While I can understand where you’re coming from, I’d have to take issue with the idea of registries singling out specific domains for special treatment.
Improving security across the board would be a good thing, but singling out specific domains would be highly problematic

I should declare at the outset I am the CEO of the .nz registry, at whom your comments were aimed.

You have some interesting logic here - “a registrar is compromised therefore the registry should have done more to limit the effect of such a compromise”.

Let’s just work through the implications of that.  Yes we registries could introduce a manual process for the registrar to follow on specified domains (presumably specified by the registrar).  This manual process is likely to cost around 10 to 20 times the annual cost of the domain, because registry costs are all built around a high degree of automation.

So we now we would have a two tier market where the registrants that can afford to pay a lot more get much better protection.

Let’s suppose some of the less well off registrants aren’t happy with that and start to kick up a fuss.  They want the same level of protection but without the exorbitant cost.  Something the consumer protection regulators are likely to sympathise with strongly.  What’s more, these registrants point out that you can have an automated process which achieves the same result at a fraction of the cost.  One where the registry emails the registrant directly to ask them to unlock a domain or accept a specific change. 

Do registries reply “no, we only work through registrars and so the two tier system is the best we can do”?  Or do we fundamentally change the relationships between registry -> registrar -> registrant?

Or perhaps registrars should raise their game by being transparent on their internal controls, publishing their security audits, developing an industry certification scheme and so on, rather than expecting registries to protect them from themselves?  And perhaps registries and regulators should begin to insist on some of that?

I’m not sure that the registries have any place to enforce better controls.  I think that your manual process which a registrar would have to complete is also a mechanism that a would be hacker may bypass.  Already, BGP-hijacking allows for one to bypass one part of the security mechanism that registries use (IP ACLs).  Registrants may want to look for better authentication mechanisms.

Since registrars are the ones that are effectively the end-user to registry connection through the registrar than you are ultimately suggesting that the end-user have some contact with the registry.  A better way is that registrants are recognizing that registrars can be different based on their security practices and for registrars to innovate.

Thanks to all for taking the time to review and comment on this post.

First of all, let me be very clear, that I am in no way suggesting that registrars are not responsible for the security of domains under their management.

I am simply stating that there are additional measures that registries could also employ to ensure the security of valuable domains, such as setting domains to a Registry Lock status, to prohibit updates by any third party.

Yes, additional costs might be incurred for the management of this domain status. Given the value of corporate websites, I would think that this is a cost for which owners of highly-trafficked websites would pay, even though changes to highly trafficked sites are not particularly common.

Some of the world’s largest websites are already employing this added level of security. As the demand for this type of security increases, I suspect that we will hear more about it.