Skip to main content

Email from Bruce Tonkin to Tim Cole

Hello Tim,

Melbourne IT welcomes the efforts undertaken by ICANN to investigate the incident, which Melbourne IT considers to be an isolated, but serious, security incident amongst many thousands of transfers that have been processed in accordance with the transfers policy by Melbourne IT. Melbourne IT hopes that ICANN will take the same effort to investigate other instances where a registrar has failed to comply with the transfer policy.

Melbourne IT has several large resellers that are larger organisations than any of the existing ICANN accredited registrars, and have an international reputation for the development of IT systems and processes. Melbourne IT has agreements in place with some of these resellers regarding the transfer of registrar process. These agreements have only been applied where each reseller has been able to fully satisfy and prove to Melbourne IT that they maintain systems for verifying the actual registrant who wishes to transfer their name in accordance with the ICANN transfer policy.

Although Melbourne IT has an audit and compliance process for checking that a reseller is complying with the transfers policy, the incident has highlighted that there is still a risk that one of these resellers may not be complying with the transfers policy for all transfers. Melbourne IT has software for authenticating transfers that complies with the ICANN transfers policy, which is used by all its direct customers and the majority of its reseller customers. As a result of the incident, Melbourne IT is planning to expand the use of this software for all its resellers to further reduce the risk of an unauthorised transfer.

Melbourne IT will continue to cooperate fully with ICANN in the further investigation of the role of resellers in transfers, and in the development of further improvements to the transfers policy.


Bruce Tonkin
Chief Technology Officer
Melbourne IT

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."