Domain names are vital in a modern society

In 2012, after more than a decade of stability in a domain market where the number of actors and top-level domains remained relatively constant, ICANN 1 chose to make a change. They opened up registration of top-level domains to anyone, provided applicants met certain financial and technical requirements. The objective of this liberalization of the market was to give customers a wider range of options and to contribute to increased competition and innovation.

After processing the first round of applications, currently ca. 1200 new top-level domains have been registered2. Plans for a new round of applications are under way, but it is not yet clear when the application window for the next round will open.

So, what has happened in the domain market in recent years? Are players competing on the same terms as before, or have the rules of the game changed? And what does this all mean for end customers and others in the market?

So far, there are now five times as many top-level domains in the market, compared to 2012. This means increased competition for both new and established actors.

Most new top-level domains have distinct, meaningful names. Among them are generic descriptions (.top, .club, .global, .app), names of cities and other geographical references (.berlin, .amsterdam), descriptions of industries (.lawyer, .doctor, .ceo), interests (.horse, .cooking), group identities (.mormon) and brand names (.statoil, .gucci, .bbc).

It will take time for the newcomers to establish themselves in this market. As of July 2016, the new generic top-level domains have a market share of approx. 6.4 percent 3. Certain top-level domains dominate in terms of size, both among well-established top-level domains and new domains. The world’s largest top-level domain, .com, alone has a market share of approximately 39 percent 4. However, the largest newcomer, .xyz, has managed to carve out a place among the world’s ten largest top-level domains.

For many top-level domains, however, total number of domain names is not a relevant measure of success. The business concept behind .luxury, for example, is to be an exclusive product for the select few, which is not compatible with rapid growth. Another example includes top-level domains that have not been registered for the purpose of resale, such as .statoil and .bbc.

For decades, actors in the domain market have seen a stable increase in the demand for domains. Recently, however, there are some indications that the market is maturing. Long-term trends for established top-level domains show growth in demands slowing down. The exception is a short-term spike in late 2015, which was caused by Chinese investors registering a large number of domains. The growth has begun to return to its previous level. The new top-level domains are growing faster than established domains 5, but for these domains, too, Chinese investors has been buying up domains in large numbers over the last year. For example, in April 2016, .xyz reported that more than 50 percent of registrations came from Chinese customers 6.

If this trend of slowing growth in new registrations under established top-level domains continues, several top-level domains may soon experience zero growth. A saturated domain market will, in turn, lead to more fierce competition.

One additional explanation for the slowing demands may be that domain names have become less visible. Increased use of mobile devices means increased use of apps and clickable links, where the user does not have to relate to the domain name behind the content. At the same time, however, domain names are a central part of Internet infrastructure, and there is no competing technology in sight.

Technically speaking, all domain names work the same way. As a result, top-level domains must use other means to differentiate themselves from competitors and create value for their customers. The most common strategy is to build an identity for the top-level domain, which, in turn, adds value for customers registering their domain names there. One example in this regard is .com, whose brand is so strong that many prefer a longer and more complicated .com domain over a shorter domain under a lesser known top-level domain. Similarly, .no has built a distinct identity as a Norwegian, high-quality domain; .no is the obvious first choice for companies and private individuals with a connection to Norway.

Building a strong identity, however, is not achieved overnight. With more than a thousand new players now entering the field, it is going to take considerable resources and long-term marketing to just be visible in the crowd. New top-level domains need a strong business concept and a solid foundation for income generation to succeed, and the same could also be said for established top-level domains that haven’t been able to build a clear identity before newcomers flooded the market. 7

In addition, the identity of a top-level domain is more than just branding. Its identity also reflects the “neighbourhood” its customers become a part of. A top-level domain where the majority of domains function as its customers’ primary site on the internet, is more attractive to new customers than if the majority of domains there serve no other purpose than to redirect visitors to other top-level domains 8. The value of a good “neighbourhood” also manifests itself when some security organizations recommend that companies block all traffic leading to specific top-level domains, because more than 90 percent of domains there are used for unwanted activities, such as spam, fraud and malware. 9

Identity is a central aspect in the competition between top-level domains, but they do, of course, also compete in terms of price. For example, .tk (Tokelau) has built one of the world’s largest top-level domains by ignoring the aspect of identity altogether, and instead offering .tk domains for free for the first year. If the customer at the end of the year does not wish to keep the domain, the organization managing .tk takes over, earning money by directing traffic from the domains to advertising sites. The new top-level domain with the highest number of registrations, .xyz, also climbed to this position by offering domains for free when starting up the top-level domain.

Even though the number of top-level domains has doubled many times over, the way the domain market works has remained relatively unaffected. Market liberalization often lead to changes in the fundamental “rules of the game” over time, however, as seen in other markets. The telecom market is one example in this regard. In principle, disruptive changes can come from any player, but in the domain market, perhaps the greatest potential for disruption lies with major players like Google and Amazon.

Both have a history of disrupting established markets by introducing new business models and new technology. Today, they hold approximately 40–50 top-level domains each 10, and more will follow as the last pending applications are processed. These players control many links in the value chain, and they also control a number of products that may be used with domains. This could give them the opportunity to take full control of the customers’ experience, giving customers a seamless, streamlined solution, provided they use their products. So far, not much has happened with their top-level domains, but one would be wise to keep an eye on these players in the domain market in the time to come.

Competition may also be external. Increased use of social media, such as Facebook and Instagram, offers alternatives to dedicated websites and e-mail. Unlike domain names, this option locks customers to a single provider and this provider’s terms and conditions for use. In exchange, these services are free, easy to use, and offer attractive added functionality, including the ability to connect users in a community with other users.

Operating a top-level domain has become more challenging. Increased competition is placing more and more exacting demands on established and new top-level domains; they have to generate tangible value for customers, either by the top-level domain’s identity or by additional services. There will most certainly be casualties. .doosan was the first new generic top-level domain to be discontinued, but it will probably not be the last 11.

All top-level domains are facing increased competition, regardless of whether the organization managing it aims to make a profit for owners and investors, or whether it is a non-profit organization tasked with a social mission. Norid’s vision is to run the registry for .no domains to the betterment of Norwegian society, and this still applies in the face of increased competition. The Norwegian top-level domain has a good reputation as a high-quality domain, but the work to keep up with society’s needs will remain a primary concern for us in the future.

For customers, increased competition and the large number of new players in the market mean they have a wider selection of options to choose from. For example, registering domains under several different top-level domains could open up new possibilities for profiling, and reflect an affiliation with specific groups.

The challenge with endless choice, of course, is that it may be difficult to find the right one. Nobody wants to set up the company’s new site under a top-level domain with a reputation for spam and malware. At the same time, this situation is no different from other industries; customers should always look into the reputation of those providing their critical services.

The Internet has become a key platform for value-creation in modern society. Online retailers in Norway had a total turnover exceeding NOK 21 billion in 20171. Three percent of all Norwegian domain names with a website has shopping basket functionality built in2 and for many businesses, online sales is the primary sales channel. The Internet is also a primary channel of communication between public agencies and the nation’s inhabitants and businesses, e.g. in connection with tax returns, employer's contributions and access to public services. In all these circumstances, it is extremely important that users actually end up on the website they intended to reach.

A website can be accessed in different ways: Clicking a link, via an app, via hits from a search engine, or entering the URL into a browser. All these methods of access entail looking up a domain name. The lookup initiates a search for an IP address used to contact the server operating the service the user is requesting access to. Originally, the domain name system was not designed to ensure that the return for a lookup actually came from the right source. This means it is possible for attackers to falsify returns and direct a user to another IP address than the one associated with the domain. For example, a user may be directed to a website that looks like the online retailer they intended to visit, but instead, the website is located on a server controlled by scammers.

DNSSEC (DNS Security Extensions) is a security mechanism that offers a solution to this problem. When a domain is secured by DNSSEC, all returns to domain queries will be signed cryptographically. This makes it possible to verify both that the response comes from the right source, and that it has not been changed along the way.

The signature is created by a private key accessible only to the operator of the domain name. The signature is validated by the device making the query in the domain name system retrieving a public key for the domain. It then pairs the key and signature to validate the answer. Given the hierarchy of the domain name system, a scammer cannot enter false keys in addition to false responses. The public key of a domain is part of an unbroken chain of keys validating each other, all the way to the top level. In order for DNSSEC to work, all levels have to be secured by DNSSEC. A chain is only as strong as its weakest link.

DNSSEC solves the problem of false responses to queries. It is important to be aware, however, that DNSSEC is only a small piece in a large puzzle of security measures needed to keep us safe online. DNSSEC ensures that we reach the address we wanted to reach, not that the contents of the site are safe.

Norid considers DNSSEC to be a key security component in the domain name system, and believes that the technology should be standard for Norwegian domain names.

Norid introduced DNSSEC as an infrastructure upgrade, and did not require domain holders to be aware of the technology or to actively order it to get the security upgrade for their domain. This approach to DNSSEC, however, required sufficiently sophisticated technology and a considerable effort on the part of domain name traders (registrars). Norid could facilitate for the implementation of DNSSEC, but the registrars had to do the job of signing and maintaining the domains for their customers.

Despite the need for sophisticated technology and limited room for errors, many registrars quickly came on board. In May 2015, six months after Norid introduced the technology, the Norwegian top-level domain was among the world’s leading top-level domains regarding percentage of secure domains, where it has remained since 3. As of 1 September 2018, 439,109 .no domains have been signed using DNSSEC 4, which accounts for 57.9 percent of all domains under .no. Three other European country code top-level domains also stand out, with a large percentage of secured domains 5: Czech Republic (.cz), at 52.8 percent 6, the Netherlands (.nl), at 52.7 percent 7; and Sweden(.se), at 46.6 percent 8.

Even though .no has a very high percentage of secured domains overall, the degree of implementation among registrars varies considerably. As of September 2018, 94 of 350 registrars offering Norwegian domain names offer secure domains through DNSSEC. Only 21 of these have signed more than 10 percent of their domain portfolio. Consequently, the majority of secured domains are associated with a small number of registrars.

With more than half of all Norwegian domain names secured with DNSSEC, this technology has become a new standard here. Even so, only ten percent of the twenty most popular Norwegian domains 9 are signed, whereof one domain is among the ten most popular domains.

We see that public agencies lag behind in securing their domains. Less than half (47.3 percent 10) of domains registered by public administrative agencies have been signed using DNSSEC. It is a concern that the governmental domain categories (stat.no and dep.no) and the domain category reserved for the Armed Forces (mil.no) have not implemented the new technology. This means that domains under one of these domain categories, e.g. nsm.stat.no, cannot choose to secure their site using DNSSEC, because the links above them in the chain are not secured. However, the degree of signing within public administration varies; while only 22 percent of state domain names have been signed, the municipalities have signed 54 percent of their domains.

The large share of DNSSEC-secured Norwegian domains means many domain lookups yield signed returns. In order for this to protect the individual user, however, the server retrieving the return for the domain query must check (validate) it, ensuring that returns containing false or inadequate signatures are rejected. This is handled by dedicated servers (recursive resolvers), which are often operated by Internet service providers, hosting providers and service supervisors of internal networks within an organization. In order to fully utilize the potential of DNSSEC, as many as possible of these providers must secure their users by enabling validation.

The degree of validation in Norway has increased considerably since DNSSEC was introduced for Norwegian domains in 2014. As of 30 August 2018, approx. 80 percent of domain lookups in Norway are validated 11. The degree of validation for .no is high on a world-wide basis 12.

The high degree of validation in Norway can be attributed to the fact that some major providers, such as Telenor Norge, Altibox, Nextgentel and Get, whose combined customer base is relatively large, have enabled validation. However, there are still some major providers, including Broadnet, that have not enabled validation.

The immediate effect of DNSSEC is to safeguard users from false responses from the domain name system, but a secure domain name system also serves as a foundation on which we can build a whole new set of security features.

We are accustomed to being able to securely send e-mail, even at airports, in Internet cafés and using guest networks, because our devices exchange data with the e-mail server using a secure, encrypted connection that third parties cannot tap into or change. Similarly, we look for the green padlock symbol and HTTPS before transferring data such as credit card numbers, user names and passwords on websites we visit.

In order for these connections to be secure, our device must authenticate that it is communicating with the right service, and exchange the necessary cryptographic data. The authentication process largely relies on certificates issued by certificate authorities.

The problem is that there are very many certificate authorities, and the level of security they offer varies considerably. Meanwhile, there has been a shortage of good mechanisms to inform users of which certificate authority is authorized to issue certificates for a given services, or which certificate or key the service in question uses. Google is among those who have experienced problems with this issue. In some cases, certificates have been issued for Google’s domains that have not been authorized by Google 13. Such unauthorized certificates make it possible for someone to hijack or tap into traffic to the service.

The domain name system offers a possible solution to this problem. The system’s main purpose is to respond with the IP addresses of a service under a given domain, but the system can also provide certain types of additional information, such as which certificate authority is authorized to issue certificates for a given service 14. DNSSEC enables the user’s device to trust this information, instead of having to accept certificates from every certificate authority.

This application is particularly relevant in Norway, seeing as we have already implemented DNSSEC to a relatively large degree, and most social critical services are available online. Public authorities have a large number of online services for communication with the nation’s residents. So far, approx. 30 percent15 of these web sites use HTTPS, but the Norwegian National Security Authority recommend that all these should be secured with this technology, using certificates issued by certificate authorities subject to Norwegian law 16. The need for public websites to securely be able to communicate which certificate authorities they use is therefore quite pressing.

In the future, the distribution of secure information about services through the domain name system may extend the use of certificates to services that currently do not have that option, e.g. e-mail. Software for mail servers implementing this functionality is already underway.

The internet has completely changed society. Over the course of a regular week in 2017, 96 percent of the population aged 9 to 79 used the internet1 . In 1995, only 5 percent did. These numbers both reflect the tremendous development that has taken place in a very short time period and indicate how important this infrastructure is in today’s society.

The internet is an important source of news, information and entertainment, and people use the internet as part of their jobs, in school, and in their personal lives. 71 percent of the people who use the internet over the course of a day, use it to send or receive e-mail. People who go on Facebook every day account for roughly the same percentage. More than half the population use the internet daily to look up facts or find background information. In addition, video, TV and music, usually in the form of streaming services, fight for people’s attention online2.

Our online habits mean the internet is a key platform for value-creation. Online retailers in Norway had a total turnover exceeding NOK 21 billion in 20173, and this figure keeps growing. Three percent of Norwegian domain names have shopping basket functionality built in4, and for many businesses, online sales are the primary sales channel. The internet has also become a primary channel of communication between public agencies and the nation’s inhabitants and businesses, e.g. for tax returns, employer's National Insurance contributions, and access to public services. When the public sector goes digital, an increasing number of services will be available online.

This development means that anyone offering anything, be it goods, services or information, must be online. There are many ways to establish an online presence, from your own domain to free services to a multitude of social media. In order to be perceived as professional – someone people can trust – it’s important to be conscious of how you choose to present yourself. Your choice of channel and the profile of your content will affect the identity you create for yourself and your business.

For Norwegian businesses, their own website is the most frequently chosen channel for one-to-many communication5. In addition, email is among the most common forms of communication online; most of us send or receive email daily.

There are several different ways to access these two channels. Your business may choose to register its own domain name and create a website and email using that domain, such as www.mydomain.no and shop@mydomain.no. Or you can choose to use one of the many free email providers, such as gmail.com or hotmail.com. There are also providers who let you create a free website using their service. Wordpress.com and blogg.no are just two examples.

The drawback of using free services is that your business will have an email address or a website that is linked to that specific service provider, such as shop@gmail.com and shop.wordpress.com, and you have to comply with the provider’s terms of use. If the provider changes its terms of use or close the service, your business is forced to find a new address and inform all of its customers, suppliers and partners about the new contact information.

It is also important to keep in mind that not all addresses are created equal; customers and others have more faith in some than others. For example, businesses who rely on free email addresses is perceived as less professional than those whose email addresses are on their own domain.6

With its own domain name, the business itself – the domain holder – is free to set the rules for the content and decide what the domain is to be used for. The domain holder is free to choose which provider to use for website, email and other services, and can take the domain name and its content to another provider if they want. Most Norwegian businesses (83 percent)7 have registered at least one domain name.

Norwegian domain names are domain names ending in .no, which is the Norwegian country-code top-level domain. As of August 2018, there are approx. 300 country-code top-level domains and 1250 so-called generic top-level domains8 worldwide. Most are open to anyone who wants to register a domain, so there are plenty of options.

Technically speaking, all domain names work the same way, regardless of which top-level domain they are registered under. Most top-level domains have chosen roughly the same level of pricing. For customers, that means that the choice of top-level domain primarily becomes one of identity; what do they want to be associated with? The identity of a top-level domain – its brand – gives value to any domain name registered under it.

One example of the importance of top-level domain identity is .com, which is a popular top-level domain. It is getting crowded, but its brand is so strong that many prefer a longer and more complicated .com domain over a shorter name under a lesser known top-level domain. One of the first top-level domains to try to build a competing brand was .biz, which was launched in 2001. 10 years later, however, only one .biz domain was among the 500,000 most popular websites worldwide, while there were 323,000 .com domains9 on the list.

Another top-level domain with a strong brand is .no. There is a clear consensus in Norway that .no is the most recognizable in the Norwegian market10, and it has a definite identity as Norwegian and as a quality domain. Of Norwegian businesses that have registered domains, 95 percent have chosen to register one or more under .no. They list .no being easy to find for customers, that .no indicates it’s a Norwegian business, and that .no signals that they are professional as important factors in choosing a .no domain.11

The identity of a top-level domain is more than pure branding, however. It also reflects the “neighbourhood” its customers become a part of, i.e. which other domains have been registered within the top-level domain and what they are used for. A top-level domain where the majority of domains are used as the domain holders’ primary home on the internet, is more attractive to new customers than if the majority of domains serve no other purpose than to redirect visitors to other top-level domains12, or worse, are registered for activities such as spam, fraud and malware.

One of the factors influencing the type of neighbourhood a top-level domain fosters, is the requirements imposed on those seeking to register domain names. Top-level domains with few or no identification requirements, and which also offer free registration, tends to attract questionable activities13.

It’s no coincidence that top-level domains like .tk, for example, who has minimal requirements for its applicants and offers free domain names the first year, long has been regarded as such a top-level domain. In 2013, one of the largest providers of anti-spam solutions reported that 90 percent of .tk domains they had encountered were used to send spam14. The same trend can be found in several of the top-level domains established in recent years.15

At the other end of the spectrum, we find the Norwegian top-level domain, where anyone who wants to register a domain name must identify themselves, by providing either an organization number registered in the Register of Business Enterprises, or a national identity number registered in the National Population Register. This means there is a real person or business behind every Norwegian domain name. This is a requirement that has strong support among Norwegian businesses and in the general population.16

In Norway, we have also decided to put a cap on the number of domain names each domain holder can register. The idea behind this requirement is to make sure there are good names available for future domain holders, too, but it also serves as an obstacle for those who want to register a large number of disposable domains to spread spam or malware. Of course, these requirements don’t necessarily mean you can trust everything that comes from a Norwegian domain name, but they contribute to making .no a good neighbourhood. This, in turn, add value to all Norwegian domain names, something which is reflected in how people prefer to shop from a Norwegian domain name if all other factors are equal.17

A domain name is the business’ own little corner on the internet, and so becomes a central part of the digital identity of the business. Knowing that, it’s important to choose a top-level domain that reflects the identity the business is trying to build. Nobody wants to set up the company’s new site under a top-level domain with a reputation for spam and malware. This is no different online than in other contexts; customers normally look into the reputation of those providing critical services.

Social media are applications that help you create and share content and participate in social networks. A large amount of people use these channels daily. With 2.2 billion active users, Facebook is the most popular social medium worldwide, followed by YouTube and WhatsApp.18

There are considerable differences from country to country in terms of which social medium is most popular. In Norway, Facebook is the most popular, with around 3.4 million Norwegians having their own profile, followed by Snapchat and Instagram.19 Their popularity, however, is in stark contrast to the level of trust people have in these channels as a source of information. As much as a third of the population indicate that they have low or very low trust in Facebook, whereas around a quarter say the same of Snapchat and Instagram.20

Social media invites interaction and participation to a much greater extend than conventional websites do. The threshold for two-way communication is low, and it is easy for users to establish a basic relationship as a “follower” etc. of businesses or events they are interested in.

Because the success of a social network is entirely dependent on how many people use it, most social media have chosen a business model that focuses on growth. Having a user profile is free. The service is financed by running ads in various forms.

Different social media are used in different ways. Platforms like Facebook focus on creating constant interaction, primarily between family and friends. They achieve this by facilitating for users to share status updates, photos, social games, etc., while mechanisms like likes, comments, and sharing functions as social rewards for active users. Other types of social media, like Twitter, are about fast mass communication. There are also some social media that benefits the user even if they don’t create a profile and actively connect with other users in the network. YouTube is one example. You can see content shared on YouTube without creating a profile. 71 percent of the Norwegian population over the age of 18 use this service every month, but only 44 percent have their own profile.21

Seeing as the different social media attract different user groups, you can reach specific groups by strategically choosing where and how to communicate. This makes it possible to reach those most interested in your message. In addition, some social media also offer the opportunity to segment users by behaviours and characteristics, making it possible to home in on the desired target audience based on the purpose of your message.

One drawback to using social media is that you are using a channel where the provider sets the terms of use. The provider will likely have some restrictions on the type of content one is allowed to post, for example, and these do not necessarily comply with Norwegian law or Norwegian expectations. This is what happened in 2016, when Facebook removed a photo of a naked child fleeing a napalm attack during the Vietnam War22, or when they blocked the instructional photos posted by Ammehjelpen, a breastfeeding help group.23

The social media provider is also the one to decide if and when to change the terms of use, and if so, what these changes will entail. Facebook, for example, has changed the algorithms for how a post shows up in people’s news feeds24 several times, and the chances of a business reaching a wide audience by posting a regular status update (organic reach) have been severely reduced. Naturally, changing the terms in turn also affects the strategy businesses apply in their use of the channel.

It’s important to be aware that most social media channels require quite broad authorizations from users in terms of exploiting the content produced and uploaded by users. For example, the terms of use for Facebook, Google, Snapchat, Twitter and LinkedIn include the right to use, copy, distribute, display, publish, make available and create derivative works of user content.25 In addition to covering most forms of commercial and non-commercial use of the content, several social media services also require that any rights acquired by them be transferable to third parties. As a result, users lose control of the content they produce.

One of the challenges of being online is the difficulty of building a stable identity customers recognize and trust in a landscape that is forever changing. Social media come and go, and it’s hard to know which channels will be relevant in the future.

Having your own domain makes it possible to build a stable presence online, with content under the company’s control and ownership. 79 percent of Norwegian businesses believe their domain name is important for their brand, and most use it as a gateway to their products or services.26

In addition, a conscious approach to social media can create increased visibility and interaction in connection with important messages from the business. Around 14 percent27 of Norwegian websites have integrated a Facebook module (widget) on their site. After the business’ own website, Facebook is the most popular channel of communication.

Which types of social media a business chooses to use will depend on where its target audience is and which social media give the best value for money.

In today’s information jungle it can be difficult to present a clear and recognizable profile. In order to build a uniform digital identity, it can be a good idea to use the same profile name in several channels. If your domain name – be it your company name or the name of a product – is used in email addresses and as profile names in social media, it’s easier for people to remember and recognize your business across different channels.