Home / Blogs

Attacking DNS Abuse: The Next Amendments Needed

Abusive behavior that leverages the domain name system (DNS) continues to be a problem,1 with a reach that has been widely and credibly documented.2 There is little doubt that bad actors continue to use the DNS for nefarious and costly purposes. While the amendments made in 2024 to ICANN’s Registry Agreement (RA) and Registrar Accreditation Agreement (RAA) were a step in the right direction, more advanced tools are needed to bring abuse rates down.

Notably, developments in the European Union have once again outpaced ICANN’s contracts, with the EU Network and Information Security Directive (NIS2) Guidelines3 directly addressing elements of DNS abuse. ICANN should apply these new security standards across the globe to protect the public from the harms resulting from DNS abuse. The domain industry has a short window to upgrade the RA and RAA before it risks additional governmental intervention.4

Approaching opportunity via the new gTLD program

Some will recall the 2012-2013 time period as one that was extraordinarily busy for all involved in ICANN:

  • The RAA was comprehensively renegotiated, resulting in almost 100 amendments dealing with a wide variety of concerns;
  • The new gTLD program was rapidly unfolding with more than 1,900 gTLD applications, challenging the community and ICANN Org to “get it right” as managers of the largest expansion of the internet’s namespace to date; and
  • ICANN Org, registries, registrars, and the community worked collaboratively to align contractual provisions with the needs of the latter during the run-up to the launch of new gTLDs, ensuring that registries and registrars were fully equipped to responsibly handle gTLD expansion and minimize the associated levels of DNS abuse.

It’s been a long decade since, but today, we face a similar opportunity to move the DNS further toward stability and security. As the new round of gTLD applications approach—more than ten years after the last round—we should seize the chance now to revamp these agreements to advance the ongoing fight against DNS abuse and other harms.

What about the 2024 updates to the RAA?

While ICANN Org smoothly and professionally gathered and represented the community’s concerns in the 2013 round of contractual updates, it missed the mark in its handling of the 2024 amendments.

Specifically, ICANN Org did not—as it had done so thoroughly before—engage in meaningful and good faith dialogue with the community prior to commencing negotiations. Nor did ICANN Org, other than when it staged a cursory comment period (where it took on exactly none of the community’s additional input)5, do much to negotiate anything beyond what contracted parties themselves sought from amendments. This shortcoming is of concern to the many other stakeholder groups, advisory committees and constituencies that make up the ICANN multistakeholder model.

We hope for much broader engagement from all going forward.

What a good faith, productive collaboration would look like

In terms of process, one can harken back to the 2013 RAA improvements.

Importantly, transparency was a hallmark of the process. Along the negotiation road, ICANN Org kept the community in the loop. There were dozens of consultations, ranging from public comment periods to in-person updates to a dedicated wiki page for community interaction. The community was respected as a collaborator in the process.

ICANN Org should follow this precedent. No one expects or requests a role in the negotiating process itself; however, the community deserves a voice in matters of public interest such as this.

There are previously established standards for such a request. In the instance of the RAA:

  • The agreement was successfully renegotiated in 2009 to include a number of community-based suggestions;
  • Less than two years following the 2009 renegotiation, the RAA—due to wide-ranging community input and ICANN Org responsiveness—was subject to a new round of far more extensive negotiation;
  • During that 18-month (2011-2013) negotiation period, successive RAA drafts were subject to numerous postings and community updates, including community exchanges at every public ICANN meeting over that span of time;
  • Information on the progression of the negotiations, including previously released updates and documentation, was made available to the community via wiki; and
  • Proposed updates were subject to two rounds each of formal public comment.

In the instance of the RA (both the base agreement and individual gTLD contracts):

  • The public had significant input, including two rounds of formal public comment (both in 2013 alone);
  • Each time a gTLD Registry Agreement approaches its renewal, ICANN historically has provided the community with the opportunity to comment on terms of the renewal and/or changes to the contract; and
  • As was the case with the RAA, the base RA was the subject of extensive Governmental Advisory Committee (GAC) advice, including the Beijing Communique.

The above is a non-exhaustive list of various community inputs and serves as a reminder to ICANN Org’s then commitment to partnering with the community to ensure important priorities were reflected in final agreements.

What the community could seek in updates

The community recognizes that there exists now an inflection point within the ICANN sphere, one that has begun to favor productivity and results after years of stagnation. With a new CEO joining ICANN Org, it is the hope of many that this translates as well to real and far-reaching results on the issue of DNS abuse, and not merely is a box to be checked.

In terms of useful tools for pushing back on DNS abuse, the following would be useful tools:

  • The ability to act at scale (e.g., at the registrar account level), not just keep playing whack-a-mole;
  • Employment of risk-based procedures, as recommended by the NIS Cooperation Group, to either verify registrant identity or to identify, suspend or deactivate suspicious domains;
  • Evolve the definition of DNS abuse to include “impostor” domains, such as those that mimic famous and well-known brands and actions associated with them (e.g., “login”, “security”, etc.);
  • A clearly stated prohibition against child sexual abuse material (CSAM);
  • An affirmative duty for registries and registrars to mitigate maliciously registered domain names (rather than simply forwarding the request downstream to hosting providers);
  • Documentation to the reporter of abuse of steps taken to mitigate;
  • Improvement of response timeframes to match the urgency of DNS threat vectors and an improved time to resolution;
  • Better empowerment of ICANN Compliance to proactively deal with egregious outliers;
    • Not merely enforcement, but helpful guidance to the contracted party community
    • Remediation action from Compliance upon inaction from non-compliant contracted parties
  • Requiring registration data reveals in instances of abuse, particularly in cases where it occurs at scale.

These are just a few of the improvements that would demonstrate ICANN Org’s commitment to partnering with the broader community to ensure important priorities were reflected in agreements.

The community stands ready to contribute productively and in good faith to this important initiative.

By Mason Cole, Internet Governance Advisor at Perkins Coie

Filed Under

Comments

Abuse Mitigation - Understanding What, Who and When Alex Deacon  –  Nov 12, 2024 12:01 PM

For your information, the DNS Research Federation (https://dnsrf.org) has initiated a new system for measuring internet abuse (beyond DNS Abuse) —not just by counting instances of abuse but by tracking how, when, and who is responsible for mitigating it.

For an introduction, see -  https://dnsrf.org/blog/abuse-mitigation—-understanding-what—who-and-when/index.html

The goal is to detect and measure actual mitigation actions to understand which measures and actors are making a difference. This data will give us insight into the overall effectiveness of policies and the impact of mitigation across the ecosystem, including current and future policy or contract updates.

A need to widen the scope in adressing abuse Volker Greimann  –  Nov 16, 2024 3:46 AM

There will always be abuse on the internet. It is just too lucrative for threat actors to engage in, and no matter what we do to combat it, it will always find new ways and venues to cause harm to internet users.

But that does not mean we should give up the fight. We just need to be more clever about it.

ICANN has always been an attractive venue to address topics of abuse. Where else but ICANN do we have the chance to regulate companies across the world, no matter the jurisdictions they may be in. Clearly, you can achieve more at ICANN than through piecemeal regulation and lobbying.

But not everything can be resolved through regulating the DNS and domain names. Addressing the issue of abuse through the DNS will never cause the root sources to go away.

Ultimately, domain names are - when registered for abusive purposes - just one of many delivery mechanism for abuse that resides elsewhere. But there is no ICANN for hosters. There is no ICANN for social networks. There is no ICANN for content delivery networks. There is no ICANN for mail services. There is no ICANN for internet service providers who offer services that can be abused. But all of these are causing more damages, are the sources for more abuse than domain names ever will be.

Maybe it is time that we break through the silos and engage with other elements of the internet ecosystem and work together to be more effective in mitigating abuse on the internet.

Maybe we need additional international regulatory bodies that have the power to effectively bind other elements of the ecosystems to common rules.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix