Now I have the proposal in front of me this is my response to Nominet which I am emailing today.
F. About You: Nominet know exactly who I am and that I represent Andrews & Arnold Ltd in my reply as a nominet member, ISP and small business.
The proposals appear to deliberately confuse several aspects :-
1. Better quality of registrant details to make domain owners more accountable
2. Requirement for a UK service address for registrants
3. Use of DNSSEC
4. Malware scanning websites
I think that lumping these issues together in one consultation and making them all an aspect of a new area of domain space is misleading. These are mostly orthogonal issues which may want to be applied to .uk domains in various ways if they are sensible. As such I think the consultation itself is flawed.
The objectives are to make a more trusted domain space - this sounds good, but means you are making all existing .uk domain space less trusted! That is bad, very bad.
As the registrant of .net.uk, .co.uk, and .ltd.uk domains I am opposed to Nominet telling the general public that my domains are no longer to be trusted and forcing me to pay to register a .uk domains to regain that confidence.
G. Security: Offering a web site owner a malware scanning service is indeed a useful thing for many web site owners. I am sure many such services exist and will have their own "trust" mark of some sort shown on the sites in question. However, linking this to the working operation of the domain is very bad.
1. It confuses the remit of a domain registrar and virus scanning companies.
2. It makes the rather odd assumption that domains have to even have a web site and seems to ignore the many ways a domain can be used in connection with malware (e.g. as an email target).
3. It is unworkable as the website may have malware on secure areas of the site which cannot be "scanned"
4. It is unworkable as the website may host end user content for which the domain owner is not responsible, and result in a usable vector for taking a domain down but posting malware
5. It does not help user confidence as a website could easily contain links to external malware, which consumers would not realise are not part of the scanning process. Making them part of the scanning process makes things even more unworkable.
G. Security. DNSSEC. I think making DNSSEC mandatory is a good idea. This is, however, a separate issue and could be consulted on. One idea is that any new domain space under .uk should have DNSSEC mandatory, that a deadline be set for all new domain registrations in all .uk space to have DNSSEC mandatory, and a deadline for mandatory DNSSEC on existing domains with chasing of domain owners. One idea would be to make some of the existing space more trusted, e.g. mandate a deadline for all net.uk domains to have DNSSEC sooner.
H. Verification: This looks a long winded and costly and confusing process which will not actually add any extra security.
1. I am not entirely sure myself if I prefer to ensure a UK presence. This seems like a good idea though, and perhaps should be something considered for direct .uk registrations. Again, this is a separate issue, and making one part of .uk space more trusted than other parts is bad. Requiring a UK address could easily be something phased in for existing .uk domains.
2. A postal process of verification seems excessive. For a start, as you expect this to be companies, why not make it so the company registered office is always a "trusted" address and allow immediate registration to any company. Link in to Companies House to check company name and address. That is simple, automated, and passes the buck on address checking to someone else (Companies House). Indeed, why not make the company registered address part of whois for all domains registered to a company, not just the new direct .uk space?
3. Verification of an email contact would be useful and again, can be automated.
4. However, all of this is pretty academic. There are many "service address" services already and they will simply start offering service address services for UK domains for non UK domain owners, and for people not wishing to publish usable addresses. So is there really a point?
I. Third level sub-domains. Restricting sub domains is totally wrong and unworkable.
1. The whole idea of "owning" a domain is that it belongs to the person that bought it. If they then have restrictions on what they do with the domain then that means they don't really own it. None of the existing domains have restrictions on what can be done, either at a DNS level, or at the level of content on web sites or use of email addresses. This is a fundamental change to the way domains are used and inconsistent with the whole worldwide domain system.
2. I cannot see how the restrictions would work in practice. The idea is preventing "sale" of sub-domains. But what is "sale". I could sell web space on a sub-domain, which is not selling the sub-domain. I could sell DNS services on a sub-domain - not selling the sub-domain as such, and not even delegating by NS record, but to all practical purposes the same and clearly the same from a consumer point of view. I could "rent" a sub domain not "sell" it (which is what happens anyway). I could simple sell paths under the domain on a web site, which to a consumer would carry the same trust as the main domain but be someone else's web site.
3. Basically, if the "rules" allow any use of the domain by third parties which are not directly under registrant control, then you have the scope to have the uk.com type scenario and lack of consumer understanding. If you restrict so all use has to be under registrant control you stop a variety of "legitimate" use of a domain and make it a lemon.
J. Reserved and protected names: I do not quite understand what the hell you are saying here.
1. This seems to be suggesting restrictions on third
level names within the new second level domains. This makes no sense. Again, owning a domain means doing what I like with it. How exactly will Nominet stop me putting "co" in my DNS? And why would they. There is nothing stopping me have com.aa.net.uk now as a fourth level domain, so why would there be a restriction on com.aa.uk ?
2. If this is in fact talking about the restrictions on second level domains, e.g. not allowing com.uk, then that is consistent with existing policies in top level domains, and not actually needed as most restricted domains of relevance already exist under .uk. This almost does not need to be a rule - nominet could simply register these restricted domains themselves first.
3. Restricting other second level domains - not sure why this is needed.
K. Phased Release: The way sunrise has been handled in other areas of .uk space worked reasonably well and I don't see a reason not to do the same. What I would say is that only UK registered trade marks should be considered, or considered with higher preference to non UK trademarks as this is, after all, .uk namespace. This also makes the process of validating a trademark simpler and ideally cheaper as the UK patent office has a web site that can be easily checked.
1. There is also a consideration that maybe existing .co.uk, .net.uk, .ltd.uk, .plc.uk holders should have some preference in a sunrise period. Obviously only on long standing domains predating the consultation. This would seem sensible if Nominet are forcing existing domain owners to get new domains in order to maintain any trust in the domain.
L. Channel to Market. Nominet seem to be saying that as a Nominet registrar, you don't already trust me to correctly register domains and you want me to jump through new hoops to somehow prove I am worthy. That is silly.
M. Existing domains. Obviously don't take away any existing sub domains. Some of them already have (or should have) higher trust such as .ltd.uk, .plc.uk and .net.uk.
N. General views.
1. The consultation is a confusing mix of different ideas which should be considered independently including considering how they apply to existing domains. Some of the ideas are good (DNSSEC). Direct .uk domain registration itself does not seem like a bad idea. Mixing it with other ideas, and making it have restrictions on DNS records allowed within the domain is crazy, and virus scanning web sites is not Nominet's job at all.
2. The objectives of the proposal appear to be to devalue trust in existing domains, which seems like a stunningly bad idea.