonitor can't help you when GoDaddy inevitably screws up.
History has borne this out: .com domains are well-managed. ccTLDs like '.io', '.su', and '.fj' have all had significant security or availability issues because they're run by "eh, whoever the hell the country picks" with no standards.
Financially, a proper gTLD also can't raise prices unilaterally and weirdly, while if you pick a ccTLD, the country has free rein to arbitrarily change prices, delete your domain, take over your domain, etc etc.
>>> This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain.
That sounds like MarkMonitor is at least partly at fault here.
> Financially, a proper gTLD also can't raise prices unilaterally and weirdly, while if you pick a ccTLD, the country has free rein to arbitrarily change prices, delete your domain, take over your domain, etc etc.
Look into what’s happened with pricing on domains like .org and .info. They’re increasingly absurd, with the restrictions on price increases that once were there largely being removed, at the pushing of the sharks that bought the registrar. Why are these prices increasing well above inflation rate, when if anything the costs should go down over time? Why is .info now almost twice as expensive as .com?
"Their enforcement team works with platforms to remove infringing content and can even help with legal proceedings if needed. They don't just find problems—they help solve them through their connections with major online platforms and their understanding of takedown procedures."
What you're paying for is MarkMonitor's people having the cell phone number of the guy at the operations end of whatever point in the chain screwed up. At least that was their original pitch. Now, they have a whole range of tracking services which you can get elsewhere.
Agreed. This is a whole lot of screw ups that I would have expected from the indie company down the street, not an ICANN accredited registrar. It's pretty pathetic when it takes public pressure for the ICANN to finally start doing their goddamn job.
These big companies spend tens of millions on homegrown tooling, even their own languages and databases, but they can't assign one dev to write a domain-monitoring tool?
You are thinking like a developer. In reality that means that now they are responsible for it, if MarkMonitor messes something up they can use their relationship to all the registrars to fix the problem and MarkMonitor is on the hook in case anything goes wrong.
This is a better situation to be in than some internal tooling that failed to notify someone because it got forgotten after the developer left.
Because it's cheaper and more reliable to outsource that to a company specializing in it.
If one dev had written it, how many times would that tool have failed by now? When the original dev left the company a decade ago, the tool has been transferred between teams six times, it failed a migration and the email address it used to send errors to no longer exists so nobody noticed, and it's literally gotten lost in the shuffle?
Markmonitor is much more about the people and service behind it rather than the software. To replace markmonitor you don't need a dev to write a tool. You need a dev to write a tool, and then a team of people who build relationships with everyone in the domain world and are available 24/7 to make calls and deal with issues if they come up.
To try to convince my employer at the time to drop Zoom, I decided to see how many security vulns I could find in 2-3 hours.
Found 12 confirmed bugs in that window using only binwalk and OSINT.
The worst was that I noticed the zoom.us GoDaddy account password reset email address was the personal Gmail account of Eric S Yuan, the CEO.
So, I tried to do a password reset on his Gmail account. No 2FA, and only needed to answer two reset questions. Hometown, and phone number. Got those from public data and got my reset link, and thus, the ability to control the zoom.us domain name.
They were unable to find a single English speaking security team member to explain these bugs to, and it took them 3 months to confirm them and pay me $800 in bug bounties, total, for all 12 bugs.
The one bright side is this did convince my employer to drop them.
How long ago was this? A few years ago they were hiring aggressively for security team members in the US, including a dedicated fuzzing team. I’m guessing this was from early on when Zoom was just getting popular?
It's easy to blame GoDaddy, but 'miscommunication' takes two.
You pay Markmonitor a shitload of money to make sure this doesn't happen. They should have dedicated people at GoDaddy and direct communication channels.
This is a significant fuckup on Markmonitor's part, even if GoDaddy did something different than was requested from them.
I can guarantee you that miscommunication doesn't always require 2 people.
Source: Have been OH SO EVER PRECISE AND EXACT in my communication with certain idiots, and they still screw it up. Several instances of "put this here carefully", only to return and find it all the way across the room upside-down and broken, come to mind.
A few years ago I had a .us TLD. I eventually decided that I probably shouldn't be reliant on a country code for my domain; it's the same reason why I don't use .io.
I'm not saying that this couldn't have happened with a gTLD. But why put your brand at the mercy of a government like that?
What TLD is not subject to a country's laws? .aq? .su?
Edit: .eu might be an even better candidate for this requirement, but you can ask British former domain owners how that worked out
gTLDs just subject you to an additional layer of incompetence, namely from the company running it. The government where they're located can still come knocking. It's also not like e.g. .nl is run by the Dutch government officials, it's a nonprofit started by some people in the 80s iirc
gTLDs are regulated by ICANN. As much as an organization can achieve to be a global multistakeholder group, at least the intention is to be global.
ICANN have a mostly hands-off approach to ccTLDs. The intention is that each country decides on its own regulations and management when it comes to its country code specific domains.
.nl is a very special case, and it is true that the Dutch government was not involved. .nl was the first country code TLD created outside of the US, when the domain system still was part of ARPANET and operated by the United States Department of Defense. .nl was then transferred to a foundation 10 years later, and that's where ownership now resides.
ccTLDs are somewhat of a mess. Many are created in universities, then transferred to a company or foundation. Others were sold to companies from the start. In some cases, governments have sold their ccTLD to other countries.
.se for example was created in a Swedish university, and then later the government took possession of it (or the university gave it to them, can't really say). Now there are laws that explicitly define how it should be used and governed, and a non-profit foundation manages the implementation.
> gTLDs just subject you to an additional layer of incompetence, namely from the company running it.
ccTLDs also have to be run by some organization, which is often a private company. Maybe the country's oversight over this organization is better than ICANN's oversight over gTLD operators. Maybe it's not. Historically, the worst technical incidents have occurred at ccTLDs.
Zoom are already at the mercy of the government by virtue of being incorporated in the US, and having the majority of their staff there. "Generic" TLDs like .com come under US purview also anyway.
Dodged a bullet there given that .io is at risk of being discontinued altogether. It hasn't been decided yet, but better to not have that dangling over your head.
You can bet it wouldn't be actually discontinued, but you can bet when/if the UK gives away the island to Mauritius or whatever, they'll lease the rights to the highest bidder, and those people will be free to extort everyone with a valuable .io domain.
It's going to be interesting to see what they do. One of the core arguments when claiming the domain industry enjoys a competitive market is that switching costs are bearable and that switching TLDs is an option if registries increase prices too much.
So ICANN has a non-trivial choice to make. Either they maintain the position that switching costs are bearable and let .io disappear, or they admit that TLD switching is impossible and save .io, which will make it hard to argue the threat of (registrants) TLD switching keeps the industry competitive.
> But why put your brand at the mercy of a government like that?
I tend to trust my government (Canada) and I appreciate that WHOIS information is hidden by default for .ca domains. I live here and always will so it seems fit to use the national TLD for representing myself and my work.
same here with .ch! I trust Switzerland’s stability way more than I’d trust any business or country. I’m not actually sure if there’s any ccTLD more trustworthy. (yes I know that the TLD is ‘managed’ by a private company but still)
IIRC CIRA who is the delegated ccTLD manager of .ca is not a government entity (this is quite common in the ccTLD space actually, a lot of ccTLD are being managed by foundations or non-profits).
> .com itself is under jurisdiction of USA and operated by Verisign
Barely. The NTIA gave up all their leverage over .com in 2018. The only thing the US can do at this point is let the cooperative agreement auto-renew to limit price increases.
I wouldn't be surprised if the US withdrew from the agreement altogether at this point. Then .com would fall under the joint control of ICANN and Verisign.
> Literally every single TLD is administered by a government.
False. I’m not sure what you’re trying to assert, but governments don’t necessarily need to control/admin gTLDs, and as far as ccTLDs go, they’re under jurisdiction of the corresponding nation, usually, but they’re going to be “administered” by a tech company that holds a contract.
Anyway, “.com” does indeed answer to U.S. jurisdiction, despite being technically a gTLD, but registrations are not restricted to US-based entities. The main things that keep “.com” associated with the USA include the history/legacy of this quintessential “original” domain, as well as a general support from major countries that provide a “second-level” commercial domain, such as “.co.uk”.
This kind of possibility is why Fastmail purchased fastmail.com and migrated away from our old 'fastmail.fm' domain. .fm was cool, but we ran into a couple of outages on the .fm servers meaning we went offline. No such issues since we've been on .com.
Sure, but probably when zoom got the zoom.us domain, Neustar was running the .us registry. Godaddy acquired Neustar's registry business in 2020 when everyone was busy looking at other things.
Also after dividing the number of outages by the number of customers?
I'm not a customer (wouldn't buy my domain overseas) and have no solid opinion on GoDaddy besides that I hate the name. I hear the horror stories also. I'm just wondering if this is a knee-jerk reaction
I've used about 12 registrars and DNS providers and they are trash top to bottom - literally the worst and most difficult to do everything from basic setup to how they do things just plain weird compared to other hosting providers. They also aren't the cheapest option so other than brand recognition I don't get why people use them.
I bought my first domain from GoDaddy in high school. I remember them having the slowest DNS portal in the world, and having to call support at least once about something they screwed up. Don't really remember the details, but I remember them causing problems and losing my business within a year. I've used at least 3 other registrars since then and never had a single problem.
Here's something you all need to learn about site (or for that matter, tool) reliability:
Nobody gives a shit about how many good outcomes between incidents there are. They care about how many good hours happen between incidents, and they care how big the incidents are.
So if you make a tool that your coworkers use 5 times as much as the old process, that tool better make things at least 6x more stable or people will start talking about how the process fails 'all the time'.
"all the time", as near as I've been able to figure out, after people have been yelling at me, my team, or a team I'm privy to, is not "every day". No, all the time just means that it happens every couple of weeks and one time happened twice in one day, twice in consecutive days, or with two customers in rapid succession. Usually the day they're screaming about.
So if you're doing that thing every day all day long, where you used to do it rarely, but you made some progress on making it more frequent, nobody cares that it's every 100th run that fails, when it used to be every 10th. They just see the drama has gotten more frequent (and nowhere near as frequent as their narrative says, but you've already lost that argument)
They need to implement secondary and tertiary domains—with diverse registrars and hosting infrastructure—for the Zoom client’s calling home. Maybe even a fallback anycast ip address for service discovery. Given how much companies like mine pay for service, it’s reasonable to expect that level of engineering foresight. But hindsight will do—let’s get it fixed. #HugOps to all employees working overtime and taking care of this.
Zoom CEO: Hi, we'd like an SLA credit for the global outage you caused our company.
GoDaddy: I am so sorry about that. I can offer you a one-time coupon for $10 off your next purchase or renewal. Would you like me to apply this to your account?
---
Most companies just hope an apologetic zoom call is enough to retain your business, and most of the time it works. Not enough has been written about the asymmetry of your SLA credits to your revenue impact for a given vendor outage and how that should guide your build vs buy decision framework.
You probably don’t want to optimize for the SLA credit making up for a significant part of your lost revenue — because that would mean when things are operating normally, you don’t have much of a profit margin.
SLAs are generally more helpful for getting out of long term contracts with unreliable vendors than actually making up for revenue lost during an outage.
SLA credits are an incentive for the service provider, not making up for lost revenue from the outage.
If you have 100% SLA credit under 99% availability you can't afford to be less than 99% available and I know that your SLA means something to you, not just an aspirational bullet point.
Why would you use GoDaddy for a service as large as Zoom? They have been garbage for years. The way they locked out their ACME API for anyone but top-tier clients sealed the deal for me. I would never trust them.
> This block was the result of a communication error between Zoom’s domain registrar, Markmonitor, and GoDaddy Registry, which resulted in GoDaddy Registry mistakenly shutting down zoom.us domain.
Markmonitor is used by some fairly large corps and web properties. It’ll be interesting to find out exactly what this miscommunication was.
If there were symmetry, then renewing the domain would cost millions instead of $20 or whatever it is, to cover the payouts. Is that what you want?
If it is, you can buy custom insurance for the event from an insurance company, and pay the same kind of yearly fee.
And remember that with build vs buy, what you build will often be worse than what you buy, because at least what you buy is getting bugs fixed from bug reports across the world from other customers. An internal tool will rarely be as stress-tested and battle-hardened as what you can buy.
I guess that's what happens when they had to accept a substandard domain, because they were unwilling to be creative about their name.
Someone had fun with that one.
Imagine being a small startup with a similar problem. Godaddy will not even entertain you.
.us is not the “root DNS” and your misidentification is muddying the waters.
.us is a TLD (Top-Level Domain) and more specifically, a ccTLD (cc = ‘Country Code’).
https://en.wikipedia.org/wiki/.us
And the English Wikipedia says that its registrar is a subsidiary of GoDaddy named “Registry Services, LLC”.
The root DNS servers and registry are not run by GoDaddy or a subsidiary.
https://en.wikipedia.org/wiki/Root_name_server
They are operated by important entities. Not companies that release sexy commercials featuring Danica Patrick. I keep getting confused between GoDaddy and Carl’s, Jr.
The whole point of MarkMonitor is more in the trademark realm, rather than a cloud sysop role.
"Mark" is what trademarks are called in the ... trade.
Do not use a ccTLD.
If you're based in Germany, I don't see a reason why you would want to avoid .de domains.
Yes, it is.
I don't know why you're trying to spin it as MarkMonitor's fault.
I don't know if that's actually the case; I've heard some shady sites are using .su (Soviet Union) to avoid judicial actions.
Literally every single TLD is administered by a government.
.com itself is under jurisdiction of USA and operated by Verisign
https://en.wikipedia.org/wiki/.com