|
||
Google revealed on its official blog today that it is handling an average of more than 70 billion requests per day on its free Public DNS service.
According to VeriSign’s latest public statistics, it is handling only an average of 59 billion DNS requests per day, less than that handled by Google. However, VeriSign does not perform this service for free.
VeriSign registry fees are $7.85/yr for each dot-com domain name, and $5.86/yr for each dot-net domain name, with prices increasing 7% and 10% annually (respectively) due to a sweetheart no-bid contract with ICANN.
With more than 100 million dot-com domain names registered, VeriSign generates nearly $800 million per year in revenues from the public, with infrastructure costs and load that are comparable to a service provided by Google absolutely free. This should clarify the extent to which ICANN and VeriSign are gouging the public. It certainly does not cost Google $800 million/yr to run their Public DNS service.
The time has come for ICANN to open up the dot-com registry contract to a public tender process in order that the public receives the best possible price for registry services. The current contract is the equivalent of the $436 hammer or the $640 toilet seat that used to be common in the defense industry.
Should ICANN not open up the contract to a public tender process, the NTIA or DOC should compel them to do so. Failing that, the Department of Justice should open up anti-trust investigations to examine whether consumers are being harmed by this anti-competitive untendered contract that bears no relation to the costs of performing the service. Under competition, dot-com registry costs would almost certainly be below $2/yr per domain name. That’s $500 million or more per year that the NTIA, DOC and DOJ can return to consumers by forcing a tender process for dot-com registry services.
It also begs the question: Why are registrars not more vocal in opposition to the no-bid sweetheart contract that VeriSign enjoys? The answer is clear—many of them want to emulate VeriSign, to become registry operators in new TLDs. This desire for new monopolies and new monopoly pricing demonstrates how broken ICANN has become, and how distant it is from the true desires of consumers.
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byCSC
Sponsored byDNIB.com
A World-Renowned Source for Internet Developments. Serving Since 2002.
I’m sure you know this already George, but there’s a difference between running a DNS network and running a registry. Verisign has to run an SRS, for starters. The way ICANN breaks it down, DNS is just one of five critical components of a registry.
I’m not disagreeing that Verisign could be challenged on pricing, but I think the Google service makes for a poor comparison.
Kevin: Of course, there’s a very slight difference. A registry operator has 2 functions:
(a) maintain the master database (connecting with registrars through the SRS), and
(b) resolving the names (i.e. when someone asks “What are the nameservers of Example.com” Verisign stands ready to give the answers of 199.43.132.53 and 199.43.133.53; that’s the “simple” analysis, one can read elsewhere the technical details of how DNS works).
Maintaining the master database is trivial. There are only 100 million records (ecommerce companies like Visa, Mastercard, Amazon, etc. have much larger databases), with most records changing only once a year (upon renewal, the expiry date changes). Once in a while, the nameservers will update (maybe every couple of years). Heck, VeriSign doesn’t even handle thick WHOIS for com/net. As an “upper bound”, VeriSign does far less work than a registrar does for maintenance of the zone file, and a registrar like GoDaddy has thousands of employees dealing with millions of customers. In comparison, VeriSign deals with only a relatively small number of registrars (less than 2000, and most of the transactions are done by the top 50 registrars; many of the registrars are “shells” simply operated by big registrars in order to catch expiring names on the drops). VeriSign once complained that the “load” from expiring names was egregious (thus requiring WLS). Yet, later they were able to “fix the problem” so that load was no longer an issue. That “fix” was costless. So, back of the envelope calculation, I’d estimate the cost for the maintenance of the master zone file at around 50 cents to $1 per year per domain (i.e. less than the margin that typical registrars are making, at scale).
The second function is resolving the actual domain names. This is where VeriSign has for years trumpeted its “billions” of DNS requests were day, as if it was some astronomical number that the average Joe (or politician/regulator) simply could not fathom. Their 59 billion DNS requests/day is now put into respective. It’s less than the number of DNS requests that Google handles per day, for free.
Now, some might quibble that the types of DNS requests are slightly different, i.e. that I’m attempting to compare apples to oranges. Not so. The technical differences are quite small. If anything, I’m comparing Red Delicious apples to Granny Smith Apples.
ICANN has all kinds of pathetic and meaningless comment periods that they’ve opened up in the past. I challenge them to open one up asking a simple question: Does the public believe that the dot-com contract should be opened up to public tender?
I’ll pay $10,000 to ICANN if that comment period didn’t generate at least 1000 public comments, far exceeding the input they receive on their usual topics. Of course, ICANN prefers to bury its head in the sand.
Of course, where I wrote "put into respective", I meant "put into PERSPECTIVE".
Without commenting on your substantive points I should just explain that you really are comparing apples with oranges when talking about volumes of DNS requests. It is not a matter of quibbling but one of straightforward accuracy of understanding of the technology.
The servers that Verisign runs are authoritative and so the requests to them are only coming from caching servers not from end user devices. Google runs caching DNS servers that respond to requests directly from end user devices as well as other caching servers. The whole point about caching servers is that they cache the data they receive and only contact authoritative servers when that cache needs refreshing, thereby sparing the authoritative servers. So they are designed to only forward a fraction of the requests they receive and thereby reduce the load on the authoritative servers.
The traffic volumes to the two simply cannot be compared (nor can the underlying technology, but that’s a separate point) if the intention is to make an inference about the capacity of one to provide the service of the other.
Jay: I disagree. It’s not as though VeriSign needs to forward any requests at all—they control the master zone file for .com. All their results are likely being served out of RAM (and probably a lot of those results are simply NXDOMAIN, as per SiteFinder!).
Comparison:
(A) VeriSign receives a DNS request for the nameservers of example.com. They can answer simply by looking at the zone file for .com, which is in their servers). This is a pure lookup.
vs.
(B) Google Public DNS receives a DNS request for the A record “www.example.com”, and needs to answer 192.0.43.10. If that result is in its cache, it simply returns 192.0.43.10. If it’s not, it needs to refresh its cache by (i) possibly querying VeriSign for the current nameservers of example.com, (ii) asking a nameserver of example.com, perhaps A.IANA-SERVERS.NET (199.43.132.53), for the current value of http://www.example.com, and (iii) returning the result to the users (namely 192.0.43.10). (simplified, there’s a whole bunch of TTLs involved).
Google’s DNS must further cache all kinds of different DNS requests (A records, MX records, TXT records, etc.), whereas VeriSign’s are all of a narrower range. VeriSign’s mostly going to return nameserver records, or NX domain.
How can one argue that Google’s servers are doing *less* than what VeriSign is providing? Even if by some magic they’re doing more, it’s going to be the same order of magnitude, in economic terms, and still a trivial amount compared to the $800 million/yr that VeriSign is getting to operate .com.
The proof would be in the pudding. Let’s have a public tender, and the true costs would quickly be revealed.
George, I can see from your answer that you are not technical at all and this is leading you to make a number of technical assumptions that are unfortunately not correct. I don't mean to appear rude but when I read your assertion that handling more RR types makes one server more complex than the other, I did have to smile. It should be obvious that you can make your case on policy and principle grounds without continuing with this flawed understanding of DNS.
A McDonald's that only has Big Macs on the menu is going to be a lot simpler to run (more easily optimized) than one that has Big Macs, fries, Filet O'Fish, Chicken and salad. That's basic economics. On the McDonald's menu, smiles are free. :-) But, if VeriSign (or even ICANN, or your registry) wants to give out some transparent accounting data that their costs are really substantial to operate their servers, compared to Google who somehow manages to serve the public for free**, please go ahead. ** Clearly Google isn't doing it for free, but it costs far less than $800 million. Plus Google gains market intelligence from the DNS data, to offsets its minor costs.
Hi George, While I agree that giving a monopoly forever is sub-optimal, I don't think Google and Verisign are comparable. Verisign MUST provide world-class globally redundant DNS services at great cost. Google already had much of the infrastructure in place so that the provision of (best-effort) DNS services while non-trivial didn't mean shelling out nearly as much as Verisign. In any case, while A.IANA-SERVERS.NET is an auth server for example.com, that is a special case. The "A" root server is not actually auth for .com domains, but rather a .com request to a root-server will tell your DNS server where to find .com. ubuntu@ubuntu:~$ dig @A.ROOT-SERVERS.NET www.example.com ; <<>> DiG 9.7.1-P2 <<>> @A.ROOT-SERVERS.NET www.example.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45376 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;www.example.com. IN A ;; AUTHORITY SECTION: com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. ;; ADDITIONAL SECTION: a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 a.gtld-servers.net. 172800 IN A 192.5.6.30 b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 b.gtld-servers.net. 172800 IN A 192.33.14.30 c.gtld-servers.net. 172800 IN A 192.26.92.30 d.gtld-servers.net. 172800 IN A 192.31.80.30 e.gtld-servers.net. 172800 IN A 192.12.94.30 f.gtld-servers.net. 172800 IN A 192.35.51.30 g.gtld-servers.net. 172800 IN A 192.42.93.30 h.gtld-servers.net. 172800 IN A 192.54.112.30 i.gtld-servers.net. 172800 IN A 192.43.172.30 j.gtld-servers.net. 172800 IN A 192.48.79.30 k.gtld-servers.net. 172800 IN A 192.52.178.30 l.gtld-servers.net. 172800 IN A 192.41.162.30 ;; Query time: 369 msec ;; SERVER: 198.41.0.4#53(198.41.0.4) ;; WHEN: Wed Feb 15 06:15:59 2012 ;; MSG SIZE rcvd: 505 I think jay is correct, direct comparisons can't be made.
P.S. I forgot to mention, I think because of this news by Google, VeriSign will react by either:
(a) ceasing the reporting of its DNS traffic data (for “security reasons, we don’t want the bad guys to know”), or
(b) asking to lower the TTL, so that it can juice the numbers higher :)
Google’s recursive resolver is really quite different from Verisign’s registry. Nonetheless, it’s painfully obvious that Verisign is overcharging for .COM. The .COM and .NET domains use the exact same everything, .NET is $2 cheaper, and I haven’t heard them complain that they’re losing money. When .NET was up for bid, there were credible bidders offering to do it for $3.
I don’t know how ICANN can get out of their settlement with VRSN that promises renewals forever, but perhaps DOC can insist.
Let me take a step back and explain a little bit further (and I have to giggle about “lack of technical expertise”, when my background is in finance—I’m sure stochastic calculus or pricing mortgage-backed securities and other fixed-income derivatives is a bit more involved than DNS technicalities. I may not be a high priest of the DNS, running a root server, but I know enough. And this article isn’t meant to convince the high priests about anything—- it’s intended for policymakers, politicians, etc.
For years, VeriSign has given out 2 stats: (a) the total number of domains registered, and (b) average daily DNS requests. The first stat is already public information (due to the monthly registry reports that all gTLD registry operators provide). The second number is not a stat that VeriSign has to publish—instead, it’s a number they wanted to publish, to “impress people” and for political gain.
VeriSign’s stranglehold on the .com monopoly is based on creating fear, uncertainty and doubt as to what would happen if anyone else took over their role. They engage in theatrics in order to maintain that atmosphere. The average daily DNS requests is a big part of those theatrics. They can waltz into Washington and talk about how they handled an average of 1 billion DNS requests/day (years ago), and people would “oooh and aaah” as most people cannot fathom such big numbers. It sounds truly impressive. Their latest stats were 59 billion DNS requests per day, as I mentioned above. If a DNS request was a “dollar”, that’s like the net worth of Bill Gates or Warren Buffett—it’s difficult to imagine. It’s even more impressive when they multiply by 30 days in a month and can say 1.7 trillion monthly DNS requests. The main things that the average Joe discusses in “trillions” is the size of the US deficit or government spending. Statistics that are in the billions or trillions sound very impressive. Clearly, VeriSign must be an important company, someone irreplaceable if they’re doing something billlions of times per day—or at least that’s what VeriSign wants the public and policymakers to believe.
In the olden days of the web, webmasters would try to engage in the same kind of theatrics, talking about how their website received “a million hits”—which is a truly meaningless statistic. A “hit” might be a 43 byte clear pixel. A single pageview might have 200 “hits” due to images on the page, etc. So, people moved on to “pageviews” as a statistic. Or they talked about unique visitors. Or they talked about minutes of engagement. Or they talked about millions of hours of videostreams viewed (e.g. YouTube). And so on. In other words, the industry evolved somewhat from meaningless statistics into more meaningful ones. There’s obviously still a lot of showboating going on, especially for pre-revenue companies looking for VC money—they’ll give the public many meaningless stats (whereas an investor ultimately wants to know about revenues and profits).
So, going back to VeriSign, they’ve been engaging in these theatrics for years, with “daily DNS requests” as their showcase number. They’ve never qualified that number in any way. It’s just daily DNS requests, period. Now comes along Google, who is able to showcase an even bigger number! It’s the exact same unqualified unit of measurement (daily DNS requests), and Google’s number exceeds VeriSign’s number. And Google’s doing it for free.
If you think this does not create shock waves at VeriSign, I think you’re sadly mistaken. I’m sure they’re horrified that the number that they’ve used for years to create FUD, their ace-in-the-hole, is exposed as a meaningless statistic, just like “hits” to a website. VeriSign has invested in that number for years. What are their options?
As some of the “high priests” in this thread of comments have attempted to argue, VeriSign could go down a “technical” path and suggest that “all DNS requests are not created equal”, that we’re comparing “apples and oranges.” That argument will fail. If VeriSign goes down that path, it has to explain why they’re different, and attempt to explain that the cost structures are different for different types of DNS requests. If you have to go into an arcane technical argument, you’ve lost 99% of the audience (i.e. that audience is far more likely to believe the argument that “a DNS request is a DNS request is a DNS request”). Even if it’s apples vs. oranges, those are both “fruit” of similar calories and nutrition. It’s not like they’re apples and elephants. If VeriSign wants to try to suggest a Google “DNS request” is like a cheap “hit”, whereas a VeriSign DNS request is like a “1 hour video stream”, let them take their best shot. The public is far more likely to disbelieve that argument, and instead believe that VeriSign is trying to sell them the $436 hammer or the $640 toilet seat.
If VeriSign instead has to go down the economic route, explaining cost structures of various DNS requests, then that’s even more of a win for my side—do you really believe VeriSign wants to talk about how very little their actual financial costs are, compared to the $7.85/yr per domain they’re getting? The absolute last thing VeriSign wants to talk about is actual dollars and cents. Transparency about their true costs would be the nightmare scenario for them, when their strategy for years has been disinformation.
Another option is for VeriSign to abandon the use of that number. That’s fine with me! That’s what my side would love for them to do, deprive them of one of their talking points, one of their theatrical tactics.
The last option is for VeriSign to come up with a brand new number to showcase. Uh oh, that means that they have to admit that their current metric is inherently flawed and misleading, and is thus a meaningless statistic. After years of investing in that metric, do you think the public will trust a new metric that VeriSign wants to showcase? I don’t think so. Their credibility will have been destroyed.
There are parallels to an article of a few years back, when I wrote about ICANN’s use of for-profit companies as comparables in its employee compensation. There were 78 comments to that article, with ICANN supporters attempting to argue that ICANN’s compensation practices were justifiable. But, the numbers speak for themselves. Folks tried the “arcane technical argument” that an ICANN non-profit employee is somehow “different” than a non-profit employee at some other firm. Did that make any impact? That argument lost big time. Just go and count the number of times ICANN has been hammered in Washington by politicians regarding their excessive pay. It’s quite hilarious. It’s used to directly attack ICANN. Even at the most recent hearing in DC, Kurt Pritz was asked about his own compensation.
VeriSign can attempt to say that their “magical DNS requests” are different than Google’s “ordinary DNS requests.” Just like ICANN’s attempt to argue that their employee compensation is reasonable, it’s an argument they cannot win.
So, in conclusion, yesterday was a great day for those who want to see the .com contract eventually opened up to a tender process, because VeriSign has been deprived of one of their theatrical showcase numbers that is used to create FUD. That’s one less tool in their arsenal. Is it enough to tilt the scales? Maybe not, but it’s definitely damaging to VeriSign. Anything that damages VeriSign’s ability to engage in FUD is something that is good for the public.
Hi. I've written code that financial software uses to do IRR and bond pricing, the kind of stuff you probably thinks happens by magic on your HP 12c. You're right, you don't understand how the DNS works, nor how complex the various interactions are. I'd suggest stopping while you're behind. I happen to agree that in a reasonable world, the price for .COM registrations would be no more than half what they are now, but not because it's technically trivial.
If the price of a .com was cut by 50%, that would make a heck of a lot more domain names viable for profitable parking, which I believe is something you and a lot of other people don't like.
In a perfect world, .COM registrations would cost $100, of which $3 would be for Verisign, and $97 to pay ICANN staff to go on vacation and not come back.
John: It's not clear you actually followed the links. The first link was to an article in RISK Magazine (along with the mathematical proofs) that develops what has become a standard model for pricing the convexity bias in interest rate futures. The second link was to documentation for software I wrote (in C) that calculates things that are far more complex than IRR and bond pricing on a HP12C. Oh, and it also includes bond pricing functions too (that's the "easy" stuff), code that ran orders of magnitude faster than the built-in Excel functions back in the day. I'm not "behind". I'm so far ahead, that I recognize that it takes far more than simply technical arguments to "win." This is politics, not a technical debate. Depriving VeriSign of their theatrical tricks is a winning strategy.
Yeah, we did that kind of stuff when I was getting my economics B.A. To rephrase my previous comment, when you're in a hole, stop digging. If you know a reasonable model for the behavior of a DNS cache, particularly a partitioned one, I'd like to see it. It's surprisingly complicated and subtle. You don't need insult the people who understand the technology to figure out that Verisign's prices are way above cost.
Economics B.A.? LOL This was brand new stuff, not in any textbook. This was graduate level work, and beyond. Check your email.
lol Jay. When I'm acquiring a School.com or other elite domain name, I'm not mucking around in the technical swamplands. What sets me apart is that I can see the limitations of relying purely on technical skills. :) In this debate, in this political arena, relying on technical arguments won't get the desired results.
Two men enter ONE MAN LEAVES!
Verisign's a public company that's now pretty much laser-focused on domains. Why not have a look at its financials? Its cost of revenue is only something like 25%, you could start there.
Kevin: As you said, the key word is "now" -- their financials over the years have been a mish mash of all their SSL stuff, their Jamba and other acquisitions, etc. Even now, though, there isn't the granularity in their numbers for precision (think "Hollywood accounting"). The better comparison is Google's free Public DNS. :) 100x "free" is still "free." The other metric is the root server stats/load. Those root servers are authoritative, just like VeriSign's for dot-com (and of course, VeriSign runs 2 of the root servers; with anycast there are more "physical" servers than just "logical" servers). What are all those other (non-ICANN) root server operators charging the public? Zero. :) They're not even under contract with ICANN. Is the University of Maryland or NASA or Cogent getting $800 million/yr for their "enormous" costs of running the root servers? Nope, they're doing it for free. Authoritative root servers at that. So, you have 3 examples. (a) Google Public DNS -- "free", but not "authoritative" (b) VeriSign dot-com DNS -- $800 million/yr but "authoritative" (c) Root servers -- also "authoritative", even more important than the dot-com DNS, arguably, but "free" (I don't have the latest stats, but back in 2008, the average daily root zone traffic was more than 10 billion requests/day so it's certainly on the same scale as VeriSign for dot-com) VeriSign's $800 million really sticks out in comparison.
I would guess Google makes some serious coin by mining all those DNS queries. And if their name servers are down it is not like they stopped the flow of commerce across 3/4 of the world.
To demonstrate the extent to which dot-com registrants are being gouged by VeriSign’s sweetheart monopoly contract with ICANN, we can examine what it would cost to replicate the registry on Amazon Route 53, a cloud-based DNS offering.
With an average of 59 billion daily DNS requests for dot-com, this amounts to 21.5 trillion DNS requests in a year. At Amazon’s posted price of $0.25 per million queries, that adds up to approximately $5.4 million over the course of a year. In addition, Amazon charges $0.10 per hosted zone per month (or $1.20/yr). For 100 million domain names, that’s an additional $120 million, for a total of $125.4 million (although, certainly one would be able to negotiate a substantial discount in the per zone rate with such a high volume; for now, we’ll assume no discount). The main additional costs are the costs to maintain the shared registry service (i.e. allowing registrars to register domain names, make changes, etc.). A generous estimate would be $50 million per year (i.e. a few hundred employees at $100,000 per year, plus infrastructure). Adding things up, we get to $175.4 million, without any discounts beyond Amazon’s posted rates.
Spreading that conservative amount over 100 million domain names, we get to $1.75/yr per domain name year, far below VeriSign’s fees of $7.85/yr per domain. Note that Amazon’s posted prices already include a margin for their own profits.
One can safely conclude that consumers are being gouged to the tune of more than $500 million per year due to VeriSign’s monopoly on the dot-com registry contract. If the dot-com registry contract came up for tender, companies like Google, Amazon, Akamai, Neustar, Afilias and others could certainly offer equal levels of service at a far more competitive price. The NTIA, DOC, and DOJ should act to compel ICANN to tender this contract, rather than negotiating another sweetheart deal behind closed doors.
George, I like the computed Amazon cost model. I am sure Google is extracting at least that much in terms of valuable customer query data for its ad engine. Verisign at least provides such data to us without such threats to privacy. Yet blocking sites from the root is a threat to freedom and anonymity. There seems to be little doubt that SOPA, PIPA or their descendants will come to fruition that the internet and the use of Verisign DNS would as a whole change. A peer-based DNS system not unlike .bit is simple to build. Tech users would at least try out these types of queries to get access to resources which a government, potentially not even their own, would attempt to deny. Bypassing the root in this way is far too easy. Cost per query? Zero. Would a type of root DNS-DB spring up to handle zones or other "authenticated" requests more efficiently? They might offer it for free and use the query data for resale in much the same way Google already does. And they would have free market competition to contend with. I do not know what the real direct impact of a peer DNS would be, nor do I advocate for one. But the internet seems to have a history of adapting quickly and in a way that destroys old habits and builds new ones. Can peer DNS be used for DNSSEC or handle major zone changes instantly - no. It would be more like browsing Usenet waiting for that post someone sent last week. The fact that there's a way around most consumer driven searches is something that's going to impact Verisign directly, and their $7.85 charge is going to be 'just another reason' to migrate away from the old model and into a new, free one (even if loaded with its own problems to be solved). If Amazon builds it for $1.75 then a company with resources can do the same for less. And if any geek can do peer dns for free - I think Verisign's model is in the kettle. Ultimately it will be at some point if competition isn't introduced, but ultimately governments might force these changes regardless.
Actually, Ed, VeriSign can threaten our “privacy” because the latest contract with ICANN gave them the right to use the traffic data (another giveaway which I and others opposed). See section 3.1(f):
Note the key words (which I’ve bolded) “without limitation.” While there is some weak language saying that VeriSign can’t use “Personal Data”—does anyone trust ICANN to enforce that? You and I and end-users are not parties to the agreement, so we have no legal standing to enforce that agreement. And if VeriSign ever breached that clause, they wouldn’t lose the dot-com monopoly in any case, because they’ve worded that contract so that it’s nearly impossible for them to ever lose that monopoly.
Of course, I think that contract is anti-competitive, and some court or the NTIA/DOC/DOJ should have it struck down.
Really interesting discussion—worth working all the way down the thread. I know a lot more about how DNS works than the average Joe, but I’ll leave the apples to apples debate to the engineers.
I will say that as a longtime tech comms person in this space, George is right on one point. Google using that DNS requests metric must be causing severe heartburn for VeriSign PR. It’s a big messaging challenge for them, and I’m very interested to watch how they handle.