Abusive behavior that leverages the domain name system (DNS) continues to be a problem,1 with a reach that has been widely and credibly documented.2 There is little doubt that bad actors continue to use the DNS for nefarious and costly purposes. While the amendments made in 2024 to ICANN’s Registry Agreement (RA) and Registrar Accreditation Agreement (RAA) were a step in the right direction, more advanced tools are needed to bring abuse rates down.
Notably, developments in the European Union have once again outpaced ICANN’s contracts, with the EU Network and Information Security Directive (NIS2) Guidelines3 directly addressing elements of DNS abuse. ICANN should apply these new security standards across the globe to protect the public from the harms resulting from DNS abuse. The domain industry has a short window to upgrade the RA and RAA before it risks additional governmental intervention.4
Some will recall the 2012-2013 time period as one that was extraordinarily busy for all involved in ICANN:
It’s been a long decade since, but today, we face a similar opportunity to move the DNS further toward stability and security. As the new round of gTLD applications approaches—more than ten years after the last round—we should seize the chance now to revamp these agreements to advance the ongoing fight against DNS abuse and other harms.
While ICANN Org smoothly and professionally gathered and represented the community’s concerns in the 2013 round of contractual updates, it missed the mark in its handling of the 2024 amendments.
Specifically, ICANN Org did not—as it had done so thoroughly before—engage in meaningful and good faith dialogue with the community prior to commencing negotiations. Nor did ICANN Org, other than when it staged a cursory comment period (where it took on exactly none of the community’s additional input)5, do much to negotiate anything beyond what contracted parties themselves sought from amendments. This shortcoming is of concern to the many other stakeholder groups, advisory committees and constituencies that make up the ICANN multistakeholder model.
We hope for much broader engagement from all going forward.
In terms of process, one can harken back to the 2013 RAA improvements.
Importantly, transparency was a hallmark of the process. Along the negotiation road, ICANN Org kept the community in the loop. There were dozens of consultations, ranging from public comment periods to in-person updates to a dedicated wiki page for community interaction. The community was respected as a collaborator in the process.
ICANN Org should follow this precedent. No one expects or requests a role in the negotiating process itself; however, the community deserves a voice in matters of public interest such as this.
There are previously established standards for such a request. In the instance of the RAA:
In the instance of the RA (both the base agreement and individual gTLD contracts):
The above is a non-exhaustive list of various community inputs and serves as a reminder of ICANN Org’s then-commitment to partnering with the community to ensure important priorities were reflected in final agreements.
The community recognizes that there exists now an inflection point within the ICANN sphere, one that has begun to favor productivity and results after years of stagnation. With a new CEO joining ICANN Org, it is the hope of many that this translates as well to real and far-reaching results on the issue of DNS abuse, and is not merely a box to be checked.
The following would be useful tools for pushing back on DNS abuse:
These are just a few of the improvements that would demonstrate ICANN Org’s commitment to partnering with the broader community to ensure important priorities were reflected in agreements.
The community stands ready to contribute productively and in good faith to this important initiative.
For your information, the DNS Research Federation (https://dnsrf.org) has initiated a new system for measuring internet abuse (beyond DNS Abuse)—not just by counting instances of abuse but by tracking how, when, and who is responsible for mitigating it.
For an introduction, see - https://dnsrf.org/blog/abuse-mitigation—-understanding-what—who-and-when/index.html
The goal is to detect and measure actual mitigation actions to understand which measures and actors are making a difference. This data will give us insight into the overall effectiveness of policies and the impact of mitigation across the ecosystem, including current and future policy or contract updates.
There will always be abuse on the internet. It is just too lucrative for threat actors to engage in, and no matter what we do to combat it, it will always find new ways and venues to cause harm to internet users.
But that does not mean we should give up the fight. We just need to be more clever about it.
ICANN has always been an attractive venue to address topics of abuse. Where else but ICANN do we have the chance to regulate companies across the world, no matter the jurisdictions they may be in? Clearly, you can achieve more at ICANN than through piecemeal regulation and lobbying.
But not everything can be resolved through regulating the DNS and domain names. Addressing the issue of abuse through the DNS will never cause the root sources to go away.
Ultimately, domain names are - when registered for abusive purposes - just one of many delivery mechanisms for abuse that resides elsewhere. But there is no ICANN for hosters. There is no ICANN for social networks. There is no ICANN for content delivery networks. There is no ICANN for mail services. There is no ICANN for internet service providers who offer services that can be abused. But all of these are causing more damage and are the sources of more abuse than domain names ever will be.
Maybe it is time that we break through the silos and engage with other elements of the internet ecosystem and work together to be more effective in mitigating abuse on the internet.
Maybe we need additional international regulatory bodies that have the power to effectively bind other elements of the ecosystems to common rules.